
handsome-state-59775

04/05/2021, 5:19 AM
i'm trying to create a docker registry (private) secret in a namespace, and then patch the default service account for that namespace to use that secret, but i get the following error:
error: resource ****/serviceAccount-****-ge0e5qf8 was not successfully created by the Kubernetes API server : ServiceAccount in version "v1" cannot be handled as a ServiceAccount: v1.ServiceAccount.ImagePullSecrets: []v1.LocalObjectReference: readObjectStart: expect { or n, but found ", error found in #10 byte of ...|ecrets":["****/|..., bigger context ...|{"apiVersion":"v1","imagePullSecrets":["****/regcred"],"kind":"ServiceAccount","metad|...
any insights? code as follows:
registry_credentials_encoded = base64.b64encode(
    f'{REGISTRY_USERNAME}:{REGISTRY_PASSWORD}'.encode(),
).decode()
image_pull_secret_ns_main = k8s.core.v1.Secret(
    resource_name=f'containerRegistryCredentials-{NAMESPACE_MAIN}',
    metadata=k8s.meta.v1.ObjectMetaArgs(
        name='regcred',
        namespace=NAMESPACES[NAMESPACE_MAIN].metadata.name,
    ),
    type='kubernetes.io/dockerconfigjson',
    string_data={
        '.dockerconfigjson':
            '{"auths":{'
            f'"{CONTAINER_REGISTRY}":'
            '{"auth":'
            f'"{registry_credentials_encoded}"'
            '}}}',
    },
    opts=p.ResourceOptions(
        provider=k8s_provider,
        parent=NAMESPACES[NAMESPACE_MAIN]
        if NAMESPACE_MAIN in NAMESPACES else aks,
    ),
)

# Service account configuration for main namespaces
k8s.core.v1.ServiceAccount(
    resource_name=f'serviceAccount-{NAMESPACE_MAIN}',
    metadata=k8s.meta.v1.ObjectMetaArgs(
        namespace=NAMESPACES[NAMESPACE_MAIN].metadata.name,
    ),
    image_pull_secrets=[
        image_pull_secret_ns_main,
    ],
    opts=p.ResourceOptions(
        provider=k8s_provider,
        parent=NAMESPACES[NAMESPACE_MAIN]
        if NAMESPACE_MAIN in NAMESPACES else aks,
    ),
)
another issue is that the final secret at k8s has {"auth":"X2pzb25fa2V5OjxwdWx1bWkub3V0cHV0Lk91dHB1dCBvYmplY3QgYXQgMHgxNTI0NzhjZDA+"} which decodes to _json_key:<pulumi.output.Output object at 0x152478cd0> instead of REGISTRY_PASSWORD's value (obtained via config.require_secret()). what am i doing wrong?
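The API error and the decoded value above point at two shape problems: each `imagePullSecrets` entry must be an object with a `name` field rather than a string, and the password was formatted into the credential while still an unresolved `Output`. The Python below is an added example, not part of the original post and not Pulumi code; it builds both payloads from plain strings and checks for the two failure modes. The function names, registry host and credentials are constructed for illustration, and in a Pulumi program the inputs would first have to be resolved, for instance inside `pulumi.Output.all(...).apply(...)`.

```python
import base64
import json


def docker_config_json(registry, username, password):
    """Build the .dockerconfigjson payload from plain strings only."""
    for value in (registry, username, password):
        if not isinstance(value, str):
            # An unresolved wrapper object would be formatted as its repr
            # and silently stored in place of the real credential.
            raise TypeError(f"expected str, got {type(value).__name__}")
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return json.dumps({"auths": {registry: {"auth": auth}}})


def service_account(name, namespace, secret_names):
    """imagePullSecrets is a list of LocalObjectReference objects."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": name, "namespace": namespace},
        "imagePullSecrets": [{"name": n} for n in secret_names],
    }


def lint(sa, config_json):
    """Return one finding per occurrence of the two failure modes in the post."""
    findings = []
    for i, ref in enumerate(sa.get("imagePullSecrets", [])):
        if not (isinstance(ref, dict) and isinstance(ref.get("name"), str)):
            findings.append(
                f"imagePullSecrets[{i}]: expected {{'name': ...}}, got {ref!r}")
    for registry, entry in json.loads(config_json)["auths"].items():
        decoded = base64.b64decode(entry["auth"]).decode(errors="replace")
        _user, sep, password = decoded.partition(":")
        # A Python object repr in the password slot means a value was
        # interpolated before it was resolved to a string.
        if not sep or (password.startswith("<") and " object at 0x" in password):
            findings.append(f"{registry}: auth does not decode to user:password")
    return findings
```

Running `lint` over the rendered manifests before deployment catches both problems without printing the credential itself.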