Does anyone have a working python example of how to create a namespace in kubernetes? I do not know where to put the provider info based on the documentation:

What’s the current best practice for handling

kubectl

commands that just don’t convert to Pulumi yet? (for example Helm Chart deploys with hooks)

hey, im getting the following after changing an

image

field in containers with

pulumi preview --diff

~ kubernetes:apps/v1:Deployment: (update)
        [id=default/selfservice-s99yer46]
        ...
      ~ spec: {
          ~ template: {
              ~ spec: {
                  ~ containers: [
                      ~ [0]: {
                            }
                        [1]: <null>
                      ~ [2]: {
                            }
                    ]
                }
            }
        }

how can pulumi show the actual image diff?

I wanted to use an api in my k8s config like monitoring.coreos.com/v1, the solution would be to write it as a yaml file and use yaml.configFile but i also want to insert some variables into it.... how would i approach this?

I'm trying to save my kubeconfig out to an S3 bucket so other team members have access to it...it doesn't seem like there are resources on this/perhaps discouraged? I did see https://github.com/pulumi/pulumi-kubernetes/issues/1032 and read the

Output

class in Python - which seems to suggest that it needs to stay in the

Output

type so that Pulumi objects are realized.... Is there a different approach I should be taking? Thanks!

Hey! Any idea on how to deal with this issue.

While setting up an AWS EKS cluster, I've tried using https://www.pulumi.com/blog/full-access-to-helm-features-through-new-helm-release-resource-for-kubernetes/ to install the

aws-load-balancer-controller

, but it doesn't seem to pass values properly.. I'm trying to override

image.repository

to use a repo in eu-west-1, but it's still using the default us-west-2 region (and failing to pull images).. Any ideas? Possibly a bug, or am I just not passing the value in the right way?

hi all, I am referring to k8s.core.v1.secret, regarding data field, can the key and value be variables? Another thing is the input secert.value, this should be a const from another resource instead of a string, I supposed I need to remove the double quotes before parsing to the secret class? here's my code:

if(helmConfigs.secret){
     let k8sSecret = new k8s.core.v1.Secret(${helmConfigs.secret.name}, {
        metadata: {
          name: helmConfigs.secret.name,
          namespace: helmConfigs.namespace
        },
      data: {
        helmConfigs.secret.key: helmConfigs.secret.value
      }
      });
    }

input:

helm: {
"cert-manager": {
      namespace: "cert-manager",
      version: "v1.5.3",
      repo: "<https://charts.jetstack.io>",
      chart: "cert-manager",
      values: require(`./google/helm_values/cert_manager`),
     secret: {}
    },
    "external-dns-public": {
      namespace: "external-dns",
      version: "3.1.1",
      repo: "<https://charts.bitnami.com/bitnami>",
      chart: "external-dns",
      values: require(`./google/helm_values/external_dns_public`),
     secret: {
         name: "external-dns-public"
         key: "credentials.json"
         value: "dnskey.privateKey"
     }
    }    
  }

Hi guys, I just started my job in a company and person who worked before used Pulumi and typescript to automate infrastructure in EKS. He configured 5 EKS clusters and when I try to add a resource under stack path, it is getting deployed into those 5 clusters. I am not able to figure out how to deploy the resource in single cluster. Can some one please guide me, thanks a lot in advance. I have attached the folder structure. Stack name and stack path are defined in a yaml file to deploy infrastructure using github actions.

Hi there! 👋 I’m trying to import a StatefulSet into my stack, and the differ and/or preview are acting really weird: They’re somehow showing data from the very first version of the StatefulSet, even though the StatefulSet has been edited several times using

kubectl edit

. My StatefulSet is called

prometheus-grafana

, and runs in a namespace called

monitoring

. The Kubernetes cluster runs in GCP on version 1.20.10-gke.1600.

kubectl

tells me a few things (of particular interest, that the

apiVersion

is

apps/v1

):

$ kubectl get statefulset --context dev -n monitoring prometheus-grafana -o json
{
    "apiVersion": "apps/v1",
    "kind": "StatefulSet",
    […]
}

when I try to import the resource with Pulumi, however, the preview shows me some really old data:

// index.ts
new kubernetes.apps.v1.StatefulSet(
  'prometheus-grafana',
  {},
  { import: 'monitoring/prometheus-grafana', provider: kubernetesProvider }
);

