No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hi all, we recently rotated our AKS certificate and now can no longer access kubernetes with the pulumi k8provider.  The certificate (kubeconfig) works with lens and our deployment agents in DevOps pipelines.  Any ideas on what the issue is?

kubernetes:apps/v1:Deployment (default/chart):
    error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: Get "<https://d.hcp.westus2.azmk8s.io:443/openapi/v2?timeout=32s|https://***********.hcp.westus2.azmk8s.io:443/openapi/v2?timeout=32s>": x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "ca")

Again, this started after a kube cert rotation.  When I print the kubeconfig it is correct.

```kubeconfig = creds.kubeconfigs[0].value.apply(
    lambda enc: base64.b64decode(enc).decode())

k8s_provider = k8s.Provider(
    f'{stack_name}-k8s-provider',
    kubeconfig=kubeconfig
)```

```pulumi.export("kubeconfig", kubeconfig)```

kubeconfig matches what lens is using and lens works.

<@U026JBAHN5U> what’s in your state? `pulumi state export` - i bet the kubeconfig is still stored in state with the wrong cert

That is probably it! Do I export, update kubeconfig, import?

You can do a refresh of the urn. I’m on mobile so can’t share how to do that. Expert and update would work too