the kubernetes JobTemplateSpec is weird, it lets you put volumes and volumeMounts in loads of different places. I got them in the wrong ones.

Is there a way for a (kubernetes) resource to depend on a

Promise<void>

(i.e. it doesn't return anything, it only waits for a condition), other than doing something like

new k8s.some.v1.Resource(name, {
  metadata: {
    annotations: {
      someDummyAnnotation: waitForCondition() // should return Promise<string>
    }
  }
});

?

Aloha Pulumi people! I'll be in Seattle (Microsoft campus) next week for the MVP Summit. Is that somewhat reachable from your HQ? Would love to meet IRL for a coffee or whatever.

I’ll also be in Seattle next week!

@tall-librarian-49374 (and anyone else in town for the Microsoft MVP Summit) - yes - we'd love to meet up while you are here. We're in downtown Seattle - so if you have an afternoon free anytime and are in Seattle - drop me a note and we'll find some time.

I’m trying to setup cert manager and think I’m on my last hurdle. I’m using a restricted gcp service account for app deployments (from kube the prod way) and I’m bumping into:

<http://clusterroles.rbac.authorization.k8s.io|clusterroles.rbac.authorization.k8s.io> is forbidden: User "<mailto:ci-app@xxx.iam.gserviceaccount.com|ci-app@xxx.iam.gserviceaccount.com>" cannot create resource "clusterroles" in API group "<http://rbac.authorization.k8s.io|rbac.authorization.k8s.io>" at the cluster scope

I assume I have to run the equivalent of:

kubectl create clusterrolebinding cluster-admin-binding \
--clusterrole cluster-admin --user [USER_ACCOUNT]

But isn’t that the same as just granting gcp

roles/container.clusterAdmin

? Here’s a gist of the current setup: https://gist.github.com/rosskevin/e80dabe6347fa34c179b3885e4f4a3a0 I’m a bit confused as to the right thing to do here and keep with the minimal permissions for the service account.

Plugins are installed automatically correct? I am somehow running into an issue running in CI (Jenkins) where I get the error

error: could not load plugin for aws provider

when trying to do a

pulumi preview

.

I need to add a label to an existing namespace, the kubectl equivalent:

kubectl label namespace <deployment-namespace> <http://certmanager.k8s.io/disable-validation=%22true%22|certmanager.k8s.io/disable-validation="true">

How can I add I mutate the namespace labels from my pulumi code?

I’ve got some issues with the

dependsOn

mechanism, it seems like it is not being respected by a helm chart that is the child of my

Component

. Details inside ->

Hi I was wondering if there is a way to map a port. I have something like this:``` let service = new cloud.Service("MyService", { containers: { Api: { image: "MY_IMAGE", memory: 256, ports: [{ port: 8081 }], }, }, replicas: 1, });``` I am willing to use the port 80 instead of 8081 which is the port exposed by the container.

Any Azure DevOps users? Are you able to see the nicely colorized output of pulumi runs in ADO pipelines?

Getting dreaded

Calling [toString] on an [Output<T>] is not supported

in my transformer. The transformer is shared code and may be used with a namespace instance or string. What have I messed up here:

/**
 * May be needed to get helm to behave.
 *
 *  Usage: `transformations: [createTransformAddNamespace(namespace)]`
 *
 * @see <https://github.com/pulumi/pulumi-kubernetes/issues/217#issuecomment-459105809>
 * @see <https://github.com/pulumi/pulumi-kubernetes/issues/415#issuecomment-469118560>
 */
export function createTransformAddNamespace(
  namespaceStringOrResource: string | k8s.core.v1.Namespace,
) {
  return <T extends { metadata?: Input<meta.v1.ObjectMeta> }>(o: T) => {
    let namespace: Input<string>
    if (typeof namespaceStringOrResource === 'string') {
      namespace = namespaceStringOrResource
    } else {
      namespace = namespaceStringOrResource.metadata.name.apply(v => v)
    }

    if (o) {
      if (o.metadata !== undefined) {
        o.metadata['namespace'] = namespace
      } else {
        o.metadata = { namespace: namespace }
      }
    }
  }
}

I need to

pulumi.all

several different items. When I add more than 8 items to my

pulumi.all

, I get a Typescript error about numbers not being assignable to strings. Looking at the source for

pulumi.all

, I see signatures for calls with up to 8 types. I tried switching to a map format as well but it has the same problem. How can you create a single Output object from more than 8 Input objects given Input Objects having varying types?

