https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# typescript
s
This message was deleted.
w
Since databaseUser is based on the 
name
property of 
dbUser
it is not marked as a secret. As you noted the password is marked as a secret due to its origin as 
config.requireSecret
. If you want 
databaseUser
to be secret, you can programmatically mark it as such using 
databaseUser = pulumi.secret(dbUser.name)
See: https://www.pulumi.com/docs/intro/concepts/secrets/# Or, use the 
additionalSecretOutpus
resource option for the 
name
property of 
dbUser
as per: https://www.pulumi.com/docs/intro/concepts/resources/options/additionalsecretoutputs/
l
Thanks for the reply @witty-candle-66007! I might not have been clear in my original post. The 
name
property of 
dbUser
not being marked as secret actually makes sense to me! It’s the 
deployment.metadata.name
property being marked as secret that’s giving me a bit of confusion - I don’t want it to be outputting as a secret and I’m not sure why it is. I know that one workaround would be to surround it in a 
pulumi.unsecret()
but that feels somewhat hacky, and it’d simply be a bandaid fix over an underlying mechanism I’d rather understand.
w
Ah - yes - I didn’t read your original post closely enough. Sorry about that. I am a bit surprised as well, tbh, that the 
deployment.metadata.name
is marked as a secret like that. Let me ask the team about that.
👍 1
OK - spoke to engineering and there is an issue tracking this: https://github.com/pulumi/pulumi-kubernetes/issues/787 In case it helps, they also suggested:
Copy code
I would recommend not putting secret values directly in the Deployment spec, and instead using a k8s core.v1/Secret for that. This code isn't good practice for k8s

You can reference the k8s Secret in the env instead, and then it won't show up in plaintext in k8s manifests
l
Of course, another fun Kubernetes quirk to add to my list 🥲 Thanks a bunch for your help @witty-candle-66007!
3 Views
Open in Slack
PreviousNext
Powered by