I’m currently working on fetching pulumi `secret` ...
# kubernetes
b
I’m currently working on fetching pulumi `secret` from stack, and generating kubernetes manifest from it (e.g. environment variable). But it doesn’t seem to be replaced into string value. I’m aware that the return value of `require_secret` is `Output[T]` but having some passthrough `apply(lambda val: val)` doesn’t work. I think the main problem is that `secret` object is not a direct argument of subsequent resource. Any kind of piece of advice would be very appreciated.
b
you're likely placing the lambda at the wrong place, can you share the code you tried?
b
Code is pretty complicated, but I’ll include the details as much as I can. So in `utils.py`,

```python
for secret_key in secret_keys:
    try:
        secret_value = config.require_secret(secret_key).apply(
            lambda val: val
        )
    except pulumi.ConfigMissingError as cme:
        raise cme
    richen_manifest['extra_env'].append({
        'name': secret_key,
        'value': secret_value
    })
# this is a jinja2 template rendering...
template.render(manifest)
```
and in the `__main__.py`, we call that rendering part from `utils` and then dump it to a temporary file.

```python
with open(tmp_manifest, 'w') as f:
    # safe_load parses plain YAML without constructing arbitrary Python objects
    yaml.dump(yaml.safe_load(rendered_manifest), f)

kubernetes.yaml.ConfigFile(
    f'events-{server}-{product}-{stage}',
    file=tmp_manifest,
    opts=ResourceOptions(provider=k8s)
)
```
And the bare template looks like

```yaml
containers:
  - image: {{ registry }}/{{ image }}:{{ image_tag }}
    env:
    {% for item in extra_env %}
      - name: {{ item.name }}
        value: "{{ item.value }}"
    {% endfor %}
```
So the resulting rendering looks like

```yaml
env:
  - name: SCHEMA_REGISTRY_AUTH
    value: "<pulumi.output.Output object at 0x7fcc98c51b80>"
```
b
you need to lift the apply to where the template is rendered: `config.require_secret(secret_key).apply(template.render)` etc
b
Since there are lots of secrets that should go into the template, it’s tough to maintain the `apply` scheme. Are there any other solutions available?
b
no, `apply` is there because of technical reasons around when the value is known. Why is it tough to maintain?