pulumi-community #kubernetes

kubernetes

victorious-dusk-75271

09/09/2022, 5:18 AM

1) state file contains errors: resource urn:pulumi:staging::allrites-infrastructure::custom:resource:eks$custom:resource:AlbIngressController$aws:iam/role:Role::primary-eks-aws-loadbalancer-controller-role dependency urn:pulumi:staging::allrites-infrastructure::custom:resource:eks$custom:resource:AlbIngressController$kubernetes:core/v1:Namespace::primary-eks-alb-namespace refers to missing resource
    2) importing this file could be dangerous; rerun with --force to proceed anyway

victorious-dusk-75271

09/09/2022, 5:19 AM

even i import then using --force, i cant run up

average-pilot-3793

09/12/2022, 10:08 AM

hello, is it possible to use the

coreDns

aws.eks.Addon

with fargate in a k8s. https://www.pulumi.com/registry/packages/aws/api-docs/eks/addon/#sts=Create%20a%20Addon%20Resource the documentation provides some level of information but when applying it i run into the following error. the full kubectl describe command output is in the thread. I suspect the label should be updated in the ResourceOptions somehow to

<http://eks.amazonaws.com/fargate-profile=|eks.amazonaws.com/fargate-profile=><cluster name>

Events:
  Type     Reason            Age                       From               Message
  ----     ------            ----                      ----               -------
  Warning  FailedScheduling  2m29s (x5494 over 3d21h)  default-scheduler  0/3 nodes are available: 3 node(s) had taint {<http://eks.amazonaws.com/compute-type|eks.amazonaws.com/compute-type>: fargate}, that the pod didn't tolerate.

most-lighter-95902

09/15/2022, 3:33 PM

Is there a way to use the

--from-file

flag in kubectl for secret creation via Pulumi?

delightful-bear-69098

09/18/2022, 2:18 PM

Is there an how to on how to create an use service account token ? It would possible a good tutorial to have using the kubeadmin ui as example.

bored-spoon-83710

09/19/2022, 4:29 PM

Hello, in my code I have a patch resource (I’ve enabled server side apply) to patch a daemon set which is created by another resource in my code (an EKS addon). For the initial creation of my stack, if I do a

pulumi up --skip-preview

it works as intended. However, if I do a

pulumi up

I get an error during preview:

error: Preview failed: resource kube-system/ebs-csi-node was not successfully created by the Kubernetes API server : DaemonSet.apps "ebs-csi-node" is invalid: [spec.template.metadata.labels: Invalid value: map[string]string(nil): `selector` does not match template `labels`, spec.template.spec.containers: Required value]

Is it a limitation of the provider or did I miss something? Is there a workaround (other than skipping the preview)?

brash-gigabyte-81569

09/21/2022, 9:49 PM

Besides creating another kubernete provider, is there a way to set a default namespace when you are applying a bunch of yaml via yaml.NewConfigFile(…) ?

some-continent-7311

09/29/2022, 7:40 AM

After upgrading

@pulumi/pulumi

and

@pulumi/kubernetes

^3.0.0

and running

pulumi up

I get this warning:

W0929 13:38:59.750875   65229 gcp.go:119] WARNING: the gcp auth plugin is deprecated in v1.22+, unavailable in v1.26+; use gcloud instead.
    To learn more, consult <https://cloud.google.com/blog/products/containers-kubernetes/kubectl-auth-changes-in-gke>

What should I do exactly to get rid of the warning?

damp-honey-93158

10/05/2022, 2:36 PM

I’d like to know if its possible to use “create if not exists” semantics for a k8s secret using pulumi, has anyone done that?

damp-honey-93158

10/06/2022, 7:15 AM

good morning! recently I've been getting random errors in Helm deployments, and I wondered if anyone else has started to experience this or its just me? On the off chance, here's what I'm seeing: Diagnostics: kubernetes:helm.sh/v3:Release (creditor-testcluster): error: unable to build kubernetes objects from release manifest: resource mapping not found for name: "dapr-operator" namespace: "" from "": no matches for kind "ServiceAccount" in version "v1" ensure CRDs are installed first this is a DAPR based Helm install - and its been working perfectly for months, it started to fail two days ago. The cluster is ephemeral. any ideas appreciated - have a good one.

