but like, are the APIs mostly set?

We're using Pulumi to build a Kubernetes cluster on GCP, with the Istio integration enabled (https://cloud.google.com/istio/docs/istio-on-gke/overview). Istio on GKE creates all the necessary k8s resources to run Istio, we do not have a reference to them in Pulumi. In order to setup TLS and configure domains, the docs recommend us to edit the existing resources. We can do this with Pulumi via an import, but (if I've understood correctly) this means we cannot build our setup with a single

pulumi up

. Instead, we need one

pulumi up

where the

import

simply reflects the existing resource, and then another one where we edit the code to change the resource. We've verified this multi-stage flow works, but it feels clunky (currently we have to manually edit the code between the first and second pulumi up). Are there any tricks we can use to combine into a single stage? One thought was that maybe there is a variable that denotes whether or not the resource is already referenced. Then we could run pulumi twice, and use a switch statement to distinguish the two cases. Feels very hacky though.

Am trying to install cert-manager using its default manifest:

const certManagerResources = new k8s.yaml.ConfigFile("cm", { 
    file: `<https://github.com/jetstack/cert-manager/releases/download/v0.13.0/cert-manager.yaml>`
})

Am finding that the preview hangs. v1.9.0. Thoughts?

I’m creating a Kubernetes Secret with Pulumi, and the secret information is added to the Secret in clear text as an annotation. Is this Pulumi who does this??? Code:

const privatePullCredentials = new kubernetes.core.v1.Secret('dockerprivatepull', {
    type: "<http://kubernetes.io/dockerconfigjson|kubernetes.io/dockerconfigjson>",
    metadata: {
        namespace: namespace.metadata.name
    },
    stringData: {
        ".dockerconfigjson": config
            .requireSecret("docker-hub-token")
            .apply(value => {
                return JSON.stringify({
                    auths: {
                        "<https://index.docker.io/v1/>": {
                            auth: value
                        }
                    }
                })
            })
    }
});

Output:

kubectl get secret dockerprivatepull-s2nimzmf --namespace=apps --output=yaml                                             master ● ↓2  10:43:53
apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL2luZGV4LmRvY2tlci5pby92MS8iOnsiYXV0aCI6ImRlOWM1NTgyLTM4ZTMtNGY1Mi04ZTFhLTk0NzgzNWQ2ZTc5YyJ9fX0=
kind: Secret
metadata:
  annotations:
    <http://kubectl.kubernetes.io/last-applied-configuration|kubectl.kubernetes.io/last-applied-configuration>: |
      {"apiVersion":"v1","kind":"Secret","metadata":{"annotations":{"<http://pulumi.com/autonamed|pulumi.com/autonamed>":"true"},"labels":{"<http://app.kubernetes.io/managed-by|app.kubernetes.io/managed-by>":"pulumi"},"name":"dockerprivatepull-s2nimzmf","namespace":"apps"},"stringData":{".dockerconfigjson":"{\"auths\":{\"<https://index.docker.io/v1/>\":{\"auth\":\"<clear text secret here!!!>"}}}"},"type":"<http://kubernetes.io/dockerconfigjson|kubernetes.io/dockerconfigjson>"}
    <http://pulumi.com/autonamed|pulumi.com/autonamed>: "true"
  creationTimestamp: "2020-01-28T09:43:00Z"
  labels:
    <http://app.kubernetes.io/managed-by|app.kubernetes.io/managed-by>: pulumi
  name: dockerprivatepull-s2nimzmf
  namespace: osimis
  resourceVersion: "935549"
  selfLink: /api/v1/namespaces/osimis/secrets/dockerprivatepull-s2nimzmf
  uid: c19731a4-45e9-414a-8a04-fb92ce5f05bd
type: <http://kubernetes.io/dockerconfigjson|kubernetes.io/dockerconfigjson>

It must be because when I create the Secret via

kubectl

, the whole annotation isn’t there (as it should be)

Hi all, I’ve been trying to share a generated kubeconfig practically copied from https://github.com/pulumi/examples/blob/master/gcp-ts-gke/cluster.ts between stacks. Following the https://www.pulumi.com/docs/intro/concepts/organizing-stacks-projects/#inter-stack-dependencies guide gets me the right kubeconfig variable in another stack. Only when I try to connect to the same cluster from the other stack I get the following error:

error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: Get https://<DIFFERENT_IP_THAN_CLUSTER>/openapi/v2?timeout=32s: dial tcp <DIFFERENT_IP_THAN_CLUSTER>:443: i/o timeout

. It seems like I’m missing a step, did anyone encounter this before?

Did @pulumi/eks

0.18.19

release inadvertently?

is there a way to get a clusterip service's internal ip, or can you only get the ip of a loadbalancer service?

Is it possible to obtain the value of an externally-managed

Secret

resource, to be used as a

pulumi.Input<>

in my program? (without using stack references)

Hi there! , somebody know how to add annotations using helm + k8s , I'm using nginx-ingress chart , and I need to add these:

service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "True" service.beta.kubernetes.io/aws-load-balancer-internal: "true" service.beta.kubernetes.io/aws-load-balancer-type: nlb

you can use a transformation on the chart

Thanks Oliverh , Do you have some example to follow?

i was just trying to find one but couldnt sorry

ah: https://github.com/pulumi/pulumi-kubernetes/issues/217#issuecomment-459105809

thanks I will try

very complicated , I just found another solution

values : { controller: { service: { annotations: { "service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled": "True", "service.beta.kubernetes.io/aws-load-balancer-internal": "true", "service.beta.kubernetes.io/aws-load-balancer-type": "nlb" } } } }

just if someone needs

are there any k8s friendly pulumi DevOps engineers looking for a remote gig?

message has been deleted

Any idea when the next release will ship? Really looking forward to the YAML rendering for the k8s resources PR that just got merged 2 days ago. https://github.com/pulumi/pulumi-kubernetes/pull/936

How is a change on a resource that comes with helm chart version update determined as replace or update?

This should be working code from @gorgeous-egg-16927. But when I create a secret using a Docker Hub Personal Access Token as the Pulumi secret

docker-hub-token

and refer to it from my deployment, I get an error:

Failed to pull image "<my private image name here>": illegal base64 data at input byte 8

Am I still missing something?

message has been deleted

Hello, I’m having a problem where K8s resources are being needlessly replaced during an update. Pulumi 0.10.1. Ideas? The output suggests that the

k8s.Provider

that I supply to those resources is being flagged as changing. For example:

├─ kubernetes:core:Namespace           foobar        replace     [diff: ~provider]

Seems the provider urn is changing:

[provider: urn:pulumi:proto::example::pulumi:providers:kubernetes::cluster-proto::35fb4c9f-c17e-4685-9459-ad432be24927 => urn:pulumi:proto::example::pulumi:providers:kubernetes::cluster-proto::f0e50e3c-7584-479a-bf2f-484379ca4f24]

To be clear, the program flow is to create a GKE cluster, synthesize a kubeconfig, create a

Provider

based on it, and then create a

Namespace

with

{provider: ...}

.

Hello, I have a eks cluster with helm charts creating statefulsets. I need help in 2 things regarding aws tags: 1. How can I add aws tags for resources creating by pulumi? This also includes ebs volumes created by pulumi. 2. Also, is there any way to add aws tags for statefulsets? Stateful sets are managed by us. When I add tags to eks.Cluster. I can see it adding to only ec2.

Another question: Is there any way to instruct in pulumi to also remove PV's created by statefulset? if not, do you recommend us to delete the statefulset, pv using kubectl and then execute pulumi destroy?