Hello folks, We’re using secrets to store some sensitive data (namely serviceAccounts keys). I was wondering what would happen to pods (or workloads more generally) using those secrets when we rotate our serviceAccount keys. Pulumi would then try to recreate a new secret with new values. Will these be propagated to the workloads using them? Many thanks,

has anyone seen spurious

urn

name conflicts when creating a brand new resource…where there DEFINITELY isn’t an existing resource with that name?

is there a way to deploy to k8s and generate the yaml to a directory at the same time? currently you need to create a separate k8s provider and set the renderYamlToDirectory property as setting this property causes the other attributes like kubeconfig to be ignored. i could create two k8s objects with different providers, since you can only pass one provider, but it would be nice if you could pass multiple providers to k8s objects.

Hey guys, I’m trying to create a Helm Release on an already exist cluster (managed by Pulumi). For some reason i’m getting this error on my

pulumi up

action on Github Actions:

+  kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release> eks-bootstrap creating error: can't create Helm Release with unreachable cluster: unable to load Kubernetes client configuration from kubeconfig file: invalid configuration: no configuration has been provided, try setting KUBERNETES_MASTER environment variable

Here is the code i’m creating my Helm Release (occurs after the eks k8s cluster creation)

export function createHelmBootstrapChart(stackName: string) {

    const releaseArgs: k8s.helm.v3.ReleaseArgs = {
        atomic: true,
        name: "eks-bootstrap",
        chart: "./charts/eks-bootstrap-chart",
        dependencyUpdate: true,
        namespace: "kube-system",
        valueYamlFiles: [new FileAsset(`./charts/eks-bootstrap-chart/values-${stackName}.yaml`)]
        
    }
    new k8s.helm.v3.Release("eks-bootstrap", releaseArgs)

}

Do you guys know how to set the Kubeconfig ? because it looks like the kubeconfig is missing during runtime on the github action.

Does anyone know how to handle updates in Helm Chart/Release ? I created a release using Pulumi but it never updates when i’m changing the chart or the pulumi code. For example, I changed the release namespace, it updates the Pulumi state but doesn’t create the release in the new namespace (neither delete the old release). Any hints with that ?

So, I've got about 160 helm releases in a stack connecting to an EKS cluster on aws. Trying to run it locally is now actually timing out telling me my upgrade token has expired. I suspect trying to build the state for my helm releases is being throttled by aws. Any advice, should I split my stack into substacks so that I don't have to poll quite as many for each op?

Yes

So I have a general k8s question, I have a Saas product that we are looking at modernizing in a lot of areas. It is a CRM for nonprofits that has 500-1k unique customers. We have them in a monolith app now with 1 shared database. We are looking at increasing isolation, improving scaling, noisy neighbor issues, etc. I have been told by a few that it would make sense to have a structure where each of our customer’s have their own name space to get better isolation. But I am curious if this is the best pattern? Is this what most people are doing now for multi-tenant apps?

I could use some help solving how to write kustomize transformations to remove a namespace object from being generated by @pulumi/kubernetes's kubernetes.kustomize.Directory where the namespace object is coming in from an upstream that is out of my control. Problem of kustomize generating the namespace object results in:

Updating (keycloak):
     Type                                                  Name                   Status                  Info
     pulumi:pulumi:Stack                                   tkl-keycloak-keycloak  **failed**              1 error
     └─ kubernetes:kustomize:Directory                     keycloak                                       
 +      ├─ kubernetes:core/v1:Namespace                    keycloak               **creating failed**     1 error

Got a weird error when trying to used my crd generated with crd2pulumi. Anyone has already that kind of a problem?

TypeError: Invalid Version:
        at new SemVer (/builds/${PROJECT}/pulumi/node_modules/semver/semver.js:332:11)
        at compare (/builds/${PROJECT}/pulumi/node_modules/semver/semver.js:647:10)
        at Function.eq (/builds/${PROJECT}/pulumi/node_modules/semver/semver.js:693:10)
        at sameVersion (/builds/${PROJECT}/pulumi/node_modules/@pulumi/runtime/rpc.ts:703:57)
        at register (/builds/${PROJECT}/pulumi/node_modules/@pulumi/runtime/rpc.ts:718:17)
        at Object.registerResourcePackage (/builds/${PROJECT}/pulumi/node_modules/@pulumi/runtime/rpc.ts:780:5)
        at Object.<anonymous> (/builds/${PROJECT}/pulumi/node_modules/@ticketmaster/pipelog-crds/build/index.js:25:16)
        at Module._compile (node:internal/modules/cjs/loader:1103:14)
        at Object.Module._extensions..js (node:internal/modules/cjs/loader:1155:10)
        at Module.load (node:internal/modules/cjs/loader:981:32)

I'm trying to use Command and run something on the create. There is already an EKS cluster and I have it's kubeconfig From the example on https://www.pulumi.com/registry/packages/command/#graceful-cleanup-of-workloads-in-a-kubernetes-cluster I'm getting an error

environment[KUBECONFIG] value: An error occurred decoding 'command.environment[KUBECONFIG] value': Cannot decode Object{} to type string; it isn't a struct, and no custom decoder exists

Is there some better way to provide kubeconfig to the command and I would like to avoid having it on filesystem.