damp-honey-93158

10/06/2022, 7:16 AM

also; in lots of these errors I see k8s report that the namespace is empty

lively-needle-84406

10/06/2022, 2:15 PM

Morning everyone! I am having an issue with applying Istio helm charts into my EKS cluster using Pulumi. Base:

export const istioBaseChart = new k8s.helm.v3.Release("istio-base", {
    chart: "base",
    version: istioVersion,
    namespace: istioNamespace.metadata.name,
    repositoryOpts: {
        repo: "<https://istio-release.storage.googleapis.com/charts>",
    },
    
}, {
    dependsOn: [cluster, istioNamespace]
});

Istiod:

export const istiod = new k8s.helm.v3.Chart("istiod", {
    chart: "istiod",
    version: istioVersion,
    namespace: istioNamespace.metadata.name,
    fetchOpts: {
        repo: "<https://istio-release.storage.googleapis.com/charts>",
    },
}, {
    dependsOn: [cluster, istioNamespace, istioBaseChart]
});

The error I am receiving is:

kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release> (istio-base):
    error: could not get server version from Kubernetes: Get "<https://B042EE83435E804CA59AE3C4ACC5C169.sk1.us-west-1.eks.amazonaws.com/version?timeout=32s>": dial tcp: lookup <http://xxxxxxxxxxxxxx.sk1.us-west-1.eks.amazonaws.com|xxxxxxxxxxxxxx.sk1.us-west-1.eks.amazonaws.com> on [xxxx:xxxx:xxx:xxxx::x]:xx: no such host

To me, this looks like the dependency on the cluster and other resources is not being honored. Any ideas how to ensure the cluster and other resources get created properly before applying these charts?

damp-honey-93158

10/07/2022, 9:48 AM

Has anyone found/used a Pulumi API that works with Percona / MySQL?

proud-pizza-80589

10/11/2022, 11:08 AM

I know this is not something that should be run in prod, but anyone have a nice way to recover from e.g. “secret x already exists” During dev and using

pulumi cancel && pulumi refresh --yes --clear-pending-creates

i often have left over stuff if i rerun before the previous run times out.

victorious-exabyte-70545

10/12/2022, 8:59 PM

Hi Folks! I am getting this error when trying to create an azure aks cluster with pulumi

+  azure-native:containerservice:ManagedCluster devprivaks creating error: '
 'cannot check existence of resource '
 "'/subscriptions/*******/resourceGroups/******/providers/Microsoft.ContainerService/managedClusters/*****': "
 'status code 400, '
 '{"error":{"code":"InvalidApiVersionParameter","message":"The api-version '
 "'2021-03-01' is invalid. The supported versions are "
 '\'2022-09-01,2022-06-01,2022-05-01,2022-03-01-preview,2022-01-01,2021-04-01,2021-01-01,2020-10-01,2020-09-01,2020-08-01,2020-07-01,2020-06-01,2020-05-01,2020-01-01,2019-11-01,2019-10-01,2019-09-01,2019-08-01,2019-07-01,2019-06-01,2019-05-10,2019-05-01,2019-03-01,2018-11-01,2018-09-01,2018-08-01,2018-07-01,2018-06-01,2018-05-01,2018-02-01,2018-01-01,2017-12-01,2017-08-01,2017-06-01,2017-05-10,2017-05-01,2017-03-01,2016-09-01,2016-07-01,2016-06-01,2016-02-01,2015-11-01,2015-01-01,2014-04-01-preview,2014-04-01,2014-01-01,2013-03-01,2014-02-26,2014-04\'."}}\n'

orange-psychiatrist-22511

10/13/2022, 10:22 PM

Hi everyone! Quick question that I can't seem to find anything about online, but thought that it'd be a common usecase: I use pulumi to provision deployments in my setup, but after that I want to manage number of replicas and container images outside of pulumi (we have pipelines doing that already). I know

ignoreChanges

help to some extent, but whenever we need to change a deployment configuration it will reset the number of replicas and/or the image there. So my question is: is there a way of defining a specific field of a kubernetes resource to not be managed by pulumi? If not, what is the "normal" way of using pulumi with kubernetes deployments?

