Hey guys, Im deploying an EKS Cluster that after the creation it generates a kubeconfig file and uses it to create a k8s provider. after the cluster and the node group is finished and the provider is live, the cluster begins installing deployments using pulumi helm v3 release. for some reason, the deployments keep failing randomly( sometimes a couple are ok and other are not and vice versa) for this reason:

Helm release "cert-manager/cert-manager" was created, but failed to initialize completely. Use Helm CLI to investigate.: failed to become available within allocated timeout. Error: Helm Release cert-manager/cert-manager: the server could not find the requested resource

after retrying with pulumi up everything is fine and it deploys as shown in the picture. help anyone please? 🙂 *I tried using every flag possible - skipAwait, waitForJobs, timeout (respectively) and neither are working

Anyone know what would be analogous to

$.Release.Revision

from helm, in Pulumi?

I'm struggling with create and destroy order for my k8s stack. I'm trying to build a stack that launches eks, then installs the aws LB controller using helm (composite resource), and then create an ingress, which uses the controller to create an ALB. The problem is that I cannot get the ingress creation to wait until the Deployment deployed by the Helm chart is created and initialized, and so the ingress creation often fails. And I cannot get the Deployment teardown to wait until the Ingress is torn down, so the Ingress delete usually blocks indefinitely. I have code that looks like this:

lb_controller_chart = k8s.helm.v3.Chart(
    "albctl",
    k8s.helm.v3.ChartOpts(
        chart="aws-load-balancer-controller",
        fetch_opts=k8s.helm.v3.FetchOpts(
            repo="<https://aws.github.io/eks-charts>"
        ),
        namespace=alb_controller_sa_namespace,
        values={
            "region": "us-west-2",
            "serviceAccount": {
                "name": alb_controller_sa,
                "create": False,
            },
            "vpcId": eks_cluster.eks_cluster.vpc_config.vpc_id.apply(lambda c: c),
            "clusterName": eks_cluster.eks_cluster.name.apply(lambda c: c),
        },
    ),
    opts=pulumi.ResourceOptions(provider=eks_provider)
)
...
ingress = k8s.networking.v1.Ingress(
    "myingress",
    metadata=k8s.meta.v1.ObjectMetaArgs(
        name="myingress",
        annotations={
            "<http://alb.ingress.kubernetes.io/target-type|alb.ingress.kubernetes.io/target-type>": "ip",
            "<http://alb.ingress.kubernetes.io/listen-ports|alb.ingress.kubernetes.io/listen-ports>": "[{\"HTTP\": 80}]",
            "<http://alb.ingress.kubernetes.io/scheme|alb.ingress.kubernetes.io/scheme>": "internet-facing",
            "<http://alb.ingress.kubernetes.io/subnets|alb.ingress.kubernetes.io/subnets>": eks_vpc.public_subnet_ids.apply(lambda ids: ", ".join(ids)),
            "<http://alb.ingress.kubernetes.io/backend-protocol|alb.ingress.kubernetes.io/backend-protocol>": "HTTP"
        }
    ),
    spec=k8s.networking.v1.IngressSpecArgs(
        ingress_class_name="alb",
        rules=[k8s.networking.v1.IngressRuleArgs(
            host="*.helloworld.responsive.dev",
            http=k8s.networking.v1.HTTPIngressRuleValueArgs(
                paths=[k8s.networking.v1.HTTPIngressPathArgs(
                    backend=k8s.networking.v1.IngressBackendArgs(
                        service=k8s.networking.v1.IngressServiceBackendArgs(
                            name="helloworld",
                            port=k8s.networking.v1.ServiceBackendPortArgs(number=8081)
                        )
                    ),
                    path="/",
                    path_type="Prefix"
                )]
            )
        )]
    ),
    opts=pulumi.ResourceOptions(
        provider=eks_provider, depends_on=[lb_controller_chart])
)

At create time, I need the ingress to only get created after the deployment resource that is part of the helm chart is created. However, often times it does not wait and the ingress creation fails. Similarly, at delete time the deployment in the helm chart is deleted before the ingress, and the ingress deletion hangs. I thought setting

depends_on

would cover me here, but it doesn't seem to be working. My pulumi version is

v3.55.0

pulumi_kubernetes is at

pulumi_kubernetes-3.24.1

Is it fair to say that the `kubernetesx` package is DOA at this point? It looks like it hasn't gotten any updates in almost 2 years, despite being referenced from the Crosswalk docs

Is there a way to include a bake time when I run

pulumi up

? I’d like to catch any quick pod crashes immediately after deploying changes.

Hello, community; it has been a long time since I have had an issue with applying deployments updates. When I update a resource, even if the strategy is the one as default, or even if I specify RollingUpdate like the following snippet

strategy: {
            rollingUpdate: { maxUnavailable: '75%', maxSurge: '75%' },
          },

Pulumi deletes the resources, in this case, all the 3 replicas, and then recreates the 3 replicas. I also tried to use the parameter

deleteBeforeReplace: false,

but nothing changed. The problem is annoying in production since the alerting system always notifies of an issue because the liveness probe results in a HTTP 503 error. Any advice? Many thanks for considering my request.

