#kubernetes

lively-computer-46855

03/20/2024, 5:54 PM
I'm looking to have the Postgres Provider talk to my RDS cluster that is only available (through a security group) to my EKS nodes. One way I can stitch that together manually is by `kubectl run`ing https://hub.docker.com/r/marcnuri/port-forward in my cluster and then using `kubectl port-forward`. Is there a good way to do this in Pulumi? I'm familiar with the `commands` package, but I can't quite figure out how to make that work in a declarative style such that it cleans up well after itself (shuts down the container in eks, kills the `port-forward` command...etc.)

billions-xylophone-85957

03/20/2024, 7:02 PM
vpn to the cluster?

lively-computer-46855

03/20/2024, 7:03 PM
the cluster doesn't exist before invoking `pulumi up`

billions-xylophone-85957

03/20/2024, 7:05 PM
fair point! Then if you're doing something like populating the schema, I'd just run a job in that cluster that invokes `psql`. Port-forwarding sounds like a mess

lively-computer-46855

03/20/2024, 7:06 PM
it means i would have to give up on the benefits of the pulumi postgres package in terms of creating/updating resources

billions-xylophone-85957

03/20/2024, 7:06 PM
true as well
is there any chance you can make rds publicly accessible for the time of `up` and then make the policies stricter after the update finishes?

lively-computer-46855

03/20/2024, 7:07 PM
was considering that - it means detecting changes on every `up`

billions-xylophone-85957

03/20/2024, 7:08 PM
because if yes, it may be possible to chain resources in the order of "create a relaxed SG" -> "do the postgres things" -> "make SG restrictive again"

lively-computer-46855

03/20/2024, 7:08 PM
the other slightly annoying thing about it is it's not so easy to move an rds instance between subnets, so i'm not sure how doable that is
i could leave it in a public subnet but with a strict security group though

billions-xylophone-85957

03/20/2024, 7:10 PM
you can also run a vpn to the vpc I think

lively-computer-46855

03/20/2024, 7:10 PM
the vpc also doesn't exist beforehand

billions-xylophone-85957

03/20/2024, 7:10 PM
create the vpc - configure the vpn there - run the local.Command that connects to that vpn
yeah, but you can configure the vpn at creation time, right?

lively-computer-46855

03/20/2024, 7:11 PM
ah, yeah, that's interesting

billions-xylophone-85957

03/20/2024, 7:11 PM
it does sound rather like an overkill and I'm not sure how well it'll play with your CICD

lively-computer-46855

03/20/2024, 7:11 PM
yeah, i'll have to explore. thanks for the ideas!

billowy-army-68599

03/20/2024, 10:31 PM
put a tailscale subnet router in the vpc https://github.com/lbrlabs/pulumi-tailscale-bastion