No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

image.png

Could it be related to this, from the programming model page?
&gt; There is also a runtime aspect to secrets, in that any Output&lt;T&gt;
&gt; value may be marked secret. If an output is a secret, then any computed values from it—such as those derived through an apply
&gt; call—will themselves be marked secret. All such values are stored encrypted inside of your state, and never in plaintext.

I mean it must be? I'm not sure if this is the way it is supposed to work, but basically that one secret config value used in that one kubernetes secret turns the entire dependent deployment, service, and ingress into `[secret]`, basically eliminating any useful diff on future updates.

I don't think it's support to work that way. If `deployment_name` was built from a secret then it should be secret, but it doesn't look like you're using the `kw.Secret` to build `deployment_name`...