steep-portugal-37539
06/01/2021, 7:38 PM
steep-portugal-37539
06/01/2021, 7:46 PM
purple-plumber-90981
06/02/2021, 1:06 AM
  File "/Users/bmeehan/repos/itplat-pulumi-infrastructure/.venv/lib/python3.8/site-packages/pulumi_kubernetes/apiextensions/v1/CustomResourceDefinition.py", line 121, in __init__
    __self__._internal_init(resource_name, *args, **kwargs)
TypeError: _internal_init() got an unexpected keyword argument 'status'
error: an unhandled error occurred: Program exited with non-zero exit code: 1
details in thread, help please
better-shampoo-48884
06/02/2021, 9:48 AM
k8s.yaml.ConfigFile/ConfigGroup apply the resources to a namespace? I don't want to muck with the files, and they don't have a namespace declared in the yaml, so the transformation I've got seems to fail..
For instance:
const keyCloakAccounts = new k8s.yaml.ConfigGroup("keycloak-roles-accounts-bindings", {
    files: [
        `${pathToKeyCloakOper}/role.yaml`,
        `${pathToKeyCloakOper}/role_binding.yaml`,
        `${pathToKeyCloakOper}/service_account.yaml`
    ],
    transformations: [
        (obj: any, opts: pulumi.CustomResourceOptions) => {
            obj.meta.namespace = keyCloakNamespace.metadata.name;
        }
    ]
},{
    provider: args.providers.kubernetes,
    parent: this,
    dependsOn: keyCloakNamespace
})
Which fails with:
TypeError: Cannot set property 'namespace' of undefined
    at Foundation.k8s.yaml.ConfigGroup.transformations (<path>\pulumi\baseline-k8s\components\kubernetes-components\foundation.ts:128:44)
    at parseYamlObject (<path>\pulumi\baseline-k8s\node_modules\@pulumi\yaml\yaml.ts:2925:9)
    at <path>\pulumi\baseline-k8s\node_modules\@pulumi\yaml\yaml.ts:2903:25
    at Array.map (<anonymous>)
    at <path>\pulumi\baseline-k8s\node_modules\@pulumi\yaml\yaml.ts:2903:14
    at runMicrotasks (<anonymous>)
    at processTicksAndRejections (internal/process/task_queues.js:93:5)
colossal-australia-65039
06/02/2021, 11:32 PM
pulumi up. Has this been an issue for anyone else? Or should I file a bug ticket
bored-table-20691
06/03/2021, 5:20 AM
Spec: &corev1.PodSpecArgs{
    ServiceAccountName: tenant.serviceAccount.Metadata.Name(),
Let’s say I had the above, and then I just deleted the ServiceAccountName line. Pulumi seems to recognize that it should do an update, but nothing happens on the Kubernetes side (the Deployment is not updated, the pod does not restart), and Pulumi hangs waiting for something to happen ([diff: ~spec]; [1/2] Waiting for app ReplicaSet be marked available (1/1 Pods available)).
Any ideas what might be going on?
ancient-megabyte-79588
06/03/2021, 1:40 PM
configured Kubernetes cluster is unreachable: unable to load Kubernetes client configuration from kubeconfig file: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable
bored-table-20691
06/03/2021, 4:13 PM
eksCluster, err := eks.LookupCluster(ctx, &eks.LookupClusterArgs{
    Name: "my-eks-cluster",
})
if err != nil {
    return err
}
ctx.Export("eks-oidc-url", pulumi.String(eksCluster.Identities[0].Oidcs[0].Issuer))
This is using the aws/eks package (not pulumi-eks). However, Issuer is just the URL string, and does not include the ARN. I wanted to do something like a lookup on the iam.OpenIdConnectProvider, but it doesn’t look like it is a supported operation (https://www.pulumi.com/docs/reference/pkg/aws/iam/openidconnectprovider), as I am only able to look up an existing resource, but this is already pre-created.