delightful-bear-69098

10/15/2022, 9:36 PM

I found today that it is possible to import a Helm Release into a Pulumi project using something like:

delightful-bear-69098

10/15/2022, 9:36 PM

pulumi import kubernetes:helm.sh/v3:Release myRelease kong/quickstart-3f0608ad

delightful-bear-69098

10/15/2022, 9:37 PM

My question is what type of Kubernetes resources can I import ?

delightful-bear-69098

10/15/2022, 9:37 PM

Can I import any type of Kubernetess resource ?

bored-baker-95734

10/18/2022, 2:50 PM

Hi Do I get some help over here for pulumi-eks bugs I reported ? https://github.com/pulumi/pulumi-eks/issues/799

victorious-exabyte-70545

10/19/2022, 4:43 PM

Hi guys, we had a really strange issue with Pulumi and AKS yesterday. pulumi would throw an error and say that the deployment failed, but the resource was actually created in kuberentes. In other cases, the resource would be acknowledged as created, but pulumi timed out while polling for the resource to be fully initialized. This is less of a problem than pulumi not recording that the resource was created. In that case, retries on the deployment would fail, because the resource already exists. I am thinking it is related to timeouts? https://stackoverflow.com/questions/64638116/change-pulumis-timeout-when-deploying-kubernetes-resources

'(ingress-nginx-private/private-nginx-ingress-controller):\n'
 '    error: 1 error occurred:\n'
 '    \t* resource ingress-nginx-private/private-nginx-ingress-controller was '
 'successfully created, but the Kubernetes API server reported that it failed '
 'to fully initialize or become live: Timeout occurred polling for '
 "'private-nginx-ingress-controller'\n"
 '\n'

nice-father-44210

10/23/2022, 6:47 PM

Is installing a Helm chart from an AWS ECR repo supported in

pulumi-kubernetes

? I’m trying to find the right combination of arguments to make it work but coming up short. Appreciate the help, thanks in advance 🙂

ecr_token = aws.ecr.get_authorization_token()

pulumi_kubernetes.helm.v3.Release(
    "release",
    pulumi_kubernetes.helm.v3.ReleaseArgs(
        name = "test",
        chart = "my-chart",
        version = "0.1.0",
        repository_opts = pulumi_kubernetes.helm.v3.RepositoryOptsArgs(
            repo = f"oci://{account_id}.dkr.ecr.{region}.<http://amazonaws.com|amazonaws.com>",
            username = "AWS",
            password = ecr_token.authorization_token,
        ),
        values = {}
    ),
    opts = pulumi.ResourceOptions(provider = my_k8s_provider, )
)

gorgeous-egg-16927

10/24/2022, 5:24 PM

As you may have seen in recent announcements, we enabled the Server-side Apply feature by default in the

v3.22.0

version of

pulumi-kubernetes

. With this behavior enabled, you may encounter error messages about resource field conflicts. These errors are related to other controllers changing fields on shared resources. With the previous Client-side diff/apply behavior, these conflicts were not always apparent, but are now caught during preview and update. These errors are typically something that need to be resolved by the user, and are a legitimate difference that wasn’t detected by our previous Client-Side diff logic. Your options for resolving these conflicts are: 1. Disable SSA with the

enableServerSideApply

provider flag to use the previous behavior for now. This is the fastest way to unblock yourself, but as noted, will miss legitimate conflicts that are only detective with a Server-side diff. 2. Use the

ignoreChanges

resource option to selectively ignore changes to fields that another controller may update. Other controllers could be operators, admission controllers,

kubectl

, etc. 3. Use the

<http://pulumi.com/patchForce|pulumi.com/patchForce>

annotation to explicitly take ownership of the conflicting fields. Note that this might prevent other controllers from updating them. 4. Pin

pulumi-kubernetes

to a version previous to

v3.22.0

. Please let us know if you run into problems by filing an issue. Thanks for your patience as we work through this important transition point in the provider!

