sparse-intern-71089
06/29/2022, 8:11 AM
witty-candle-66007
06/29/2022, 3:31 PM
name property of dbUser it is not marked as a secret.
As you noted the password is marked as a secret due to its origin as config.requireSecret.
If you want databaseUser to be secret, you can programmatically mark it as such using databaseUser = pulumi.secret(dbUser.name)
See: https://www.pulumi.com/docs/intro/concepts/secrets/#
Or, use the additionalSecretOutputs resource option for the name property of dbUser as per:
https://www.pulumi.com/docs/intro/concepts/resources/options/additionalsecretoutputs/
limited-laptop-54862
06/29/2022, 4:20 PM
name property of dbUser not being marked as secret actually makes sense to me! It’s the deployment.metadata.name property being marked as secret that’s giving me a bit of confusion - I don’t want it to be outputting as a secret and I’m not sure why it is. I know that one workaround would be to surround it in a pulumi.unsecret() but that feels somewhat hacky, and it’d simply be a bandaid fix over an underlying mechanism I’d rather understand.
witty-candle-66007
06/29/2022, 4:47 PM
deployment.metadata.name is marked as a secret like that. Let me ask the team about that.
witty-candle-66007
06/29/2022, 5:02 PM
I would recommend not putting secret values directly in the Deployment spec, and instead using a k8s core.v1/Secret for that. This code isn't good practice for k8s.
You can reference the k8s Secret in the env instead, and then it won't show up in plaintext in k8s manifests.
limited-laptop-54862
06/30/2022, 8:36 AM