No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

You can read the file from disk using whatever library makes sense, in typescript:

``` const secret = new k8s.core.v1.Secret("secret", {
    stringData: { 
        "tls.crt": fs.readFileSync("myservice.cert.pem").toString(),
        "tls.key": fs.readFileSync("myservice.key.pem").toString(),
    },
});```

Yes, but if I want to store them in the pulumi stack so it can be encrypted?

It’s not possible for me to store the key in revision control, so I need to stash it in the stack in an encrypted format

I can cobble together a secret of type “tls” that has the exact same base64 values read from the stack that I see in the yaml file output from the kubectl command, but they are clearly different somehow when I go to actually use the secret

The “stringData” field is base64 encoded server-side. If you’re passing in base64 encoded data, you can use the “data” field instead. 

OK, I got this working!  I’m going to document my solution here for future reference

```$ base64 &lt; myservice.cert.pem | pulumi config set --secret tls.crt
$ base64 &lt; myservice.key.pem | pulumi config set --secret tls.key```

```const secretsName = `${serviceName}-secrets`;
const secrets = new k8s.core.v1.Secret(secretsName, {
    metadata: {
        name: secretsName,
        namespace: "mynamespace"
    },
    type: "<http://kubernetes.io/tls|kubernetes.io/tls>",
    data: {
        "tls.crt" : Buffer.from(config.require("tls.crt")).toString(),
        "tls.key" : Buffer.from(config.require("tls.key")).toString(),
    },
});```