EDIT False alarm disappointed Leaving it up though as delete Pulumi Community #kubernetes

EDIT: False alarm :disappointed: Leaving it up tho...

better-shampoo-48884

04/10/2021, 8:23 AM

EDIT: False alarm 😞 Leaving it up though as deleted posts just make people curious for no reason 😉 There's something weird about diffs with one helm chart in particular.. every time I run the stack, it wants to replace some certificates.. with the exact identical certificate..

Copy code

├─ kubernetes:<http://helm.sh/v3:Chart|helm.sh/v3:Chart>                                                 akv2k8s
 ~   │  ├─ kubernetes:<http://admissionregistration.k8s.io/v1:MutatingWebhookConfiguration|admissionregistration.k8s.io/v1:MutatingWebhookConfiguration>  akv2k8s/akv2k8s-envinjector       update      [diff: ~webhooks]
 +-  │  ├─ kubernetes:core/v1:Secret                                                akv2k8s/akv2k8s-envinjector-tls   replace     [diff: ~data]
 +-  │  ├─ kubernetes:core/v1:Secret                                                akv2k8s/akv2k8s-envinjector-ca    replace     [diff: ~data]
 ~   │  └─ kubernetes:apps/v1:Deployment                                            akv2k8s/akv2k8s-envinjector       update      [diff: ~spec]

Edit: neeevermind! there is a tiny diff in the certificates generated.. a bit frustrating, but of no consequence. Was almost certain there might have been some encoding issues triggering the diff or something, but no - new certs are generated by the chart every time it's touched. oh well.

better-shampoo-48884

04/10/2021, 8:25 AM

....and I spoke too quickly. there is actually a diff of just a few characters every single time. oh well 😕

billowy-army-68599

04/10/2021, 2:44 PM

There’s discussion about this here: https://pulumi-community.slack.com/archives/C84L4E3N1/p1617211149122200?thread_ts=1617187173.108800&channel=C84L4E3N1&message_ts=1617211149.122200

better-shampoo-48884

04/11/2021, 3:09 PM

That is so incredibly awesome - thanks! My chart expects me to pass those certs as variables to overload the helm behavior though.. so I made a nice reusable component out of that tls cert generation stuff 😃 Only issue now is some odd complaints about templating when I add the certs to the values:

Copy code

akv2k8sValues.env_injector.certificate.custom = {
            enabled: true,
            server: {
                tls: {
                    crt: tlsCert.crt.certPem,
                    key: tlsCert.key.privateKeyPem
                }
            },
            ca: {
                crt: tlsCert.caCert.certPem
            }
        }

with

Copy code

const SPVakv2k8s = new k8s.helm.v3.Chart("akv2k8s",{
        chart: "akv2k8s",
        version: "2.0.10",
        namespace: akv2k8sNamespace.metadata.name,
        fetchOpts: {
            repo: helmRepos.spv.url
        },
        values: akv2k8sValues
    },{
        provider: cluster
    })

results in...

Copy code

Error: invocation of kubernetes:helm:template returned an error: failed to generate YAML for specified Helm chart: failed to create chart from template: YAML parse error on akv2k8s/templates/env-injector-apiservice.yaml: error converting YAML to JSON: yaml: line 15: could not find expected ':'

Which makes me wonder.. how much json -> yaml -> json -> yaml is actually going on here :D

billowy-army-68599

04/11/2021, 3:43 PM

helm's values.yaml takes a string so you'll need to inject values into the helm chart using an

apply()

better-shampoo-48884

04/11/2021, 3:55 PM

thanks 🙂 tried that- but I really think I need a full-on tutorial on the .apply(x => x) loop and how it actually works under the hood. I keep hitting the same hurdle of not understanding how the Output<T> transforms and when.

better-shampoo-48884

04/11/2021, 3:57 PM

Copy code

if (akv2k8sValues?.env_injector?.certificate?.custom) {
        akv2k8sValues.env_injector.certificate = {
            useCertManager: false,
            custom: {
                enabled: true,
                server: {
                    tls: {
                        crt: tlsCert.crt.certPem.apply(x => x),
                        key: tlsCert.key.privateKeyPem.apply(x => x)
                    }
                },
                ca: {
                    crt: tlsCert.caCert.certPem.apply(x => x)
                }
            }        
        }
    }

Basically - this produces the exact same error.

better-shampoo-48884

04/11/2021, 4:09 PM

Man.. I'm giving up for now.. This actually passed - but likely with the crappy string values rather than the correct values since the actual deployment failed (still in the process of burning down my deployment). The top combination of interpolate + apply was then referenced with yet another apply earlier - with still no joy. There seems to be no way to get those keys to be real strings before helm does its magic.

Copy code

//let serverCrt = pulumi.interpolate`${tlsCert.crt.certPem.apply(x => x)}`
    let serverKey = "xzc";
    let caCrt = "czx";
    let serverCrt = "vcx";
    tlsCert.crt.certPem.apply(pem => {
        serverCrt = pem;
        return true
    })
    tlsCert.key.privateKeyPem.apply(key => {
        serverKey = key;
        return true
    })
    tlsCert.caCert.certPem.apply(pem => {
        caCrt = pem;
        return true
    })   
    if (akv2k8sValues?.env_injector?.certificate?.custom) {
        akv2k8sValues.env_injector.certificate = {
            useCertManager: false,
            custom: {
                enabled: true,
                server: {
                    tls: {
                        crt: serverCrt,
                        key: serverKey
                    }
                },
                ca: {
                    crt: caCrt
                }
            }        
        }
    }

better-shampoo-48884

04/11/2021, 5:14 PM

Going full shotgun mode on this.. still failing at the same place..

Copy code

let akv2k8sValues = yaml.load(fs.readFileSync("./components/chart-values/akv2k8s-production.yml")) as any

    let tlsCrt = tlsCert.crt.certPem.apply(tlsCrt => {
        let curObj = akv2k8sValues;
        akv2k8sValues.env_injector.certificate = {
            useCertManager: false,
            custom: {
                enabled: true,
                server: {
                    tls: {
                        crt: tlsCert.crt.certPem.apply(x => x),
                        key: "toBeFilled"
                    }
                },
                ca: {
                    crt: "toBeFilled"
                }
            }        
        }
        return akv2k8sValues;
    })

    let tlsKey = pulumi.all([tlsCrt, tlsCert.key.privateKeyPem]).apply(([objValue, key]) => {
        objValue.env_injector.certificate.custom.server.tls.key = key;
        return objValue;
    })

    let finalAkv2k8sValues = pulumi.all([tlsKey, tlsCert.caCert.certPem]).apply(([objValue, cert]) => {
        objValue.env_injector.certificate.custom.ca.crt = cert;
        return objValue;
    })
    
    
    const SPVakv2k8s = new k8s.helm.v3.Chart("akv2k8s",{
        chart: "akv2k8s",
        version: "2.0.10",
        namespace: akv2k8sNamespace.metadata.name,
        fetchOpts: {
            repo: helmRepos.spv.url
        },
        values: finalAkv2k8sValues.apply(x => x)
    },{
        provider: cluster,
        dependsOn: [tlsCert.crt, tlsCert.key, tlsCert.caCert]
    })

4 Views

Open in Slack

Previous Next