lemon-monkey-228
05/25/2021, 7:46 AM
pulumi refresh and that seems to have removed these resources from the state, but now I can’t pulumi up because there are still other resources (eg. PVCs) still hanging around
lemon-monkey-228
05/25/2021, 7:47 AM
bored-table-20691
05/26/2021, 12:20 AM
pulumi.NewFileAsset if I want to use it as an input to StringData for a secret?
lemon-monkey-228
05/26/2021, 1:26 PM
lemon-monkey-228
05/26/2021, 1:27 PM
glamorous-australia-21342
05/26/2021, 2:16 PM
glamorous-australia-21342
05/26/2021, 2:16 PM
purple-plumber-90981
05/28/2021, 2:16 AM
https://github.com/kubernetes-sigs/aws-efs-csi-driver/tree/master/charts/aws-efs-csi-driver as a pulumi_kubernetes.helm.v3.Chart but it fails because csidrivers.storage.k8s.io "efs.csi.aws.com" already exists …. this happens because the chart includes a pre-install helm hook to remove the existing efs-csi driver and pulumi doesn't support helm-hooks (https://github.com/pulumi/pulumi-kubernetes/issues/555) . . . what is the best way for me to work around this?
bored-table-20691
05/28/2021, 6:48 PM
appsv1.NewDeployment(ctx, "myDeployment", &appsv1.DeploymentArgs{
and I want to change it to
appsv1.NewDeployment(ctx, "my-deployment", &appsv1.DeploymentArgs{
If I do that, it fails because it says the Deployment already exists with that name (note that I have given it an explicit name, so it is not using autonaming)
ripe-shampoo-80285
05/28/2021, 11:03 PM
icy-jordan-58549
05/31/2021, 2:34 PM
error: no resource plugin 'kubernetes-v1.1.0' found in the workspace or on your $PATH, install the plugin using `pulumi plugin install resource kubernetes v1.1.0`
adamant-translator-31969
05/31/2021, 2:47 PM
Error: invocation of kubernetes:helm:template returned an error: failed to generate YAML for specified Helm chart: failed to pull chart: could not find protocol handler for: s3
My cluster is in 1.16 ...
steep-portugal-37539
06/01/2021, 7:32 PM
https://aws.github.io/eks-charts
steep-portugal-37539
06/01/2021, 7:32 PM
steep-portugal-37539
06/01/2021, 7:32 PM
steep-portugal-37539
06/01/2021, 7:34 PM
steep-portugal-37539
06/01/2021, 7:34 PM
steep-portugal-37539
06/01/2021, 7:35 PM
steep-portugal-37539
06/01/2021, 7:37 PM
steep-portugal-37539
06/01/2021, 7:38 PM
steep-portugal-37539
06/01/2021, 7:46 PM
purple-plumber-90981
06/02/2021, 1:06 AM
  File "/Users/bmeehan/repos/itplat-pulumi-infrastructure/.venv/lib/python3.8/site-packages/pulumi_kubernetes/apiextensions/v1/CustomResourceDefinition.py", line 121, in __init__
    __self__._internal_init(resource_name, *args, **kwargs)
TypeError: _internal_init() got an unexpected keyword argument 'status'
error: an unhandled error occurred: Program exited with non-zero exit code: 1
details in thread, help please
better-shampoo-48884
06/02/2021, 9:48 AM
k8s.yaml.ConfigFile/ConfigGroup apply the resources to a namespace? I don't want to muck with the files, and they don't have a namespace declared in the yaml, so the transformation I've got seems to fail..
For instance:
const keyCloakAccounts = new k8s.yaml.ConfigGroup("keycloak-roles-accounts-bindings", {
    files: [
        `${pathToKeyCloakOper}/role.yaml`,
        `${pathToKeyCloakOper}/role_binding.yaml`,
        `${pathToKeyCloakOper}/service_account.yaml`
    ],
    transformations: [
        (obj: any, opts: pulumi.CustomResourceOptions) => {
            obj.meta.namespace = keyCloakNamespace.metadata.name;
        }
    ]
}, {
    provider: args.providers.kubernetes,
    parent: this,
    dependsOn: keyCloakNamespace
})
Which fails with:
TypeError: Cannot set property 'namespace' of undefined
    at Foundation.k8s.yaml.ConfigGroup.transformations (<path>\pulumi\baseline-k8s\components\kubernetes-components\foundation.ts:128:44)
    at parseYamlObject (<path>\pulumi\baseline-k8s\node_modules\@pulumi\yaml\yaml.ts:2925:9)
    at <path>\pulumi\baseline-k8s\node_modules\@pulumi\yaml\yaml.ts:2903:25
    at Array.map (<anonymous>)
    at <path>\pulumi\baseline-k8s\node_modules\@pulumi\yaml\yaml.ts:2903:14
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
colossal-australia-65039
06/02/2021, 11:32 PM
pulumi up. Has this been an issue for anyone else? Or should I file a bug ticket
bored-table-20691
06/03/2021, 5:20 AM
Spec: &corev1.PodSpecArgs{
    ServiceAccountName: tenant.serviceAccount.Metadata.Name(),
Let’s say I had the above, and then I just deleted the ServiceAccountName line. Pulumi seems to recognize that it should do an update, but nothing happens on the Kubernetes side (the Deployment is not updated, the pod does not restart), and Pulumi hangs waiting for something to happen ([diff: ~spec]; [1/2] Waiting for app ReplicaSet be marked available (1/1 Pods available)).
