Hi all! I’m struggling to get Pulumi to ignore a s...
# kubernetes
s
Hi all! I’m struggling to get Pulumi to ignore a secret created by a Helm chart. I’m not sure what to put in the ignoreChanges list? I’ve tried these without any success:
ignoreChanges: ['data', 'data.token', 'metadata.managedFields[*]'],
kubernetes:helm.sh/v3:Chart$kubernetes:core/v1:Secret (datadog/datadog-agent-cluster-agent)
++ kubernetes:core/v1:Secret (create-replacement)
    [id=datadog/datadog-agent-cluster-agent]
    [urn=urn:pulumi:development::eks-cluster::kubernetes:helm.sh/v3:Chart$kubernetes:core/v1:Secret::datadog/datadog-agent-cluster-agent]
    __fieldManager     : "pulumi-kubernetes-db5ac33a" => "pulumi-kubernetes-c6b496ec"
    metadata           : {
        managedFields    : [
            [0]: {
                fieldsV1  : {
                    f:data    : {
                        f:token: {}
                    }
                }
            }
            [1]: {
                apiVersion: "v1"
                fieldsType: "FieldsV1"
                fieldsV1  : {
                    f:data    : {
                        f:token: {}
                    }
                    f:metadata: {
                        f:labels: {
                            f:app.kubernetes.io/instance  : {}
                            f:app.kubernetes.io/managed-by: {}
                            f:app.kubernetes.io/name      : {}
                            f:app.kubernetes.io/version   : {}
                            f:helm.sh/chart               : {}
                        }
                    }
                    f:type    : {}
                }
                manager   : "pulumi-kubernetes-c6b496ec"
                operation : "Apply"
                time      : "2022-12-22T22:24:32Z"
            }
        ]
    }
m
Hi, don't use the secret generation inside the Helm chart. Create the secret beforehand (via Pulumi Secret resource) and pass the secret to the Datadog Helm Chart (look for values like existingSecret or secretRef).
s
Hmm I don’t care about this secret (it’s for DD internal communication) and I believe DD Helm chart does its own secret rotation. It’s counter-intuitive to generate my own for something internal to DD
g
You can drop the secret entirely using a transformation. There’s an example of that in the API docs: https://www.pulumi.com/registry/packages/kubernetes/api-docs/helm/v3/chart/#chart-with-transformations