limited-laptop-54862
06/29/2022, 8:11 AM
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";

let config = new pulumi.Config();

const dbUser = new gcp.sql.User(
  "users",
  {
    name: "testUser",
    instance: "my-instance",
    password: config.requireSecret("secret-db-password"),
  }
);

const deployment = new k8s.apps.v1.Deployment("my-test-app", {
  apiVersion: "apps/v1",
  kind: "Deployment",
  metadata: {
    name: "my-test-app",
  },
  spec: {
    selector: {
      matchLabels: {
        app: "my-test-app",
      },
    },
    template: {
      spec: {
        containers: [
          {
            env: [
              {
                name: "SECRET_DB_PASS",
                value: config.requireSecret("secret-db-password"),
              },
            ],
            name: "my-test-app",
          },
        ],
      },
    },
  },
});

export const databaseUser = dbUser.name;
export const deploymentName = deployment.metadata.name;
I’m trying to figure out why the deploymentName output is marked as [secret] while the databaseUser output isn’t. My original assumption was that Pulumi’s Output unwrapping might just be marking things as secret if they’re constructed with a secret (config.requireSecret("secret-db-password") in this case), however this doesn’t seem to be the case given that the databaseUser output isn’t marked as [secret]. Any idea what might be happening here? Is this behaviour unique to the output of kubernetes deployments?
witty-candle-66007
06/29/2022, 3:31 PM
name property of dbUser it is not marked as a secret.
As you noted the password is marked as a secret due to its origin as config.requireSecret.
If you want databaseUser to be secret, you can programmatically mark it as such using
databaseUser = pulumi.secret(dbUser.name)
See: https://www.pulumi.com/docs/intro/concepts/secrets/#
Or, use the additionalSecretOutputs resource option for the name property of dbUser as per:
https://www.pulumi.com/docs/intro/concepts/resources/options/additionalsecretoutputs/
limited-laptop-54862
06/29/2022, 4:20 PM
name property of dbUser not being marked as secret actually makes sense to me! It’s the deployment.metadata.name property being marked as secret that’s giving me a bit of confusion - I don’t want it to be outputting as a secret and I’m not sure why it is. I know that one workaround would be to surround it in a pulumi.unsecret() but that feels somewhat hacky, and it’d simply be a bandaid fix over an underlying mechanism I’d rather understand.
witty-candle-66007
06/29/2022, 4:47 PM
deployment.metadata.name is marked as a secret like that. Let me ask the team about that.
I would recommend not putting secret values directly in the Deployment spec, and instead using a k8s core.v1/Secret for that. This code isn't good practice for k8s
You can reference the k8s Secret in the env instead, and then it won't show up in plaintext in k8s manifests
limited-laptop-54862
06/30/2022, 8:36 AM