Any ideas what might be going on?
ancient-megabyte-79588
06/03/2021, 1:40 PM
configured Kubernetes cluster is unreachable: unable to load Kubernetes client configuration from kubeconfig file: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
bored-table-20691
06/03/2021, 4:13 PM
eksCluster, err := eks.LookupCluster(ctx, &eks.LookupClusterArgs{
    Name: "my-eks-cluster",
})
if err != nil {
    return err
}
ctx.Export("eks-oidc-url", pulumi.String(eksCluster.Identities[0].Oidcs[0].Issuer))
This is using the aws/eks package (not pulumi-eks). However, Issuer is just the URL string, and does not include the ARN. I wanted to do something like a lookup on the iam.OpenIdConnectProvider, but it doesn’t look like it is a supported operation (https://www.pulumi.com/docs/reference/pkg/aws/iam/openidconnectprovider), as I am only able to lookup an existing resource, but this is already pre-created.
Is there a way to do this, or do I have to use the AWS SDK for this?
bored-table-20691
06/03/2021, 6:36 PM
ProviderCredentialOpts. For example, I have a Pulumi stack in which I set (via config) the AWS access token and secret, as it is in a different account than the one my AWS CLI (i.e. ~/.aws) is configured with. I then create a cluster like this:
cluster, err := eks.NewCluster(ctx, "my-cluster", &eks.ClusterArgs{
    VpcId:            vpc.ID(),
    PublicSubnetIds:  pulumi.ToStringArrayOutput(publicSubnetIDs),
    PrivateSubnetIds: pulumi.ToStringArrayOutput(privateSubnetIDs),
    EnabledClusterLogTypes: pulumi.StringArray{
        pulumi.String("api"),
        pulumi.String("audit"),
        pulumi.String("authenticator"),
    },
    SkipDefaultNodeGroup: pulumi.BoolPtr(true),
    InstanceRoles: iam.RoleArray{
        // role0,
        // role1,
        role2,
    },
    NodeAssociatePublicIpAddress: pulumi.Bool(false),
    Version:                      pulumi.String("1.20"),
    UseDefaultVpcCni:             pulumi.Bool(true),
})
if err != nil {
    return err
}
This works fine, but I get an error at the end basically saying that it could not connect to the cluster (I believe to do the CNI or other settings) as it could not authenticate. In order to enable authentication, I had to:
1. Create a new profile in my ~/.aws folder that had the credentials set for this new account (I called it ssa)
2. Add the following to the above cluster create:
ProviderCredentialOpts: eks.KubeconfigOptionsArgs{
    ProfileName: pulumi.String("ssa"),
},
Now it could connect properly/errors were gone. However, I am not quite sure I am following why this is necessary, and the docs/examples are a bit sparse. Specifically, I am a bit concerned that I have to specify a specific profile to use (one that I have to configure out of band on whatever machine is running Pulumi), which doesn’t seem easily repeatable. Given Pulumi already has the AWS credentials to use to authenticate to create the cluster, why can’t it use those when talking to Kubernetes proper?
ripe-shampoo-80285
06/04/2021, 1:33 AM
steep-portugal-37539
06/04/2021, 1:56 PM
aws-load-balancer-tls
I use a transformation in the LB controller to tell Pulumi to ignoreChanges on the LB ctrl tls secret. Subsequent ups regenerate the secret causing problems with the ing’s. I also make all ing’s dependsOn the cntrl. This is bec the cntrl pods don’t spin up fast enough, and the ing is still attempted to be created. I get a service not found error. So it is a race condition.
This is the current context of my setup.
I want to try auto tls discovery via host used in ing rules. I tried removing tls section but it wouldn’t find certs. Even though I have certs created in ACM. Perhaps it can’t find ACM certs? the error I get: Failed build model due to ingress: waterrecharge/waterrecharge-ingress: none certificate found for host: waterrecharge-pulumi-api-aryeh.tqhosted.com"
That’s referring to the ACM cert i’ve created, right? It can’t find it?
I try putting back the tls section in the ing, and I still have the same issue. What’s happening is bec of that error, the ing doesn’t resolve in pulumi. I can’t get the hostname. So the record alias can’t be created. I get: error: aws:route53/record:Record resource 'waterrecharge-pulumi-aryeh.tqhosted.com' has a problem: Required attribute is not set. Examine values at 'Record.Aliases'.
I have to do a refresh for pulumi to get the ing data and be able to resolve the hostname.