Hello, community. I need add some transformations to the

pulumi_kubernetes.helm.v3.Release

object. Inside

Charts

is easy because is inside this object

ChartOpts

How I can add it to

ReleaseArgs

? Thanks in advance!!

Hi all, this question is not specific to pulumi, but wondering if anyone has experience exposing ssh (or another tcp service) through ingress controller? I have successfully setup exposing ssh but am running into connection issues. Is exposing ssh through ingress controller (or any non http/https service) a terrible idea? Again, not necessarily pulumi related, but wondering if any kubernetes users have input on this. Thanks much.

I'm trying to disable k8s default provider on an existing stack. However i'm getting the following output:

Error: Invoke: Default provider for 'kubernetes' disabled. 'kubernetes:yaml:decode' must use an explicit provider.

although i am passing an explicit provider to all k8s yaml resources. So i found there was a bug where the provider didn't propagate to some yaml functionalities: https://github.com/pulumi/pulumi-kubernetes/issues/1938 And that a fix was released in version

3.19.4

, however upgrading my provider to that version didn't solve the issue. I verified providers are on the right version using

pulumi export

and still the issue persist. @gorgeous-egg-16927 as the one who fixed this bug, do you have any idea what i might be missing here?

Is there some secret sauce for using OCI Helm repos? Per https://hub.docker.com/r/thethingsindustries/lorawan-stack-helm-chart

helm install <name> <oci://registry-1.docker.io/thethingsindustries/lorawan-stack-helm-chart>

Below gives

error: failed to pull chart: could not find protocol handler for:

ttn-deploy:
  type: kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release>
  properties:
    chart: thethingsindustries/lorawan-stack-helm-chart
    version: 0.0.3
    name: lorawan-stack-helm-chart
    namespace: things
    repositoryOpts:
      repo: <http://registry-1.docker.io|registry-1.docker.io>

I've tried setting repo to

<oci://registry-1.docker.io/>

which throws

error: failed to pull chart: looks like "<oci://registry-1.docker.io/>" is not a valid chart repository or cannot be reached: object required

Hi, new to pulumi here. For my use case, we don’t want to use pulumi up, down to deploy k8 resources. want to express k8 configuration as code and generate json or yaml output and use kubectl to release. For example how i can convert below deployment object to json output in python.

app_labels = {"app": "nginx"}

deployment = Deployment(
    "nginx",
    spec=DeploymentSpecArgs(
        selector=LabelSelectorArgs(match_labels=app_labels),
        replicas=1,
        template=PodTemplateSpecArgs(
            metadata=ObjectMetaArgs(labels=app_labels),
            spec=PodSpecArgs(containers=[ContainerArgs(name="nginx", image="nginx")])
        ),
    )
)

Hi, I created an eks cluster via Pulumi’s eks package and upon upgrading the kubernetes version to 1.25 in aws console, I’m running into vpc-cni issues. It looks like my vpc-cni version is a bit outdated (

amazon-k8s-cni-init:v1.11.0, amazon-k8s-cni:v1.11.0

) - how can I update this version? When I re-up pulumi stack that has

eks.Cluster

, it doesn’t seem to update the vpc-cni. Thanks in advance for your help!

Should I be manually re-applying the manifest for this? My cluster is currently down due to this problem

Hi, what’s the best practice for upgrading the eks kubernetes version and managed node group version? Should I be doing it through aws console or via pulumi’s

version

property in

eks.Cluster

and

eks.ManagedNodeGroup

? I’m just not sure if there will be a down time if I use pulumi since aws console allows for rolling updates option

Hi, what is the difference between

clusterSecurityGroupTags

and

nodeSecurityGroupTags

in

eks.Cluster

? I’m using Karpenter and it required to have a tag in the cluster security groups and when I tried

clusterSecurityGroupTags

, it created a new security group instead of adding tags to the default cluster security group?

Hello Folks, I need some help setting up EKS cluster using Pulumi templates. I am using this EKS template from Pulumi to setup my cluster. But the pods in the cluster does not startup since it is not able to pull the

amazon-k8s-cni-init

container image from ECR. This is the exact error that is seen the pod

Failed to pull image "<http://602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.11.0|602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.11.0>": rpc error: code = Unknown desc = failed to pull and unpack image "<http://602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.11.0|602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.11.0>": failed to resolve reference "<http://602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.11.0|602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.11.0>": pulling from host <http://602401143452.dkr.ecr.us-west-2.amazonaws.com|602401143452.dkr.ecr.us-west-2.amazonaws.com> failed with status code [manifests v1.11.0]: 401 UnauthorizedWarningFailed25 minuteskubeletError: ErrImagePullNormalBackOff25 minuteskubeletBack-off pulling image "<http://602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.11.0|602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.11.0>"WarningFailed25 minuteskubeletError: ImagePullBackOff

I did not make any change to the template provided by Pulumi. Any leads on this is appreciated.

