Hi Guys, I’m using a `azure-native.containerservic...
# kubernetes
w
Hi Guys, I’m using the `azure-native.containerservice` lib to create an AKS cluster and I would also like to deploy k8s RBAC objects with the `kubernetes` lib. I have something like:
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as containerservice from "@pulumi/azure-native/containerservice";
import * as k8s from "@pulumi/kubernetes";

// Creating AKS
const cluster = new containerservice.ManagedCluster(...)

// Getting a kubeconfig
const creds = pulumi.all([cluster.name, resourceGroup.name]).apply(([clusterName, rgName]) => {
  return containerservice.listManagedClusterUserCredentials({
      resourceGroupName: rgName,
      resourceName: clusterName,
  });
});
// The credentials API returns the kubeconfig base64-encoded
const encoded = creds.kubeconfigs[0].value;
const kubeconfig = encoded.apply(enc => Buffer.from(enc, "base64").toString());

// Creating provider
const aksProvider = new k8s.Provider("aks", {
  kubeconfig: kubeconfig
})

// And deploying a role
const devsGroupRole = new k8s.rbac.v1.Role("pulumi-devs",{...})
```
When I run it locally with `pulumi up` I get an auth request:
```
To sign in, use a web browser to open the page https://microsoft.com/devicelogin".
```
Am I missing something?
b
run `az login` before you run `pulumi up` and follow the instructions
w
I’ve already signed
b
ah ok, I misunderstood then
w
And I’d like to get kubeconfig from AKS
For CI etc
b
what does `az account show` return?
w
```json
{
  "environmentName": "AzureCloud",
  "homeTenantId": "xxxxxxxxxx",
  "id": "xxxxxxxx",
  "isDefault": true,
  "managedByTenants": [],
  "name": "AAAAA",
  "state": "Enabled",
  "tenantId": "xxxxxx",
  "user": {
    "name": "sergiii",
    "type": "user"
  }
}
```
b
do you have any env vars set which might be overriding that? check `env | grep -i azure`
w
nope
I have other clusters in my local kubeconfig
b
i just ran something like your code without any issues, there has to be something locally that's upsetting the auth process
w
So overall it should work?
b
yes it should work
w
Thanks. Looks like something with provider
```typescript
const devsGroupRole = new k8s.rbac.v1.Role("pulumi-devs",{...},{provider: aksProvider})
```
b
if you comment that out, does everything work?
w
Looks like the provider is added successfully
```typescript
const aksProvider = new k8s.Provider("aks", {
  kubeconfig: kubeconfig
})
```
Once I added a Role, I got `To sign in, use a web browser to open the page`
b
i would remove this: `const devsGroupRole = new k8s.rbac.v1.Role("pulumi-devs",{...})` and then export your kubeconfig:
```typescript
export const kubeconfig = encoded.apply(enc => Buffer.from(enc, "base64").toString());
```
Then do `pulumi stack output kubeconfig` and examine what's there
w
I have a valid config in the output
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: https://api:443
  name: dev
contexts:
- context:
    cluster: dev
    user: clusterUser_aks_dev
  name: dev
current-context: dev
kind: Config
preferences: {}
users:
- name: clusterUser_aks-dev
  user:
    auth-provider:
      config:
        apiserver-id: cccc
        client-id: xxxx
        config-mode: "1"
        environment: AzurePublicCloud
        tenant-id: cccc
      name: azure
```
but once I’m trying to run `pulumi up` without an update, I get the auth message
b
if you set the `kubeconfig` up and run `kubectl`, does it work?
w
Oh, looks like it comes from config
```
pulumi stack output kubeconfig --show-secrets > kubeconfig.yaml
➜  pulumi-aks git:(poc) ✗ KUBECONFIG=./kubeconfig.yaml kubectl get nodes
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXXX to authenticate.
```
b
yeah that's what I've been trying to say 🙂 your environment isn't set up correctly to auth with a kubeconfig
w
Thank you very much! Wondering how to set it up now