No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

I use the `tls` package for similar purposes and haven’t seen this happen.

What does this code look like?

So the `PrivateKey` resource in tls only outputs `privateKeyPem` , so I use the `sshpk` util to convert over to openssh format:

```function convertPrivateKeyToOpenSSH(key: pulumi.Input&lt;string&gt;) {
  return pulumi.output(key).apply((unwrappedKey) =&gt; {
    const parsedKey = sshpk.parsePrivateKey(unwrappedKey, "pem");
    // @ts-ignore
    return parsedKey.toString("ssh");
  });
}```
... which is called like:
`convertPrivateKeyToOpenSSH(tlsPrivateKeyOutput.privateKeyPem)`

... the result of which is pushed in `stringData` in a k8s cluster Secret.

and presumably `convertPrivateKeyToOpenSSH` returns the same string every time?

Diff looks like this, it's odd I can't see the keys inside `stringData`:
```                    +-kubernetes:core/v1:Secret: (replace)
                      ~ stringData: {
                        }```
... and I compared secrets before/after application and they look identical.

If I jump into the json diff seems like the reasons are just the converted private keys (public keys unchanged), so I must be doing something wrong re: converting these keys.

I also tried trimming the converted private keys just in case to no avail.