anyone figure out how to generate your cluster oid...
# aws
c
anyone figure out how to generate your cluster oidc provider url with the pulumi sdk? i.e., the equivalent of this command
aws eks describe-cluster --name cluster_name --query "cluster.identity.oidc.issuer" --output text
Trying to enable iam roles for service accounts on my cluster.
Looks like there's a stalled PR on setting this automatically on eks cluster creation. https://github.com/pulumi/pulumi-eks/pull/281
Yanking Tim's code to set it up ... 😉
darn, Property 'identities' does not exist on type 'Cluster'
b
There is a PR in flight to handle the creation of the OIDC provider: https://github.com/pulumi/pulumi-eks/pull/320
👍 2
c
Excited about that @breezy-hamburger-69619! Anyone creating a new cluster with eks will likely want that.
m
Can’t wait for this to release, thanks for doing the hard work of figuring out all the nasty details I was missing.
c
the release is up on npm.... still in alpha though.. I'm itching to remove the disgusting code I wrote with it!
b
CI has been acting up and has stalled this feat from being available. Hoping to fix it soon to ship a new release. Stay tuned
c
i've got a branch ready to go! Tried a preview with the alpha branch and the output is correct. Stoked.
b
c
recreated the cluster with createOidcProvider: true this time. however, once i brought up the apps in k8s, i get this error message when attempting to access resources:
  WebIdentityErr: failed to retrieve credentials
  caused by: InvalidIdentityToken: OpenIDConnect provider's HTTPS certificate doesn't match configured thumbprint
      status code: 400
do you know what this means @breezy-hamburger-69619?
b
There’s a bug in the thumbprint used [1]. A PR is in-flight [2] to fix it
1 - https://github.com/pulumi/pulumi-eks/issues/342
2 - https://github.com/pulumi/pulumi-eks/pull/343
c
would love to see an alpha release when that's merged so i don't need to move backwards
m
I have been trying the new error and occasionally see it fail with this error:
Diagnostics:
pulumi:pulumi:Stack (infrastructure-clusters):
  Method handler getSchema for /pulumirpc.ResourceProvider/GetSchema expected but not provided

  Method handler getSchema for /pulumirpc.ResourceProvider/GetSchema expected but not provided

  error: Running program '/home/jenkins/agent/workspace/INFURA_infrastructure_oidc' failed with an unhandled exception:
  TypeError: Cannot read property 'fingerprint' of undefined
      at TLSSocket.<anonymous> (/home/jenkins/agent/workspace/INFURA_infrastructure_oidc/node_modules/@pulumi/cert-thumprint.ts:77:82)
      at TLSSocket.emit (events.js:321:20)
      at TLSSocket.EventEmitter.emit (domain.js:485:12)
      at TLSSocket.onConnectSecure (_tls_wrap.js:1504:10)
      at TLSSocket.emit (events.js:321:20)
      at TLSSocket.EventEmitter.emit (domain.js:485:12)
      at TLSSocket._finishInit (_tls_wrap.js:918:8)
      at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:688:12)
I’ll create an issue in pulumi/eks but wanted to mention here.
b
@calm-parrot-72437 we’ve cut a new release with the fix, PTAL https://github.com/pulumi/pulumi-eks/blob/master/CHANGELOG.md#01823-released-march-5-2020
@millions-judge-24978 Have you tried using our example as a basis? https://github.com/pulumi/pulumi-eks/blob/master/nodejs/eks/examples/oidc-iam-sa/index.ts
If that still doesn't work, please open an issue, but things should be in a working state. We’ve tested it in a couple of settings but would love to hear more if that’s not the case for you.
m
Yup I am using 0.18.23. I have not seen that example, but I am basically doing the same thing. And the stack with this error is only provisioning the cluster with createOidcProvider: true, none of the other stuff.
I will open an issue. It works fine about 50% of the time.
c
Thanks, @breezy-hamburger-69619, I'll give it a try.