$ pulumi preview --stack dev --diff

[…]

 =   ├─ kubernetes:apps/v1:StatefulSet  prometheus-grafana  import     [diff: -spec~apiVersion,metadata]; 1 warni
    = kubernetes:apps/v1:StatefulSet: (import)
        [id=monitoring/prometheus-grafana]
        [urn=urn:pulumi:dev::folio::kubernetes:apps/v1:StatefulSet::prometheus-grafana]

[…]
    [provider=urn:pulumi:dev::folio::pulumi:providers:kubernetes::kubernetes_provider::a326d7af-28d0-4aa9-b5e1-7017e0244985]
      ~ apiVersion: "apps/v1beta2" => "apps/v1"
      […]

This is especially surprising because I’m using

new kubernetes.apps.v1.StatefulSet(…)

, which I believe shouldn’t see anything with

apiVersion

apps/v1beta2

. From the looks of it, the Pulumi preview shows me the very first version of the statefulset that was deployed three years ago: I’ve also modified one of the containers to add an environment variable, and updated the Docker image multiple times using

kubectl edit

. I figured that was really weird, so I decided to log the imported StatefulSet to see if it’s somehow an issue with the diffing and/or preview:

const statefulSet = new kubernetes.apps.v1.StatefulSet(
  'prometheus-grafana',
  {},
  { import: 'monitoring/prometheus-grafana', provider: kubernetesProvider }
);

statefulSet.apiVersion.apply(apiVersion =>
  console.log({ apiVersion })
);

$ pulumi up --stack dev

[…]

Diagnostics:
  pulumi:pulumi:Stack (folio-dev):
    { apiVersion: 'apps/v1' }

I double-checked that this code is indeed printing the imported resource by logging the

metadata

and containers as well. It sure seems to me like the code is doing what I intended. On a related note, I also see the correct data with this code:

const res = kubernetes.apps.v1.StatefulSet.get(
  'p-g',
  'monitoring/prometheus-grafana',
  { provider: kubernetesProvider }
);

res.apiVersion.apply(apiVersion => console.log({ apiVersion }));

If I’m right so far, I believe it means that the imported resource has its

apiVersion

set to

apps/v1

, but the Pulumi resource differ and/or preview for some reason believe they’re working with the Very First Version of the StatefulSet that was deployed in 2018. I know that the Kubernetes API does some caching, particularly on requests to

watch

a resource, by checking the

resourceVersion

property on the objects. I verified that the StatefulSet’s

resourceVersion

gets updated when I change the container spec’s

image

with

kubectl edit

, though. I have no idea if it matters, but the StatefulSet was deployed by Cloud Marketplace (https://console.cloud.google.com/marketplace/product/google/prometheus), which means it has some

ownerReferences

set. Still, I don’t really see that triggering this behaviour, since my diagnostics/logs show that Pulumi has the correct data to work with. I’ve put quite a few hours into debugging this, and now I’m at a complete loss. Am I missing something obvious? 😅

Hello 👋 I am stuck with setting up SSL certificate for the ingress controller. I created a certificate for my domain and completed the DNS challenge using ACM. What I'm trying now is to use that created certificate for my nginx-ingress controller but I can't make it work. This is my code:

const nginx = new k8s.helm.v3.Chart('nginx',
    {
        namespace,
        chart: 'nginx-ingress',
        version: '1.24.4',
        fetchOpts: { repo: '<https://charts.helm.sh/stable/>' },
        values: {
          controller: {
            annotations: {
              '<http://service.beta.kubernetes.io/aws-load-balancer-ssl-cert|service.beta.kubernetes.io/aws-load-balancer-ssl-cert>': 'arn:aws:acm:us-east-1:XXXXXXXXXXXX:certificate/XXXXXXXXXXXXXXXXXXXXXXXXXXXXX',
              '<http://service.beta.kubernetes.io/aws-load-balancer-type|service.beta.kubernetes.io/aws-load-balancer-type>': 'alb',
              '<http://service.beta.kubernetes.io/aws-load-balancer-backend-protocol|service.beta.kubernetes.io/aws-load-balancer-backend-protocol>': 'http',
              '<http://service.beta.kubernetes.io/aws-load-balancer-ssl-ports|service.beta.kubernetes.io/aws-load-balancer-ssl-ports>': 'https'
            },
            publishService: { enabled: true }
          }
        }
    },
    { providers: { kubernetes: options.provider } }
);

I tried a lot of variations but none of them worked for me. I end up getting error:

400 Bad Request "Play HTTP request was sent to HTTPS port"

or another case, I get auto-generated

Kubernetes Ingress Controller Fake Certificate

which shows me

Not secure

flag in the browser because that certificate is not signed by authority that browser trusts. Has anyone else set nginx-ingress working with certificate generated by ACM?

