Hey pulumi gang, I’m hoping someone has an explana...
# typescript
l
Hey pulumi gang, I’m hoping someone has an explanation for some weird output issue I’m seeing with my example stack below:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";

let config = new pulumi.Config();

const dbUser = new gcp.sql.User(
    "users",
    {
        name: "testUser",
        instance: "my-instance",
        password: config.requireSecret("secret-db-password"),
    }
);

const deployment = new k8s.apps.v1.Deployment("my-test-app", {
    apiVersion: "apps/v1",
    kind: "Deployment",
    metadata: {
        name: "my-test-app",
    },
    spec: {
        selector: {
            matchLabels: {
                app: "my-test-app",
            },
        },
        template: {
            spec: {
                containers: [
                    {
                        env: [
                            {
                                name: "SECRET_DB_PASS",
                                value: config.requireSecret("secret-db-password"),
                            },
                        ],
                        name: "my-test-app",
                    },
                ],
            },
        },
    },
});

export const databaseUser = dbUser.name;
export const deploymentName = deployment.metadata.name;
```
I’m trying to figure out why the `deploymentName` output is marked as `[secret]` while the `databaseUser` output isn’t. My original assumption was that Pulumi’s `Output` unwrapping might just be marking things as secret if they’re constructed with a secret (`config.requireSecret("secret-db-password")` in this case), however this doesn’t seem to be the case given that the `databaseUser` output isn’t marked as `[secret]`. Any idea what might be happening here? Is this behaviour unique to the output of kubernetes deployments?
w
Since databaseUser is based on the `name` property of `dbUser` it is not marked as a secret. As you noted the password is marked as a secret due to its origin as `config.requireSecret`. If you want `databaseUser` to be secret, you can programmatically mark it as such using `databaseUser = pulumi.secret(dbUser.name)` See: https://www.pulumi.com/docs/intro/concepts/secrets/# Or, use the `additionalSecretOutputs` resource option for the `name` property of `dbUser` as per: https://www.pulumi.com/docs/intro/concepts/resources/options/additionalsecretoutputs/
l
Thanks for the reply @witty-candle-66007! I might not have been clear in my original post. The `name` property of `dbUser` not being marked as secret actually makes sense to me! It’s the `deployment.metadata.name` property being marked as secret that’s giving me a bit of confusion - I don’t want it to be outputting as a secret and I’m not sure why it is. I know that one workaround would be to surround it in a `pulumi.unsecret()` but that feels somewhat hacky, and it’d simply be a bandaid fix over an underlying mechanism I’d rather understand.
w
Ah - yes - I didn’t read your original post closely enough. Sorry about that. I am a bit surprised as well, tbh, that the `deployment.metadata.name` is marked as a secret like that. Let me ask the team about that.
OK - spoke to engineering and there is an issue tracking this: https://github.com/pulumi/pulumi-kubernetes/issues/787 In case it helps, they also suggested:
```
I would recommend not putting secret values directly in the Deployment spec, and instead using a k8s core.v1/Secret for that. This code isn't good practice for k8s

You can reference the k8s Secret in the env instead, and then it won't show up in plaintext in k8s manifests
```
l
Of course, another fun Kubernetes quirk to add to my list 🥲 Thanks a bunch for your help @witty-candle-66007!