How can I emulate this via pulumi from pulumi conf...
# kubernetes
b
How can I emulate this via pulumi from pulumi config secrets?
kubectl create secret tls myservice-tls --cert=myservice.cert.pem --key=myservice.key.pem --dry-run -o yaml
I’ve tried manually constructing a TLS secret with the exact contents of the yaml file, but it doesn’t work for some reason. I feel like I must be missing something obvious, any insights?
b
You can read the file from disk using whatever library makes sense, in typescript:
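import * as fs from "fs";
import * as k8s from "@pulumi/kubernetes";

// stringData takes the plain PEM text; the API server base64-encodes it.
const secret = new k8s.core.v1.Secret("secret", {
    stringData: {
        "tls.crt": fs.readFileSync("myservice.cert.pem").toString(),
        "tls.key": fs.readFileSync("myservice.key.pem").toString(),
    },
});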
b
Yes, but if I want to store them in the pulumi stack so it can be encrypted?
It’s not possible for me to store the key in revision control, so I need to stash it in the stack in an encrypted format
I can cobble together a secret of type “tls” that has the exact same base64 values read from the stack that I see in the yaml file output from the kubectl command, but they are clearly different somehow when I go to actually use the secret
g
The “stringData” field is base64 encoded server-side. If you’re passing in base64 encoded data, you can use the “data” field instead.
b
OK, I got this working! I’m going to document my solution here for future reference
$ base64 < myservice.cert.pem | pulumi config set --secret tls.crt
$ base64 < myservice.key.pem | pulumi config set --secret tls.key
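import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

const config = new pulumi.Config();
// serviceName is defined elsewhere in the program.
const secretsName = `${serviceName}-secrets`;
const secrets = new k8s.core.v1.Secret(secretsName, {
    metadata: {
        name: secretsName,
        namespace: "mynamespace"
    },
    type: "kubernetes.io/tls",
    // The config values were base64-encoded before being stored (see the
    // commands above), so they go into `data` unchanged, not `stringData`.
    // requireSecret returns them as secret outputs, so they stay encrypted
    // in the Pulumi state.
    data: {
        "tls.crt": config.requireSecret("tls.crt"),
        "tls.key": config.requireSecret("tls.key"),
    },
});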