kubernetes
  • v

    victorious-exabyte-70545

    10/29/2021, 6:26 PM
    Does anyone have a working python example of how to create a namespace in kubernetes? I do not know where to put the provider info based on the documentation:
  • m

    modern-city-46733

    10/30/2021, 3:31 PM
    What’s the current best practice for handling kubectl commands that just don’t convert to Pulumi yet? (for example Helm Chart deploys with hooks)
  • c

    colossal-car-2729

    11/02/2021, 1:34 PM
    hey, I'm getting the following after changing an image field in containers with pulumi preview --diff
    ~ kubernetes:apps/v1:Deployment: (update)
            [id=default/selfservice-s99yer46]
            ...
          ~ spec: {
              ~ template: {
                  ~ spec: {
                      ~ containers: [
                          ~ [0]: {
                                }
                            [1]: <null>
                          ~ [2]: {
                                }
                        ]
                    }
                }
            }
    how can pulumi show the actual image diff?
  • a

    average-market-57523

    11/02/2021, 6:04 PM
    I wanted to use an api in my k8s config like monitoring.coreos.com/v1, the solution would be to write it as a yaml file and use yaml.configFile but i also want to insert some variables into it.... how would i approach this?
  • s

    salmon-raincoat-19475

    11/02/2021, 7:02 PM
    I'm trying to save my kubeconfig out to an S3 bucket so other team members have access to it...it doesn't seem like there are resources on this/perhaps discouraged? I did see https://github.com/pulumi/pulumi-kubernetes/issues/1032 and read the Output class in Python - which seems to suggest that it needs to stay in the Output type so that Pulumi objects are realized.... Is there a different approach I should be taking? Thanks!
  • f

    future-window-78560

    11/02/2021, 7:07 PM
    Hey! Any idea on how to deal with this issue.
  • q

    quiet-leather-94755

    11/05/2021, 12:57 PM
    While setting up an AWS EKS cluster, I've tried using https://www.pulumi.com/blog/full-access-to-helm-features-through-new-helm-release-resource-for-kubernetes/ to install the aws-load-balancer-controller, but it doesn't seem to pass values properly.. I'm trying to override image.repository to use a repo in eu-west-1, but it's still using the default us-west-2 region (and failing to pull images).. Any ideas? Possibly a bug, or am I just not passing the value in the right way?
  • s

    square-coat-62279

    11/07/2021, 10:13 AM
    hi all, I am referring to k8s.core.v1.secret, regarding data field, can the key and value be variables? Another thing is the input secret.value, this should be a const from another resource instead of a string, I supposed I need to remove the double quotes before parsing to the secret class? here's my code:
    if(helmConfigs.secret){
         let k8sSecret = new k8s.core.v1.Secret(${helmConfigs.secret.name}, {
            metadata: {
              name: helmConfigs.secret.name,
              namespace: helmConfigs.namespace
            },
          data: {
            helmConfigs.secret.key: helmConfigs.secret.value
          }
          });
        }
    input:
    helm: {
    "cert-manager": {
          namespace: "cert-manager",
          version: "v1.5.3",
          repo: "https://charts.jetstack.io",
          chart: "cert-manager",
          values: require(`./google/helm_values/cert_manager`),
         secret: {}
        },
        "external-dns-public": {
          namespace: "external-dns",
          version: "3.1.1",
          repo: "https://charts.bitnami.com/bitnami",
          chart: "external-dns",
          values: require(`./google/helm_values/external_dns_public`),
         secret: {
             name: "external-dns-public",
             key: "credentials.json",
             value: "dnskey.privateKey"
         }
        }
      }
  • b

    brainy-appointment-20633

    11/07/2021, 8:29 PM
    Hi guys, I just started my job in a company and person who worked before used Pulumi and typescript to automate infrastructure in EKS. He configured 5 EKS clusters and when I try to add a resource under stack path, it is getting deployed into those 5 clusters. I am not able to figure out how to deploy the resource in single cluster. Can some one please guide me, thanks a lot in advance. I have attached the folder structure. Stack name and stack path are defined in a yaml file to deploy infrastructure using github actions.
  • b