Does anyone have a small Typescript example on how correctly add an environment variable to a container in a

Deployment

using a transformation? I seem to fail on setting it the correct way.

hey im having some issues with

k8s.helm.v3.chart

when switching from

LocalChartOpts

to

ChartOpts

(so instead of using a chart in a local repository using some upstream repo). In my values.yaml is a line like this:

{{ .Files.Get “files/fluentd-prometheus.conf” | indent 4 }}

The file is read with

LocalChartOpts

but is just empty with

ChartOpts

. I assume the working directory with

ChartOpts

is neither where

pulumi up

is executed nor where the values.yaml file is located. Any idea one this?

Here’s an odd one, getting this error, but the release referenced doesn’t exist:

Error: rendered manifests contain a resource that already exists. Unable to continue with install: MutatingWebhookConfiguration "aws-load-balancer-webhook" in namespace "" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "<http://meta.helm.sh/release-name|meta.helm.sh/release-name>" must equal "aws-load-balancer-controller": current value is "release-xxxxx"

Hi, I'm using the Helm provider In order to install the

aws-load-balancer-controller

chart on my EKS cluster, by using pulumi ( Python ). The installation goes well, but every time I'm executing

pulumi up

or

pulumi preview

, some of its resources are being changed: it's very unnecessary and time consuming. anybody encountered that? thx!

Hello 🙂, I’m doing a migration of our internal package for deploying an ingress. Since, ingress spec will be deprecated at the k8s version 1.22. I was doing some testing. I’m always getting that error the first time I run the pulumi deployment.

Diagnostics:
  kubernetes:<http://networking.k8s.io/v1:Ingress|networking.k8s.io/v1:Ingress> (ingress-name):
    error: 1 error occurred:
    	* the Kubernetes API server reported that "namespace/ingress-name" failed to fully initialize or become live: Ingress.extensions "ingress-name" is invalid: spec.rules[0].http.paths[0].backend: Invalid value: "": resource or service backend is required

If, i rerun back my pipeline everything pass without any problem. Any idea?

Is it normal that pulumi does not clean up after itself if it fails a deployment?

A somewhat common example is having a deployment's readiness check fail, which causes its deployment to fail (as pulumi waits for it to become ready)

however, pulumi just goes "alright, deployment failed"

and leaves the failed deployment resources in the cluster

instead of cleaning it up

is there any way to make pulumi do that cleanup?

or possibly even just not wait for the deployment to become ready?

it's not like it doesn't get applied if it doesn't get ready, it's already in the k8s state, so it's somewhat pointless to wait for it to become ready before updating pulumi's state

I think waiting for the deployment is fine, but it should also update it to the state even if it fails

I'm generating a cert from a Pulumi deployed cert-manager instance by implementing a custom resource, ie:

Certificate, err := apiextensions.NewCustomResource(ctx, "cert", &apiextensions.CustomResourceArgs{
                  // Various fields, etc
}

Which works perfectly fine - However, I need to effectively "wait" until the cert is in

ready

state - I'm using a DNS challenge method so it can take ~60-90 seconds. I have another app that references the cert that's generated via the corresponding secret, which, I believe, isn't in a fully formed state as the app reads the secret before the entire chain is fully complete. Therefore, how can I facilitate this wait in my code? I could do this by inspecting the

status

field of the API object but it looks like I can't do that with the current SDK

silly question, I tried the pulumi k8s quick start, and it says it deployed I guess a k8s cluster with nginx. but I don't see the cluster in the aws console. I've checked all the accounts in my aws config file that it could have used and regions, and don't see it, and in the pulumi console I don't see where the resources were made, just that they exist. any ideas? 🙂

does pulumi wait for k8s jobs to finish instead of just launching them?

both make sense in different scenarios but I'm not really sure which one is the default behavior or how can one control it