Did something change in the way to create an EKS c...
# aws
p
Did something change in the way to create an EKS cluster? Just tonight suddenly
```typescript
import * as eks from "@pulumi/eks";

const cluster = new eks.Cluster(name, {
  instanceType: "t2.medium",
  desiredCapacity: 1,
  minSize: 1,
  maxSize: 2,
  storageClasses: "gp2",
  deployDashboard: false,
});
```
fails with
```
Diagnostics:
  eks:index:VpcCni (chartmuseum-vpc-cni):
    error: Command failed: kubectl apply -f /var/folders/4z/2zvwp19d343djqc78xywc6p00000gn/T/tmp-215018e7GR5EVRaFT.tmp
    error: You must be logged in to the server (the server has asked for the client to provide credentials)

  kubernetes:storage.k8s.io/v1:StorageClass (chartmuseum-gp2):
    error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials

  kubernetes:core/v1:ConfigMap (chartmuseum-nodeAccess):
    error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials

  pulumi:pulumi:Stack (chartmuseum-tutorial-chartmuseum):
    error: You must be logged in to the server (the server has asked for the client to provide credentials)

    error: update failed
```
The cluster is created so not sure why this suddenly no longer works
b
how are you creating the chart museum part?
p
this is even before it gets there, the eks:index:VpcCni is part of the new Cluster
b
No new releases of Pulumi-eks have happened
Not since Jan 28th
p
It is a blog post I’m writing that I’ve left for 2 weeks and am picking up tonight. https://github.com/roderik/chartmuseum-tutorial/blob/main/index.ts
this code worked then 🙂
b
Have you just started picking up 0.22 or was it always on 0.22?
p
eks was always 22
this is what the pretty logs look like
the parts failing are in the new eks.Cluster()
b
what's in your `kubeconfig`?
p
destroyed and recreated everything, including the full stack as well
b
do you have an old `KUBECONFIG` in `~/.kube/config`?
p
i have 20 something clusters in there
b
ah wait, no. This is the aws credentials I think
how do you auth to aws?
p
aws configure with the same creds as the aws:accessKey and secretKey in the pulumi config
i also reinstalled my computer, it is an m1 arm but pulumi is installed as amd64
b
did you install the aws cli
p
➜ chartmuseum-tutorial (main) ✗ aws --version    (arn:aws:eks:eu-west-3:711839938093:cluster/chartmuseum-eksCluster-8e59b65/chartmuseum)
aws-cli/2.1.29 Python/3.9.2 Darwin/20.4.0 source/arm64 prompt/off
it is installed as arm64 though
b
okay, well I'm not totally sure, but the issue is definitely coming from the created cluster. I would output the kubeconfig and try that
p
➜ chartmuseum-tutorial (main) ✗ aws sts get-caller-identity    (arn:aws:eks:eu-west-3:711839938093:cluster/chartmuseum-eksCluster-8e59b65/chartmuseum)
Could not connect to the endpoint URL: "https://sts.eu-west3.amazonaws.com/"
that is weird,,,
ah crap i know
i forgot a - between west and 3
b
That’d be it
And we turned off region validation by default in Pulumi-aws
Ok that’s kinda the last straw @billowy-army-68599 - I’m going to revert those defaults I changed as it’s proving to be painful
b
👍
p
weird though that i have aws:region: eu-west-3 in my yaml file
does the local env take precedence?
b
It should not
b
it does for the `kubectl` part
b
Well there we go ☝️
TIL
b
the kubectl call out doesn't use the provider I think, because if you look in the generated kubeconfig unless you set the aws profile and region, it uses the defaults
p
i have had problems with that before, you can make GKE clusters with the config in the yml file, but not talk to the cluster because the kubernetes provider does not use those variables
b
it runs `aws eks get-token` which will use your default profile if it's set
p
i have bypassed this by duplicating some stuff i found in a pulumi repo somewhere
```yaml
- name: Setup credentials
  run: |
    export GOOGLE_APPLICATION_CREDENTIALS="$(mktemp).json"
    # Check if GOOGLE_CREDENTIALS is base64 encoded
    if [[ $GOOGLE_CREDENTIALS =~ ^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==)?$ ]]; then
      echo "$GOOGLE_CREDENTIALS" | base64 -d > "$GOOGLE_APPLICATION_CREDENTIALS"
      # unset for other gcloud commands using this variable.
      unset GOOGLE_CREDENTIALS
    else
      echo "$GOOGLE_CREDENTIALS" > "$GOOGLE_APPLICATION_CREDENTIALS"
    fi
    gcloud auth activate-service-account --key-file="$GOOGLE_APPLICATION_CREDENTIALS"
    gcloud --quiet auth configure-docker $GOOGLE_DOCKER_HOSTNAME_LIST
```
as i do not use the pulumi action but use the cli manually
b
Yeah all of that has disappeared now :)
p
Not sure what the intended behaviour is (as all these providers are standalone), but as a user, if i set my creds in the pulumi yaml, i kind of expect them to be used everywhere.
FYI, deploy works perfectly now, 👍