Automatically mark Secret data and stringData as secret

Pulumi can make fields in the state as secret to encrypt them in the checkpoint, and prevent them from appearing in plaintext. Kubernetes Secret resources are used to store secrets, so mark the relevant `data` and `stringData` fields as secret in Pulumi by default.
pulumi · Sep 13, 2019 · 1b3f01a · 1b3f01a
1 parent 0824fe8
commit 1b3f01a
Show file tree

Hide file tree

Showing 349 changed files with 1,936 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,10 @@
 - v1.14.x
 - v1.13.x
 
+### Improvements
+
+-   Automatically mark Secret data and stringData as secret. (https://github.com/pulumi/pulumi-kubernetes/pull/803).
+
 ## 1.0.1 (Septemeber 11, 2019)
 
 ### Supported Kubernetes versions

diff --git a/pkg/gen/nodejs-templates/kind.ts.mustache b/pkg/gen/nodejs-templates/kind.ts.mustache
@@ -72,6 +72,14 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              {{#AdditionalSecretOutputs}}
+              "{{.}}",
+              {{/AdditionalSecretOutputs}}
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super({{Kind}}.__pulumiType, name, props, opts);
       }
     }
diff --git a/pkg/gen/nodejs.go b/pkg/gen/nodejs.go
@@ -81,6 +81,7 @@ func NodeJSClient(swagger map[string]interface{}, templateDir string,
 						"Properties":              kind.Properties(),
 						"RequiredInputProperties": kind.RequiredInputProperties(),
 						"OptionalInputProperties": kind.OptionalInputProperties(),
+						"AdditionalSecretOutputs": kind.AdditionalSecretOutputs(),
 						"URNAPIVersion":           kind.URNAPIVersion(),
 						"Version":                 version.Version(),
 						"AwaitComment":            kind.awaitComment,

diff --git a/pkg/gen/python-templates/kind.py.mustache b/pkg/gen/python-templates/kind.py.mustache
@@ -76,6 +76,15 @@ class {{Kind}}(pulumi.CustomResource):
 
         __props__['status'] = None
 
+        additional_secret_outputs = [
+        {{#AdditionalSecretOutputs}}
+            "{{.}}",
+        {{/AdditionalSecretOutputs}}
+        ]
+
+        opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(
+            version=version.get_version(), additional_secret_outputs=additional_secret_outputs))
+
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(version=version.get_version()))
 
         super({{Kind}}, self).__init__(

diff --git a/pkg/gen/typegen.go b/pkg/gen/typegen.go
@@ -22,6 +22,7 @@ import (
 	"github.com/ahmetb/go-linq"
 	"github.com/jinzhu/copier"
 	"github.com/mitchellh/go-wordwrap"
+	"github.com/pulumi/pulumi-kubernetes/pkg/kinds"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/sets"
 
@@ -138,6 +139,7 @@ type KindConfig struct {
 	properties              []*Property
 	requiredInputProperties []*Property
 	optionalInputProperties []*Property
+	additionalSecretOutputs []string
 
 	gvk           *schema.GroupVersionKind // Used for sorting.
 	apiVersion    string
@@ -167,6 +169,10 @@ func (kc *KindConfig) RequiredInputProperties() []*Property { return kc.required
 // Kubernetes API kind (i.e., things that we will want to provide, like `thing.metadata`, etc.).
 func (kc *KindConfig) OptionalInputProperties() []*Property { return kc.optionalInputProperties }
 
+// AdditionalSecretOutputs returns the list of strings to set as additionalSecretOutputs on some
+// Kubernetes API kind.
+func (kc *KindConfig) AdditionalSecretOutputs() []string { return kc.additionalSecretOutputs }
+
 // APIVersion returns the fully-qualified apiVersion (e.g., `storage.k8s.io/v1` for storage, etc.)
 func (kc *KindConfig) APIVersion() string { return kc.apiVersion }
 
@@ -817,6 +823,7 @@ func createGroups(definitionsJSON map[string]interface{}, opts groupOpts) []*Gro
 					properties:              properties,
 					requiredInputProperties: requiredInputProperties,
 					optionalInputProperties: optionalInputProperties,
+					additionalSecretOutputs: additionalSecretOutputs(d.gvk),
 					gvk:                     &d.gvk,
 					apiVersion:              fqGroupVersion,
 					rawAPIVersion:           defaultGroupVersion,
@@ -889,3 +896,14 @@ func createGroups(definitionsJSON map[string]interface{}, opts groupOpts) []*Gro
 
