https://pulumi.com logo
#kubernetes
Title
# kubernetes
b

better-shampoo-48884

04/10/2021, 8:23 AM
EDIT: False alarm 😞 Leaving it up though as deleted posts just make people curious for no reason πŸ˜‰ There's something weird about diffs with one helm chart in particular.. every time I run the stack, it wants to replace some certificates.. with the exact identical certificate..
Copy code
β”œβ”€ kubernetes:<http://helm.sh/v3:Chart|helm.sh/v3:Chart>                                                 akv2k8s
 ~   β”‚  β”œβ”€ kubernetes:<http://admissionregistration.k8s.io/v1:MutatingWebhookConfiguration|admissionregistration.k8s.io/v1:MutatingWebhookConfiguration>  akv2k8s/akv2k8s-envinjector       update      [diff: ~webhooks]
 +-  β”‚  β”œβ”€ kubernetes:core/v1:Secret                                                akv2k8s/akv2k8s-envinjector-tls   replace     [diff: ~data]
 +-  β”‚  β”œβ”€ kubernetes:core/v1:Secret                                                akv2k8s/akv2k8s-envinjector-ca    replace     [diff: ~data]
 ~   β”‚  └─ kubernetes:apps/v1:Deployment                                            akv2k8s/akv2k8s-envinjector       update      [diff: ~spec]
Edit: neeevermind! there is a tiny diff in the certificates generated.. a bit frustrating, but of no consequence. Was almost certain there might have been some encoding issues triggering the diff or something, but no - new certs are generated by the chart every time it's touched. oh well.
....and I spoke too quickly. there is actually a diff of just a few characters every single time. oh well πŸ˜•
b

better-shampoo-48884

04/11/2021, 3:09 PM
That is so incredibly awesome - thanks! My chart expects me to pass those certs as variables to overload the helm behavior though.. so I made a nice reusable component out of that tls cert generation stuff πŸ˜ƒ Only issue now is some odd complaints about templating when I add the certs to the values:
Copy code
akv2k8sValues.env_injector.certificate.custom = {
            enabled: true,
            server: {
                tls: {
                    crt: tlsCert.crt.certPem,
                    key: tlsCert.key.privateKeyPem
                }
            },
            ca: {
                crt: tlsCert.caCert.certPem
            }
        }
with
Copy code
const SPVakv2k8s = new k8s.helm.v3.Chart("akv2k8s",{
        chart: "akv2k8s",
        version: "2.0.10",
        namespace: akv2k8sNamespace.metadata.name,
        fetchOpts: {
            repo: helmRepos.spv.url
        },
        values: akv2k8sValues
    },{
        provider: cluster
    })
results in...
Copy code
Error: invocation of kubernetes:helm:template returned an error: failed to generate YAML for specified Helm chart: failed to create chart from template: YAML parse error on akv2k8s/templates/env-injector-apiservice.yaml: error converting YAML to JSON: yaml: line 15: could not find expected ':'
Which makes me wonder.. how much json -> yaml -> json -> yaml is actually going on here :D
b

billowy-army-68599

04/11/2021, 3:43 PM
helm's values.yaml takes a string so you'll need to inject values into the helm chart using an
apply()
b

better-shampoo-48884

04/11/2021, 3:55 PM
thanks πŸ™‚ tried that- but I really think I need a full-on tutorial on the .apply(x => x) loop and how it actually works under the hood. I keep hitting the same hurdle of not understanding how the Output<T> transforms and when.
Copy code
if (akv2k8sValues?.env_injector?.certificate?.custom) {
        akv2k8sValues.env_injector.certificate = {
            useCertManager: false,
            custom: {
                enabled: true,
                server: {
                    tls: {
                        crt: tlsCert.crt.certPem.apply(x => x),
                        key: tlsCert.key.privateKeyPem.apply(x => x)
                    }
                },
                ca: {
                    crt: tlsCert.caCert.certPem.apply(x => x)
                }
            }        
        }
    }
Basically - this produces the exact same error.
Man.. I'm giving up for now.. This actually passed - but likely with the crappy string values rather than the correct values since the actual deployment failed (still in the process of burning down my deployment). The top combination of interpolate + apply was then referenced with yet another apply earlier - with still no joy. There seems to be no way to get those keys to be real strings before helm does its magic.
Copy code
//let serverCrt = pulumi.interpolate`${tlsCert.crt.certPem.apply(x => x)}`
    let serverKey = "xzc";
    let caCrt = "czx";
    let serverCrt = "vcx";
    tlsCert.crt.certPem.apply(pem => {
        serverCrt = pem;
        return true
    })
    tlsCert.key.privateKeyPem.apply(key => {
        serverKey = key;
        return true
    })
    tlsCert.caCert.certPem.apply(pem => {
        caCrt = pem;
        return true
    })   
    if (akv2k8sValues?.env_injector?.certificate?.custom) {
        akv2k8sValues.env_injector.certificate = {
            useCertManager: false,
            custom: {
                enabled: true,
                server: {
                    tls: {
                        crt: serverCrt,
                        key: serverKey
                    }
                },
                ca: {
                    crt: caCrt
                }
            }        
        }
    }
Going full shotgun mode on this.. still failing at the same place..
Copy code
let akv2k8sValues = yaml.load(fs.readFileSync("./components/chart-values/akv2k8s-production.yml")) as any

    let tlsCrt = tlsCert.crt.certPem.apply(tlsCrt => {
        let curObj = akv2k8sValues;
        akv2k8sValues.env_injector.certificate = {
            useCertManager: false,
            custom: {
                enabled: true,
                server: {
                    tls: {
                        crt: tlsCert.crt.certPem.apply(x => x),
                        key: "toBeFilled"
                    }
                },
                ca: {
                    crt: "toBeFilled"
                }
            }        
        }
        return akv2k8sValues;
    })

    let tlsKey = pulumi.all([tlsCrt, tlsCert.key.privateKeyPem]).apply(([objValue, key]) => {
        objValue.env_injector.certificate.custom.server.tls.key = key;
        return objValue;
    })

    let finalAkv2k8sValues = pulumi.all([tlsKey, tlsCert.caCert.certPem]).apply(([objValue, cert]) => {
        objValue.env_injector.certificate.custom.ca.crt = cert;
        return objValue;
    })
    
    
    const SPVakv2k8s = new k8s.helm.v3.Chart("akv2k8s",{
        chart: "akv2k8s",
        version: "2.0.10",
        namespace: akv2k8sNamespace.metadata.name,
        fetchOpts: {
            repo: helmRepos.spv.url
        },
        values: finalAkv2k8sValues.apply(x => x)
    },{
        provider: cluster,
        dependsOn: [tlsCert.crt, tlsCert.key, tlsCert.caCert]
    })
4 Views