https://pulumi.com logo
#general
Title
# general
v

victorious-scientist-9866

03/23/2020, 2:05 AM
@green-morning-1318 @billowy-army-68599 thanks to you both. I think this works fine for the
.htpasswd
example since the file contents are already hashed/secure but it doesn't work for the example of an image pull secret since the contents are only base64 encoded and can easily be decoded. Ideally, unencrypted secret data wouldn't be commited to the git repository storing my deployment files.
g

green-morning-1318

03/23/2020, 2:23 AM
I’m not going to pretend I’m an expert on this, but you might give this a try. A K8s secret for private registries is of type “kubernetes.io/dockerconfigjson”. The content is stored in “.dockerconfigjson” under the data element and always follows a specific format:
Copy code
{
  "auths": {
    "<http://your.private.registry.example.com|your.private.registry.example.com>": {
      "username": "janedoe",
      "password": "xxxxxxxxxxx",
      "email": "<mailto:jdoe@example.com|jdoe@example.com>",
      "auth": "c3R...zE2"
    }
  }
}
The auth part is base64 encoded and seems to be username and password concatenated with a : So if you know your Registry server, username, password, email address you could construct the content of that file programmatically and create a secret like
Copy code
new k8s.core.v1.Secret("myK8sSecret", {
        metadata: {
            name: "imagePullSecret",
            namespace: "default"
        },
        type: "<http://kubernetes.io/dockerconfigjson|kubernetes.io/dockerconfigjson>",
        data: {
            ".dockerconfigjson": toBase64(<the entire auth string>),
        }
    }
In that case, the contents needed to generate the secret are always in your possession and should indeed never be in git. Source for coming up with this potential solution: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#inspecting-the-secret-regcred
v

victorious-scientist-9866

03/23/2020, 2:24 AM
Thanks, that was pretty much what I ended up with:
Copy code
const deployToken = new k8s.core.v1.Secret("shrcc-deploy-token", {
  stringData: pulumi.all([
    config.requireSecret("deployTokenUsername"),
    config.requireSecret("deployTokenPassword"),
  ]).apply(([username, password]) => ({
    ".dockerconfigjson": JSON.stringify({
      auths: {
        "<http://registry.gitlab.com|registry.gitlab.com>": { username, password }
      }
    }),
  })),
  type: "<http://kubernetes.io/dockerconfigjson|kubernetes.io/dockerconfigjson>",
}, { additionalSecretOutputs: ["stringData"], provider })
but it doesn't quite feel right...
g

green-morning-1318

03/23/2020, 2:42 AM
It makes sense to me to do it this way to be honest 🤔
If you do happen to find a different approach, I’d love to hear it
v

victorious-scientist-9866

03/23/2020, 3:01 AM
thanks, will do 🙂
f

faint-motherboard-95438

03/30/2020, 10:29 PM
Hi there, I was searching how to do this too and ended up on this thread. I agree with @victorious-scientist-9866, I would expect a less “handmade” way, and maybe there is, but that will do for now. Thanks !