Is there a way to do this, or do I have to use the AWS SDK for this?
bored-table-20691
06/03/2021, 6:36 PM
ProviderCredentialOpts. For example, I have a Pulumi stack in which I set (via config) the AWS access token and secret, as it is in a different account than the one my AWS CLI (i.e. ~/.aws) is configured with. I then create a cluster like this:
cluster, err := eks.NewCluster(ctx, "my-cluster", &eks.ClusterArgs{
    VpcId:            vpc.ID(),
    PublicSubnetIds:  pulumi.ToStringArrayOutput(publicSubnetIDs),
    PrivateSubnetIds: pulumi.ToStringArrayOutput(privateSubnetIDs),
    EnabledClusterLogTypes: pulumi.StringArray{
        pulumi.String("api"),
        pulumi.String("audit"),
        pulumi.String("authenticator"),
    },
    SkipDefaultNodeGroup: pulumi.BoolPtr(true),
    InstanceRoles: iam.RoleArray{
        // role0,
        // role1,
        role2,
    },
    NodeAssociatePublicIpAddress: pulumi.Bool(false),
    Version:                      pulumi.String("1.20"),
    UseDefaultVpcCni:             pulumi.Bool(true),
})
if err != nil {
    return err
}
This works fine, but I get an error at the end basically saying that it could not connect to the cluster (I believe to do the CNI or other settings) as it could not authenticate. In order to enable authentication, I had to:
1. Create a new profile in my ~/.aws folder that had the credentials set for this new account (I called it ssa)
2. Add the following to the above cluster create:
ProviderCredentialOpts: eks.KubeconfigOptionsArgs{
    ProfileName: pulumi.String("ssa"),
},
Now it could connect properly/errors were gone. However, I am not quite sure I am following why this is necessary, and the docs/examples are a bit sparse. Specifically, I am a bit concerned that I have to specify a specific profile to use (one that I have to configure out of band on whatever machine is running Pulumi), which doesn’t seem easily repeatable. Given Pulumi already has the AWS credentials to use to authenticate to create the cluster, why can’t it use those when talking to Kubernetes proper?
ripe-shampoo-80285
06/04/2021, 1:33 AM
steep-portugal-37539
06/04/2021, 1:56 PM
aws-load-balancer-tls
I use a transformation in the LB controller to tell Pulumi to ignoreChanges on the LB ctrl tls secret. Subsequent ups regenerate the secret causing problems with the ing’s. I also make all ing’s dependsOn the cntrl. This is bec the cntrl pods don’t spin up fast enough, and the ing is still attempted to be created. I get a service not found error. So it is a race condition.
This is the current context of my setup.
I want to try auto tls discovery via host used in ing rules. I tried removing tls section but it wouldn’t find certs. Even though I have certs created in ACM. Perhaps it can’t find ACM certs? The error I get: Failed build model due to ingress: waterrecharge/waterrecharge-ingress: none certificate found for host: waterrecharge-pulumi-api-aryeh.tqhosted.com"
That’s referring to the ACM cert I’ve created, right? It can’t find it?
I try putting back the tls section in the ing, and I still have the same issue. What’s happening is bec of that error, the ing doesn’t resolve in pulumi. I can’t get the hostname. So the record alias can’t be created. I get: error: aws:route53/record:Record resource 'waterrecharge-pulumi-aryeh.tqhosted.com' has a problem: Required attribute is not set. Examine values at 'Record.Aliases'.
I have to do a refresh for pulumi to get the ing data and be able to resolve the hostname.
steep-portugal-37539
06/04/2021, 1:57 PM
steep-portugal-37539
06/07/2021, 4:47 PM
Failed build model due to ingress: waterrecharge/waterrecharge-ingress: none certificate found for host: waterrecharge-pulumi-api-aryeh.tqhosted.com"
bored-table-20691
06/07/2021, 4:53 PM
pulumi-eks updated as well to handle https://github.com/pulumi/pulumi-eks/issues/566 and https://github.com/pulumi/pulumi-eks/issues/577?
better-shampoo-48884
06/08/2021, 8:41 AM
bumpy-laptop-30846
06/08/2021, 7:18 PM
bored-table-20691
06/09/2021, 1:41 AM
error: pre-step event returned an error: failed to verify snapshot: resource urn:pulumi:ssa-us-west-2::okera-infra-regions::kubernetes:yaml:ConfigFile$kubernetes:core/v1:ServiceAccount::cert-manager/cert-manager-webhook refers to unknown provider urn:pulumi:ssa-us-west-2::okera-infra-regions::pulumi:providers:kubernetes::k8s-ssa-provider::460da6b8-808b-4d03-b8f8-ee2fdc9ec693
I get this during pulumi up -f, but same issue with if I do pulumi refresh
bored-table-20691
06/09/2021, 8:04 PM
pulumi up, and it created resources on my new cluster just fine, but is failing to delete the old resources since that EKS cluster no longer exists.