Hello everyone, happy Monday! Maybe a silly question but how do you get the dynamic resource names created by

new k8s.helm.v3.Release(…)…

for

XYZ

Helm chart… if you don’t specify the

name

and leave Pulumi to autogenerate it, or even specify the

name

whichever… and use the resource names later on it the program without inferring the name based on the prefix and whatever the chart is?

How are people dealing with existing/managed resources? We have a GKE cluster and want to modify some of the resources GKE creates, like the

standard

StorageClass

. Haven't been able to find a good, automated way to do this.

import

requires the resource fields match exactly so it's not particularly helpful without lots of manual work. Currently we're using a dynamic provider to patch the resource but it's pretty flaky.

Is there a way to get a fixed Secret name from Pulumi rather than a name with a hash value appended to the end of the name I specify?

const dockerSecret = new Secret('docker-hub-credentials',
  {
    data: {
      'username': docker_username, // Base64-encoded value
      'password': docker_password  // Base64-encoded value
    }
  },
  {
    provider: k3sProvider
  }
)

In the above example, the secret created is docker-hub-credentials-m4vtegxw. In other, non-Pulumi programs, I have to remember to update the referenced secret name to the full Pulumi-generated name value. I’d expected to be able to set a name property that would be analogous to setting a

name

property on an S3 Bucket to fix the name.

If anyone have an idea what’s happening here… https://pulumi-community.slack.com/archives/C84L4E3N1/p1648488781552619

I have an issues with helm release. it seems it doesnt detect changes in the chart directory. while

helm upgrade

does.

Handling Partial Failures/Timeouts With Kubernetes and Pending Operations Just got my first prod kubernetes deployment out the door. 🎉 Now I'm running into a situation and not sure if it's easily resolved. If I deploy to a new environment and run into it failing, things can get into a stuck state. For example, Ingress timed out. Now it isn't able to proceed because it tries to recreate the ingress that was already created, but not marked as healthy. I've adjusted things to have a longer timeout, but that doesn't fix the possible failure I'd still deal with in the future. • I can't access the cluster to try and import and I don't see any import options with kubernetes object • Only thing I can see is to run a destroy on stack and redeploy but that's not ideal since everything is up except for pulumi knowing the ingress was successfully created. Impacts the downtime. • Right now I had to ask the admin to delete the ingress manually and that won't fly in any future deployments. How do I handle this? In this scenario the state track is actually causing a problem for me. Also since state tracking is involved it's causing others to question the approach since kubectl apply and such don't do state tracking. I want to avoid having to shelve this work but have to figure out some way to handle this myself in the future. Would appreciate any guidance on how I can stablize this with the limited access I have.

Hello, has there been any thought into having Kubernetes as the backing state store? It would be nice if I didn't need another source of truth for my k8s objects

Hello, I have been trying to deploy Argo-CD via Pulumi. Seems due to CRD issue, its not possible to directly deploy it. However i was trying to use the argocd-autopilot to bootstrap my rest of the cluster. I am planning to run the argocd-autopilot via kubernetes job where i can pass the kubeconfig as well as git PAT token to the job to bootstrap the argocd and the cluster. However i am wandering if there is any way i can run another kubernetes job when i am destroy the stack which does removes the argo apps and cleans up the cluster?

Hi, I'm trying to deploy CSI Store chart https://aws.amazon.com/blogs/security/how-to-use-aws-secrets-configuration-provider-with-kubernetes-secrets-store-csi-driver/ But I do get this warning - this issue mentioned is closed however I cannot deploy the chart successfully

warning: This resource contains Helm hooks that are not currently supported by Pulumi. The resource will be created, but any hooks will not be executed. Hooks support is tracked at <https://github.com/pulumi/pulumi-kubernetes/issues/555> -- This warning can be disabled by setting the PULUMI_K8S_SUPPRESS_HELM_HOOK_WARNINGS environment variable

kubernetes  resource  3.18.0   77 MB   n/a        22 minutes ago

Just created a cluster with Pulumi’s

eks

package and it doesn’t seem to install the latest Kubernetes version?

EKS now has v1.22 available for Kubernetes but Pulumi’s

eks

package doesn’t seem to find it on new install?

Should I specify the version explicitly?

You should always specify the version explicitly

Hey all, just joined the chat. Currently the kubernetes provider seems to be chugging pretty hard when it comes to large CRDs (Deploying argocd hangs forever). Any recommendations? I’ve filed an issue in the relevant repo. Are there any mitigations atm?

Is it possible to render kubernetes YAML with Pulumi?

seems so

interestingly enough I've found that using Pulumi for the deployments themselves is often less than ideal, as it handles some of the state updates wrong or fails to do cleanup appropriately in failure scenarios, figured rednering to yaml and using a different deployment tool would work better