    broad-helmet-79436

    11/08/2021, 10:19 AM
    Hi there! 👋 I’m trying to import a StatefulSet into my stack, and the differ and/or preview are acting really weird: They’re somehow showing data from the very first version of the StatefulSet, even though the StatefulSet has been edited several times using kubectl edit. My StatefulSet is called prometheus-grafana, and runs in a namespace called monitoring. The Kubernetes cluster runs in GCP on version 1.20.10-gke.1600. kubectl tells me a few things (of particular interest, that the apiVersion is apps/v1):
    $ kubectl get statefulset --context dev -n monitoring prometheus-grafana -o json
    {
        "apiVersion": "apps/v1",
        "kind": "StatefulSet",
        […]
    }
    when I try to import the resource with Pulumi, however, the preview shows me some really old data:
    // index.ts
    new kubernetes.apps.v1.StatefulSet(
      'prometheus-grafana',
      {},
      { import: 'monitoring/prometheus-grafana', provider: kubernetesProvider }
    );
    $ pulumi preview --stack dev --diff
    
    […]
    
     =   ├─ kubernetes:apps/v1:StatefulSet  prometheus-grafana  import     [diff: -spec~apiVersion,metadata]; 1 warni
        = kubernetes:apps/v1:StatefulSet: (import)
            [id=monitoring/prometheus-grafana]
            [urn=urn:pulumi:dev::folio::kubernetes:apps/v1:StatefulSet::prometheus-grafana]
    
    […]
        [provider=urn:pulumi:dev::folio::pulumi:providers:kubernetes::kubernetes_provider::a326d7af-28d0-4aa9-b5e1-7017e0244985]
          ~ apiVersion: "apps/v1beta2" => "apps/v1"
          […]
    This is especially surprising because I’m using new kubernetes.apps.v1.StatefulSet(…), which I believe shouldn’t see anything with apiVersion apps/v1beta2. From the looks of it, the Pulumi preview shows me the very first version of the statefulset that was deployed three years ago: I’ve also modified one of the containers to add an environment variable, and updated the Docker image multiple times using kubectl edit. I figured that was really weird, so I decided to log the imported StatefulSet to see if it’s somehow an issue with the diffing and/or preview:
    const statefulSet = new kubernetes.apps.v1.StatefulSet(
      'prometheus-grafana',
      {},
      { import: 'monitoring/prometheus-grafana', provider: kubernetesProvider }
    );
    
    statefulSet.apiVersion.apply(apiVersion =>
      console.log({ apiVersion })
    );
    $ pulumi up --stack dev
    
    […]
    
    Diagnostics:
      pulumi:pulumi:Stack (folio-dev):
        { apiVersion: 'apps/v1' }
    I double-checked that this code is indeed printing the imported resource by logging the metadata and containers as well. It sure seems to me like the code is doing what I intended. On a related note, I also see the correct data with this code:
    const res = kubernetes.apps.v1.StatefulSet.get(
      'p-g',
      'monitoring/prometheus-grafana',
      { provider: kubernetesProvider }
    );
    
    res.apiVersion.apply(apiVersion => console.log({ apiVersion }));
    If I’m right so far, I believe it means that the imported resource has its apiVersion set to apps/v1, but the Pulumi resource differ and/or preview for some reason believe they’re working with the Very First Version of the StatefulSet that was deployed in 2018. I know that the Kubernetes API does some caching, particularly on requests to watch a resource, by checking the resourceVersion property on the objects. I verified that the StatefulSet’s resourceVersion gets updated when I change the container spec’s image with kubectl edit, though. I have no idea if it matters, but the StatefulSet was deployed by Cloud Marketplace (https://console.cloud.google.com/marketplace/product/google/prometheus), which means it has some ownerReferences set. Still, I don’t really see that triggering this behaviour, since my diagnostics/logs show that Pulumi has the correct data to work with. I’ve put quite a few hours into debugging this, and now I’m at a complete loss. Am I missing something obvious? 😅
  • s

