
colossal-school-15171

11/19/2020, 5:23 AM
hey all, I’m having a hard time getting my pulumi program to authenticate into an existing Azure Container Registry to grab the image it needs to build and deploy to an AKS cluster.
import * as k8s from "@pulumi/kubernetes";

let coreLabels = { app: "core" };
let coreDeployment = new k8s.apps.v1.Deployment("core", {
    spec: {
        selector: { matchLabels: coreLabels },
        replicas: 1,
        template: {
            metadata: { labels: coreLabels },
            spec: {
                containers: [{
                    name: "core",
                    image: "mappeddev.azurecr.io.blob.core.windows.net",
                    ports: [{ containerPort: 80 }]
                }],
            },
        },
    },
});
which gives this error diagnostic:
Type                                                          Name                       Status                  Info
     pulumi:pulumi:Stack                                           mapped_infrastructure-aks  **failed**              1 error
 ~   ├─ kubernetes:apps/v1:Deployment                              core                       **updating failed**     1 error
 ~   ├─ azure-nextgen:containerregistry/v20190501preview:ScopeMap  acrScopeMap                **updating failed**     [diff: ~actions]; 1 error
 ~   └─ azure:containerservice:KubernetesCluster                   aksCluster                 updated                 [diff: ~addonProfile]
 
Diagnostics:
  kubernetes:apps/v1:Deployment (core):
    error: 5 errors occurred:
        * the Kubernetes API server reported that "core-1je2id4a" failed to fully initialize or become live: 'core-1je2id4a' timed out waiting to be Ready
        * [MinimumReplicasUnavailable] Deployment does not have minimum availability.
        * [ProgressDeadlineExceeded] ReplicaSet "core-1je2id4a-cd7d9599d" has timed out progressing.
        * Minimum number of live Pods was not attained
        * [Pod core-1je2id4a-cd7d9599d-k4n9v]: containers with unready status: [core] -- [ImagePullBackOff] Back-off pulling image "mappeddev.azurecr.io.blob.core.windows.net"
I’ve tried creating a token using the example code here: https://www.pulumi.com/docs/reference/pkg/azure-nextgen/containerregistry/token/ but it gives me this error:
azure-nextgen:containerregistry/v20190501preview:Token (token):
    error: Code="CertificateAuthNotSupported" Message="Certificate authentication is not yet supported. For more information on repository permissions, please visit https://aka.ms/acr/repo-permissions."

tall-librarian-49374

11/19/2020, 6:39 AM
I did that by granting a role assignment to AKS SP:
import * as authorization from "@pulumi/azure-nextgen/authorization/latest";

// Object ID of the kubelet managed identity of the AKS cluster
const clusterPrincipalId = cluster.identityProfile.apply(p => p!["kubeletidentity"].objectId!);
// Grant that identity a role on the container registry (scope: registry.id)
new authorization.RoleAssignment("access-from-cluster", {
    properties: {
        principalId: clusterPrincipalId,
        roleDefinitionId: "/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
    },
    roleAssignmentName: "923a52ca-a43c-5112-b7cb-12fe172d568f",
    scope: registry.id,
});
(my AKS has a managed identity)

colossal-school-15171

11/19/2020, 6:45 PM
Thanks @tall-librarian-49374 I’ve really enjoyed your pulumi tutorials. I’ll give this a try and see if that does it.
Hmmm, that’s not working for me, for a number of reasons. new authorization.RoleAssignment fails because it doesn’t recognize authorization as a valid construct, so I’m guessing that’s imported from somewhere? Anyway it seems like it’s pointing me in a useful direction. I’m going to try some of what’s described here and see if that makes it work https://www.pulumi.com/docs/guides/crosswalk/kubernetes/configure-access-control/

tall-librarian-49374

11/19/2020, 7:35 PM
Yeah, you need to import it from
@pulumi/azure-nextgen/authorization/latest

colossal-school-15171

11/19/2020, 9:06 PM
thanks, I’ll try that

ancient-megabyte-79588

11/19/2020, 11:00 PM
You can also create a secret in k8s that contains your ACR docker credentials and then tell your deployment to use that secret to access your ACR when pulling private images. https://www.westerndevs.com/kubernetes/kubernetes-my-journey-part-7a/ This does not require managed identities anywhere.

colossal-school-15171

11/27/2020, 9:55 PM
solid, thank you

rapid-oil-61997

12/01/2020, 7:27 PM
@tall-librarian-49374 do you have any example equivalent of this in the azure provider? Not the azure next gen provider.

tall-librarian-49374

12/01/2020, 7:53 PM
@rapid-oil-61997 of which part specifically?

rapid-oil-61997

12/01/2020, 8:09 PM
Finding the identity of aks cluster and using it for providing access to acr

tall-librarian-49374

12/01/2020, 8:17 PM
no, I don’t have that

rapid-oil-61997

12/01/2020, 8:30 PM
Ok. I was looking for some documentation that shows the way to find the identity, but couldn't find one.
@tall-librarian-49374 is there a way I can find the resource id of the managed resource group where the nodes exist in case of an aks cluster?

tall-librarian-49374

01/12/2021, 11:11 AM
I don’t know to be honest…