
When using vault kubernetes, the inputs.tokenReviewerJwt field in the stack checkpoint JSON is not encrypted

Open kindy opened this issue 9 months ago • 2 comments

What happened?

As the title says.

Example

steps:

  1. install pulumi
    • pulumi version -> v3.111.1
  2. setup pulumi project
    • check Pulumi.yaml
    • check go.mod for module version
    • check main.go
  3. init stack dev, with pass dev
    • config token with --secret (value k0-jwt-token)
    • pulumi config set k8s.clusters.k0.token k0-jwt-token -s dev --secret --path
    • check Pulumi.dev.yaml
  4. run vault: vault server -dev -dev-root-token-id="dev-root"
  5. pulumi up -s dev (pass dev)
  6. open .state/.pulumi/stacks/pulumi-vault-test-02/dev.json
    • k0-jwt-token is searchable

code.tar.gz

Output of pulumi about

$ pulumi about 
CLI          
Version      3.111.1
Go Version   go1.22.1
Go Compiler  gc

Plugins
NAME   VERSION
go     unknown
vault  4.6.0

Host     
OS       darwin
Version  12.6
Arch     x86_64

This project is written in go: executable='/[***]/go/bin/go' version='go version go1.22.1 darwin/amd64'

Backend        
Name           M[***]V
URL            file://.state
User           q[***]
Organizations  
Token type     personal

Dependencies:
NAME                                   VERSION
github.com/pulumi/pulumi-vault/sdk/v4  v4.6.0
github.com/pulumi/pulumi/sdk/v3        v3.52.1

Pulumi locates its logs in /var/folders/_[***]p/T/ by default
warning: Failed to get information about the current stack: No current stack

Additional context

No response


kindy avatar Apr 25 '24 14:04 kindy

Hi @kindy, sorry for the trouble and long delay getting back to you! Thanks for your patience.

When you read the config into your program with cfg.RequireObject, the values will be in plaintext. When passing those plaintext values as inputs elsewhere, the system won't know that they are secret values.

If you use cfg.RequireSecretObject instead, the secretness would be maintained, but you'd have to access the value inside an Apply. Since you're using the value in a loop to create resources, I wouldn't recommend that: we generally don't recommend creating resources inside an Apply because it can make previews unreliable.

Instead, in this case, I'd suggest continuing to use cfg.RequireObject, but explicitly making any values secret that should be secret when passed as inputs to other resources.

For example, instead of:

TokenReviewerJwt:     pulumi.StringPtr(cfg.Token),

explicitly make it a secret:

TokenReviewerJwt:     pulumi.ToSecret(pulumi.StringPtr(cfg.Token)).(pulumi.StringPtrOutput),

justinvp avatar May 06 '24 06:05 justinvp
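As an added check that is not code from the issue, from Pulumi or from either commenter: a small Go scanner that parses a file-backend stack checkpoint such as the dev.json from step 6 and reports where a given secret plaintext (e.g. k0-jwt-token) appears unencrypted, versus where a value is stored as an encrypted secret. It assumes the secret marker pair Pulumi writes into checkpoints (taken from the Pulumi SDK, not from this page) and simply walks the whole JSON tree, so resource inputs and outputs are both covered.

```go
package main

import (
	"encoding/json"
	"strconv"
	"strings"
)

// Marker pair Pulumi writes on encrypted secrets in checkpoint JSON (assumed from
// the Pulumi SDK's secret signature; the issue itself does not quote it).
const sigKey, secretSig = "4dabf18193072939515e22adb298388d", "1b47061264138c4ac30d75fd1eb23c2c"

// Report lists JSON paths where a known secret appears in plaintext (Leaks) and
// paths holding encrypted secrets (Encrypted), the state the reporter expected.
type Report struct{ Leaks, Encrypted []string }

// ScanCheckpoint parses a stack checkpoint (e.g. .pulumi/stacks/<project>/<stack>.json)
// and checks every string value against the given secret plaintexts.
func ScanCheckpoint(data []byte, secrets []string) (*Report, error) {
	var root interface{}
	if err := json.Unmarshal(data, &root); err != nil {
		return nil, err
	}
	r := &Report{}
	r.walk("$", root, secrets)
	return r, nil
}

func (r *Report) walk(path string, v interface{}, secrets []string) {
	switch t := v.(type) {
	case map[string]interface{}:
		if t[sigKey] == secretSig { // ciphertext only: nothing to compare against
			r.Encrypted = append(r.Encrypted, path)
			return
		}
		for k, c := range t {
			r.walk(path+"."+k, c, secrets)
		}
	case []interface{}:
		for i, c := range t {
			r.walk(path+"["+strconv.Itoa(i)+"]", c, secrets)
		}
	case string:
		for _, s := range secrets {
			if s != "" && strings.Contains(t, s) {
				r.Leaks = append(r.Leaks, path)
			}
		}
	}
}
```

Call ScanCheckpoint on the bytes of dev.json with the plaintext values of your --secret config entries; after the pulumi.ToSecret change above, the expected result is an empty Leaks list and the tokenReviewerJwt path listed under Encrypted.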

Hi @justinvp, thanks for the reply, it helps a lot.

One more question: if a user configures some field/value as secret in the stack config, should Pulumi mark the value as secret automatically?

pulumi config set a.b.c some-value --secret --path

kindy avatar May 17 '24 06:05 kindy

The config value will be stored encrypted as a secret. But when you read it into the program, it's on you to ensure it's read-in as a secret via RequireSecretObject so that when it is passed elsewhere, the secretness flows with it.

justinvp avatar Jun 08 '24 17:06 justinvp