    sparse-spring-91820

    11/09/2021, 9:42 AM
    Hello 👋 I am stuck with setting up SSL certificate for the ingress controller. I created a certificate for my domain and completed the DNS challenge using ACM. What I'm trying now is to use that created certificate for my nginx-ingress controller but I can't make it work. This is my code:
    const nginx = new k8s.helm.v3.Chart('nginx',
        {
            namespace,
            chart: 'nginx-ingress',
            version: '1.24.4',
            fetchOpts: { repo: 'https://charts.helm.sh/stable/' },
            values: {
              controller: {
                annotations: {
                  'service.beta.kubernetes.io/aws-load-balancer-ssl-cert': 'arn:aws:acm:us-east-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
                  'service.beta.kubernetes.io/aws-load-balancer-type': 'alb',
                  'service.beta.kubernetes.io/aws-load-balancer-backend-protocol': 'http',
                  'service.beta.kubernetes.io/aws-load-balancer-ssl-ports': 'https'
                },
                publishService: { enabled: true }
              }
            }
        },
        { providers: { kubernetes: options.provider } }
    );
    I tried a lot of variations but none of them worked for me. I end up getting error:
    400 Bad Request "Play HTTP request was sent to HTTPS port"
    or another case, I get auto-generated Kubernetes Ingress Controller Fake Certificate which shows me Not secure flag in the browser because that certificate is not signed by authority that browser trusts. Has anyone else set nginx-ingress working with certificate generated by ACM?
  • l

    limited-rainbow-51650

    11/09/2021, 11:13 AM
    Does anyone have a small Typescript example on how to correctly add an environment variable to a container in a Deployment using a transformation? I seem to fail on setting it the correct way.
  • c

    colossal-car-2729

    11/09/2021, 3:37 PM
    hey I'm having some issues with k8s.helm.v3.chart when switching from LocalChartOpts to ChartOpts (so instead of using a chart in a local repository using some upstream repo). In my values.yaml is a line like this:
    {{ .Files.Get "files/fluentd-prometheus.conf" | indent 4 }}
    The file is read with LocalChartOpts but is just empty with ChartOpts. I assume the working directory with ChartOpts is neither where pulumi up is executed nor where the values.yaml file is located. Any idea on this?
  • m

    modern-city-46733

    11/09/2021, 5:06 PM
    Here’s an odd one, getting this error, but the release referenced doesn’t exist:
    Error: rendered manifests contain a resource that already exists. Unable to continue with install: MutatingWebhookConfiguration "aws-load-balancer-webhook" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "aws-load-balancer-controller": current value is "release-xxxxx"
  • w

    witty-belgium-75866

    11/11/2021, 10:50 AM
    Hi, I'm using the Helm provider in order to install the aws-load-balancer-controller chart on my EKS cluster, by using pulumi (Python). The installation goes well, but every time I'm executing pulumi up or pulumi preview, some of its resources are being changed: it's very unnecessary and time consuming. anybody encountered that? thx!
  • b

    big-potato-91793

    11/11/2021, 9:00 PM
    Hello 🙂, I’m doing a migration of our internal package for deploying an ingress. Since, ingress spec will be deprecated at the k8s version 1.22. I was doing some testing. I’m always getting that error the first time I run the pulumi deployment.
    Diagnostics:
      kubernetes:networking.k8s.io/v1:Ingress (ingress-name):
        error: 1 error occurred:
        	* the Kubernetes API server reported that "namespace/ingress-name" failed to fully initialize or become live: Ingress.extensions "ingress-name" is invalid: spec.rules[0].http.paths[0].backend: Invalid value: "": resource or service backend is required
    If I rerun my pipeline, everything passes without any problem. Any idea?
  • n

    nutritious-petabyte-61303

    11/12/2021, 2:25 AM
    Is it normal that pulumi does not clean up after itself if it fails a deployment?
  • n

    nutritious-petabyte-61303

    11/12/2021, 2:25 AM
    A somewhat common example is having a deployment's readiness check fail, which causes its deployment to fail (as pulumi waits for it to become ready)
  • n

