Does anyone know how to access the Status of a CustomResource in Pulumi?

I’m using Knative and trying to obtain the external URL generated (in Status) once a knative service is created using Pulumi’s CustomResource

I’m wondering about something to improve our CI build and deploy speeds. Rigth now we are building a bunch of docker images (outside of pulumi) and tagging them with both the branch name and the sha of the git repo. By using registry caching in buildx this is as optimal as it can be. But we can also only build the containers that are changed, which is much faster, but then i have a deployment (with pulumi) problem. I now pass in an env var with the current SHA and use that throughout the deploy, updating the deployments on k8s. Using the branch name this would not do anything since the cluster already has the image. So i’m looking for a way to get the latest sha in the github container registry for a branch tagged container in pulumi to use that instead of the git sha. Using the docker provider’s getRegistryImage i thought i was going to get there, but i can’t get it to be authenticated to ghcr. Ahs anyone done something like this before?

I’m currently working on fetching pulumi

secret

from stack, and generating kubernetes manifest from it (e.g. environment variable). But it doesn’t seem to be replaced into string value. I’m aware of that the return value of

require_secret

is

Output[T]

but having some passthrough

apply(lambda val: val)

doesn’t work. I think the main problem is that

secret

object is not a direct argument of subsequent resource. Any kind of piece of advice would be very appreciated

Hi Guys, I’m using a

azure-native.containerservice

lib to create AKS cluster and I also would like deploy k8s RBAC objects with

kubernetes

lib. I have something like:

# Creating AKS
const cluster = new containerservice.ManagedCluster(...)

# Getting a kubectlconfig
const creds = pulumi.all([cluster.name, resourceGroup.name]).apply(([clusterName, rgName]) => {
  return containerservice.listManagedClusterUserCredentials({
      resourceGroupName: rgName,
      resourceName: clusterName,
  });
});
const encoded = creds.kubeconfigs[0].value;
const kubeconfig = encoded.apply(enc => Buffer.from(enc, "base64").toString());

# Creating provider
const aksProvider = new k8s.Provider("aks", {
  kubeconfig: kubeconfig
})

# And deploying a role
const devsGroupRole = new k8s.rbac.v1.Role("pulumi-devs",{...})

When run it locally with

pulumi up

I got auth request:

To sign in, use a web browser to open the page <https://microsoft.com/devicelogin>".

Am I missing something?

Hi everyone! I currently have Kubernetes setup in a stack (call it kubernetes stack) and i need to reference the provider in kubernetes stack from another stack (call the second stack meta-stack). Also to add, I don't want to export

cluster.KubeConfig

as I don't want its value to be printed to the command line. I just need to make the provider in

meta-stack

call from

kubernetes stack

Hi all, I am trying to add EC2 root volume encryption for EKS nodes created by eks.ManagedNodeGroup. The below does not work. Perhaps someone here knows the trick? https://www.pulumi.com/registry/packages/eks/api-doc Thanks for your help.

cluster:eks.Cluster = eks.Cluster(f"{cluster_name}-cluster",
        name=cluster_name,
        ....
        node_group_options=eks.ClusterNodeGroupOptionsArgs(
            cloud_formation_tags={
                "Name": "EKS Worker Node"
            },
            encrypt_root_block_device=True,
        ),
        ...
    )   

    eks.ManagedNodeGroup(f"{cluster_name}-node-group-" + str(i),
            cluster=cluster.core,
            node_group_name=f"{cluster_name}-managed-node-group-" + str(i),
            ....
        ))

Hi all, What is the best way to patch an existing deployment with pulumi? for example, I want to 'translate' the following

kubectl

command to python-pulumi:

coredns

:

kubectl patch deployment coredns \
    -n kube-system \
    --type json \
    -p='[{"op": "remove", "path": "/spec/template/metadata/annotations/eks.amazonaws.com~1compute-type"}]'

thanks!

Hi all, please how can I added a new node to an existing cluster using the Pulumi typescript library

I am having a really strange issue trying to create eks. The code used to work well, but now failed with a weird dependency refers to missing resource issue:

This can happen for different resource creations:

This is when I retry "pulumi up"

It is kind of strange why it try to create a new aws provider (default_4_9_1), I think it should already have a aws provider "default".

Here is the code snippet for creating the EKS. Really not much to it and it worked before. Maybe an issue in newer version of pulumi release?

