
wooden-receptionist-75654

10/25/2021, 10:45 AM
Hi Guys, I’m using the `azure-native.containerservice` lib to create an AKS cluster and I also would like to deploy k8s RBAC objects with the `kubernetes` lib. I have something like:
```typescript
// Creating AKS
const cluster = new containerservice.ManagedCluster(...)

// Getting a kubeconfig
const creds = pulumi.all([cluster.name, resourceGroup.name]).apply(([clusterName, rgName]) => {
  return containerservice.listManagedClusterUserCredentials({
      resourceGroupName: rgName,
      resourceName: clusterName,
  });
});
const encoded = creds.kubeconfigs[0].value;
const kubeconfig = encoded.apply(enc => Buffer.from(enc, "base64").toString());

// Creating provider
const aksProvider = new k8s.Provider("aks", {
  kubeconfig: kubeconfig
})

// And deploying a role
const devsGroupRole = new k8s.rbac.v1.Role("pulumi-devs",{...})
```
When I run it locally with `pulumi up` I got an auth request:
```
To sign in, use a web browser to open the page <https://microsoft.com/devicelogin>".
```
Am I missing something?

brainy-lion-38675

10/25/2021, 10:48 AM
run az login before you run pulumi up and follow the instructions

wooden-receptionist-75654

10/25/2021, 11:16 AM
I’ve already signed

brainy-lion-38675

10/25/2021, 11:17 AM
ah ok, I misunderstood then

wooden-receptionist-75654

10/25/2021, 11:17 AM
And I’d like to get kubeconfig from AKS
For CI etc

billowy-army-68599

10/25/2021, 11:59 AM
what does `az account show` return?

wooden-receptionist-75654

10/25/2021, 12:15 PM
```json
{
  "environmentName": "AzureCloud",
  "homeTenantId": "xxxxxxxxxx",
  "id": "xxxxxxxx",
  "isDefault": true,
  "managedByTenants": [],
  "name": "AAAAA",
  "state": "Enabled",
  "tenantId": "xxxxxx",
  "user": {
    "name": "sergiii",
    "type": "user"
  }
}
```

billowy-army-68599

10/25/2021, 12:17 PM
do you have any env vars set which might be overriding that? check `env | grep -i azure`

wooden-receptionist-75654

10/25/2021, 12:17 PM
nope
I have other clusters in my local kubeconfig

billowy-army-68599

10/25/2021, 12:22 PM
i just ran something like your code without any issues, there has to be something locally that's upsetting the auth process

wooden-receptionist-75654

10/25/2021, 12:24 PM
So overall it should work?

billowy-army-68599

10/25/2021, 12:25 PM
yes it should work

wooden-receptionist-75654

10/25/2021, 12:27 PM
Thanks. Looks like something with provider
```typescript
const devsGroupRole = new k8s.rbac.v1.Role("pulumi-devs",{...},{provider: aksProvider})
```

billowy-army-68599

10/25/2021, 12:34 PM
if you comment that out, does everything work?

wooden-receptionist-75654

10/25/2021, 12:54 PM
Looks like the provider is added successfully
```typescript
const aksProvider = new k8s.Provider("aks", {
  kubeconfig: kubeconfig
})
```
Once I added a Role - got
```
To sign in, use a web browser to open the page
```

billowy-army-68599

10/25/2021, 12:55 PM
i would remove this:
```typescript
const devsGroupRole = new k8s.rbac.v1.Role("pulumi-devs",{...})
```
and then export your kubeconfig:
```typescript
export const kubeconfig = encoded.apply(enc => Buffer.from(enc, "base64").toString());
```
Then do `pulumi stack output kubeconfig` and examine what's there

wooden-receptionist-75654

10/25/2021, 1:06 PM
have a valid config in output
```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: CERT
    server: <https://api:443>
  name: dev
contexts:
- context:
    cluster: dev
    user: clusterUser_aks_dev
  name: dev
current-context: dev
kind: Config
preferences: {}
users:
- name: clusterUser_aks-dev
    auth-provider:
      config:
        apiserver-id:cccc
        client-id: xxxx
        config-mode: "1"
        environment: AzurePublicCloud
        tenant-id: cccc
      name: azure
```
but once I’m trying to run `pulumi up` without update got auth message

billowy-army-68599

10/25/2021, 1:13 PM
if you set the `kubeconfig` up to and run `kubectl` does it work?

wooden-receptionist-75654

10/25/2021, 1:19 PM
Oh, looks like it comes from config
```
pulumi stack output kubeconfig --show-secrets > kubeconfig.yaml
➜  pulumi-aks git:(poc) ✗ KUBECONFIG=./kubeconfig.yaml kubectl get nodes
To sign in, use a web browser to open the page <https://microsoft.com/devicelogin> and enter the code XXXXXX to authenticate.
```

billowy-army-68599

10/25/2021, 1:26 PM
yeah that's what I've been trying to say 🙂 your environment isn't set up correctly to auth with a kubeconfig

wooden-receptionist-75654

10/25/2021, 1:33 PM
Thank you much! Wondering how to set it up now