is there an example laying around showing how to g...
# typescriptb
busy-journalist-6936
02/28/2022, 11:27 PMis there an example laying around showing how to get the hash of a secret that I create with a pulumi resources so I can use it as a label/annotation to roll my pod deployment when it's value is updated?
b
billowy-army-68599
02/28/2022, 11:42 PM
not with a secret, but something like this?
https://github.com/jaxxstorm/pulumi-examples/blob/2519023cd4f22acd564783f6f4445a44dd82df65/typescript/aws/eks-platform/metricbeat/index.ts#L51
billowy-army-68599
02/28/2022, 11:43 PM
this is just base64 encoding a string, but the principal should be the same.
b
busy-journalist-6936
03/01/2022, 12:02 AMHmm, yeah that gives me an idea thank you
s
steep-toddler-94095
03/01/2022, 6:28 PMlikely you do not want to be putting an unencrypted secret value in your deployment annotation. it defeats the purpose of using the secret.
Pulumi will automatically reroll the deployment pods when a secret is updated if it's connected in a certain way. I forget exactly but I think it's if you reference the secret object inside the deployment (e.g. through env var assignment) and the secret doesn't have an explicit name assigned or something like that
b
busy-journalist-6936
03/02/2022, 4:01 AM@steep-toddler-94095 I would not use a base64 encoded version of the secret in the deployment for those exact concerns.
busy-journalist-6936
03/02/2022, 4:01 AMI would have liked to believe that changing the secret's value would re-roll the pods but that is not happening in this case.
s
steep-toddler-94095
03/02/2022, 4:02 AMOh yeah sorry i misinterpreted your original message!
b
busy-journalist-6936
03/02/2022, 4:02 AMI wonder if the failure to roll pods is due to using k8s helm release rather than a deployment spec natively in pulumi which limits this behavior
2 Views