bitter-dentist-28132  09/06/2019, 9:02 PM
`envFrom` with a reference to a secret's name. And it seems that makes the entire container spec secret, which means I get an empty output for the diff, so I can't see the image change. Any way around that? Where's the demarcation of what's marked secret? If I were to pass a new `k8stypes.core.v1.EnvFromSource` to `envFrom` instead of an array of hashes, would that work?

gorgeous-egg-16927  09/06/2019, 9:07 PM
`data` and `stringData` fields of a Secret should be marked as secret by default.

bitter-dentist-28132  09/06/2019, 9:20 PM
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// config, stackName, namespace, provider and ServiceDeployment are defined elsewhere in the program.
let googleMapsKey = config.requireSecret('googleMapsKey');

// The Secret carries the plaintext value, so its stringData is a secret output.
const googleMapsKeySecret = new k8s.core.v1.Secret(`google-maps-key-${stackName}`, {
    metadata: { namespace: namespace },
    stringData: { GOOGLE_MAPS_KEY: googleMapsKey },
}, { provider: provider });

// The Deployment only references the Secret by name through envFrom.
const deployment = new ServiceDeployment(`deployment-${stackName}`, namespace, {
    // ...
    envFrom: [{ secretRef: { name: googleMapsKeySecret.metadata.name } }],
}, { provider: provider });
```

```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";
import * as k8stypes from "@pulumi/kubernetes/types/input";

export class ServiceDeployment extends pulumi.ComponentResource {
    public readonly deployment: k8s.apps.v1.Deployment;

    constructor(name: string, namespace: pulumi.Output<string>, args: ServiceDeploymentArgs, opts?: pulumi.ComponentResourceOptions) {
        super("vantrix:pulumi-library:ServiceDeployment", name, {}, opts);

        // envFrom is passed straight through from the caller into the container spec.
        const container: k8stypes.core.v1.Container = {
            // ...
            envFrom: args.envFrom,
        };

        this.deployment = new k8s.apps.v1.Deployment(name, {
            // ...
            spec: {
                template: {
                    spec: {
                        containers: [ container ],
                        imagePullSecrets: args.imagePullSecrets,
                    },
                },
            },
        }, { parent: this });

        this.registerOutputs({ deployment: this.deployment });
    }
}

export interface ServiceDeploymentArgs {
    // ...
    imagePullSecrets?: pulumi.Input<k8stypes.core.v1.LocalObjectReference>[];
    envFrom?: pulumi.Input<k8stypes.core.v1.EnvFromSource>[];
}
```
gorgeous-egg-16927  09/06/2019, 9:38 PM
`let googleMapsKey = config.requireSecret('googleMapsKey');` ?
I would expect the Deployment not to be marked secret, because it only references the names of secrets, not the secret value directly.

bitter-oil-46081  09/06/2019, 9:47 PM
`lastAppliedConfig` property of the metadata bag on the Secret as encrypted (because it would contain the plaintext value of the secret). However, in the languages, we can only track this secretness at the level of `Output<T>`'s, so the single secret property of `.metadata` taints the entire metadata output, which means when you pull the `.name` property off of the `metadata` output, the secretness is transferred to it. We could be smarter about how we taint the `Output<T>`'s here, esp. in the case where you dot into a nested property like this.

bitter-dentist-28132  09/06/2019, 9:50 PM
`pulumi stack export`, the `lastAppliedConfiguration` is secretized as you say, but the other parts of it are not, except for the `spec.template.spec.containers` field.
`spec.template.spec.containers` is the `Output<T>`?

bitter-oil-46081  09/06/2019, 9:58 PM
`googleMapsKeySecret.metadata.name` invocation here. I believe what is happening is that the `Output<T>` for `googleMapsKeySecret.metadata` is being treated as a secret because part of the object (i.e. the `lastAppliedConfig` property that the kubernetes provider added to it) itself is a secret.

bitter-dentist-28132  09/06/2019, 10:00 PM
`containers`?

gorgeous-egg-16927  09/06/2019, 10:01 PM
`.metadata.name` in `envFrom`
`.metadata` field is marked secret, it will cascade through all the resources that access it.

bitter-dentist-28132  09/06/2019, 10:04 PM
`envFrom` field would stop it from bubbling up beyond that level.

gorgeous-egg-16927  09/06/2019, 10:04 PM
`envFrom` as a workaround
`secret` -> `envFrom` -> `container` -> `containers`

bitter-dentist-28132  09/06/2019, 10:07 PM

gorgeous-egg-16927  09/06/2019, 10:14 PM

bitter-dentist-28132  09/06/2019, 11:19 PM
```typescript
googleMapsKeySecret.metadata.name.apply(n => {
    const deployment = new ServiceDeployment(`deployment-${stackName}`, namespace, {
        // ...
        envFrom: [{ secretRef: { name: n } }],
    }, { provider: provider });
});
```
Is there a more pleasant way to accomplish the same thing, like with `await` or something?