Automatically mark Secret data and stringData as secret

CHANGELOG.md

@@ -8,6 +8,7 @@
 
 ### Improvements
 
+-   Automatically mark Secret data and stringData as secret. (https://github.com/pulumi/pulumi-kubernetes/pull/803).
 -   Provide detailed error for removed apiVersions. (https://github.com/pulumi/pulumi-kubernetes/pull/809).
 
 ## 1.1.0 (September 18, 2019)

pkg/gen/additionalComments.go

@@ -23,39 +23,38 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 )
 
-func timeoutComment(kind kinds.Kind) string {
-	const timeoutOverride = `setting the 'customTimeouts' option on the resource.`
-
-	var v int
-	switch kind {
-	case kinds.Deployment:
-		v = await.DefaultDeploymentTimeoutMins
-	case kinds.Ingress:
-		v = await.DefaultIngressTimeoutMins
-	case kinds.Pod:
-		v = await.DefaultPodTimeoutMins
-	case kinds.Service:
-		v = await.DefaultServiceTimeoutMins
-	case kinds.StatefulSet:
-		v = await.DefaultStatefulSetTimeoutMins
-	default:
-		// No timeout defined for other resource Kinds.
-		return ""
-	}
-	timeoutStr := strconv.Itoa(v) + " minutes"
-
-	return fmt.Sprintf(`
-If the %s has not reached a Ready state after %s, it will
-time out and mark the resource update as Failed. You can override the default timeout value
-by %s`, kind, timeoutStr, timeoutOverride)
-}
-
 func awaitComments(kind kinds.Kind) string {
 	const preamble = `This resource waits until it is ready before registering success for
 create/update and populating output properties from the current state of the resource.
 The following conditions are used to determine whether the resource creation has
 succeeded or failed:
 `
+	timeoutComment := func(kind kinds.Kind) string {
+		const timeoutOverride = `setting the 'customTimeouts' option on the resource.`
+
+		var v int
+		switch kind {
+		case kinds.Deployment:
+			v = await.DefaultDeploymentTimeoutMins
+		case kinds.Ingress:
+			v = await.DefaultIngressTimeoutMins
+		case kinds.Pod:
+			v = await.DefaultPodTimeoutMins
+		case kinds.Service:
+			v = await.DefaultServiceTimeoutMins
+		case kinds.StatefulSet:
+			v = await.DefaultStatefulSetTimeoutMins
+		default:
+			// No timeout defined for other resource Kinds.
+			return ""
+		}
+		timeoutStr := strconv.Itoa(v) + " minutes"
+
+		return fmt.Sprintf(`
+If the %s has not reached a Ready state after %s, it will
+time out and mark the resource update as Failed. You can override the default timeout value
+by %s`, kind, timeoutStr, timeoutOverride)
+	}
 
 	comment := preamble
 	switch kind {
@@ -128,13 +127,34 @@ out. To work around this limitation, set 'pulumi.com/skipAwait: "true"' on
 	return comment
 }
 
-func AwaitComment(kind string) string {
+func helpfulLinkComments(kind kinds.Kind) string {
+	switch kind {
+	case kinds.Secret:
+		return `Note: While Pulumi automatically encrypts the 'data' and 'stringData'
+fields, this encryption only applies to Pulumi's context, including the state file, 
+the Service, the CLI, etc. Kubernetes does not encrypt Secret resources by default,
+and the contents are visible to users with access to the Secret in Kubernetes using
+tools like 'kubectl'.
+
+For more information on securing Kubernetes Secrets, see the following links:
+https://kubernetes.io/docs/concepts/configuration/secret/#security-properties
+https://kubernetes.io/docs/concepts/configuration/secret/#risks`
+	default:
+		return ""
+	}
+}
+
+// PulumiComment adds additional information to the docs generated automatically from the OpenAPI specs.
+// This includes information about Pulumi's await behavior, deprecation information, etc.
+func PulumiComment(kind string) string {
 	const prefix = "\n\n"
 
 	k := kinds.Kind(kind)
 	switch k {
 	case kinds.Deployment, kinds.Ingress, kinds.Job, kinds.Pod, kinds.Service, kinds.StatefulSet:
 		return prefix + awaitComments(k)
+	case kinds.Secret:
+		return prefix + helpfulLinkComments(k)
 	default:
 		return ""
 	}

pkg/gen/nodejs-templates/kind.ts.mustache

@@ -8,7 +8,7 @@ import * as outputs from "../../types/output";
 import { getVersion } from "../../version";
 
