I tried

pulumi refresh

and that seems to have removed these resources from the state, but now I can’t

pulumi up

because there are still other resources (eg. PVCs) still hanging around

I’ve read https://gist.github.com/clstokes/62d8ff84ada8cd414a88d4f1030f5ddc on resource adoption but it seems counter-intuitive for me to change my stack to look up the resources, then revert it

What’s the right way to work with

pulumi.NewFileAsset

if I want to use it as an input to

StringData

for a secret?

Is there an annotation or something I can use to force recreation of some resources?

I found that I had a deployed statefulset with a container that wouldn’t start up (because I’d messed up a volume name) and when I tried to redeploy the fix, it was just waiting for the pod to go away

Anybody know how to import these custom resources (like these above)? I'm looking to just do them one by one on the CLI no code. I can import standard resources, but I'm not sure what the syntax is for the CLI for custom resources.

i am trying to deploy

<https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/charts/aws-efs-csi-driver>

as a pulumi_kubernetes.helm.v3.Chart but it fails because

<http://csidrivers.storage.k8s.io|csidrivers.storage.k8s.io> "<http://efs.csi.aws.com|efs.csi.aws.com>" already exists

…. this happens because the chart includes a pre-install helm hook to remove the existing efs-csi driver and pulumi doesnt support helm-hooks (

<https://github.com/pulumi/pulumi-kubernetes/issues/555>

) . . . what is the best way for me to work around this ?

What’s the typical way of renaming a resource? Specifically, let’s say I have:

appsv1.NewDeployment(ctx, "myDeployment", &appsv1.DeploymentArgs{

and I want to change it to

appsv1.NewDeployment(ctx, "my-deployment", &appsv1.DeploymentArgs{

If I do that, it fails because it says the Deployment already exists with that name (note that I have given it an explicit name, so it is not using autonaming)

Not sure if this is the right place to ask. I have EKS setup with pulumi, but I would like to deploy a set of infrastructure application as part of the cluster configuration. Instead of install each individual helm charts using pulumi helm chart provider, I am trying to deploy them using Helmfile. Is there any way that I can integrate helmfile into pulumi workflow, say I want to automatically trigger "helmfile sync" as part of "pulumi up" and "helmfile destroy" as part of "pulumi destroy"? Has anybody done this before? How do you do it?

any ideas why I am getting this error?

error: no resource plugin 'kubernetes-v1.1.0' found in the workspace or on your $PATH, install the plugin using `pulumi plugin install resource kubernetes v1.1.0`

Hi! I have a helm repo in my S3 storage. I want to apply this helm charts with k8s.helm.v3.chart but next error appear.

Error: invocation of kubernetes:helm:template returned an error: failed to generate YAML for specified Helm chart: failed to pull chart: could not find protocol handler for: s3

My cluster is in 1.16 ...

Hey all, I am having trouble deploying ingresses in EKS using the alb aws load balancer controller

<https://aws.github.io/eks-charts>

The error that I am getting looks like this:

i notice that on every pulumi up, pulumi deletes and creates a new secret for the alb chart’s tls cert

i don’t know why in the first place pulumi is doing this. There are no changes to the alb chart i have deployed. The only changes that go on are deploying ingresses

The alb chart code itself seems fine. Nobody has any issues with it. I believe (could be wrong) that pulumi is introducing something that is breaking it

What is interesting is that if we keep refreshing and upping, we eventually get past some ing’s errors and some will deploy. Sometimes only 1 out of the few expected ing’s will deploy while the rest error out.

