# typescript
q
I'm trying to create a "special" type of Secret for Kubernetes, which is `dockerconfigjson` with Pulumi. I'm running into problems:
```typescript
export const imagePullSecret = new k8s.core.v1.Secret(
  "docker-hub",
  {
    type: "kubernetes.io/dockerconfigjson",
    metadata: {
      namespace: "community"
    },
    data: {
      ".dockerconfigjson": config
        .requireSecret("docker-hub-token")
        .apply(value => {
          Buffer.from(
            JSON.stringify({
              auths: {
                "https://index.docker.io/v1/": {
                  auth: value
                }
              }
            })
          ).toString("base64");
        })
    }
  },
  {
    provider: kubernetesProvider
  }
);
```
```
Diagnostics:
  kubernetes:core:Secret (docker-hub):
    error: check failed because malformed resource inputs: malformed RPC secret: missing value
```
Any advice, @creamy-potato-29402?
g
```typescript
export const imagePullSecret = new k8s.core.v1.Secret(
    "docker-hub",
    {
        type: "kubernetes.io/dockerconfigjson",
        metadata: {
            namespace: "community"
        },
        // stringData takes the plain string; Kubernetes base64-encodes it on write.
        stringData: {
            ".dockerconfigjson": config
                .requireSecret("docker-hub-token")
                .apply(value => {
                    // Return the JSON so the apply resolves to a value.
                    return JSON.stringify({
                        auths: {
                            "https://index.docker.io/v1/": {
                                auth: value
                            }
                        }
                    })
                })
        },
    },
    {
        provider: kubernetesProvider
    }
);
```
^ I think that should do the trick. I made a couple changes: 1. Using the `stringData` field avoids having to base64 encode the string yourself. 2. You weren’t returning a value inside of the `apply`, so the value of `.dockerconfigjson` was `null`.
I realize this is still complicated, but we’re actively working on making this process far easier. Stay tuned for related announcements around KubeCon next month!
q
Thank you. I'll give that a try 😀
Do you know if it's possible to create a service account and then fetch the default token that is created?
g
I haven’t done that myself, but it should be doable.
Can you give me an example of how you’re creating the service account and where you need to use the token?
q
I have a private repository, called production, that creates a namespace for each team at InfluxDB
Each namespace gets a default service account. I want to use that as an output to consume in each team's repository for their own Pulumi code
I also don't mind creating an explicit service account in the namespace too, if that's easier
I've tried both, but I failed 😀
I think, in my limited knowledge, the challenge is because the token is created async by a controller
My limited knowledge of Pulumi I mean, I'm down with the Kubernetes bit 👍
g
I’m not super familiar with service accounts in k8s, but you can use the `get` APIs to grab info on resources created out of band from Pulumi (e.g., by k8s). Something like this might do the trick:
```typescript
const token = k8s.core.v1.ServiceAccount.get("token", "namespace/token-id");
```
q
I'd probably need to enter an arbitrary sleep to let the reconcile happen. But that could work. I'll let you know
Thanks
l
@gorgeous-egg-16927 has this been made easier meanwhile? I need the same.
g
Not yet, but I could add it to the kx package pretty easily. Can you file an issue to remind me?
l