Does anyone have a working python example of how to create a namespace in kubernetes? I do not know where to put the provider info based on the documentation:

What’s the current best practice for handling

kubectl

commands that just don’t convert to Pulumi yet? (for example Helm Chart deploys with hooks)

hey, im getting the following after changing an

image

field in containers with

pulumi preview --diff

~ kubernetes:apps/v1:Deployment: (update)
        [id=default/selfservice-s99yer46]
        ...
      ~ spec: {
          ~ template: {
              ~ spec: {
                  ~ containers: [
                      ~ [0]: {
                            }
                        [1]: <null>
                      ~ [2]: {
                            }
                    ]
                }
            }
        }

how can pulumi show the actual image diff?

I wanted to use an api in my k8s config like monitoring.coreos.com/v1, the solution would be to write it as a yaml file and use yaml.configFile but i also want to insert some variables into it.... how would i approach this?

I'm trying to save my kubeconfig out to an S3 bucket so other team members have access to it...it doesn't seem like there are resources on this/perhaps discouraged? I did see https://github.com/pulumi/pulumi-kubernetes/issues/1032 and read the

Output

class in Python - which seems to suggest that it needs to stay in the

Output

type so that Pulumi objects are realized.... Is there a different approach I should be taking? Thanks!

Hey! Any idea on how to deal with this issue.

While setting up an AWS EKS cluster, I've tried using https://www.pulumi.com/blog/full-access-to-helm-features-through-new-helm-release-resource-for-kubernetes/ to install the

aws-load-balancer-controller

, but it doesn't seem to pass values properly.. I'm trying to override

image.repository

to use a repo in eu-west-1, but it's still using the default us-west-2 region (and failing to pull images).. Any ideas? Possibly a bug, or am I just not passing the value in the right way?

hi all, I am referring to k8s.core.v1.secret, regarding data field, can the key and value be variables? Another thing is the input secert.value, this should be a const from another resource instead of a string, I supposed I need to remove the double quotes before parsing to the secret class? here's my code:

if(helmConfigs.secret){
     let k8sSecret = new k8s.core.v1.Secret(${helmConfigs.secret.name}, {
        metadata: {
          name: helmConfigs.secret.name,
          namespace: helmConfigs.namespace
        },
      data: {
        helmConfigs.secret.key: helmConfigs.secret.value
      }
      });
    }

input:

helm: {
"cert-manager": {
      namespace: "cert-manager",
      version: "v1.5.3",
      repo: "<https://charts.jetstack.io>",
      chart: "cert-manager",
      values: require(`./google/helm_values/cert_manager`),
     secret: {}
    },
    "external-dns-public": {
      namespace: "external-dns",
      version: "3.1.1",
      repo: "<https://charts.bitnami.com/bitnami>",
      chart: "external-dns",
      values: require(`./google/helm_values/external_dns_public`),
     secret: {
         name: "external-dns-public"
         key: "credentials.json"
         value: "dnskey.privateKey"
     }
    }    
  }

Hi guys, I just started my job in a company and person who worked before used Pulumi and typescript to automate infrastructure in EKS. He configured 5 EKS clusters and when I try to add a resource under stack path, it is getting deployed into those 5 clusters. I am not able to figure out how to deploy the resource in single cluster. Can some one please guide me, thanks a lot in advance. I have attached the folder structure. Stack name and stack path are defined in a yaml file to deploy infrastructure using github actions.

Hi there! 👋 I’m trying to import a StatefulSet into my stack, and the differ and/or preview are acting really weird: They’re somehow showing data from the very first version of the StatefulSet, even though the StatefulSet has been edited several times using

kubectl edit

. My StatefulSet is called

prometheus-grafana

, and runs in a namespace called

monitoring

. The Kubernetes cluster runs in GCP on version 1.20.10-gke.1600.

kubectl

tells me a few things (of particular interest, that the

apiVersion

is

apps/v1

):

$ kubectl get statefulset --context dev -n monitoring prometheus-grafana -o json
{
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    […]
}

when I try to import the resource with Pulumi, however, the preview shows me some really old data:

// index.ts
new kubernetes.apps.v1.StatefulSet(
  'prometheus-grafana',
  {},
  { import: 'monitoring/prometheus-grafana', provider: kubernetesProvider }
);

$ pulumi preview --stack dev --diff

[…]

 =   ├─ kubernetes:apps/v1:StatefulSet  prometheus-grafana  import     [diff: -spec~apiVersion,metadata]; 1 warni
    = kubernetes:apps/v1:StatefulSet: (import)
        [id=monitoring/prometheus-grafana]
        [urn=urn:pulumi:dev::folio::kubernetes:apps/v1:StatefulSet::prometheus-grafana]