Any help on this would be much appreciated! Thank you

while we are talking about aws=load-balancer-controller . . . when i deploy this manually with helm into my eks there is no problem, when i do so with pulumi :-

File "/Users/bmeehan/repos/itplat-pulumi-infrastructure/.venv/lib/python3.8/site-packages/pulumi_kubernetes/apiextensions/v1/CustomResourceDefinition.py", line 121, in __init__
        __self__._internal_init(resource_name, *args, **kwargs)
    TypeError: _internal_init() got an unexpected keyword argument 'status'
    error: an unhandled error occurred: Program exited with non-zero exit code: 1

details in thread, help please

A really really probably simple thing here.. Is there any way of making

k8s.yaml.ConfigFile/ConfigGroup

apply the resources to a namespace? I don't want to muck with the files, and they don't have a namespace declared in the yaml, so the transformation I've got seems to fail.. For instance:

const keyCloakAccounts = new k8s.yaml.ConfigGroup("keycloak-roles-accounts-bindings", {
                files: [
                    `${pathToKeyCloakOper}/role.yaml`, 
                    `${pathToKeyCloakOper}/role_binding.yaml`,
                    `${pathToKeyCloakOper}/service_account.yaml`
                ],
                transformations: [
                    (obj: any, opts: pulumi.CustomResourceOptions) => {
                        obj.meta.namespace = keyCloakNamespace.metadata.name;
                    }
                ]
            },{
                provider: args.providers.kubernetes,
                parent: this,
                dependsOn: keyCloakNamespace
            })

Which fails with:

TypeError: Cannot set property 'namespace' of undefined
        at Foundation.k8s.yaml.ConfigGroup.transformations (<path>\pulumi\baseline-k8s\components\kubernetes-components\foundation.ts:128:44)
        at parseYamlObject (<path>\pulumi\baseline-k8s\node_modules\@pulumi\yaml\yaml.ts:2925:9)
        at <path>\pulumi\baseline-k8s\node_modules\@pulumi\yaml\yaml.ts:2903:25
        at Array.map (<anonymous>)
        at <path>\pulumi\baseline-k8s\node_modules\@pulumi\yaml\yaml.ts:2903:14
        at runMicrotasks (<anonymous>)
        at processTicksAndRejections (internal/process/task_queues.js:93:5)

I'm finding that if I use Pulumi to build a docker image and have a deployment/statefulset/etc reference that image, the deployment will update even before the image is built. If the image takes a while to build/push, this will guarantee a failed

pulumi up

. Has this been an issue for anyone else? Or should I file a bug ticket

I’m encountering an issue when adding/removing a service account from a pod spec (in a Deployment):

Spec: &corev1.PodSpecArgs{
					ServiceAccountName: tenant.serviceAccount.Metadata.Name(),

Let’s say I had the above, and then I just deleted the ServiceAccountName line. Pulumi seems to recognize that it should do an update, but nothing happens on the Kubernetes side (the Deployment is not updated, the pod does not restart), and Pulumi hangs waiting for something to happen (

[diff: ~spec]; [1/2] Waiting for app ReplicaSet be marked available (1/1 Pods available)

). Any ideas what might be going on?

Has anyone encountered this in the CI pipelines (AzDO) recently? Nothing else changed other than pipelines are failing now. Running the pulumi apps from the console still works, so we are doing this manually now.

configured Kubernetes cluster is unreachable: unable to load Kubernetes client configuration from kubeconfig file: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable

Question that spans Kubernetes and AWS: I have an existing EKS cluster I do not wish to import, but I would like to get the OIDC info for it. I’ve successfully been able to get the URL like this:

eksCluster, err := eks.LookupCluster(ctx, &eks.LookupClusterArgs{
			Name: "my-eks-cluster",
		})
		if err != nil {
			return err
		}
		ctx.Export("eks-oidc-url", pulumi.String(eksCluster.Identities[0].Oidcs[0].Issuer))

This is using the

aws/eks

package (not

pulumi-eks

). However,

Issuer

is just the URL string, and does not include the ARN. I wanted to do something like a lookup on the

iam.OpenIdConnectProvider

, but it doesn’t look like it is a supported operation (https://www.pulumi.com/docs/reference/pkg/aws/iam/openidconnectprovider), as I am only able to lookup an existing resource, but this is already pre-created. Is there a way to do this, or do I have to use the AWS SDK for this?