    nutritious-petabyte-61303

    11/12/2021, 2:26 AM
    however, pulumi just goes "alright, deployment failed"
  • n

    nutritious-petabyte-61303

    11/12/2021, 2:26 AM
    and leaves the failed deployment resources in the cluster
  • n

    nutritious-petabyte-61303

    11/12/2021, 2:26 AM
    instead of cleaning it up
  • n

    nutritious-petabyte-61303

    11/12/2021, 2:26 AM
    is there any way to make pulumi do that cleanup?
  • n

    nutritious-petabyte-61303

    11/12/2021, 2:26 AM
    or possibly even just not wait for the deployment to become ready?
  • n

    nutritious-petabyte-61303

    11/12/2021, 2:27 AM
    it's not like it doesn't get applied if it doesn't get ready, it's already in the k8s state, so it's somewhat pointless to wait for it to become ready before updating pulumi's state
  • n

    nutritious-petabyte-61303

    11/12/2021, 2:28 AM
    I think waiting for the deployment is fine, but it should also update it to the state even if it fails
  • m

    mammoth-honey-6147

    11/12/2021, 2:23 PM
    I'm generating a cert from a Pulumi deployed cert-manager instance by implementing a custom resource, ie:
    Certificate, err := apiextensions.NewCustomResource(ctx, "cert", &apiextensions.CustomResourceArgs{
                      // Various fields, etc
    })
    Which works perfectly fine - However, I need to effectively "wait" until the cert is in ready state - I'm using a DNS challenge method so it can take ~60-90 seconds. I have another app that references the cert that's generated via the corresponding secret, which, I believe, isn't in a fully formed state as the app reads the secret before the entire chain is fully complete. Therefore, how can I facilitate this wait in my code? I could do this by inspecting the status field of the API object but it looks like I can't do that with the current SDK
  • q

    quick-television-97606

    11/12/2021, 11:25 PM
    silly question, I tried the pulumi k8s quick start, and it says it deployed I guess a k8s cluster with nginx. but I don't see the cluster in the aws console. I've checked all the accounts in my aws config file that it could have used and regions, and don't see it, and in the pulumi console I don't see where the resources were made, just that they exist. any ideas? 🙂
  • n

    nutritious-petabyte-61303

    11/15/2021, 3:49 PM
    does pulumi wait for k8s jobs to finish instead of just launching them?
  • n

    nutritious-petabyte-61303

    11/15/2021, 3:49 PM
    both make sense in different scenarios but I'm not really sure which one is the default behavior or how can one control it
  • g

    glamorous-australia-21342

    11/16/2021, 12:45 AM
    could someone help me understand how pulumi updates the kubeconfig on EKS? my colleagues and my CI are having a heck of a time authenticating. Right now my CI is having configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials. We have a role that is defined in pulumi rolemappings for the cluster and I can confirm the IAM role is in aws-auth configmap. Anyone can auth to the cluster with k9s or kubectl using this role, but if anyone tries to do pulumi commands we get this auth error above. I can do anything because I created the cluster I guess. I even tried using a different test account and have no issues, but my colleagues and my CI is broken. I am not using a providercredentialopts so pulumi is using whatever profile is in the default profile.
b

brave-ambulance-98491

11/16/2021, 1:08 AM
Did you set creationRoleProvider when you created the cluster? I ran into this issue when I first set up EKS and my solution was to use this parameter with a shared admin role. If you don't do this, the cluster is created with whatever your current AWS credentials are.
g

glamorous-australia-21342

11/16/2021, 5:21 PM
no i did not how interesting
if i already created the cluster without it what can i do now?
we had another cluster we had this problem with but using the rolemapping auth works fine
b

brave-ambulance-98491

11/16/2021, 5:28 PM
I might've fixed this by editing my state file directly, but you also might be able to fix by just setting creationRoleProvider and updating the program.
g

glamorous-australia-21342

11/16/2021, 6:29 PM
interesting