sparse-intern-71089 (09/06/2019, 9:02 PM):

gorgeous-egg-16927 (09/06/2019, 9:07 PM): `data` and `stringData` fields of a Secret should be marked as secret by default.

bitter-dentist-28132 (09/06/2019, 9:20 PM):

```typescript
// Imports added for context; stackName, namespace and provider are defined elsewhere in the program.
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";
import * as k8stypes from "@pulumi/kubernetes/types/input";

const config = new pulumi.Config();

let googleMapsKey = config.requireSecret('googleMapsKey');
const googleMapsKeySecret = new k8s.core.v1.Secret(`google-maps-key-${stackName}`, {
    metadata: { namespace: namespace },
    stringData: { GOOGLE_MAPS_KEY: googleMapsKey },
}, { provider: provider });

const deployment = new ServiceDeployment(`deployment-${stackName}`, namespace, {
    // ...
    envFrom: [{ secretRef: { name: googleMapsKeySecret.metadata.name } }],
}, { provider: provider });
```

```typescript
export class ServiceDeployment extends pulumi.ComponentResource {
    // Declared so that the assignment in the constructor type-checks.
    public readonly deployment: k8s.apps.v1.Deployment;

    constructor(name: string, namespace: pulumi.Output<string>, args: ServiceDeploymentArgs, opts?: pulumi.ComponentResourceOptions) {
        super("vantrix:pulumi-library:ServiceDeployment", name, {}, opts);
        const container: k8stypes.core.v1.Container = {
            // ...
            envFrom: args.envFrom,
        };
        this.deployment = new k8s.apps.v1.Deployment(name, {
            // ...
            spec: {
                template: {
                    spec: {
                        containers: [container],
                        imagePullSecrets: args.imagePullSecrets,
                    },
                },
            },
        }, { parent: this });
    }
}

export interface ServiceDeploymentArgs {
    // ...
    imagePullSecrets?: pulumi.Input<k8stypes.core.v1.LocalObjectReference>[];
    envFrom?: pulumi.Input<k8stypes.core.v1.EnvFromSource>[];
}
```

gorgeous-egg-16927 (09/06/2019, 9:38 PM): `let googleMapsKey = config.requireSecret('googleMapsKey');` ?
I would expect the Deployment not to be marked secret because it only references the names of secrets, not the secret value directly.

bitter-oil-46081 (09/06/2019, 9:47 PM): `lastAppliedConfig` property of the metadata bag on the Secret as encrypted (because it would contain the plaintext value of the secret). However, in the languages, we can only track this secretness at the level of `Output<T>`'s, so the single secret property of `.metadata` taints the entire metadata output, which means when you pull the `.name` property off of the `metadata` output, the secretness is transferred to it. We could be smarter about how we taint the `Output<T>`'s here, esp. in the case where you dot into a nested property like this.

bitter-dentist-28132 (09/06/2019, 9:50 PM): `pulumi stack export`, the `lastAppliedConfiguration` is secretized as you say, but the other parts of it are not, except for the `spec.template.spec.containers` field.

bitter-dentist-28132 (09/06/2019, 9:51 PM): `spec.template.spec.containers` is the `Output<T>`?

bitter-oil-46081 (09/06/2019, 9:58 PM): `googleMapsKeySecret.metadata.name` invocation here. I believe what is happening is that the `Output<T>` for `googleMapsKeySecret.metadata` is being treated as a secret because part of the object (i.e. the `lastAppliedConfig` property that the kubernetes provider added to it) itself is a secret.

bitter-dentist-28132 (09/06/2019, 10:00 PM): `containers`?

gorgeous-egg-16927 (09/06/2019, 10:01 PM): `.metadata.name` in `envFrom`

gorgeous-egg-16927 (09/06/2019, 10:02 PM): `.metadata` field is marked secret, it will cascade through all the resources that access it.

bitter-dentist-28132 (09/06/2019, 10:04 PM): `envFrom` field would stop it from bubbling up beyond that level.

gorgeous-egg-16927 (09/06/2019, 10:04 PM):

gorgeous-egg-16927 (09/06/2019, 10:04 PM): `envFrom` as a workaround

gorgeous-egg-16927 (09/06/2019, 10:06 PM): `secret` -> `envFrom` -> `container` -> `containers`

bitter-dentist-28132 (09/06/2019, 10:07 PM):

gorgeous-egg-16927 (09/06/2019, 10:14 PM):

bitter-dentist-28132 (09/06/2019, 11:19 PM):

```typescript
googleMapsKeySecret.metadata.name.apply(n => {
    const deployment = new ServiceDeployment(`deployment-${stackName}`, namespace, {
        // ...
        envFrom: [{ secretRef: { name: n } }],
    }, { provider: provider });
});
```

Is there a more pleasant way to accomplish the same thing, like with `await` or something?