damp-honey-93158

10/26/2022, 1:32 PM

hello Pulumiers! I've got a helm chart (for DAPR) that is now reporting failures when I "pulumi up" it... has anyone seen this? Diagnostics: kubernetes:helm.sh/v3:Release (invscanner-testtest): error: template: dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml:14:46: executing "dapr/charts/dapr_sentry/templates/dapr_sentry_deployment.yaml" at <index $existingSecret.data "issuer.crt">: error calling index: index of untyped nil

sparse-hairdresser-15357

10/26/2022, 7:51 PM

Hello, we are running Pulumi (.NET) via a Jenkins pipeline, and we created a container for this purpose. Recently we updated the Pulumi version inside that container from 3.39.1 running on .NET Core 3.1, to version 3.43.1 running on .NET 6, and now we are seeing a lot of failures:

error: Preview failed: 1 error occurred:
	* the Kubernetes API server reported that "some-namespace/some-application" failed to fully initialize or become live: use `<http://pulumi.com/patchForce|pulumi.com/patchForce>` to override the conflict: Apply failed with 4 conflicts: conflicts with "pulumi-resource-kubernetes.exe" using apps/v1:
- .spec.strategy.rollingUpdate.maxUnavailable
- .spec.strategy.rollingUpdate.maxUnavailable
- .spec.template.spec.containers[name="some-application"].resources.limits.cpu
conflicts with "rancher" using apps/v1:
- .spec.replicas

And I have no idea what is going on and why this is happening. Easy would be to just do what it says with 'patchForce', but I want to understand why this is happening and if it can be prevented.

alert-zebra-27114

10/27/2022, 9:10 AM

Howdy all, We have a product with many micro-services based on AWS and EKS, where everything is managed with a set of layered Pulumu stacks. This has many advantages and we are pretty happy with it. As part of this, we also deploy services in AWS and Kubernetes via Pulumi. This allows us to create any needed additional infrastructure - like Cognito User Pools, queues, databases, logs, etc - in the stack before the service itself is deployed/installed using a Helm Chart. But... sometimes the Helm chart installation fails and we don't really see much in terms of feed back. We can figure out the problems by re-deploying and then monitoring the objects in Kubernetes, but that is not exactly a good process for the developers. So are there any known way to get more feed-back from the Helm chart installation? Like the logs from the various containers and PODs? As the depoyment fails - and thus pulumi up fails - I cannot see how I can run any additional code to retrieve the wanted information.

eager-football-6317

10/27/2022, 9:20 AM

Hi folks, In the Kubernetes provider v3.22.0, server-side apply was made the default (see earlier). This exposed surprising errors, and caused problematic interactions with other tooling, such as Helm, that are not straight-forward to work around. Therefore, we’ve rolled back that change — server-side apply is back to being opt-in in v3.22.1. Update to that version of the Pulumi Kubernetes SDK using e.g.,

npm update @pulumi/kubernetes

. If you have set the flag

enableServerSideApply: false

in order to work around problems, the new release will respect that.

millions-train-91139

10/27/2022, 3:46 PM

Hey all, I came by a super weird behavior in the pulumi-kubernetes provider Why is the

Kubeconfig

even a part of the state. If it’s the file content - than it may contain secrets. If

Kubeconfig

is a path to a local file - then it may not (and probably won’t) exist later on (CI/CD, different developers). I also saw that

pulumi up

overrides this parameter, so it make even less sense to me. What is interesting thought, and the reason I’m interested in this parameter from the first place is the fact that

pulumi refresh

fails since it is not being overridden in that scenario and tries to find that file locally - with a horrible undescriptive message

warning: configured Kubernetes cluster is unreachable: failed to parse kubeconfig data in `kubernetes:config:kubeconfig`- couldn't get version/kind; json parse error: json: cannot unmarshal string into Go value of type struct { APIVersion string "json:\"apiVersion,omitempty\""; Kind string "json:\"kind,omitempty\"" }
    error: Preview failed: failed to read resource state due to unreachable cluster. If the cluster has been deleted, you can edit the pulumi state to remove this resource

flat-insurance-25294

11/01/2022, 8:01 AM

Does Pulimi let us generate YAML files for local K8? We define all our Deployments and Services in TypeScript, but for running locally for dev, we’re duplicating them. It would be great if you could generate .YAML manifest files for deploying to local k8.