straight-crowd-1391
07/25/2022, 11:28 PM
$ pulumi config set --secret pulumi-product-k8s-minikube:db_user_password letmein
const user = new postgresql.Role("product_admin_user", {
    createDatabase: true,
    login: true,
    name: "product_admin_user",
    password: config.requireSecret("db_user_password")
});
const productSecretMap = new k8s.core.v1.Secret("product-api-secrets", {
    metadata: {
        namespace: productNamespace.metadata.name
    },
    data: {
        database_password: config.requireSecret("db_user_password").apply(val => val)
    }
});
Problem is, the k8s Secret needs the base64 encoded value that, I think, is being retrieved as the salt encoded value from the config.
What exactly is the standard practice here (aside from using a secret manager) to transfer the database password from the config to both the Database Role and Kubernetes Secret?
I figured I could store 2 password values (one base64, the other in the salt encoded) but it doesn’t feel right.
billowy-army-68599
07/25/2022, 11:35 PM
apply
or use stringData
which will base64 encode it for you
https://www.pulumi.com/registry/packages/kubernetes/api-docs/core/v1/secret/#stringdata_nodejs
straight-crowd-1391
07/25/2022, 11:37 PM