# azure
c
hey all, I’m having a hard time getting my pulumi program to authenticate into an existing Azure Container Registry to grab the image it needs to build and deploy to an AKS cluster.
```typescript
import * as k8s from "@pulumi/kubernetes";

let coreLabels = { app: "core" };
let coreDeployment = new k8s.apps.v1.Deployment("core", {
    spec: {
        selector: { matchLabels: coreLabels },
        replicas: 1,
        template: {
            metadata: { labels: coreLabels },
            spec: {
                containers: [{
                    name: "core",
                    // image reference exactly as posted; an ACR image is normally
                    // referenced as <registry>.azurecr.io/<repository>:<tag>
                    image: "mappeddev.azurecr.io.blob.core.windows.net",
                    ports: [{ containerPort: 80 }]
                }],
            },
        },
    },
});
```
which gives this error diagnostic:
```
Type                                                          Name                       Status                  Info
     pulumi:pulumi:Stack                                           mapped_infrastructure-aks  **failed**              1 error
 ~   ├─ kubernetes:apps/v1:Deployment                              core                       **updating failed**     1 error
 ~   ├─ azure-nextgen:containerregistry/v20190501preview:ScopeMap  acrScopeMap                **updating failed**     [diff: ~actions]; 1 error
 ~   └─ azure:containerservice:KubernetesCluster                   aksCluster                 updated                 [diff: ~addonProfile]

Diagnostics:
  kubernetes:apps/v1:Deployment (core):
    error: 5 errors occurred:
        * the Kubernetes API server reported that "core-1je2id4a" failed to fully initialize or become live: 'core-1je2id4a' timed out waiting to be Ready
        * [MinimumReplicasUnavailable] Deployment does not have minimum availability.
        * [ProgressDeadlineExceeded] ReplicaSet "core-1je2id4a-cd7d9599d" has timed out progressing.
        * Minimum number of live Pods was not attained
        * [Pod core-1je2id4a-cd7d9599d-k4n9v]: containers with unready status: [core] -- [ImagePullBackOff] Back-off pulling image "mappeddev.azurecr.io.blob.core.windows.net"
```
I’ve tried creating a token using the example code here: https://www.pulumi.com/docs/reference/pkg/azure-nextgen/containerregistry/token/ and it gives me this error:
```
azure-nextgen:containerregistry/v20190501preview:Token (token):
    error: Code="CertificateAuthNotSupported" Message="Certificate authentication is not yet supported. For more information on repository permissions, please visit https://aka.ms/acr/repo-permissions."
```
t
I did that by granting a role assignment to AKS SP:
```typescript
import * as authorization from "@pulumi/azure-nextgen/authorization/latest";

// `cluster` (the AKS ManagedCluster) and `registry` (the ACR Registry) are
// resources defined elsewhere in the same program.
// The kubelet identity is what the nodes use when pulling images.
const clusterPrincipalId = cluster.identityProfile.apply(p => p!["kubeletidentity"].objectId!);
new authorization.RoleAssignment("access-from-cluster", {
    properties: {
        principalId: clusterPrincipalId,
        // built-in AcrPull role (7f951dda-4ed3-4680-a7ca-43fe172d538d), scoped to the registry only
        roleDefinitionId: "/subscriptions/0282681f-7a9e-424b-80b2-96babd57a8a1/providers/Microsoft.Authorization/roleDefinitions/7f951dda-4ed3-4680-a7ca-43fe172d538d",
    },
    roleAssignmentName: "923a52ca-a43c-5112-b7cb-12fe172d568f",
    scope: registry.id,
});
```
(my AKS has a managed identity)
c
Thanks @tall-librarian-49374 I’ve really enjoyed your pulumi tutorials. I’ll give this a try and see if that does it.
Hmmm, that’s not working for me, for a number of reasons. new authorization.RoleAssignment fails because it doesn’t recognize authorization as a valid construct, so I’m guessing that’s imported from somewhere? Anyway it seems like it’s pointing me in a useful direction. I’m going to try some of what’s described here and see if that makes it work https://www.pulumi.com/docs/guides/crosswalk/kubernetes/configure-access-control/
t
Yeah, you need to import it from
```
@pulumi/azure-nextgen/authorization/latest
```
c
thanks, I’ll try that
a
You can also create a secret in k8s that contains your ACR docker credentials and then tell your deployment to use that secret to access your ACR when pulling private images. https://www.westerndevs.com/kubernetes/kubernetes-my-journey-part-7a/ This does not require managed identities anywhere.
c
solid, thank you
r
@tall-librarian-49374 do you have any example equivalent of this in the azure provider? Not the azure next gen provider.
t
@rapid-oil-61997 of which part specifically?
r
Finding the identity of aks cluster and using it for providing access to acr
t
no, I don’t have that
r
Ok. I was looking at some documentation which shows the way to find the identity, but couldn't find one.
@tall-librarian-49374 is there a way I can find the resource id of the managed resource group where the nodes exist in case of an aks cluster?
t
I don’t know to be honest…