     /**
-     * {{{Comment}}}{{{AwaitComment}}}
+     * {{{Comment}}}{{{PulumiComment}}}
      */
     export class {{Kind}} extends pulumi.CustomResource {
       {{#Properties}}
@@ -72,6 +72,14 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              {{#AdditionalSecretOutputs}}
+              "{{.}}",
+              {{/AdditionalSecretOutputs}}
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super({{Kind}}.__pulumiType, name, props, opts);
       }
     }

pkg/gen/nodejs.go

@@ -81,9 +81,10 @@ func NodeJSClient(swagger map[string]interface{}, templateDir string,
 						"Properties":              kind.Properties(),
 						"RequiredInputProperties": kind.RequiredInputProperties(),
 						"OptionalInputProperties": kind.OptionalInputProperties(),
+						"AdditionalSecretOutputs": kind.AdditionalSecretOutputs(),
 						"URNAPIVersion":           kind.URNAPIVersion(),
 						"Version":                 version.Version(),
-						"AwaitComment":            kind.awaitComment,
+						"PulumiComment":           kind.pulumiComment,
 					})
 				if err != nil {
 					return "", "", "", "", "", nil, err

pkg/gen/python-templates/kind.py.mustache

@@ -13,7 +13,7 @@ from ... import tables, version
 
 class {{Kind}}(pulumi.CustomResource):
     """
-    {{{Comment}}}{{{AwaitComment}}}
+    {{{Comment}}}{{{PulumiComment}}}
     """
 
     apiVersion: pulumi.Output[str]
@@ -76,6 +76,15 @@ class {{Kind}}(pulumi.CustomResource):
 
         __props__['status'] = None
 
+        additional_secret_outputs = [
+        {{#AdditionalSecretOutputs}}
+            "{{.}}",
+        {{/AdditionalSecretOutputs}}
+        ]
+
+        opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(
+            version=version.get_version(), additional_secret_outputs=additional_secret_outputs))
+
         opts = pulumi.ResourceOptions.merge(opts, pulumi.ResourceOptions(version=version.get_version()))
 
         super({{Kind}}, self).__init__(

pkg/gen/typegen.go

@@ -22,6 +22,7 @@ import (
 	"github.com/ahmetb/go-linq"
 	"github.com/jinzhu/copier"
 	"github.com/mitchellh/go-wordwrap"
+	"github.com/pulumi/pulumi-kubernetes/pkg/kinds"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/sets"
 
@@ -134,10 +135,11 @@ func (vc *VersionConfig) RawAPIVersion() string { return vc.rawAPIVersion }
 type KindConfig struct {
 	kind                    string
 	comment                 string
-	awaitComment            string
+	pulumiComment           string
 	properties              []*Property
 	requiredInputProperties []*Property
 	optionalInputProperties []*Property
+	additionalSecretOutputs []string
 
 	gvk           *schema.GroupVersionKind // Used for sorting.
 	apiVersion    string
@@ -152,8 +154,8 @@ func (kc *KindConfig) Kind() string { return kc.kind }
 // Comment returns the comments associated with some Kubernetes API kind.
 func (kc *KindConfig) Comment() string { return kc.comment }
 
-// AwaitComment returns the await logic documentation associated with some Kubernetes API kind.
-func (kc *KindConfig) AwaitComment() string { return kc.awaitComment }
+// PulumiComment returns the await logic documentation associated with some Kubernetes API kind.
+func (kc *KindConfig) PulumiComment() string { return kc.pulumiComment }
 
 // Properties returns the list of properties that exist on some Kubernetes API kind (i.e., things
 // that we will want to `.` into, like `thing.apiVersion`, `thing.kind`, `thing.metadata`, etc.).
@@ -167,6 +169,10 @@ func (kc *KindConfig) RequiredInputProperties() []*Property { return kc.required
 // Kubernetes API kind (i.e., things that we will want to provide, like `thing.metadata`, etc.).
 func (kc *KindConfig) OptionalInputProperties() []*Property { return kc.optionalInputProperties }
 