I'm testing out Pulumi with k8s and am running into an issue with using a Docker image from ECR. After running

pulumi up

, I get this failure output:

* Timeout occurred for 'app-ions'
    * [MinimumReplicasUnavailable] Deployment does not have minimum availability.
    * Minimum number of live Pods was not attained
    * 2 Pods failed to run because: [ImagePullBackOff] Back-off pulling image "<http://734247230719.dkr.ecr.us-west-2.amazonaws.com/my-image:my-tag|734247230719.dkr.ecr.us-west-2.amazonaws.com/my-image:my-tag>"

Does Pulumi k8s work with ECR?

How is it recommended to deploy a new cluster? Would you install all helm charts via Pulumi or via CLI and then use Pulumi only for app deployments?

Hi Community, I am new here. Where would it be most logical to post a job here? Announcements or in general? Or is there a special channel for jobs, that I dont see? We want to automate our multitenant project with Pulumi.

i'm trying to follow this guide but i don't understand how i can remove the built in role assignment against a new service principal. https://docs.cert-manager.io/en/latest/tasks/acme/configuring-dns01/azuredns.html - any ideas?

Heads up folks, if anyone is running Pulumi in their CI systems and you see an error containing “failed to locate compatible plugin”, we’re tracking the issue here: https://github.com/pulumi/pulumi-azure/issues/200#issuecomment-472099761. There’s a workaround in this post that you can add to your CI system until Pulumi ships a fix.

Can anyone here help me with a container issue? I'm trying to setup my container with Pulumi in a way that allows me to SSH into the container once it's launched. I have set

cloud-aws:ecsAutoClusterPublicKey

to the value from my

~/.ssh/id_rsa.pub

file And then my container deploys like this:

new cloud.Service("container", {
  containers: {
    api: {
      build: ".",
      memory: 1638,
      cpu: 716, 
      ports: [{
        port: 443,
        targetPort: 3333,
        protocol: 'https'
      }]
    },
  }
});

This successfully launched my container, and the web interface is running correctly, but when I try to SSH into the instance, I get

ssh: connect to XXXXX port 22: Connection refused

After struggling with two different helm charts (cert-manager and kubernetes-dashboard), I’m finding that it is far easier to take the approach of using the

ConfigFile

with the published manifests, and optionally using a

transformation

. I had assumed the helm approach to be easier - but surprised to find it the other way around. If anyone has issues with those two components, let me know. I put in quite a bit of time learning the ins-and-outs of pulumi with them and getting them running properly, which actually ended up being quite easy in hindsight. My new approach to anything will be to look at the component and manifests first, then go from there.

Hi folks, how do we define multiple node groups for a single EKS cluster? Is there documentation and examples on how to do it with the

@pulumi/eks

package? The code currently uses

new eks.Cluster

but that only creates a single node group. We need to define some more node groups to add in to the cluster for differently-sized instances/node types, and with different sets of node annotations (i.e. for taints/tolerations)

Hi everybody! We are looking for DevOps engineer to automate our app deployment and infrastructure with Pulumi. Any takers? Pls see the project description here: https://www.upwork.com/jobs/~0197126531f338aab1

Would like to be able to delete the default network in a GCP project. I’m not finding any delete methods exposed. Am I going to need to craft my own API call to do this?

we’ve moved to private clusters, bastion host and gateway and our security team wants the default network gone

granted we won’t rebuild projects often or ever so removing it once manually is fine I guess but wanted to check

@orange-tailor-85423 You could do this in a multi-step process for now (using

get

first then converting it to a real resource), but the work on importing resources that @microscopic-florist-22719 is doing at the moment is the real way to do this

OTOH, if it’s just for a one-off deletion, I’m not sure I see the advantage over issuing a

gcloud

command - it’s not like it’s a repeatable thing you want codified

ok - I knew that feature was coming but was looking for a way around

yeah, I’ll just remove it manually - we’ll just know that if we create new projects for test or for personal stuff we will remove them