I have a use case where in I am setting up k8s resources using helm chart and also creating a custom service account which would replace the service account added by helm for deploy/pods. I can set the pod service account using patch however I would like to do the patch only if service account is not replaced. To do that I would need to retrieve the existing pods service account and I don’t see any good way to do that in Pulumi, saw something with kubernete query but that was not maintained. I have currently worked around by setting a flag but I would like that to be dynamic so what’s the best way to retreive pod spec and service account

Any tips on getting a pulumi secret into a kubernetes secret? I tried both with and without a promise. I am doing the following(with promise):

cfg.requireSecret("secret1").apply(secret1=>{
        cfg.requireSecret("secret2").apply(secret2=>{
          const k8sSecret = new k8s.core.v1.Secret(`${k8sSecretName}-secret`, {
            data: {
                "access-id": secret1,
                "secret-key": secret2,
            },
          },{ parent: k8sNamespace });
        })
      })

And getting the following error:

error: resource default/k8sSecretName-7e8f35be was not successfully created by the Kubernetes API server : Secret in version "v1" cannot be handled as a Secret: illegal base64 data at input byte 40

Hi, Anyone have any experience deploying a policy for the kube-descheduler? I'm trying to do so as a pulumi Custom Resource but running into the following error:

creation failed: no matches for kind "DeschedulerPolicy" in version "descheduler/v1alpha2"

And here is my config for the policy:

k8s.apiextensions.CustomResource(
            "descheduler-policy",
            kind="DeschedulerPolicy",
            api_version="descheduler/v1alpha2",
            metadata=k8s.meta.v1.ObjectMetaArgs(
                namespace="kube-system",
            ),
            spec={
                "profiles": [
                    {
                        "name": "default",
                        "pluginConfig": [
                            {
                                "name": "DefaultEvictor"
                            },
                            {
                                "name": "HighNodeUtilization",
                                "args": {
                                        "thresholds": {"cpu": 20, "memory": 30},
                                },
                            },
                        ],
                        "plugins": {
                            "evict": {"enabled": ["DefaultEvictor"]},
                            "balance": {"enabled": ["HighNodeUtilization"]}
                        },
                    }
                ],
            },
            opts=pulumi.ResourceOptions(
                provider=provider,
                depends_on=[
                    cluster,
                    descheduler
                ],
                parent=self,
            ),
        )

Is there any way to disable the random numbers and letters pulumi creates on k8s resources?

Does anyone else use Pulumi to generate YAML manifests, and feed into a GitOps tool, like ArgoCD? If so: 1.) What are you doing? 2.) What are your challenges? 3.) What is going well? Any other things to consider are helpful too, e.g. , some Pulumi-native idea that is moving in the GitOps direction, etc?

Hi all, I'm trying to use the python flux bootstrap example from here: https://www.pulumi.com/registry/packages/flux/#example Am I correct in thinking that this example is meant to take a newly-created GKE cluster and 'connect' it a particular github repo?

Is there any known issue for unit testing the Kubernetes yaml ConfigFile?

Is there a way to convert my istio config yaml into pulumi python code?

Hi, I'm trying to create an EKS ManagedNodeGroup, which requires a

cluster

argument. I'm finding that the

cluster

it expects is not compatible with the result of

aws.eks.getCluster

, and I'm not sure what to do.

const cluster = await aws.eks.getCluster({
  name: "my-cluster-name",
})

const nodeGroup = new eks.ManagedNodeGroup("node-group", {cluster: cluster})

I'm getting a Typescript error

Type 'GetClusterResult' is not assignable to type 'Cluster | CoreData'.
  Type 'GetClusterResult' is missing the following properties from type 'CoreData': cluster, vpcId, subnetIds, clusterSecurityGroup, and 5 more

(using

getClusterOutput

has the same problem)

I am using

aws.eks.getCluster

because the cluster is created in another project, where I am exporting its name

@pulumi/eks

doesn't seem to have a way to get an existing cluster, and

@pulumi/aws

doesn't seem to know about managed node groups?

Hi all! Have a question about the

crd2pulumi

tool, but can’t seem to find a dedicated channel on that topic. Please let me know if there’s somewhere better to post this q! I’m trying to generate Typescript code for multiple CRDs from the same project. Specifically, I’m trying to generate code for Traefik’s

IngressRoute

and

Middleware

resources. Based on the usage described in the README, it seems like you can only point

crd2pulumi

to a single file. My approach has been to generate code for each CRD yml file and then move the generated code into separate directories (see attached screenshot). I’m able to import and use the generated classes (yay!). However I see the following error when importing two classes in the same Pulumi program:

TypeError: Invalid Version:

The printed stack trace that points me to a line that reads

pulumi.runtime.registerResourceModule("crds", "<http://traefik.containo.us/v1alpha1|traefik.containo.us/v1alpha1>", _module)

. It looks like the version in each

package.json

is empty, but I’m finding it curious that this error only seems to occur when I try to import two different classes generated as described above. Wondering if there’s some sort of conflict since I’m registering the same resource module twice? Am I just missing how to generate code for multiple CRDs that belong in the same module? Thanks in advance for any advice here!

Screenshot:

Is there some way to use a custom awaiter for my

CustomResource

object (or for an object generated by crd2pulumi)? Or, is there good default behavior, e.g. looking to a

Ready

status condition? If no, would the community be interested in a contribution? Any known workarounds?