Since deploying the Datadog helm chart I get the following ` Pulumi Community #kubernetes

Since deploying the Datadog helm chart, I get the ...

rapid-soccer-18092

09/28/2021, 3:53 PM

Since deploying the Datadog helm chart, I get the following

pulumi preview

diff even if nothing has changed. This ultimately causes my datadog pods to get recreated, which is not desirable. I am deploying to AKS K8s (1.21.2) using Pulumi 3.12.0

Copy code

pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:preprod::aks::pulumi:pulumi:Stack::aks-preprod]
            [provider=urn:pulumi:preprod::aks::pulumi:providers:kubernetes::k8s-provider::046e67e2-9780-4010-9c77-9999999ebefd]
          ~ spec: {
              ~ template: {
                  ~ metadata: {
                      ~ annotations: {
                          ~ checksum/clusteragent_token: "32a656c3c7aeb06e5c36xxx" => "8027d4026d2e72484f1xxx"
                        }
                    }
                }
            }
        +-kubernetes:core/v1:Secret: (replace)
            [id=default/datadog-chart-cluster-agent]
            [urn=urn:pulumi:preprod::aks::kubernetes:<http://helm.sh/v3:Chart$kubernetes:core/v1:Secret::default/datadog-chart-cluster-agent|helm.sh/v3:Chart$kubernetes:core/v1:Secret::default/datadog-chart-cluster-agent>]
            [provider=urn:pulumi:preprod::aks::pulumi:providers:kubernetes::k8s-provider::046e67e2-9780-4010-9c77-9999999ebefd]
          ~ data: {
            }
        ~ kubernetes:apps/v1:DaemonSet: (update)
            [id=default/datadog-chart]
            [urn=urn:pulumi:preprod::aks::kubernetes:<http://helm.sh/v3:Chart$kubernetes:apps/v1:DaemonSet::default/datadog-chart|helm.sh/v3:Chart$kubernetes:apps/v1:DaemonSet::default/datadog-chart>]
            [provider=urn:pulumi:preprod::aks::pulumi:providers:kubernetes::k8s-provider::046e67e2-9780-4010-9c77-9999999ebefd]
          ~ spec: {
              ~ template: {
                  ~ metadata: {
                      ~ annotations: {
                          ~ checksum/clusteragent_token: "bcc328b0b69baa07a7fae32a6baxxx" => "5200e78e7733904901f9511a094e8xxx"
                        }
                    }
                }
Resources:
    ~ 2 to update
    +-1 to replace
    3 changes. 103 unchanged

And the pruned logs from the

pulumi up

look like this:

Copy code

-- kubernetes:core/v1:Secret default/datadog-chart-cluster-agent deleting original 
 ~  kubernetes:apps/v1:Deployment default/datadog-chart-cluster-agent updating [diff: ~spec]
 ~  kubernetes:apps/v1:DaemonSet default/datadog-chart updating [diff: ~spec]
 -- kubernetes:core/v1:Secret default/datadog-chart-cluster-agent deleting original 
 -- kubernetes:core/v1:Secret default/datadog-chart-cluster-agent deleted original
 ~  kubernetes:apps/v1:Deployment default/datadog-chart-cluster-agent updating [diff: ~spec]; [1/2] Waiting for app ReplicaSet be marked available
 ~  kubernetes:apps/v1:Deployment default/datadog-chart-cluster-agent updating [diff: ~spec]; Deployment initialization complete
 ~  kubernetes:apps/v1:Deployment default/datadog-chart-cluster-agent updated [diff: ~spec]; Deployment initialization complete 
 ~  kubernetes:apps/v1:DaemonSet default/datadog-chart updated [diff: ~spec] 
 +- kubernetes:core/v1:Secret default/datadog-chart-cluster-agent replacing [diff: ~data];
 +- kubernetes:core/v1:Secret default/datadog-chart-cluster-agent replaced [diff: ~data]; 
 ++ kubernetes:core/v1:Secret default/datadog-chart-cluster-agent creating replacement [diff: ~data]; 
 ++ kubernetes:core/v1:Secret default/datadog-chart-cluster-agent creating replacement [diff: ~data]; 
 ++ kubernetes:core/v1:Secret default/datadog-chart-cluster-agent created replacement [diff: ~data];

Can someone help point me in the right direction?

bored-table-20691

09/28/2021, 4:07 PM

My guess is there is something in the chart that is getting changed on every deployment, likely due to some hook

bored-table-20691

09/28/2021, 4:08 PM

You should look at the Helm chart to see if there is a way to disable that part of it or tell it to skip hooks, and possibly do a transform on the Pulumi side

brave-ambulance-98491

09/28/2021, 5:12 PM

I suspect the

Secret

has a fixed name in the helm chart? The issue with

ConfigMap

mentioned up above likely applies to

Secret

as well: When you use a fixed name for a

Secret

, Pulumi deletes and replaces it in order to force a recreation of pods that mount the secret in. If you can have Pulumi name the

