pulumi-community #kubernetes

most-lighter-95902

07/06/2022, 11:21 PM

Where I provide the userSettings object as

values

key in the Pulumi helm release resource?

narrow-translator-93508

07/07/2022, 6:54 AM

Hi, I have a tricky issue with

Pulumi

and

helm

, no problem to install

ArgoCD

but when I try to configure

dex.config

section, it expects a

string

rather than a

map

and when I pass a string it is not rendered with the right structure in the config map

narrow-translator-93508

07/07/2022, 6:55 AM

Copy code

_, err := helm.NewRelease(
		a.Context, "argocd", &helm.ReleaseArgs{
			Chart: pulumi.String("argo-cd"),
			RepositoryOpts: helm.RepositoryOptsArgs{
				Repo: pulumi.String("<https://argoproj.github.io/argo-helm>"),
			},
			Namespace: pulumi.String(a.Config.Require("namespace")),
			Version:   pulumi.String(a.Config.Require("version")),
			Values: pulumi.Map{
				"dex": pulumi.Map{
					"enabled": pulumi.Bool(true),
				},
				"server": pulumi.Map{
					"config": pulumi.Map{
						"dex.config": pulumi.Map{
							"connectors": pulumi.MapArray{
								pulumi.Map{
									"config": pulumi.StringMap{
										"issuer":       pulumi.String("<https://accounts.google.com>"),
										"clientID":     a.Config.RequireSecret("client-id"),
										"clientSecret": a.Config.RequireSecret("client-secret"),
									},
									"type": pulumi.String("oidc"),
									"id":   pulumi.String("google"),
									"name": pulumi.String("Google"),
								},
							},
						},
					},
				},
			},
		},
	)

narrow-translator-93508

07/07/2022, 6:55 AM

When I pass a

map

it generates this error message

narrow-translator-93508

07/07/2022, 6:55 AM

Copy code

Diagnostics:
  kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release> (argocd):
    error: error validating "": error validating data: ValidationError(ConfigMap.data.dex.config): invalid type for io.k8s.api.core.v1.ConfigMap.data: got "map", expected "string"

narrow-translator-93508

07/07/2022, 6:56 AM

It happens here: https://github.com/argoproj/argo-helm/blob/main/charts/argo-cd/templates/_helpers.tpl#L241-L245

narrow-translator-93508

07/07/2022, 6:56 AM

Any ideas/suggestions on how to fix that?

narrow-translator-93508

07/07/2022, 10:19 AM

Fixed 🎉

narrow-translator-93508

07/07/2022, 10:19 AM

Using this approach (in case it helps anyone with the same issue)

narrow-translator-93508

07/07/2022, 10:19 AM

Copy code

pulumi.All(
		a.Config.RequireSecret("client-id"), a.Config.RequireSecret("client-secret"),
	).ApplyT(
		func(args []interface{}) error {
			dex := &OIDCConfig{
				Connectors: []*OIDCConnector{
					{
						Config: map[string]interface{}{
							"issuer":       "<https://accounts.google.com>",
							"clientID":     args[0].(string),
							"clientSecret": args[1].(string),
						},
						Type: "oidc",
						Name: "Google",
						ID:   "google",
					},
				},
			}
			d, err := yaml.Marshal(&dex)
			if err != nil {
				return errors.Wrap(err, "SetupArgoCD: failed creating dex config")
			}

			_, err = helm.NewRelease(
				a.Context, "argocd", &helm.ReleaseArgs{
					Chart: pulumi.String("argo-cd"),
					RepositoryOpts: helm.RepositoryOptsArgs{
						Repo: pulumi.String("<https://argoproj.github.io/argo-helm>"),
					},
					Namespace: pulumi.String(a.Config.Require("namespace")),
					Version:   pulumi.String(a.Config.Require("version")),
					Values: pulumi.Map{
						"dex": pulumi.Map{
							"enabled": pulumi.Bool(true),
						},
						"server": pulumi.Map{
							"config": pulumi.Map{
								"dex.config": pulumi.String(d),
							},
						},
					},
				},
			)
			if err != nil {
				return errors.Wrap(err, "SetupArgoCD: failed installing helm chart")
			}

			return nil
		},
	)

narrow-translator-93508

07/07/2022, 10:21 AM

I think it would be nice to handle this in a future release, I mean

map

represented as

string

curved-morning-41391

07/07/2022, 11:29 PM

Hey anyone know a good way to mimic

kubectl wait --for=condition=available --timeout=600s deployment/cert-manager-webhook -n cert-manager

in pulumi?

glamorous-australia-21342

07/07/2022, 11:34 PM

You could use the command resource

glamorous-australia-21342

07/07/2022, 11:35 PM

https://www.pulumi.com/blog/improving-kubernetes-management-with-pulumis-await-logic/

glamorous-australia-21342

07/07/2022, 11:35 PM

This too https://gist.github.com/lukehoban/fd0355ed5b82386bd89c0ffe2a3c916a

🙌 1

curved-morning-41391

07/08/2022, 2:24 AM

Okay one more, is there any way to get the cluster version from the provider?

