2

I have a service with an inline plaintext config that requires certain information that is stored in Kubernetes secrets. What @pulumi/kubernetes API method can be used to access raw kubernetes secret values?

Korede Aderele
  • 157
  • 3
  • 9

3 Answers

5

Use k8s.core.v1.Secret.get(pulumiName, secretName) (secretName can contain the namespace/ as prefix).

Every Pulumi resource has a get() method.

For example: Get the token from a kubernetes.io/service-account-token:

import * as k8s from "@pulumi/kubernetes";

// Shape of a Secret's `data` map: key -> base64-encoded value.
type KubernetesSecretData = { [key: string]: string }

const namespace = 'kube-public'
const secretName = 'default-token-tdcdz'

// Secret.get() reads an object that already exists in the cluster; the second
// argument is the object id in "<namespace>/<name>" form. data.apply() runs once
// the value resolves. The value returned here is still base64-encoded.
export const token =
    k8s.core.v1.Secret.get('testSecret', `${namespace}/${secretName}`)
        .data.apply(v => {
            return (<KubernetesSecretData> v)["token"]
        })
Dominik
  • 2,283
  • 1
  • 25
  • 37
  • The token value is base64 encoded (today) so you need to do a `return Buffer.from(v["token"], 'base64').toString('ascii');` if you want the secret value decoded in your pulumi outputs. – Dave White Nov 07 '20 at 18:56
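An added example, not part of this answer or of Pulumi's SDK, for the step the comment above describes: taking the `data` map that `k8s.core.v1.Secret.get(...).data` resolves to and turning it into plaintext safely. It assumes Node's `Buffer` is available and that the map has the same shape as `kubectl get secret -o yaml` shows (key to padded base64 string); the sample secret and the key names `namespace`, `token` and `ca.crt` are constructed for illustration. Errors name only keys, never values, so they can be printed in CI logs without leaking anything.

```typescript
/** Shape of a Kubernetes Secret's `data` map: key -> base64-encoded value
 *  (the same shape k8s.core.v1.Secret.get(...).data resolves to). */
export type KubernetesSecretData = { [key: string]: string };

/**
 * Strict base64 check. Buffer.from(s, "base64") silently drops characters it
 * does not understand, so a corrupted value would "decode" to garbage instead
 * of failing; round-tripping catches that. Kubernetes emits padded standard
 * base64 (Go's encoding/base64.StdEncoding), which is what this accepts.
 */
export function isStrictBase64(s: string): boolean {
  if (s === "") return true;
  return Buffer.from(s, "base64").toString("base64") === s;
}

/** Keys that a plaintext config needs but the Secret does not carry. */
export function missingKeys(data: KubernetesSecretData | undefined, required: string[]): string[] {
  return required.filter((k) => !data || !(k in data)).sort();
}

/**
 * Decode one key of a Secret `data` map. Error messages mention the requested
 * key and the keys that exist, never a value, so they are safe to log.
 */
export function decodeSecretKey(data: KubernetesSecretData | undefined, key: string): string {
  if (!data || !(key in data)) {
    const available = data ? Object.keys(data).sort().join(", ") : "(secret has no data field)";
    throw new Error(`secret has no key "${key}"; available keys: ${available}`);
  }
  const encoded = data[key];
  if (!isStrictBase64(encoded)) {
    throw new Error(`value for key "${key}" is not valid base64`);
  }
  return Buffer.from(encoded, "base64").toString("utf8");
}

/** Decode every key of a Secret `data` map into plaintext. */
export function decodeSecretData(data: KubernetesSecretData | undefined): KubernetesSecretData {
  const out: KubernetesSecretData = {};
  for (const key of Object.keys(data ?? {})) {
    out[key] = decodeSecretKey(data, key);
  }
  return out;
}

/** Constructed sample (fake values) in the shape of a service-account token
 *  Secret's `data` field. The `token` value is not a real JWT. */
export const sampleSecretData: KubernetesSecretData = {
  namespace: Buffer.from("kube-public").toString("base64"), // a3ViZS1wdWJsaWM=
  token: Buffer.from("eyJhbGciOiJSUzI1NiJ9.fake.token").toString("base64"),
};
```

In a Pulumi program the call goes inside the `apply`, for example `secret.data.apply(d => decodeSecretKey(d, "token"))`, and the result should be wrapped in `pulumi.secret(...)` before being exported or fed into a plaintext config: Pulumi then encrypts that value in the state file and `pulumi stack output` masks it unless `--show-secrets` is passed. Running `missingKeys` first gives a fail-fast error that lists what the config expected instead of a half-rendered file.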
0

The short answer is that I think it doesn't let you see a secret but use a reference where you want to use it: Deployments, StatefulSets, DaemonSets, Pods, etc. It would make sense from the security point of view.

You can see an example of creating a secret here

Rico
  • 58,485
  • 12
  • 111
  • 141
  • This is pretty much correct. You can also use `export const secretData = secret.data;`, which will provide it as a "stack output", allowing you to run `pulumi stack output secretData`, which will print the base64-encoded secret to stdout. Obviously: PLEASE BE CAREFUL, as this data is obviously supposed to be secret. :) – apc Sep 26 '18 at 22:27
  • Got it. The problem is that I can't then use those references in a plain-text config... I suppose the solution is to have pulumi config secrets be the origin of those values that are then set in kubernetes, but my current setup is just reading those values from the selected cluster on my machine (by reference as you have mentioned). – Korede Aderele Sep 26 '18 at 23:39
0

That API looks like it mirrors the Kubernetes API, and in particular there is a core/v1.Secret object that includes the secret data. The values are base64-encoded.

(Unless RBAC forbids it, you can generally kubectl get secret -o yaml secretname to see the same thing...Kubernetes secrets are only so secret.)

If you're running this in the context of a service it's probably easier to launch the service with environment variables set from the relevant secret values, using a YAML fragment like

env:
- name: SECRET_USERNAME
  valueFrom:
    secretKeyRef:
      name: test-secret
      key: username
David Maze
  • 130,717
  • 29
  • 175
  • 215
  • Thanks. More specifically, what I'm looking for is the method that returns one of those core/v1.Secret objects based on the current cluster in the environment. – Korede Aderele Sep 26 '18 at 23:29
  • I see. Reading the documentation a little more this looks a little outside its core model, and @Rico's answer is much closer to an actual answer, unless declaring a secret reference in an object you're creating via Pulumi will work for you (that is: don't try to retrieve the secret at all, but tell Kubernetes that you'd like to have it injected for you). – David Maze Sep 27 '18 at 00:09
  • This is right. Pulumi's SDK is generated from the Kubernetes OpenAPI spec, so the API is identical. – apc Sep 27 '18 at 17:53
  • This doesn't actually answer the question about how to do this via pulumi. @Dominik's answer is right. – Dave White Nov 07 '20 at 18:58