hello. I want to use the Postgres provider to manage databases on a Postgres instance deployed on Kubernetes. The issue is that the service is not exposed to the outside so Pulumi can´t reach it. What is the best way to handle this? Should I use a VPN/kubectl port-forwarding? I need a way that can be use in CI envrionment and also for new/existing clusters. (A new cluster will create the K8s cluster, deploy the postgres StatefulSet and setup default databases).

I would say using port forward is the best way if you're running inside the cluster. Just set the environment variable

PGHOST

to localhost and it should work

I'd explore setting up an IngressController to provide access to the underlying Pod that contains your Postgres container.

I'm not sure I'd advocate exposing databases via an ingress!

yah. that would be the simplest option, but in general is not a good practice for security reasons to expose services like databases to the outside.

I'm not certain what the postgres provider is, but in my cluster, I installed postgres and pgadmin4, leave the db to be accessed directly by all the apps, which included pgAdmin4, and I created an IngressController for pgAdmin4 to do db administration from outside of the cluster

@polite-motherboard-78438 I’m hitting the same issue here. What did you end up with to fix it on your end ?

@faint-motherboard-95438 I would expect that you'd need to expose your postgres db to the outside world if you want CI/CD to do the work, or port-forward to the postgres instance if you want to do the work with a local pulumi app.

@ancient-megabyte-79588 exposing the DB to the outside world is not an option and a security issue for us. The question is more related on how to do so in one pulumi run (though that seems impossible, maybe someone from the @echoing-match-29901 knows the trick). If not doable, indeed that means to deploy the raw DB service from one pulumi project, and manage it from another one with some “magic” in between to access the DB (as you suggested either a trigger port-forward or open a VPN)

@faint-motherboard-95438 In this case, outside world meant outside of the cluster but not necessarily public. If your CI/CD has access to the same internal network as your kubernetes is on, I simple meant exposing your Postgres DB on a NodePort or LoadBalancer. Currently, our Postgres DB is exposed only as a ClusterIP and is only accessible via portforwarding or pods that are internal to the cluster, which means Pulumi cannot access it. I am curious though if the new pulumi kubernetes operator is an option for you. That looks to be like having a little pulumi CLI in your k8s cluster.

@ancient-megabyte-79588 thanks for clarifying. I ended up provisioning the database in one project and managing resources in another one, using a postgresql provider and spawning a port-forwarding before running the

pulumi

command, maybe not perfect but works both locally and in a pipeline.