any ideas what is going on?

To summarize this, using .networking ingress, we get this error:

Failed build model due to ingress: waterrecharge/waterrecharge-ingress: none certificate found for host: <http://waterrecharge-pulumi-api-aryeh.tqhosted.com|waterrecharge-pulumi-api-aryeh.tqhosted.com>"

With the release of Pulumi 3.4.0 (which should include https://github.com/pulumi/pulumi/pull/7158), any chance we can get

pulumi-eks

updated as well to handle https://github.com/pulumi/pulumi-eks/issues/566 and https://github.com/pulumi/pulumi-eks/issues/577?

Anyone have any good thoughts on the best way to get istio installed and configured via pulumi at the moment? I feel like istio have doubled down on istioctl, at the same time the helm chart situation isn't exactly optimal..

Hi, Is there a way to update a kubernetes secret into a pulumi program? The secret is generated by a helm chart that is installed by pulumi and the program has to change its secret. It’s actually for ArgoCD.

What’s the best way to resolve this type of issue:

error: pre-step event returned an error: failed to verify snapshot: resource urn:pulumi:ssa-us-west-2::okera-infra-regions::kubernetes:yaml:ConfigFile$kubernetes:core/v1:ServiceAccount::cert-manager/cert-manager-webhook refers to unknown provider urn:pulumi:ssa-us-west-2::okera-infra-regions::pulumi:providers:kubernetes::k8s-ssa-provider::460da6b8-808b-4d03-b8f8-ee2fdc9ec693

I get this during

pulumi up -f

, but same issue with if I do

pulumi refresh

I’ve deleted the EKS cluster that a bunch of my resources were deployed onto and created a new one (this is all with Pulumi in a different project/stack). In the stack that was in charge of those resources, I am trying to do a

pulumi up

, and it created resources on my new cluster just fine, but is failing to delete the old resources since that EKS cluster no longer exists. 1. Is this expected? 2. How should I get out of this situation? The old resources can’t really exist by definition anymore since the EKS cluster is gone.

pulumi refresh

errors out in the same way.

error: no resource plugin 'kubernetes-v1.1.1' found in the workspace or on your $PATH, install the plugin using `pulumi plugin install resource kubernetes v1.1.1`

and by doing so, I get

error: [resource plugin kubernetes-1.1.1] downloading from : 403 HTTP error fetching plugin from <https://get.pulumi.com/releases/plugins/pulumi-resource-kubernetes-v1.1.1-darwin-amd64.tar.gz>

Has anyone faced an issue where the Helm chart for cert-manager doesn’t deploy the Deployment objects on the first try? (Using AKS, Python, latest pulumi & pulumi-kubernetes) - Or more broadly the case where a Helm chart is not deployed in it’s entirety?