glamorous-australia-21342

07/08/2022, 2:25 AM

Platformversion if eks https://www.pulumi.com/registry/packages/aws/api-docs/eks/getcluster/#platformversion_nodejs. Google around the docs im sure the other providers have a version output.

curved-morning-41391

07/08/2022, 2:33 AM

ah but its provider specific, anyway to get the equivalent of

kubectl version

most-lighter-95902

07/10/2022, 5:39 PM

Is there a --from-files option with Pulumi Kubernetes Secret resource? I can’t seem to find one in the docs

curved-morning-41391

07/11/2022, 10:17 PM

Anyone hit this? https://github.com/pulumi/pulumi-kubernetes/issues/1939 I'm wondering what the recommended workaround is, I'm unable to install knative/istio with

ConfigFile

rough-author-69114

07/12/2022, 8:50 AM

Hi all. What is best practice to manage admin access to a Kubernetes cluster? I'm creating a cluster with

pulumi_gcp.container.Cluster

and then want to deploy Strimzi operator with

pulumi_kubernetes.helm.v3.Chart

. The problem I run into is that I don't personally have access to the cluster until I run

gcloud container clusters get-gredentials <cluster_name> --region <region>

and generate the configuration, with certificates, for the cluster. I have a few ideas but I feel like I'm missing something that should work better. Idea 1: I can run the command to get the credentials from gcloud with

pulumi_command.local.Command

after the creation of the cluster and before the Chart. I don't particularly like this idea because it changes the state of my personal environment. For the time being it is not a problem, but once we start working with multiple clusters and multiple developers it is bound to cause problems. And then I'm out of ideas. I'll start by trying idea 1 but I hope I can get some more information here.

white-chef-55657

07/14/2022, 1:09 PM

I’m trying to change some kubelet configuration in EKS, can’t find it in the documentation anyone knows if it’s possible to change

kubeletExtraConfig

(https://eksctl.io/usage/customizing-the-kubelet/) with pulumi ?

wet-noon-14291

07/14/2022, 9:56 PM

How does

dependsOn

work with

ConfigFile

? I have two typescript classes, A and B, that both extends

ComponentResource

class. In both A and B I use the

ConfigFile

resource. First I create A and when creating B I set that it depends on A, but for some reason it seems like all the resources in A isn't running when B is provisioned... is that by design? Do I need to depend on the actual

ConfigFile

that A creates for it to work? I thought A wouldn't be done until everything I create in the constructor of A is done.

adamant-terabyte-3965

07/15/2022, 4:50 PM

I'm trying to create two identical environments in different namespaces on the same EKS cluster. What I expected to happen is that Pulumi would detect existing resources that would be shared and only create ones that are needed in the new namespace. That's mostly true except for when I

pulumi up

it tries to create all resources, which causes it to error out with the following error:

Copy code

kubernetes:core/v1:ServiceAccount (aws-lb-controller-sa):
    error: resource kube-system/lb-serviceaccount was not successfully created by the Kubernetes API server : serviceaccounts "lb-serviceaccount" already exists

At this point the ServiceAccount for my load balancer exists on the

kube-system

namespace, and doesn't need creation in the new namespace. How do I get Pulumi to discover existing resources (in this case, my load balancer ServiceAccount) in a different namespace or at least not try and error out attempting to recreate the existing ServiceAccount? I've tried to run

pulumi refresh

on my newly created stack, but it doesn't seem to change anything.

steep-portugal-37539

07/15/2022, 5:58 PM

Hey guys 🙂 What is the best practice for the identity of an EKS cluster creator? Should it be the CI role that we use to deploy our infrastructure? Should it be a dedicated role created only for the purpose of creation of the cluster? And then the CI does everything else in terms of deployment of AWS resources as well as k8s resources. Perhaps it should not be the CI role that is the creator as it will be part of system:masters. And for reasons I don’t fully understand, we don’t want to just add users to that if they need admin control. Rather they should be made separate

clusterAdmins

. So then perhaps it should be a dedicated role that doesn’t get used for anything else to create the cluster.

wet-noon-14291

07/18/2022, 10:28 PM

When you create something using the

Chart

resource, what is the recommended way to read output values from the resource... like the public ip of a loadbalancer that was created? Is the recommended approach to do an

apply

on the

ready

property and the loop through the resources?

most-lighter-95902

07/18/2022, 10:56 PM

Does anyone know how to replicate --from-files option in kubectl with Pulumi Kubernetes Secret resource? I can’t seem to find one in the docs

quaint-book-39362

07/20/2022, 1:39 AM

what would be the recommended way to run a kubectl command during a pulumi up?

quaint-book-39362

07/20/2022, 1:39 AM

for example, to query current image name for a deployment

narrow-translator-93508

07/21/2022, 6:45 PM

Do you know if it is possible to use

Pulumi TLS

self signed certificate for generating a

Kubernetes TLS secret