# general
p
I can do something like this in the yaml file
d username="{{kafa-api-key}}" password="{{kafa-api-secret}}"
got those values in gcp secret
but it is not clear to me how to link the things together
anyone? 🙂
@billowy-army-68599
b
did you populate the values in secret manager using pulumi, or out of band?
my suggestion would be that you use Pulumi's secret management, and then use a transformation on the YAML file before deploy. https://www.pulumi.com/docs/intro/concepts/config/ https://www.pulumi.com/docs/intro/concepts/programming-model/#transformations
here's an example of using a transformation on a configfile:
import * as k8s from "@pulumi/kubernetes";

// Create resources for the Kubernetes Guestbook from its YAML manifests.
// `namespaceName`, `appLabels` and `clusterProvider` come from the NGINX
// stack defined earlier in the same program.
const guestbook = new k8s.yaml.ConfigFile("guestbook",
    {
        file: "https://raw.githubusercontent.com/pulumi/pulumi-kubernetes/master/tests/examples/yaml-guestbook/yaml/guestbook.yaml",
        transformations: [
            (obj: any) => {
                // Do transformations on the YAML to use the same namespace and
                // labels as the NGINX stack above
                if (obj.metadata.labels) {
                    obj.metadata.labels['appClass'] = namespaceName
                } else {
                    obj.metadata.labels = appLabels
                }

                // Make the 'frontend' Service public by setting it to be of type
                // LoadBalancer
                if (obj.kind == "Service" && obj.metadata.name == "frontend") {
                    if (obj.spec) {
                        obj.spec.type = "LoadBalancer"
                    }
                }
            }
        ],
    },
    {
        providers: { "kubernetes": clusterProvider },
    },
);
you can modify that transformation to look for obj.kind == "Secret" and then modify the obj.spec.data to insert the Pulumi config secret
p
uuu
let me read all of that 🙂
thanks @billowy-army-68599
did you populate the values in secret manager using pulumi, or out of band?
manually populated
or do you suggest a better way?
I don't need encryption since the secret is already managed by gcp secret manager
b
it really depends on your use case, unfortunately. If you're using secretsmanager and populating it manually, it's not stored in Pulumi's state, so Pulumi can't use the value easily. You can do a get() request to get it into the pulumi state, but that might not be what you want
there are tools to populate secrets automatically from secrets manager like this: https://github.com/godaddy/kubernetes-external-secrets
you could use Pulumi to install this: https://github.com/godaddy/kubernetes-external-secrets#gcp-secret-manager and then define an ExternalSecret with Pulumi which would create a regular Kubernetes secret
the easiest method is the one I mentioned before - don't do any of this and just store the secret in Pulumi and use Pulumi's secret management instead
p
ok
the only question I got using Pulumi secret management is: how do I share secrets between members of my team?
in other words, the idea is to let a new joiner do pulumi up
without doing something like this
$ pulumi config set --secret secretMessage "it's a secret to everybody"
or maybe I am missing something 🙂
b
if you're using the Pulumi SaaS, you'll need to either A) upgrade to a team plan, like team starter B) use the gcpkms encryption provider when you initialize your stack: https://www.pulumi.com/docs/intro/concepts/config/#available-encryption-providers
p
thanks a lot @billowy-army-68599