Is there a --from-files option with Pulumi Kubernetes Secret resource? I can’t seem to find one in the docs

Anyone hit this? https://github.com/pulumi/pulumi-kubernetes/issues/1939 I'm wondering what the recommended workaround is, I'm unable to install knative/istio with

ConfigFile

Hi all. What is best practice to manage admin access to a Kubernetes cluster? I'm creating a cluster with

pulumi_gcp.container.Cluster

and then want to deploy Strimzi operator with

pulumi_kubernetes.helm.v3.Chart

. The problem I run into is that I don't personally have access to the cluster until I run

gcloud container clusters get-gredentials <cluster_name> --region <region>

and generate the configuration, with certificates, for the cluster. I have a few ideas but I feel like I'm missing something that should work better. Idea 1: I can run the command to get the credentials from gcloud with

pulumi_command.local.Command

after the creation of the cluster and before the Chart. I don't particularly like this idea because it changes the state of my personal environment. For the time being it is not a problem, but once we start working with multiple clusters and multiple developers it is bound to cause problems. And then I'm out of ideas. I'll start by trying idea 1 but I hope I can get some more information here.

I’m trying to change some kubelet configuration in EKS, can’t find it in the documentation anyone knows if it’s possible to change

kubeletExtraConfig

(https://eksctl.io/usage/customizing-the-kubelet/) with pulumi ?

How does

dependsOn

work with

ConfigFile

? I have two typescript classes, A and B, that both extends

ComponentResource

class. In both A and B I use the

ConfigFile

resource. First I create A and when creating B I set that it depends on A, but for some reason it seems like all the resources in A isn't running when B is provisioned... is that by design? Do I need to depend on the actual

ConfigFile

that A creates for it to work? I thought A wouldn't be done until everything I create in the constructor of A is done.

I'm trying to create two identical environments in different namespaces on the same EKS cluster. What I expected to happen is that Pulumi would detect existing resources that would be shared and only create ones that are needed in the new namespace. That's mostly true except for when I

pulumi up

it tries to create all resources, which causes it to error out with the following error:

kubernetes:core/v1:ServiceAccount (aws-lb-controller-sa):
    error: resource kube-system/lb-serviceaccount was not successfully created by the Kubernetes API server : serviceaccounts "lb-serviceaccount" already exists

At this point the ServiceAccount for my load balancer exists on the

kube-system

namespace, and doesn't need creation in the new namespace. How do I get Pulumi to discover existing resources (in this case, my load balancer ServiceAccount) in a different namespace or at least not try and error out attempting to recreate the existing ServiceAccount? I've tried to run

pulumi refresh

on my newly created stack, but it doesn't seem to change anything.

Hey guys 🙂 What is the best practice for the identity of an EKS cluster creator? Should it be the CI role that we use to deploy our infrastructure? Should it be a dedicated role created only for the purpose of creation of the cluster? And then the CI does everything else in terms of deployment of AWS resources as well as k8s resources. Perhaps it should not be the CI role that is the creator as it will be part of system:masters. And for reasons I don’t fully understand, we don’t want to just add users to that if they need admin control. Rather they should be made separate

clusterAdmins

. So then perhaps it should be a dedicated role that doesn’t get used for anything else to create the cluster.

When you create something using the

Chart

resource, what is the recommended way to read output values from the resource... like the public ip of a loadbalancer that was created? Is the recommended approach to do an

apply

on the

ready

property and the loop through the resources?

Does anyone know how to replicate --from-files option in kubectl with Pulumi Kubernetes Secret resource? I can’t seem to find one in the docs

what would be the recommended way to run a kubectl command during a pulumi up?

for example, to query current image name for a deployment

Do you know if it is possible to use

Pulumi TLS

self signed certificate for generating a

Kubernetes TLS secret

?

Does anyone know how to do a

ApplyT

(in Go) on a type like

Deployment

where each individual field is an

Output

type, but without using

All

and having to specify every field?

I'm trying to get the cluster name for a Provider I'm using to provision resources with. I could export it from the other stack which makes the kluster from where I export the kubeconfig from which I made the Provider, but I feel I should be able to get it from the Provider and thus need 1 fewer export/import. https://www.pulumi.com/registry/packages/kubernetes/api-docs/provider/#cluster_nodejs clearly shows a cluster property as one of the inputs for the Provider function and further down the page it says: "All input properties are implicitly available as output properties." But when I do:

const monProvider = new k8s.Provider("monprov", {
        kubeconfig: kubeConfig,
});
pulumi.log.warn(`${monProvider.cluster}`);

I get

index.ts(184,32): error TS2339: Property 'cluster' does not exist on type 'Provider'.

what am I doing wrong?

Hi guys Currently we use Pulumi for the deployment directly to the K8S clusters. But we need a more regulated flow and condsider to use the yaml output and decouple the "generate" process (pulumi up) and the deployment itself completly. That would mean that we would use i.e. ArgoCD as the deployment agent on the clusters, triggerd by the changes from the Pulumi Yaml Output. But I think we found there an issue, both, Argo and Pulumi are using the annotation

last-applied-configuration

. So Pulumi will see for every up changes which does not exist. Is it possible to not produce this field at all? I know about the

ignoreChanges

property (https://www.pulumi.com/docs/intro/concepts/resources/options/ignorechanges/) but this produces/writes the field anyway, just skips the diff. Any ideas? Or did I missed something in the docs? Thank you.