+   │        ├─ kubernetes:<http://helm.sh/v3:Chart|helm.sh/v3:Chart>                                                   iaaksuksouthmm13005-cert-manager                                                     created                 
 +   │        │  ├─ kubernetes:core/v1:ServiceAccount                                          nginx-ingress/iaaksuksouthmm13005-cert-manager-cainjector                            created                 
 +   │        │  ├─ kubernetes:core/v1:ServiceAccount                                          nginx-ingress/iaaksuksouthmm13005-cert-manager                                       created                 
 +   │        │  ├─ kubernetes:core/v1:Service                                                 nginx-ingress/iaaksuksouthmm13005-cert-manager                                       **creating failed**     1 error
 +   │        │  ├─ kubernetes:core/v1:ServiceAccount                                          nginx-ingress/iaaksuksouthmm13005-cert-manager-webhook                               created                 
 +   │        │  ├─ kubernetes:core/v1:Service                                                 nginx-ingress/iaaksuksouthmm13005-cert-manager-webhook                               **creating failed**     1 error
 +   │        │  ├─ kubernetes:<http://admissionregistration.k8s.io/v1:MutatingWebhookConfiguration|admissionregistration.k8s.io/v1:MutatingWebhookConfiguration>    iaaksuksouthmm13005-cert-manager-webhook                                             created                 
 +   │        │  ├─ kubernetes:<http://admissionregistration.k8s.io/v1:ValidatingWebhookConfiguration|admissionregistration.k8s.io/v1:ValidatingWebhookConfiguration>  iaaksuksouthmm13005-cert-manager-webhook                                             created                 
 +   │        │  ├─ kubernetes:<http://rbac.authorization.k8s.io/v1:ClusterRole|rbac.authorization.k8s.io/v1:ClusterRole>                        iaaksuksouthmm13005-cert-manager-cainjector                                          created                 
 +   │        │  ├─ kubernetes:<http://rbac.authorization.k8s.io/v1:ClusterRole|rbac.authorization.k8s.io/v1:ClusterRole>                        iaaksuksouthmm13005-cert-manager-controller-issuers                                  created                 
 +   │        │  ├─ kubernetes:<http://rbac.authorization.k8s.io/v1:ClusterRole|rbac.authorization.k8s.io/v1:ClusterRole>                        iaaksuksouthmm13005-cert-manager-controller-clusterissuers                           created                 
 +   │        │  ├─ kubernetes:<http://rbac.authorization.k8s.io/v1:ClusterRole|rbac.authorization.k8s.io/v1:ClusterRole>                        iaaksuksouthmm13005-cert-manager-controller-certificates                             created                 
 +   │        │  ├─ kubernetes:<http://rbac.authorization.k8s.io/v1:ClusterRole|rbac.authorization.k8s.io/v1:ClusterRole>                        iaaksuksouthmm13005-cert-manager-controller-orders                                   created                 
 +   │        │  ├─ kubernetes:<http://rbac.authorization.k8s.io/v1:ClusterRole|rbac.authorization.k8s.io/v1:ClusterRole>                        iaaksuksouthmm13005-cert-manager-controller-challenges                               created                 
 +   │        │  ├─ kubernetes:<http://rbac.authorization.k8s.io/v1:ClusterRole|rbac.authorization.k8s.io/v1:ClusterRole>                        iaaksuksouthmm13005-cert-manager-controller-ingress-shim                             created                 
 +   │        │  ├─ kubernetes:<http://rbac.authorization.k8s.io/v1:ClusterRole|rbac.authorization.k8s.io/v1:ClusterRole>                        iaaksuksouthmm13005-cert-manager-view                                                created                 
 +   │        │  ├─ kubernetes:<http://rbac.authorization.k8s.io/v1:ClusterRole|rbac.authorization.k8s.io/v1:ClusterRole>                        iaaksuksouthmm13005-cert-manager-edit                                                created                 
 +   │        │  ├─ kubernetes:<http://rbac.authorization.k8s.io/v1:ClusterRole|rbac.authorization.k8s.io/v1:ClusterRole>                        iaaksuksouthmm13005-cert-manager-controller-approve:cert-manager-io                  created                 
 +   │        │  └─ kubernetes:<http://rbac.authorization.k8s.io/v1:ClusterRole|rbac.authorization.k8s.io/v1:ClusterRole>                        iaaksuksouthmm13005-cert-manager-webhook:subjectaccessreviews                        created

Those services fail to deploy because it hasn’t deployed the deployments. If I re-run, it will then attempt to do the deployments

How to disable ambient k8s? re: https://www.pulumi.com/docs/intro/cloud-providers/kubernetes/setup/#kubernetes-configuration I'd like to do a

config.require('kubernetes:context')

to ensure only the expected cluster gets modified by Pulumi, but this seems to be scoped to the stack I want to make sure folks who fork my pulumi program don't mess up their default k8s context, whatever that happens to be on their machines... I'd like them to be explicit about the k8s cluster they want to target

Will deleting a stack cascade-delete dependent stacks? Re: https://www.pulumi.com/docs/intro/concepts/stack/#stackreferences It seems it might in the example in the docs, but what if the output isn't a k8s provider kubeconfig? Say, I output an IP address that I use in a dependent stack as configuration for another resource, won't this corrupt my dependent stack's state?

I'm installing the aws load balancer controller via the helm chart. Every time I run update it wants to create-replacement the tls secret.

How do I set managed node group tags for the underlying cluster at the cluster creation time? I'd like to set these 2 tags so cluster autoscaler can auto-discover the node group.

