@green-morning-1318 @billowy-army-68599 thanks to you both. I think this works fine for the

.htpasswd

example since the file contents are already hashed/secure but it doesn't work for the example of an image pull secret since the contents are only base64 encoded and can easily be decoded. Ideally, unencrypted secret data wouldn't be commited to the git repository storing my deployment files.

I’m not going to pretend I’m an expert on this, but you might give this a try. A K8s secret for private registries is of type “kubernetes.io/dockerconfigjson”. The content is stored in “.dockerconfigjson” under the data element and always follows a specific format:

{
  "auths": {
    "<http://your.private.registry.example.com|your.private.registry.example.com>": {
      "username": "janedoe",
      "password": "xxxxxxxxxxx",
      "email": "<mailto:jdoe@example.com|jdoe@example.com>",
      "auth": "c3R...zE2"
    }
  }
}

The auth part is base64 encoded and seems to be username and password concatenated with a : So if you know your Registry server, username, password, email address you could construct the content of that file programmatically and create a secret like

new k8s.core.v1.Secret("myK8sSecret", {
        metadata: {
            name: "imagePullSecret",
            namespace: "default"
        },
        type: "<http://kubernetes.io/dockerconfigjson|kubernetes.io/dockerconfigjson>",
        data: {
            ".dockerconfigjson": toBase64(<the entire auth string>),
        }
    }

In that case, the contents needed to generate the secret are always in your possession and should indeed never be in git. Source for coming up with this potential solution: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred

Thanks, that was pretty much what I ended up with:

const deployToken = new k8s.core.v1.Secret("shrcc-deploy-token", {
  stringData: pulumi.all([
    config.requireSecret("deployTokenUsername"),
    config.requireSecret("deployTokenPassword"),
  ]).apply(([username, password]) => ({
    ".dockerconfigjson": JSON.stringify({
      auths: {
        "<http://registry.gitlab.com|registry.gitlab.com>": { username, password }
      }
    }),
  })),
  type: "<http://kubernetes.io/dockerconfigjson|kubernetes.io/dockerconfigjson>",
}, { additionalSecretOutputs: ["stringData"], provider })

It makes sense to me to do it this way to be honest 🤔

thanks, will do 🙂

Hi there, I was searching how to do this too and ended up on this thread. I agree with @victorious-scientist-9866, I would expect a less “handmade” way, and maybe there is, but that will do for now. Thanks !