 	return groups
 }
+
+func additionalSecretOutputs(gvk schema.GroupVersionKind) []string {
+	kind := kinds.Kind(gvk.Kind)
+
+	switch kind {
+	case kinds.Secret:
+		return []string{"data", "stringData"}
+	default:
+		return []string{}
+	}
+}
diff --git a/sdk/nodejs/admissionregistration/v1beta1/MutatingWebhookConfiguration.ts b/sdk/nodejs/admissionregistration/v1beta1/MutatingWebhookConfiguration.ts
@@ -93,6 +93,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(MutatingWebhookConfiguration.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/admissionregistration/v1beta1/MutatingWebhookConfigurationList.ts b/sdk/nodejs/admissionregistration/v1beta1/MutatingWebhookConfigurationList.ts
@@ -92,6 +92,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(MutatingWebhookConfigurationList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/admissionregistration/v1beta1/ValidatingWebhookConfiguration.ts b/sdk/nodejs/admissionregistration/v1beta1/ValidatingWebhookConfiguration.ts
@@ -93,6 +93,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ValidatingWebhookConfiguration.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/admissionregistration/v1beta1/ValidatingWebhookConfigurationList.ts b/sdk/nodejs/admissionregistration/v1beta1/ValidatingWebhookConfigurationList.ts
@@ -92,6 +92,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ValidatingWebhookConfigurationList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apiextensions/v1beta1/CustomResourceDefinition.ts b/sdk/nodejs/apiextensions/v1beta1/CustomResourceDefinition.ts
@@ -95,6 +95,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(CustomResourceDefinition.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apiextensions/v1beta1/CustomResourceDefinitionList.ts b/sdk/nodejs/apiextensions/v1beta1/CustomResourceDefinitionList.ts
@@ -89,6 +89,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(CustomResourceDefinitionList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apiregistration/v1/APIService.ts b/sdk/nodejs/apiregistration/v1/APIService.ts
@@ -94,6 +94,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(APIService.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apiregistration/v1/APIServiceList.ts b/sdk/nodejs/apiregistration/v1/APIServiceList.ts
@@ -87,6 +87,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(APIServiceList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apiregistration/v1beta1/APIService.ts b/sdk/nodejs/apiregistration/v1beta1/APIService.ts
@@ -94,6 +94,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(APIService.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apiregistration/v1beta1/APIServiceList.ts b/sdk/nodejs/apiregistration/v1beta1/APIServiceList.ts
@@ -87,6 +87,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(APIServiceList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1/ControllerRevision.ts b/sdk/nodejs/apps/v1/ControllerRevision.ts
@@ -105,6 +105,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ControllerRevision.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1/ControllerRevisionList.ts b/sdk/nodejs/apps/v1/ControllerRevisionList.ts
@@ -92,6 +92,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ControllerRevisionList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1/DaemonSet.ts b/sdk/nodejs/apps/v1/DaemonSet.ts
@@ -100,6 +100,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(DaemonSet.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1/DaemonSetList.ts b/sdk/nodejs/apps/v1/DaemonSetList.ts
@@ -92,6 +92,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(DaemonSetList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1/Deployment.ts b/sdk/nodejs/apps/v1/Deployment.ts
@@ -120,6 +120,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(Deployment.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1/DeploymentList.ts b/sdk/nodejs/apps/v1/DeploymentList.ts
@@ -91,6 +91,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(DeploymentList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1/ReplicaSet.ts b/sdk/nodejs/apps/v1/ReplicaSet.ts
@@ -101,6 +101,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ReplicaSet.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1/ReplicaSetList.ts b/sdk/nodejs/apps/v1/ReplicaSetList.ts
@@ -93,6 +93,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ReplicaSetList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1/StatefulSet.ts b/sdk/nodejs/apps/v1/StatefulSet.ts
@@ -114,6 +114,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(StatefulSet.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1/StatefulSetList.ts b/sdk/nodejs/apps/v1/StatefulSetList.ts
@@ -87,6 +87,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(StatefulSetList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1beta1/ControllerRevision.ts b/sdk/nodejs/apps/v1beta1/ControllerRevision.ts
@@ -108,6 +108,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ControllerRevision.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1beta1/ControllerRevisionList.ts b/sdk/nodejs/apps/v1beta1/ControllerRevisionList.ts
@@ -92,6 +92,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ControllerRevisionList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1beta1/Deployment.ts b/sdk/nodejs/apps/v1beta1/Deployment.ts
@@ -123,6 +123,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(Deployment.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1beta1/DeploymentList.ts b/sdk/nodejs/apps/v1beta1/DeploymentList.ts
@@ -91,6 +91,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(DeploymentList.__pulumiType, name, props, opts);
       }
     }
diff --git a/sdk/nodejs/apps/v1beta1/StatefulSet.ts b/sdk/nodejs/apps/v1beta1/StatefulSet.ts
@@ -117,6 +117,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(StatefulSet.__pulumiType, name, props, opts);
       }
     }