<http://k8s.io/cluster-autoscaler/|k8s.io/cluster-autoscaler/><cluster-name>

owned

<http://k8s.io/cluster-autoscaler/enabledTRUE|k8s.io/cluster-autoscaler/enabledTRUE>

How to access a service account's secret programmatically? Goal is to output the base64 decoded secret as an output variable, and refactor this hack:

export const getTokenWith = pulumi.interpolate `kubectl get secret/${dashboardServiceAccount.secrets[0].name} -n kube-system -o go-template='{{.data.token | base64decode}}'`

which "works" by returning:

getTokenWith: "kubectl get secret/admin-user-ys16knlv-token-xpqss -n kube-system -o go-template='{{.data.token | base64decode}}'"

which I then copy paste to get what I really need to log into the kubernetes dashboard with a token...

Has anyone done Volume Snapshots via Pulumi yet? https://kubernetes.io/docs/concepts/storage/volume-snapshots/

this is related to the following peculiar challenge: I have some statefulsets that need, before they first start, have their volume seeded with 3-400GB of data. (all stateful sets the same data). The best I could do atm is upload this data to S3 and have an init container that uses the aws cli to download this data. But this takes quite some time on start. The data needs to be in the volume as it is a “snapshot” that needs read/write when the main container starts and cannot be write many. So i’m looking to make this blazing fast.

@gorgeous-egg-16927 Hey Levi... Not sure whom else to ask.. but we run into this scenario a lot with our development clusters and was wondering how you felt or what you thought. We use pulumi in separate apps to: 1. Stand up the cluster 2. Install core k8s resources (fluentd, certmanager, nginx/traefik, etc) 3. Install LOB apps Since the clusters are for lower environments we tear them down occassionally. The challenge with this is unless we tear out all of the installed k8s resources first, the pulumi state for all of the k8s resources is never cleared out and we have to go do that manually. Which we understand but it still happens on occasion. Is there a feature or technique present in pulumi where if a "parent stack" is deleted, all child stacks state are automatically cleared out as well?

Hey guys. Currently using the latest versions of pulumi (python sdk) and pulumi-kubernetes, and seeing this: File “/pulumi/projects/venv/lib/python3.9/site-packages/pulumi_kubernetes/apiextensions/v1/CustomResourceDefinition.py”, line 121, in init self._internal_init(resource_name, *args, **kwargs) TypeError: _internal_init() got an unexpected keyword argument ‘status’ I’ve considered modifying the upstream yaml files to remove the offending code, but I’d prefer to either wait for the bug to be resolved, or roll back to an earlier version of pulumi - I believe v2 did not have this issue. Could anyone tell me if they have seen this issue and, if so, how they went about resolving? Alternatively, could someone offer up their requirements.txt file with a list of compatible python library versions? Thanks!

Anyone gotten aliases to work with helm charts? 😉 needing to rename quite a few (really quite a few) things in my program to make it reusable for multiple clusters (i.e. prefixing all names with cluster name) - so need to run through {aliases[{name "oldname"}]} for all my stuff - but it seems the helm things do not inherit the aliases 😕

thinking that the best option would be to create a component resource which is scoped (i.e. named per cluster) and have all the other stuff hang on that.

easier to set the parent as that definetely tracks 😉

aaand of course it doesn't. sigh.

is there a way to interrupt an update (manual timeout early?) often, I realize my mistake while I'm `pulumi up`'ing, but alas, I can't cleanly terminate what's going on as usually that invalidates the stack's state and creates dirtier problems...

there is customTimeouts on the CustomResourceOptions of the kubernetes provider..

https://www.pulumi.com/docs/reference/pkg/nodejs/pulumi/pulumi/#CustomResourceOptions which is opts of https://www.pulumi.com/docs/reference/pkg/kubernetes/provider/

how this might be modifiable at runtime though is a different question..

it's a bit frustrating that k8s helm always takes the pulumi resource name as its name input, all I can do is set a "prefix" and not override that. That means I have to do some string replacement on the variables I can use for component naming so they don't collide in the stack and are able to be created - but the names get horrible when the chart doesn't have a "fullNameOverride" value

I'm trying to add a

taint

to my

eks.ManagedNodeGroup

I see it under

Supporting Types

here . but I am not sure how to access it. am I missing something silly?

I have a kubernetes secret managed by Pulumi (as part of a larger stack). I want to stop managing the secret via Pulumi, is there a way to do that without having Pulumi nuke the secret?

I added Grafana's helm chart using pulumi, and while it works great, every

pulumi up

detects changes in a secret and in an annotation (checksum/secret). How do you use

ignoreChanges

with helm chart's sub resources?