[…]
    [provider=urn:pulumi:dev::folio::pulumi:providers:kubernetes::kubernetes_provider::a326d7af-28d0-4aa9-b5e1-7017e0244985]
      ~ apiVersion: "apps/v1beta2" => "apps/v1"
      […]

This is especially surprising because I’m using

new kubernetes.apps.v1.StatefulSet(…)

, which I believe shouldn’t see anything with

apiVersion

apps/v1beta2

. From the looks of it, the Pulumi preview shows me the very first version of the statefulset that was deployed three years ago: I’ve also modified one of the containers to add an environment variable, and updated the Docker image multiple times using

kubectl edit

. I figured that was really weird, so I decided to log the imported StatefulSet to see if it’s somehow an issue with the diffing and/or preview:

const statefulSet = new kubernetes.apps.v1.StatefulSet(
  'prometheus-grafana',
  {},
  { import: 'monitoring/prometheus-grafana', provider: kubernetesProvider }
);

statefulSet.apiVersion.apply(apiVersion =>
  console.log({ apiVersion })
);

$ pulumi up --stack dev

[…]

Diagnostics:
  pulumi:pulumi:Stack (folio-dev):
    { apiVersion: 'apps/v1' }

I double-checked that this code is indeed printing the imported resource by logging the

metadata

and containers as well. It sure seems to me like the code is doing what I intended. On a related note, I also see the correct data with this code:

const res = kubernetes.apps.v1.StatefulSet.get(
  'p-g',
  'monitoring/prometheus-grafana',
  { provider: kubernetesProvider }
);

res.apiVersion.apply(apiVersion => console.log({ apiVersion }));

If I’m right so far, I believe it means that the imported resource has its

apiVersion

set to

apps/v1

, but the Pulumi resource differ and/or preview for some reason believe they’re working with the Very First Version of the StatefulSet that was deployed in 2018. I know that the Kubernetes API does some caching, particularly on requests to

watch

a resource, by checking the

resourceVersion

property on the objects. I verified that the StatefulSet’s

resourceVersion

gets updated when I change the container spec’s

image

with

kubectl edit

, though. I have no idea if it matters, but the StatefulSet was deployed by Cloud Marketplace (https://console.cloud.google.com/marketplace/product/google/prometheus), which means it has some

ownerReferences

set. Still, I don’t really see that triggering this behaviour, since my diagnostics/logs show that Pulumi has the correct data to work with. I’ve put quite a few hours into debugging this, and now I’m at a complete loss. Am I missing something obvious? 😅

Hello 👋 I am stuck with setting up SSL certificate for the ingress controller. I created a certificate for my domain and completed the DNS challenge using ACM. What I'm trying now is to use that created certificate for my nginx-ingress controller but I can't make it work. This is my code:

const nginx = new k8s.helm.v3.Chart('nginx',
    {
        namespace,
        chart: 'nginx-ingress',
        version: '1.24.4',
        fetchOpts: { repo: '<https://charts.helm.sh/stable/>' },
        values: {
          controller: {
            annotations: {
              '<http://service.beta.kubernetes.io/aws-load-balancer-ssl-cert|service.beta.kubernetes.io/aws-load-balancer-ssl-cert>': 'arn:aws:acm:us-east-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
              '<http://service.beta.kubernetes.io/aws-load-balancer-type|service.beta.kubernetes.io/aws-load-balancer-type>': 'alb',
              '<http://service.beta.kubernetes.io/aws-load-balancer-backend-protocol|service.beta.kubernetes.io/aws-load-balancer-backend-protocol>': 'http',
              '<http://service.beta.kubernetes.io/aws-load-balancer-ssl-ports|service.beta.kubernetes.io/aws-load-balancer-ssl-ports>': 'https'
            },
            publishService: { enabled: true }
          }
        }
    },
    { providers: { kubernetes: options.provider } }
);

I tried a lot of variations but none of them worked for me. I end up getting error:

400 Bad Request "Play HTTP request was sent to HTTPS port"

or another case, I get auto-generated

Kubernetes Ingress Controller Fake Certificate

which shows me

Not secure

flag in the browser because that certificate is not signed by authority that browser trusts. Has anyone else set nginx-ingress working with certificate generated by ACM?

Does anyone have a small Typescript example on how correctly add an environment variable to a container in a

Deployment

using a transformation? I seem to fail on setting it the correct way.