1. Is this expected?
2. How should I get out of this situation? The old resources can’t really exist by definition anymore since the EKS cluster is gone. pulumi refresh errors out in the same way.
icy-jordan-58549
06/10/2021, 11:40 AM
error: no resource plugin 'kubernetes-v1.1.1' found in the workspace or on your $PATH, install the plugin using `pulumi plugin install resource kubernetes v1.1.1`
and by doing so, I get
error: [resource plugin kubernetes-1.1.1] downloading from : 403 HTTP error fetching plugin from https://get.pulumi.com/releases/plugins/pulumi-resource-kubernetes-v1.1.1-darwin-amd64.tar.gz
ripe-kite-37642
06/11/2021, 4:16 PM
+ │ ├─ kubernetes:helm.sh/v3:Chart iaaksuksouthmm13005-cert-manager created
+ │ │ ├─ kubernetes:core/v1:ServiceAccount nginx-ingress/iaaksuksouthmm13005-cert-manager-cainjector created
+ │ │ ├─ kubernetes:core/v1:ServiceAccount nginx-ingress/iaaksuksouthmm13005-cert-manager created
+ │ │ ├─ kubernetes:core/v1:Service nginx-ingress/iaaksuksouthmm13005-cert-manager **creating failed** 1 error
+ │ │ ├─ kubernetes:core/v1:ServiceAccount nginx-ingress/iaaksuksouthmm13005-cert-manager-webhook created
+ │ │ ├─ kubernetes:core/v1:Service nginx-ingress/iaaksuksouthmm13005-cert-manager-webhook **creating failed** 1 error
+ │ │ ├─ kubernetes:admissionregistration.k8s.io/v1:MutatingWebhookConfiguration iaaksuksouthmm13005-cert-manager-webhook created
+ │ │ ├─ kubernetes:admissionregistration.k8s.io/v1:ValidatingWebhookConfiguration iaaksuksouthmm13005-cert-manager-webhook created
+ │ │ ├─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRole iaaksuksouthmm13005-cert-manager-cainjector created
+ │ │ ├─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRole iaaksuksouthmm13005-cert-manager-controller-issuers created
+ │ │ ├─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRole iaaksuksouthmm13005-cert-manager-controller-clusterissuers created
+ │ │ ├─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRole iaaksuksouthmm13005-cert-manager-controller-certificates created
+ │ │ ├─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRole iaaksuksouthmm13005-cert-manager-controller-orders created
+ │ │ ├─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRole iaaksuksouthmm13005-cert-manager-controller-challenges created
+ │ │ ├─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRole iaaksuksouthmm13005-cert-manager-controller-ingress-shim created
+ │ │ ├─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRole iaaksuksouthmm13005-cert-manager-view created
+ │ │ ├─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRole iaaksuksouthmm13005-cert-manager-edit created
+ │ │ ├─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRole iaaksuksouthmm13005-cert-manager-controller-approve:cert-manager-io created
+ │ │ └─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRole iaaksuksouthmm13005-cert-manager-webhook:subjectaccessreviews created
Those services fail to deploy because it hasn’t deployed the deployments. If I re-run, it will then attempt to do the deployments
straight-cartoon-24485
06/12/2021, 7:23 PM
config.require('kubernetes:context') to ensure only the expected cluster gets modified by Pulumi, but this seems to be scoped to the stack
I want to make sure folks who fork my pulumi program don't mess up their default k8s context, whatever that happens to be on their machines... I'd like them to be explicit about the k8s cluster they want to target
straight-cartoon-24485
06/13/2021, 12:33 AM
worried-city-86458
06/16/2021, 5:34 AM
ripe-shampoo-80285
06/19/2021, 1:52 AM
k8s.io/cluster-autoscaler/<cluster-name>
owned
k8s.io/cluster-autoscaler/enabledTRUE
straight-cartoon-24485
06/20/2021, 5:57 PM
export const getTokenWith = pulumi.interpolate `kubectl get secret/${dashboardServiceAccount.secrets[0].name} -n kube-system -o go-template='{{.data.token | base64decode}}'`
which "works" by returning:
getTokenWith: "kubectl get secret/admin-user-ys16knlv-token-xpqss -n kube-system -o go-template='{{.data.token | base64decode}}'"
which I then copy paste to get what I really need to log into the kubernetes dashboard with a token...
proud-pizza-80589
06/22/2021, 2:43 PM
proud-pizza-80589
06/22/2021, 2:45 PM
ancient-megabyte-79588
06/25/2021, 2:21 PM
alert-mechanic-59024
06/25/2021, 4:03 PM
better-shampoo-48884
06/25/2021, 6:34 PM
better-shampoo-48884
06/25/2021, 6:34 PM