# getting-started
c
It’s me again, this time asking for help regarding a weird error I am having when using a K8S Provider that loads the `kubeconfig` from the output of a cluster creation by the DigitalOcean provider. (Typescript) This is what I am doing to create the provider and export it so I can use it in other parts of the project:
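```
import * as digitalocean from '@pulumi/digitalocean';
import * as k8s from '@pulumi/kubernetes';

const k8sCluster = new digitalocean.KubernetesCluster(...)

(...)

// Explicit provider built from the kubeconfig returned by the cluster resource
export const provider = new k8s.Provider('k8s', {
  kubeconfig: k8sCluster.kubeConfigs[0].rawConfig,
});
```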
Later I am using the provider to create a Helm Release as follows:
```
import * as k8s from '@pulumi/kubernetes';
import { provider } from '../path-to-the-provider';

const redis = new k8s.helm.v3.Release(
  'redis',
  {
    chart: 'redis',
  },
  {
    // Use the explicit provider instead of the default one
    provider,
  },
);
```
This is failing with the following error:
```
Diagnostics:
  kubernetes:helm.sh/v3:Release (redis):
    error: could not get server version from Kubernetes: the server has asked for the client to provide credentials
```
Note that if I don’t use the provider and I let the default provider kick in and use the `kubeConfig` file in my system, everything works. I am sure I am missing something but I am unsure what. I’d be grateful if anybody could guide me here. Thank you 🙏
I am doing `-v 3` and `--debug` but I don’t see anything meaningful in the logs
Exactly, that was the issue, in case anyone wonders! Doing this worked!
Now I’ve gotten another problem, since changing the k8s provider (which points to the same cluster as before, just it doesn’t use the default global provider), resources are asking to be replaced. Why is that?
s
Resources are asking to be replaced because the provider is part of the URN (Universal Resource Name, how Pulumi uniquely identifies resources). If the provider has changed, then the URN has changed, and the resource needs to be replaced.
If this is a major problem, you can probably use Pulumi’s aliases functionality to work around it: https://www.pulumi.com/docs/concepts/options/aliases/
c
I was trying to use aliases, however I’m a bit confused on how to use them to reference the default provider, because I am unaware of what’s the default provider URN. Just to clarify, the “new” provider should have an alias to the default global provider’s URN, correct?
As a side note, do you think it would be possible to add the above scenario: https://github.com/pulumi/pulumi-digitalocean/issues/312#issuecomment-1143432863 to the DigitalOcean package docs? I’m sure it’s something a lot of people will encounter and it’s hard to debug
s
Here’s an example of provider aliasing I just got from a colleague:
```
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const config = new pulumi.Config("aws");
const provider = new aws.Provider("aws", {
    profile: config.require("profile"),
    region: <aws.Region>config.require("region")
    // where the below string is the URN of the default provider
}, { aliases: ["urn:pulumi:phil::provider-alias::pulumi:providers:aws::default_5_30_1"] });

// Create an AWS resource (S3 Bucket)
const bucket = new aws.s3.Bucket("my-bucket", {}, { provider: provider });

// Export the name of the bucket
export const bucketName = bucket.id;
```
The default provider’s URN should be accessible in the Pulumi state, assuming you haven’t already run an update (which I think you were holding on because of the resource replacements). That will give you what you need to put in the alias.
c
That makes sense! I will give it a try, thank you! Btw what’s the `_5_30_1` suffix in the alias?
s
Provider version (referencing version 5.30.1 of the AWS provider, in this example).
As to your other question, I’m trying to make sure I understand what needs to be added. Are you saying that the suggestion to generate a custom Kubeconfig with a user-provided API token is what you think would be useful to add?
c
I think the solution the comment gives works but is very opinionated and some people might find it insecure, so what I would explain in the docs is that the kubeconfig generated by the DO API expires after 7 days. What happened to me is that it expired indeed and when trying to do `pulumi up`, it complained about missing credentials, which further confused me due to the fact that it had worked in the past.
`new digitalocean.KubernetesCluster` returns a `kubeConfig` that expires after 7 days basically, and when it does, it’s confusing. It’s not something Pulumi can control obviously but a hint about this in the docs is what I would add.
🙏
s
Got it, thank you. Let me formulate all that into an issue and see what we can do!
c
awesome! Let me know if you need feedback or anything. 🙏🙏
s
I’ve opened this issue: https://github.com/pulumi/pulumi-digitalocean/issues/445 Feel free to upvote the issue and/or add more information, details, clarification, etc. Thank you!
c
Great! DD
a
Greetings. I’ve got the same issue and tried to replace the kubeconfig with the proposed `createTokenKubeconfig`. I’ve specified the alias for the k8s provider, but it still wants to replace everything, here are diff details:
```
pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:qa.provision::crm::pulumi:pulumi:Stack::crm-qa.provision]
    ++pulumi:providers:kubernetes: (create-replacement)
        [id=a318d097-7f31-40f1-baf7-51a549ebec6f]
        [urn=urn:pulumi:qa.provision::crm::pulumi:providers:kubernetes::doks]
        enableServerSideApply: "true"
        kubeconfig           : [secret]
        version              : "3.24.2"
    +-pulumi:providers:kubernetes: (replace)
        [id=a318d097-7f31-40f1-baf7-51a549ebec6f]
        [urn=urn:pulumi:qa.provision::crm::pulumi:providers:kubernetes::doks]
        enableServerSideApply: "true"
        kubeconfig           : [secret]
        version              : "3.24.2"
    --pulumi:providers:kubernetes: (delete-replaced)
        [id=a318d097-7f31-40f1-baf7-51a549ebec6f]
        [urn=urn:pulumi:qa.provision::crm::pulumi:providers:kubernetes::doks]
```
any suggestions on how to deal with this?
but when I pass the kubeconfig as a string it identifies diff as to update