I’m having some challenges in understanding

ProviderCredentialOpts

. For example, I have a Pulumi stack in which I set (via config) the AWS access token and secret, as it is in a different account than the one my AWS CLI (i.e.

~/.aws

) is configured with. I then create a cluster like this:

cluster, err := eks.NewCluster(ctx, "my-cluster", &eks.ClusterArgs{
		VpcId:            vpc.ID(),
		PublicSubnetIds:  pulumi.ToStringArrayOutput(publicSubnetIDs),
		PrivateSubnetIds: pulumi.ToStringArrayOutput(privateSubnetIDs),
		EnabledClusterLogTypes: pulumi.StringArray{
			pulumi.String("api"),
			pulumi.String("audit"),
			pulumi.String("authenticator"),
		},
		SkipDefaultNodeGroup: pulumi.BoolPtr(true),
		InstanceRoles: iam.RoleArray{
			// role0,
			// role1,
			role2,
		},
		NodeAssociatePublicIpAddress: pulumi.Bool(false),
		Version:                      pulumi.String("1.20"),
		UseDefaultVpcCni:             pulumi.Bool(true),
	})
	if err != nil {
		return err
	}

This works fine, but I get an error at the end basically saying that it could not connect to the cluster (I believe to do the CNI or other settings) as it could not authenticate. In order to enable authentication, I had to: 1. Create a new profile in my

~/.aws

folder that had the credentials set for this new account (I called it

ssa

) 2. Add the following to the above cluster create:

ProviderCredentialOpts: eks.KubeconfigOptionsArgs{
			ProfileName: pulumi.String("ssa"),
		},

Now it could connect properly/errors were gone. However, I am not quite sure I am following why this is necessary, and the docs/examples are a bit sparse. Specifically, I am a bit concerned that I have to specify a specific profile to use (one that I have to configure out of band on whatever machine is running Pulumi), which doesn’t seem easily repeatable. Given Pulumi already has the AWS credentials to use to authenticate to create the cluster, why can’t it use those when talking to Kubernetes proper?

I created a EKS cluster in one project (say infra/dev) and try to use it from another project (say app/dev) using stackReference. I can retrieve kubeconfig which is exported in the infra/dev stack. I can create a k8sprovider with it, I can then use the k8sprovider to create additional resource, for example, namespace/serviceaccount for the app/dev. But how do I get the EKS cluster itself from it? I need the EKS cluster to retrieve OidcProvider.

Hey all! I have an ingress that is managed via the aws LB controller. I use its tls cert as the secretName in the tls section of the ingress, and list the three hosts that are in the rules section of the ing.

aws-load-balancer-tls

I use a transformation in the LB controller to tell Pulumi to ignoreChanges on the LB ctrl tls secret. Subsequent ups regenerate the secret causing problems with the ing’s. I also make all ing’s dependsOn the cntrl. This is bec the cntrl pods don’t spin up fast enough, and the ing is still attempted to be created. I get a service not found error. So it is a race condition. This is the current context of my setup. I want to try auto tls discovery via host used in ing rules. I tried removing tls section but it wouldn’t find certs. Even though I have certs created in ACM. Perhaps it can’t find ACM certs? the error I get:

Failed build model due to ingress: waterrecharge/waterrecharge-ingress: none certificate found for host: <http://waterrecharge-pulumi-api-aryeh.tqhosted.com|waterrecharge-pulumi-api-aryeh.tqhosted.com>"

That’s referring to the ACM cert i’ve created, right? It can’t find it? I try putting back the tls section in the ing, and I still have the same issue. What’s happening is bec of that error, the ing doesn’t resolve in pulumi. I can’t get the hostname. So the record alias can’t be created. I get:

error: aws:route53/record:Record resource '<http://waterrecharge-pulumi-aryeh.tqhosted.com|waterrecharge-pulumi-aryeh.tqhosted.com>' has a problem: Required attribute is not set. Examine values at 'Record.Aliases'.

I have to do a refresh for pulumi to get the ing data and be able to resolve the hostname.