+// AdditionalSecretOutputs returns the list of strings to set as additionalSecretOutputs on some
+// Kubernetes API kind.
+func (kc *KindConfig) AdditionalSecretOutputs() []string { return kc.additionalSecretOutputs }
+
 // APIVersion returns the fully-qualified apiVersion (e.g., `storage.k8s.io/v1` for storage, etc.)
 func (kc *KindConfig) APIVersion() string { return kc.apiVersion }
 
@@ -824,10 +830,11 @@ func createGroups(definitionsJSON map[string]interface{}, opts groupOpts) []*Gro
 					// NOTE: This transformation assumes git users on Windows to set
 					// the "check in with UNIX line endings" setting.
 					comment:                 fmtComment(d.data["description"], "    ", true, opts, d.gvk),
-					awaitComment:            fmtComment(AwaitComment(d.gvk.Kind), prefix, true, opts, d.gvk),
+					pulumiComment:           fmtComment(PulumiComment(d.gvk.Kind), prefix, true, opts, d.gvk),
 					properties:              properties,
 					requiredInputProperties: requiredInputProperties,
 					optionalInputProperties: optionalInputProperties,
+					additionalSecretOutputs: additionalSecretOutputs(d.gvk),
 					gvk:                     &d.gvk,
 					apiVersion:              fqGroupVersion,
 					rawAPIVersion:           defaultGroupVersion,
@@ -900,3 +907,14 @@ func createGroups(definitionsJSON map[string]interface{}, opts groupOpts) []*Gro
 
 	return groups
 }
+
+func additionalSecretOutputs(gvk schema.GroupVersionKind) []string {
+	kind := kinds.Kind(gvk.Kind)
+
+	switch kind {
+	case kinds.Secret:
+		return []string{"data", "stringData"}
+	default:
+		return []string{}
+	}
+}

sdk/nodejs/admissionregistration/v1/MutatingWebhookConfiguration.ts

@@ -93,6 +93,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(MutatingWebhookConfiguration.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/admissionregistration/v1/MutatingWebhookConfigurationList.ts

@@ -92,6 +92,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(MutatingWebhookConfigurationList.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/admissionregistration/v1/ValidatingWebhookConfiguration.ts

@@ -93,6 +93,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ValidatingWebhookConfiguration.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/admissionregistration/v1/ValidatingWebhookConfigurationList.ts

@@ -92,6 +92,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ValidatingWebhookConfigurationList.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/admissionregistration/v1beta1/MutatingWebhookConfiguration.ts

@@ -94,6 +94,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(MutatingWebhookConfiguration.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/admissionregistration/v1beta1/MutatingWebhookConfigurationList.ts

@@ -92,6 +92,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(MutatingWebhookConfigurationList.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/admissionregistration/v1beta1/ValidatingWebhookConfiguration.ts

@@ -94,6 +94,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ValidatingWebhookConfiguration.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/admissionregistration/v1beta1/ValidatingWebhookConfigurationList.ts

@@ -92,6 +92,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(ValidatingWebhookConfigurationList.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/apiextensions/v1/CustomResourceDefinition.ts

@@ -95,6 +95,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(CustomResourceDefinition.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/apiextensions/v1/CustomResourceDefinitionList.ts

@@ -89,6 +89,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(CustomResourceDefinitionList.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/apiextensions/v1beta1/CustomResourceDefinition.ts

@@ -96,6 +96,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(CustomResourceDefinition.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/apiextensions/v1beta1/CustomResourceDefinitionList.ts

@@ -89,6 +89,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(CustomResourceDefinitionList.__pulumiType, name, props, opts);
       }
     }

sdk/nodejs/apiregistration/v1/APIService.ts

@@ -94,6 +94,11 @@ import { getVersion } from "../../version";
           if (!opts.version) {
               opts.version = getVersion();
           }
+
+          opts.additionalSecretOutputs = [
+              ...((opts && opts.additionalSecretOutputs) || []),
+
+          ];
           super(APIService.__pulumiType, name, props, opts);
       }
     }