https://pulumi.com logo
Powered by
Title
b

bulky-area-51023

10/23/2021, 3:41 PM
I’m currently working on fetching pulumi 
secret
from stack, and generating kubernetes manifest from it (e.g. environment variable). But it doesn’t seem to be replaced into string value. I’m aware of that the return value of 
require_secret
is 
Output[T]
but having some passthrough 
apply(lambda val: val)
doesn’t work. I think the main problem is that 
secret
object is not a direct argument of subsequent resource. Any kind of piece of advice would be very appreciated
b

billowy-army-68599

10/23/2021, 4:56 PM
you're likely placing the lambda at the wrong place, can you share the code you tried?
b

bulky-area-51023

10/23/2021, 5:43 PM
Code is pretty complicated, but I’ll include the details as much as I can. So in 
utils.py
, 
for secret_key in secret_keys:
        try:
            secret_value = config.require_secret(secret_key).apply(
                lambda val: val
            )
        except pulumi.ConfigMissingError as cme:
            raise cme
        richen_manifest['extra_env'].append({
            'name': secret_key,
            'value': secret_value
        })
   # this is a jinja2 template rendering...
   template.render(manifest)
and in the 
__main__.py
, we call that rendering part from 
utils
and then dump it to a temporary file. 
with open(tmp_manifest, 'w') as f:
                yaml.dump(yaml.load(rendered_manifest), f)

            kubernetes.yaml.ConfigFile(
                f'events-{server}-{product}-{stage}',
                file=tmp_manifest,
                opts=ResourceOptions(provider=k8s)
            )
And the bare template looks like 
containers:
        - image: {{ registry }}/{{ image }}:{{ image_tag }}
          env:
          {% for item in extra_env %}
            - name: {{ item.name }}
              value: "{{ item.value }}"
          {% endfor %}
So the resulting rendering looks like 
env:
        - name: SCHEMA_REGISTRY_AUTH
          value: "<pulumi.output.Output object at 0x7fcc98c51b80>"
b

billowy-army-68599

10/23/2021, 5:49 PM
you need to life the apply to where the template is rendered: 
config.require_secret(secret_key).apply(template.render)
etc
b

bulky-area-51023

10/23/2021, 6:47 PM
Since there are lot’s of secrets that should be into the template, it’s tough to maintain the 
apply
scheme. Is there any other solutions available?
b

billowy-army-68599

10/24/2021, 3:50 PM
no, 
apply
is there because of technical reasons around when the value is known. Why is it tough to maintain?
4 Views
#kubernetesJoin Slack
Powered by