This message was deleted.
# typescript
s
This message was deleted.
w
Since databaseUser is based on the
name
property of
dbUser
it is not marked as a secret. As you noted the password is marked as a secret due to its origin as
config.requireSecret
. If you want
databaseUser
to be secret, you can programmatically mark it as such using
databaseUser = pulumi.secret(dbUser.name)
See: https://www.pulumi.com/docs/intro/concepts/secrets/# Or, use the
additionalSecretOutpus
resource option for the
name
property of
dbUser
as per: https://www.pulumi.com/docs/intro/concepts/resources/options/additionalsecretoutputs/
l
Thanks for the reply @witty-candle-66007! I might not have been clear in my original post. The
name
property of
dbUser
not being marked as secret actually makes sense to me! It’s the
deployment.metadata.name
property being marked as secret that’s giving me a bit of confusion - I don’t want it to be outputting as a secret and I’m not sure why it is. I know that one workaround would be to surround it in a
pulumi.unsecret()
but that feels somewhat hacky, and it’d simply be a bandaid fix over an underlying mechanism I’d rather understand.
w
Ah - yes - I didn’t read your original post closely enough. Sorry about that. I am a bit surprised as well, tbh, that the
deployment.metadata.name
is marked as a secret like that. Let me ask the team about that.
👍 1
OK - spoke to engineering and there is an issue tracking this: https://github.com/pulumi/pulumi-kubernetes/issues/787 In case it helps, they also suggested:
Copy code
I would recommend not putting secret values directly in the Deployment spec, and instead using a k8s core.v1/Secret for that. This code isn't good practice for k8s

You can reference the k8s Secret in the env instead, and then it won't show up in plaintext in k8s manifests
l
Of course, another fun Kubernetes quirk to add to my list 🥲 Thanks a bunch for your help @witty-candle-66007!