
Secrets are exposed if secret creation fails

Open mastoj opened this issue 3 years ago • 7 comments

What happened?

I have a Kubernetes secret that I tried to create, and I think it failed due to unescaped characters in the secret. It is fine that it fails, but it isn't fine that the secrets are exposed, as I experienced now.

Steps to reproduce

Not sure what failed when I created the secret, but I think it was a secret that had "!" in it, which probably should be escaped (not sure).

Expected Behavior

An error should be logged, but none of the values in the secret should be logged to the screen.

Actual Behavior

The secrets were logged.

Output of pulumi about

Running on github actions. So it is the version there.

Additional context

No response


mastoj avatar Sep 08 '22 11:09 mastoj

Hi @mastoj

Do you mean via the pulumi CLI using something like pulumi config set X Y --secret ?

Paul

stack72 avatar Sep 08 '22 12:09 stack72

Hello @stack72, I mean when creating a kubernetes.core.v1.Secret secret. I think my problem wasn't unescaped characters, it was me trying to use the value from a stack output directly that returned a number.

Here is my resource that I think failed:

import * as kubernetes from "@pulumi/kubernetes";

const appSecrets = new kubernetes.core.v1.Secret(
    secretName,
    {
        metadata: {
            name: secretName,
        },
        stringData: {
            [apiAppSecretKey]: apiAdAppSettings.clientSecret,
            [productApiKey]: productApiConfig.require("apiKey"),
            [productApiBaseUrlKey]: productApiConfig.require("baseUrl"),
            [dbHostKey]: infraStack.getOutput("dbHost"),
            [dbUserNameKey]: infraStack.getOutput("dbUserName"),
            [dbPasswordKey]: infraStack.getOutput("dbPassword"),
            [dbNameKey]: infraStack.getOutput("dbName"),
            // getOutput("dbPort") resolves to a number; stringData values must be strings
            [dbPortKey]: infraStack.getOutput("dbPort"),
        },
    },
    { provider: kubernetesProvider }
);

For it to fail I think infraStack.getOutput("dbPort") must return a number and not a string. To fix it I did an apply and toString().

mastoj avatar Sep 08 '22 12:09 mastoj

Can you post a fragment of the error message you mentioned that included the secret value?

viveklak avatar Sep 08 '22 18:09 viveklak

@viveklak sure

  kubernetes:core/v1:Secret (campusoffers-secret):
    error: resource iac-campusoffers/campusoffers-secret was not successfully created by the Kubernetes API server : Secret in version "v1" cannot be handled as a Secret: v1.Secret.StringData: ReadString: expects " or n, but found 5, error found in #10 byte of ...|db-port":5432,"db-us|..., bigger context ...|rd":"my super secret password","db-port":5432,"db-user":"docugen","product-api-base-url":"ht|...

mastoj avatar Sep 08 '22 19:09 mastoj
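The failure mode in the thread, as an added example that is not part of the issue or the pulumi-kubernetes project: a non-string value in stringData is serialized as a bare JSON number, the API server's strict decoder rejects it and echoes the surrounding payload, secret values included. The example assumes no Pulumi runtime; it shows a pre-flight check that reports only key names, the toString coercion fix from the thread, and a redaction pass over error text before it is logged. Sample values and the error string are constructed.

```typescript
// Added example, not code from the issue or the provider.
// Assumes plain TypeScript with no Pulumi runtime; the stringData object
// stands in for the resolved values of a kubernetes.core.v1.Secret.

type StringData = Record<string, unknown>;

// Report keys whose values are not strings. Only key names are returned,
// never values, so the result is safe to put in a log line.
function nonStringKeys(stringData: StringData): string[] {
  return Object.keys(stringData).filter(k => typeof stringData[k] !== "string");
}

// Coerce every value to a string, mirroring the `.apply(v => v.toString())`
// fix from the thread, so the manifest is valid for the API server.
function coerceStringData(stringData: StringData): Record<string, string> {
  const out: Record<string, string> = {};
  for (const [k, v] of Object.entries(stringData)) {
    out[k] = String(v);
  }
  return out;
}

// Replace each known secret value in an error message with a placeholder.
// Longest values first, so a short value cannot partially mask a longer one.
function redactSecrets(message: string, secretValues: string[]): string {
  const values = secretValues.slice()
    .filter(v => v.length > 0)
    .sort((a, b) => b.length - a.length);
  return values.reduce((m, v) => m.split(v).join("[REDACTED]"), message);
}

// Scrub every value of the Secret out of an API server error before logging.
function safeErrorMessage(err: string, stringData: StringData): string {
  return redactSecrets(err, Object.values(stringData).map(v => String(v)));
}

// Constructed sample mirroring the failing manifest: db-port is a number.
const sample: StringData = {
  "db-password": "example-password",
  "db-port": 5432,
  "db-user": "example-user",
};

// Constructed stand-in for the API server's decode error, which echoes the payload.
const apiError =
  'v1.Secret.StringData: ReadString: expects " or n, but found 5 ... ' +
  '|rd":"example-password","db-port":5432,"db-user":"example-user"|...';
```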

I believe this is coming straight from the API server, not something that the provider or Pulumi is doing. You could confirm by trying to provide that same payload using kubectl

viveklak avatar Sep 08 '22 19:09 viveklak

Might be so, but is there nothing to do to capture that and not print it if it is this specific resource? It is definitely unfortunate that it is being printed, especially given all the hard work you do in general to not print secrets.

mastoj avatar Sep 08 '22 19:09 mastoj

@mastoj From what I could see, it would be a little messy and brittle to handle this within the provider I feel. The better approach might be to file an issue with the api server itself which would be a lot more robust going forward.

viveklak avatar Sep 09 '22 16:09 viveklak