
Pulumi preview/up --diff for kubernetes resources does not display diffs of properties in the same level of nesting if one references a fully-encrypted resource by its name


Pulumi preview/up --diff does not display diffs of properties in the same level of nesting if one references a fully-encrypted resource by its name (or likely any other of its properties).

Expected behavior

If I change a deployment image I expect to see:

      ~ spec: {
          ~ template: {
              ~ spec: {
                  ~ containers: [
                      ~ [0]: {
                            ~ image: "oldimagename" => "newimagename"
                            }
                    ]
                }
            }
        }

Current behavior

If I change a deployment image I actually see:

    ~ kubernetes:apps/v1:Deployment: (update)
      ~ spec: {
          ~ template: {
              ~ spec: {
                  ~ containers: [
                      ~ [0]: {
                            }
                    ]
                }
            }
        }

Steps to reproduce

Create these resources

import * as pulumi from "@pulumi/pulumi";
import { Secret } from "@pulumi/kubernetes/core/v1";
import { Deployment } from "@pulumi/kubernetes/apps/v1";

// Secret whose stringData is marked secret via pulumi.secret()
const secret = new Secret("secret", {
  stringData: {
    LALALA: pulumi.secret("lalalala"),
  },
})

// Deployment that references the Secret by name through envFrom
const deployment = new Deployment("nginx", {
  metadata: {
    name: "nginx",
  },
  spec: {
    replicas: 1,
    selector: {
      matchLabels: { app: "nginx" },
    },
    template: {
      metadata: {
        labels: { app: "nginx" },
      },
      spec: {
        containers: [
          {
            envFrom: [
              {
                secretRef: { name: secret.metadata.name },
              },
            ],
            env: [
              {
                name: "LOLOLO",
                value: "lolololo",
              },
            ],
            name: "nginx",
            image: "nginx",
          },
        ],
      },
    },
  },
})

Then change "lolololo" to any other string. See that the preview diff does not contain useful info.

Then remove the line secretRef: { name: secret.metadata.name }, and apply the change. Then change the env var in the deployment again and see that the diff now displays correctly.

Workaround

Wrap the “false” secrets in unsecret()

Issue Analytics

  • State: open
  • Created 2 years ago
  • Reactions: 3
  • Comments: 13 (6 by maintainers)

Top GitHub Comments

3 reactions
lblackstone commented, Jun 16, 2021

Sorry for the delay. This is still high on the priority list, and I expect to continue work on it soon.

2 reactions
lblackstone commented, Dec 2, 2021

@aaronlevy It’s still in progress, but my understanding is that you can use the unsecret() function around any .metadata.name reference to work around in the meantime.

The reason this is happening is fairly involved:

  1. Pulumi’s k8s provider currently uses the last-applied-configuration annotation (issue #1659)
  2. For Secret resources, we automatically encrypt inputs to avoid leaking sensitive values into the state and that annotation.
  3. Any secret value in a map or array causes Pulumi to treat the entire map or array as secret since the ordering is indeterminate.
  4. As a result of (3), if the last-applied-configuration annotation contains a secret value, then all of the other metadata is also marked as secret. This includes the .metadata.name property.
  5. If another resource references the .metadata.name property, then it transitively becomes secret as well. This unfortunately leads to the poor diff behavior you’re seeing since every field in the spec map becomes a “secret”.
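The propagation rules lblackstone lists (3 to 5) and the unsecret() workaround from the issue body, as an added TypeScript model that is neither Pulumi's code nor the issue author's: it resolves a property tree, marks any map or array that contains a secret as secret, renders a preview-style diff that cannot enter a secret container, and compares the Deployment from the issue with and without unsecret() around the Secret's name. secret(), unsecret(), SecretValue, resolve() and renderDiff() are this example's own stand-ins for Pulumi's behaviour, and the last-applied-configuration JSON is a constructed value. The model stops at the first secret container (the top-level spec here), whereas the real preview shown above still prints the path down to [0]; the practical effect, no property-level change being shown, is the same.

```typescript
// Added model of the secret-propagation rules from the comment above; not Pulumi's code.
type Plain = string | number | boolean | null | Plain[] | { [k: string]: Plain };

// Stand-in for a secret Pulumi Output; only the "is it secret" bit is modelled.
class SecretValue {
  constructor(public readonly value: Plain) {}
}
type Prop = Plain | SecretValue | Prop[] | { [k: string]: Prop };
const secret = (v: Plain): SecretValue => new SecretValue(v);

// The workaround from the issue: strip the secret marker so the value no longer poisons containers.
function unsecret(v: Prop): Plain {
  if (v instanceof SecretValue) return v.value;
  if (Array.isArray(v)) return (v as Prop[]).map(unsecret);
  if (v !== null && typeof v === "object") {
    const obj = v as { [k: string]: Prop }, out: { [k: string]: Plain } = {};
    for (const k of Object.keys(obj)) out[k] = unsecret(obj[k]);
    return out;
  }
  return v as Plain;
}

// Resolved node: a map or array is secret as soon as any child is (rule 3).
interface Resolved { secret: boolean; scalar?: Plain; items?: Resolved[]; fields?: { [k: string]: Resolved } }
function resolve(p: Prop): Resolved {
  if (p instanceof SecretValue) return { ...resolve(p.value), secret: true };
  if (Array.isArray(p)) {
    const items = (p as Prop[]).map(resolve);
    return { secret: items.some((i) => i.secret), items: items };
  }
  if (p !== null && typeof p === "object") {
    const obj = p as { [k: string]: Prop }, fields: { [k: string]: Resolved } = {};
    for (const k of Object.keys(obj)) fields[k] = resolve(obj[k]);
    return { secret: Object.keys(fields).some((k) => fields[k].secret), fields: fields };
  }
  return { secret: false, scalar: p as Plain };
}

function toPlain(n: Resolved): Plain {
  if (n.items) return n.items.map(toPlain);
  if (n.fields) {
    const f = n.fields, out: { [k: string]: Plain } = {};
    for (const k of Object.keys(f)) out[k] = toPlain(f[k]);
    return out;
  }
  return n.scalar === undefined ? null : n.scalar;
}
const show = (n: Resolved): string => JSON.stringify(toPlain(n));

// Preview-style "~ key: old => new" diff. A changed container that is secret is
// printed as "[secret]" and never entered, which is rules 4 and 5 in effect.
function renderDiff(oldN: Resolved, newN: Resolved, key: string, indent: string): string[] {
  if (show(oldN) === show(newN)) return [];
  if (oldN.secret || newN.secret) return [indent + "~ " + key + ": [secret]"];
  const inner = indent + "    ", oldF = oldN.fields, newF = newN.fields;
  if (oldF && newF && Object.keys(oldF).join() === Object.keys(newF).join()) {
    const lines = [indent + "~ " + key + ": {"];
    for (const k of Object.keys(newF)) lines.push(...renderDiff(oldF[k], newF[k], k, inner));
    return lines.concat([indent + "  }"]);
  }
  const oldI = oldN.items, newI = newN.items;
  if (oldI && newI && oldI.length === newI.length) {
    const lines = [indent + "~ " + key + ": ["];
    for (let i = 0; i < newI.length; i++) lines.push(...renderDiff(oldI[i], newI[i], "[" + i + "]", inner));
    return lines.concat([indent + "  ]"]);
  }
  return [indent + "~ " + key + ": " + show(oldN) + " => " + show(newN)]; // scalar or shape change
}

// The Deployment inputs from the issue, with the Secret name reference injected.
function deploymentSpec(secretName: Prop, envValue: string): Prop {
  const container: Prop = {
    envFrom: [{ secretRef: { name: secretName } }],
    env: [{ name: "LOLOLO", value: envValue }],
    name: "nginx", image: "nginx",
  };
  return {
    replicas: 1, selector: { matchLabels: { app: "nginx" } },
    template: { metadata: { labels: { app: "nginx" } }, spec: { containers: [container] } },
  };
}

// Why secret.metadata.name is secret: the last-applied-configuration annotation embeds the
// encrypted stringData (constructed JSON below), so rule 3 taints annotations, metadata, then name.
function secretMetadataName(): Prop {
  const metadata = resolve({
    name: "secret",
    annotations: { "kubectl.kubernetes.io/last-applied-configuration": secret('{"stringData":{"LALALA":"lalalala"}}') },
  });
  const nameNode = metadata.fields ? metadata.fields["name"] : undefined;
  const plainName: Plain = nameNode && nameNode.scalar !== undefined ? nameNode.scalar : null;
  return metadata.secret ? new SecretValue(plainName) : plainName; // rule 5: a field of a secret map is secret
}

function previewDiff(secretName: Prop, oldEnv: string, newEnv: string): string[] {
  return renderDiff(resolve(deploymentSpec(secretName, oldEnv)), resolve(deploymentSpec(secretName, newEnv)), "spec", "");
}

const nameRef = secretMetadataName();
const brokenDiff = previewDiff(nameRef, "lolololo", "lolololo2"); // bug: only "~ spec: [secret]"
const fixedDiff = previewDiff(unsecret(nameRef), "lolololo", "lolololo2"); // workaround: env change visible
console.log(brokenDiff.join("\n") + "\n\n" + fixedDiff.join("\n"));
```

Running it prints the collapsed diff first and then the full one, where the env value change appears as `~ value: "lolololo" => "lolololo2"`. The design point is that secretness is decided per container, not per leaf, so the only lever the caller has is the reference itself: unsecret() removes the taint before it enters the Deployment's property tree, which is exactly the trade-off the workaround makes (the Secret's name is no longer treated as sensitive in the Deployment's state).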
