faint-dog-16036

07/26/2021, 6:26 PM
So I'm using a utility to convert a `tls.PrivateKey` `pem` into `openssh` format and throwing it into a k8s secret using `stringData`.
The issue is that pulumi thinks the secret changes every single update (despite it remaining stable), and so it recreates the secret every time. Anyone run into this?

bored-table-20691

07/26/2021, 6:27 PM
I use the `tls` package for similar purposes and haven’t seen this happen. What does this code look like?

faint-dog-16036

07/26/2021, 6:32 PM
So the `PrivateKey` resource in tls only outputs `privateKeyPem`, so I use the `sshpk` util to convert over to openssh format:
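```typescript
import * as pulumi from "@pulumi/pulumi";
import * as sshpk from "sshpk";

// Parse the PEM private key and re-serialize it in OpenSSH format.
function convertPrivateKeyToOpenSSH(key: pulumi.Input<string>) {
  return pulumi.output(key).apply((unwrappedKey) => {
    const parsedKey = sshpk.parsePrivateKey(unwrappedKey, "pem");
    // @ts-ignore
    return parsedKey.toString("ssh");
  });
}
```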
... which is called like:
```typescript
convertPrivateKeyToOpenSSH(tlsPrivateKeyOutput.privateKeyPem)
```
... the result of which is pushed in `stringData` in a k8s cluster Secret.

billowy-army-68599

07/26/2021, 6:39 PM
what's in the diff?

bored-table-20691

07/26/2021, 6:40 PM
and presumably `convertPrivateKeyToOpenSSH` returns the same string every time?

faint-dog-16036

07/26/2021, 6:47 PM
Diff looks like this, it's odd I can't see the keys inside `stringData`:
```
+-kubernetes:core/v1:Secret: (replace)
                      ~ stringData: {
                        }
```
... and I compared secrets before/after application and they look identical.
If I jump into the json diff, it seems like the reasons are just the converted private keys (public keys unchanged), so I must be doing something wrong re: converting these keys. I also tried trimming the converted private keys just in case, to no avail.