https://pulumi.com logo
Powered by
w

witty-belgium-75866

11/11/2021, 10:50 AM
Hi, I'm using the Helm provider In order to install the 
aws-load-balancer-controller
chart on my EKS cluster, by using pulumi ( Python ). The installation goes well, but every time I'm executing 
pulumi up
or 
pulumi preview
, some of its resources are being changed: it's very unnecessary and time consuming. anybody encountered that? thx!
w

worried-city-86458

11/11/2021, 5:33 PM
It's probably due to certs. I recommend you install cert manager then enable it in the aws lbc chart.
w

witty-belgium-75866

11/11/2021, 8:33 PM
ho @worried-city-86458 thanks for your comment. do you know where can I find the cert-manager chart?
w

worried-city-86458

11/12/2021, 3:26 AM
This is what I use in dotnet/c#:
Copy code
// cert manager; <https://github.com/jetstack/cert-manager/tree/master/deploy/charts/cert-manager>
Logger.LogDebug("Installing cert manager");
var certManagerRole = new RoleX($"{k8sPrefix}-cert-manager",
    new RoleXArgs
    {
        AssumeRolePolicy = IamHelpers.AssumeRoleForServiceAccount(oidcArn, oidcUrl, "cert-manager", "cert-manager", awsProvider),
        InlinePolicies = { ["policy"] = ReadResource("CertManagerPolicy.json") }
    },
    new ComponentResourceOptions { Provider = awsProvider });

var certManagerCrds = new ConfigGroup("cert-manager-crds",
    new ConfigGroupArgs { Yaml = ReadResource("CertManagerCrds.yaml") },
    new ComponentResourceOptions { Provider = k8sProvider });

var certManagerNs = new Namespace("cert-manager",
    new NamespaceArgs { Metadata = new ObjectMetaArgs { Name = "cert-manager" } },
    new CustomResourceOptions { Provider = k8sProvider });

var certManagerValues = certManagerRole.Arn.Apply(roleArn =>
    new Dictionary<string, object>
    {
        ["prometheus"] = new
        {
            enabled = true,
            servicemonitor = new { enabled = true }
        },
        ["serviceAccount"] = new { annotations = new Dictionary<string, string> { ["<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>"] = roleArn } },
        ["startupapicheck"] = new { annotations = new Dictionary<string, string> { ["appmesh.k8s.aws/sidecarInjectorWebhook"] = "disabled" } }
    }.ToDictionary()); // workaround <https://github.com/pulumi/pulumi/issues/8013>

var certManagerRelease = new Release("cert-manager",
    new ReleaseArgs
    {
        Namespace = "cert-manager",
        Name = "cert-manager",
        RepositoryOpts = new RepositoryOptsArgs { Repo = "<https://charts.jetstack.io>" },
        Chart = "cert-manager",
        Version = K8sConfig.CertManagerChartVersion,
        Values = certManagerValues,
        Atomic = true,
        SkipCrds = true
    },
    new CustomResourceOptions { DependsOn = { certManagerCrds.Ready(), certManagerNs, kubePrometheusStackCrds.Ready() }, Provider = k8sProvider });

// aws load balancer controller; <https://github.com/aws/eks-charts/tree/master/stable/aws-load-balancer-controller>
Logger.LogDebug("Installing aws load balancer controller");
var awsLbcRole = new RoleX($"{k8sPrefix}-aws-load-balancer-controller",
    new RoleXArgs
    {
        AssumeRolePolicy = IamHelpers.AssumeRoleForServiceAccount(oidcArn, oidcUrl, "kube-system", "aws-load-balancer-controller", awsProvider),
        InlinePolicies = { ["policy"] = ReadResource("AwsLoadBalancerPolicy.json") }
    },
    new ComponentResourceOptions { Provider = awsProvider });

var awsLbcCrds = new ConfigGroup("aws-load-balancer-controller-crds",
    new ConfigGroupArgs { Yaml = ReadResource("AwsLoadBalancerCrds.yaml") },
    new ComponentResourceOptions { Provider = k8sProvider });

var awsLbcValues = Output.Tuple(clusterName, awsLbcRole.Arn).Apply(((string ClusterName, string RoleArn) tuple) =>
    new Dictionary<string, object>
    {
        ["clusterName"] = tuple.ClusterName,
        ["enableCertManager"] = true,
        ["serviceAccount"] = new { annotations = new Dictionary<string, string> { ["<http://eks.amazonaws.com/role-arn|eks.amazonaws.com/role-arn>"] = tuple.RoleArn } }
    }.ToDictionary()); // workaround <https://github.com/pulumi/pulumi/issues/8013>

var awsLbcRelease = new Release("aws-load-balancer-controller", // ingress records with <http://alb.ingress.kubernetes.io|alb.ingress.kubernetes.io> annotations depend on chart finalizers
    new ReleaseArgs
    {
        Namespace = "kube-system",
        Name = "aws-load-balancer-controller",
        RepositoryOpts = new RepositoryOptsArgs { Repo = "<https://aws.github.io/eks-charts>" },
        Chart = "aws-load-balancer-controller",
        Version = K8sConfig.AwsLbcChartVersion,
        Values = awsLbcValues,
        Atomic = true,
        SkipCrds = true
    },
    new CustomResourceOptions { DependsOn = { awsLbcCrds.Ready(), certManagerRelease }, Provider = k8sProvider });
w

witty-belgium-75866

11/12/2021, 9:45 PM
Hi @worried-city-86458, thx. What is the reason that you are applying the CRDS separately from the helm chart itself?
w

worried-city-86458

11/13/2021, 3:38 AM
w

witty-belgium-75866

11/13/2021, 10:54 AM
Thanks for your help 🙂
4 Views
Powered by