I’m having difficulty finding the information so here goes. I’m trying to create a Database (instance, user, password) and a Kubernetes Secret from my Pulumi Config:

$ pulumi config set --secret pulumi-product-k8s-minikube:db_user_password letmein

const user = new postgresql.Role("product_admin_user", {
    createDatabase: true,
    login: true,
    name: "product_admin_user",
    password: config.requireSecret("db_user_password")
});

const productSecretMap = new k8s.core.v1.Secret("product-api-secrets", {
    metadata: {
        namespace: productNamespace.metadata.name
    },
    data: {
        database_password: config.requireSecret("db_user_password").apply(val => val)
    }
});

Problem is, the k8s Secret needs the base64 encoded value that, I think, is being retrieved as the salt encoded value from the config. What exactly is the standard practice here (aside from using a secret manager) to transfer the database password from the config to both the Database Role and Kubernetes Secret? I figured I could store 2 password values (one base64, the other in the salt encoded) but it doesn’t feel right.

Hello, when i deploy traefikv2 helm chart the service namespace is set to default even though i set

namespace: traefikNamespace.metadata.name,

and

transformations: [
    (obj: any, opts: pulumi.CustomResourceOptions) => { 
        if (obj.kind === "Service") {
            obj.metadata.namespace == traefikNamespace.metadata.name
        }
    }
],

But work when i set

kubectl config set-context --current --namespace=NAMESPACE

Should i create an own k8s provider with correct namespace, or I am doing something wrong?

message has been deleted

I discovered a breaking typo (probably there are more) in a key in

kubernetes-ingress-nginx

https://github.com/pulumi/pulumi-kubernetes-ingress-nginx/blob/master/schema.json 1. Do I understand correctly these schemas are handcrafted? 2. Is simply creating a PR with the suggested changes enough? 3. (How) can I rebuild the component locally, I don’t have any go experience or worked with these generated components, so any guide is helpful.

What is the benefit of

kubernetes-ingress-nginx

if the types are all wrong?

@gorgeous-egg-16927 I updated pulumi-kubernetes from 3.19.4 to 3.20.2 and enabled server side apply but now I'm seeing all the crds updating metadata on every update, similar to this issue that was fixed before ssa was available. 🤔

Does anyone get an error when trying to move from ingress v1beta to v1? It make the

pulumi up

fail and after it works the second time

Hello, I'm trying to use

k8s.yaml.ConfigFile

to deploy CRDs into my EKS cluster (typescript) and I run into issues. Btw I'm new to typescript and as well to pulumi. So please kindly bare with me 🙏 Code:

import * as k8s from "@pulumi/kubernetes";
import * as eks from "@pulumi/eks";


export default {
    install_crds(cluster: eks.Cluster){
        new k8s.yaml.ConfigFile("argocd_namespace", {
            file: "kubernetes_cluster_components/namespaces/argocd-namespace.yaml",
        }, {providers: { "kubernetes": cluster.provider }});
    }
};

Error:

pulumi:pulumi:Stack  k8s-moralis-aws-dev-argo-test  running.    error: an unhandled error occurred: Program exited with non-zero exit code: -1
I0804 09:23:53.878138   22054 deployment_executor.go:162] deploymentExecutor.Execute(...): exiting provider canceller
     Type                 Name                           Plan     Info
     pulumi:pulumi:Stack  k8s-moralis-aws-dev-argo-test           1 error; 39 messages

Diagnostics:
  pulumi:pulumi:Stack (k8s-moralis-aws-dev-argo-test):
    Cloud Provider: aws Stack: aws-dev-argo-test

    error: an unhandled error occurred: Program exited with non-zero exit code: -1

The error message is not very descriptive, hence difficult to troubleshoot. Can someone please help me here 🙏

Hi, I've been using Pulumi for a number of years now, but only recently started using the Kubernetes provider. Is there a way to get information from a Kubernetes cluster, for example getting a list of services? Other providers have functions for this, but not Kubernetes. I'm not sure how that would work here. Thank you.

Hi there. Anyone who knows what to add as to link private repo's from ArgoCD instantiated with Pulumi?

Hey has anyone installed istio/knative with pulumi? Having trouble getting it to line up

I followed the tutorials and slowly build deployments into my EKS cluster… Now I want to deploy the entire stack on a blank slate AWS account… But,

pulumi up

fails because the cluster is not available… The deployments, services, pods, etc. do NOT wait for the EKS cluster to be available..

configured Kubernetes cluster is unreachable: unable to load schema information from the API server:…

What do I need to do for pushbutton deployment of my apps? (failover, DR, geo-redundancy, etc.)

hey all! for some reason, when i use the k8s provider in YAML-only mode (with the Go SDK), it takes about a second or two per resource. Funky, i mean, it's only generating YAMLs, right? I'm using an empty stack always, so that my entire cluster is always saved to the output. Thanks!

Hi I converted the quickstart k8s java example into Kotlin/JVM and I would like to share where: https://github.com/luistrigueiros/quickstart-pulumi-k8s-kotlin