Secret

for you, it will create a new secret, update the pods to depend on it, and perform a standard rollout.

rapid-soccer-18092

09/29/2021, 4:06 AM

Thanks for your responses. @bored-table-20691 I dont see any evidence of their being hooks or a way to disable them. Nothing specified in the readme or configuration. Is there somewhere else I could look to find this? @brave-ambulance-98491 I'm not specifying a

Secret

ConfigMap

for Datadog, but these are created when deploying the chart:

bored-table-20691

09/29/2021, 4:07 AM

Can you share a link to the chart a

rapid-soccer-18092

09/29/2021, 4:08 AM

FYI, how I'm deploying the chart:

Copy code

var datadogChart = new Chart("datadog-chart",
    new ChartArgs
    {
        Chart = "datadog",
        Version = args.DatadogChartVersion,
        Namespace = "default",
        Values = new Dictionary<string, object>
        {
            ["datadog"] = new Dictionary<string, object>
            {
                ["apiKey"] = args.DatadogApiKey,
                ["site"] = "<http://datadoghq.eu|datadoghq.eu>",
                ["logs"] = new Dictionary<string, object>
                {
                    ["enabled"] = true,
                    ["containerCollectAll"] = true
                },
                ["kubelet"] = new Dictionary<string, object>
                {
                    ["tlsVerify"] = false
                }
            },
        },
        FetchOptions = new ChartFetchArgs
        {
            Repo = "<https://helm.datadoghq.com>"
        }
    },
    new ComponentResourceOptions
    {
        Provider = provider,
    });

rapid-soccer-18092

09/29/2021, 4:09 AM

@bored-table-20691 https://github.com/DataDog/helm-charts/blob/main/charts/datadog/README.md

rapid-soccer-18092

09/29/2021, 4:11 AM

Link corrected

bored-table-20691

09/29/2021, 4:13 AM

# clusterAgent.token -- Cluster Agent token is a preshared key between node agents and cluster agent (autogenerated if empty, needs to be at least 32 characters a-zA-z) token: ""

bored-table-20691

09/29/2021, 4:13 AM

This is the issue

bored-table-20691

09/29/2021, 4:14 AM

Set a value there (you can use the random Pulumi provider)

rapid-soccer-18092

09/29/2021, 4:28 AM

Ok great, thanks. Let me try this. What do you mean by using a random Pulumi provider?

rapid-soccer-18092

09/29/2021, 4:29 AM

Something like this? https://www.pulumi.com/docs/reference/pkg/random/randompassword/

bored-table-20691

09/29/2021, 4:33 AM

Yep exactly.

bored-table-20691

09/29/2021, 4:33 AM

Sorry I'm on my phone so hard to link

rapid-soccer-18092

09/29/2021, 4:33 AM

No problem - appreciate the help! I will report back

rapid-soccer-18092

09/29/2021, 6:18 AM

@bored-table-20691 Thanks - this did work for me. I had to name my secret (which I believe makes it immutable) because otherwise the Datadog agent cannot find it. Pasting my code below for reference.

Copy code

var datadogChecksum = new RandomPassword("datadog-checksum-password", new RandomPasswordArgs
{
    Length = 32,
    Special = true
});

var secret = new Secret("datadog-checksum-secret", 
    new SecretArgs
    {
        Metadata = new ObjectMetaArgs()
        {
            Name = "datadog-checksum-secret",
            Namespace = "default"
        },
        StringData =  datadogChecksum
            .Result
            .Apply(x => new Dictionary<string, string>() { { "token", x } })
    },
    new CustomResourceOptions
    {
        Provider = provider
    });

// Datadog chart. <https://github.com/DataDog/helm-charts/tree/main/charts/datadog>
var datadogChart = new Chart("datadog-chart",
    new ChartArgs
    {
        Chart = "datadog",
        Version = args.DatadogChartVersion,
        Namespace = "default",
        Values = new Dictionary<string, object>
        {
            ["datadog"] = new Dictionary<string, object>
            {
                ["apiKey"] = args.DatadogApiKey,
                ["site"] = "<http://datadoghq.eu|datadoghq.eu>",
                ["logs"] = new Dictionary<string, object>
                {
                    ["enabled"] = true,
                    ["containerCollectAll"] = true
                },
                ["kubelet"] = new Dictionary<string, object>
                {
                    ["tlsVerify"] = false // See: <https://github.com/DataDog/integrations-core/issues/2582>
                }
            },
            ["clusterAgent"] = new Dictionary<string, object>
            {
                ["tokenExistingSecret"] = "datadog-checksum-secret"
            }
        },
        FetchOptions = new ChartFetchArgs
        {
            Repo = "<https://helm.datadoghq.com>"
        }
    },
    new ComponentResourceOptions
    {
        Provider = provider,
        DependsOn = { aks, datadogChecksum }
    });

bored-table-20691

09/29/2021, 2:25 PM

Glad it worked out

7 Views

Open in Slack

Previous Next