No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

i tried to search soource of problem and when i did
```sudo tcpdump -i en0 "dst 54.70.73.136 || dst 35.163.58.164"```
see many request to remote host during pulumi stack command runnig

then search info how to trace pulumi
<https://www.pulumi.com/docs/troubleshooting/>

and found this:

image.png

Could you please file an issue on <http://github.com/pulumi/pulumi|github.com/pulumi/pulumi>? It would be useful to know the general shape of your Pulumi program’s configuration and resources. (i.e. what would cause those decryptValue calls in the first place.) We have some optimizations in place to avoid redundant calls to decrypt values, but it could be that you are hitting some codepath that isn’t using cached/memoized values.

/cc <@U84HBHXS8>

thx you for the advice, seams i get the source of the problem.

This is production ready env that contains many k8s.apps.v1.Deployment that spec became secrets coz its use k8s.core.v1.Secret as input for .envFrom.secretRef

also i have k8s.core.v1.Service that also became secrets coz its use
deployment.spec.template.metadata.labels as input for selector

even all k8s.networking.v1beta1.Ingress became secret coz its use service.metadata.name as input for serviceName

<@U83S3MLQ0> i’ll try to test and collect more information and then I’ll create an issues.

finnaly i found the true source or the problem

```    secret           : {
        apiVersion: "v1"
        data      : "[secret]"
        id        : "default/backend-api-secrets-ahdxt3ym"
        kind      : "Secret"
        metadata  : "[secret]"
        stringData: "[secret]"
        type      : "Opaque"
        urn       : "urn:pulumi:stage::project-aws-eks::k8s:app:backend$kubernetes:core/v1:Secret::backend-api-secrets"
    }```
*metadata* of the k8s.core.v1.Secret became secret I use it for the creating service account with providing registry secret with *secret*.*metadata.name*

but it’s encrypted and my service account became encrypted as well and then I use *sa*.*metadata.name* for my deployment and its also became encrypted all my k8s resources became encrypted :smile:.

i found workaround with:
```secret.id.apply(v => v.replace(/^[^\/]+\//,''))```
It’s not a good solution at all. I think not all *metadata in secrets must be encrypted -> name at least*