Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
w
wet-noon-14291
02/21/2021, 8:40 AMIs there a way to the aks cluster config within a pulumi program for the service principal in use? Or do I have to get the config using the cli with
az aks get-credentials?b
brave-planet-10645
02/21/2021, 9:11 AMYou can use https://www.pulumi.com/docs/reference/pkg/azure-nextgen/authorization/getclientconfig/ if you're using azure next gen (and I think it's https://www.pulumi.com/docs/reference/pkg/azure/authorization/getuserassignedidentity/ with the original azure provider)
if you're using next gen you can use this snippet:
import * as azure from "@pulumi/azure-nextgen";
const clientConfig = azure.authorization.latest.getClientConfig();
const currentPrincipal = clientConfig.then((x) => x.objectId);(I think that's what you'll need)
That's what I've been doing to take my current user and add it to an admin group
w
wet-noon-14291
02/21/2021, 10:25 AMThanks, I’ll try that when I have time.
reading again, will this really get the cluster config for the kubernetes cluster? Isn’t this just getting the service principal info?
f
fresh-pilot-59899
02/21/2021, 7:30 PMthere is the kubeAdminConfigRaw property https://www.pulumi.com/docs/reference/pkg/azure/containerservice/kubernetescluster/#kubeadminconfigraw_nodejs
and then you can create a provider with it
let cluster = new k8s.Provider(name, {
kubeconfig: aks.kubeAdminConfigRaw,
}, {
parent: this,
});
which you can use to provision resources insisde aks
new k8s.core.v1.Namespace(namespace, {
metadata: {
name: namespace
}
}, {
provider: cluster,
parent: this,
})
w
wet-noon-14291
02/21/2021, 9:30 PM@fresh-pilot-59899 yes, I know about that one. But I would like to know how to get the credentials for a service provider if I don't have access to the raw admin config. I would like to use a service provider that only has access for the namespace it should manage and nothing more.
Basically the equivalent of
az aks get-credentialsb
brave-planet-10645
02/22/2021, 10:11 AMCould you create a role and role binding for the group you want to give access to, then give that role access to the namespace? Take a look at these docs: https://www.pulumi.com/docs/guides/crosswalk/kubernetes/configure-access-control/#configure-rbac-authorization
w
wet-noon-14291
02/23/2021, 10:55 PM@brave-planet-10645, that is what I'm doing, but how do I get hold of the credentials for the service principal in a pulumi context? The service principal has been created in another stack (call it A), what I would like to do is from stack B get the service principal client id and client secret created in A using a stack reference, and then get hold of the kube config for that service principal. I know I can probably show this through command line, but ideally I would like to do it within the pulumi context.
@tall-librarian-49374 do you know if there is a way to do get the k8s cluster config from within pulumi? Or do I have to do it beforehand?
t
tall-librarian-49374
02/24/2021, 6:49 AMIs the cluster created from Pulumi? What exactly is “cluster config”? Is it in https://www.pulumi.com/docs/reference/pkg/azure-nextgen/containerservice/getmanagedcluster/ ?
w
wet-noon-14291
02/24/2021, 10:10 AMthe cluster config is what you get when you do
az aks get-credentialsbasically this https://www.pulumi.com/docs/reference/pkg/azure/containerservice/kubernetescluster/#kubeconfigraw_nodejs, but I want to have it for another service principal then the one that was used to create the cluster.
t
tall-librarian-49374
02/24/2021, 10:34 AMThere are several List* functions in here that return kubeconfig variants: https://www.pulumi.com/docs/reference/pkg/azure-nextgen/containerservice/
w
wet-noon-14291
02/24/2021, 11:01 AMthanks, I'll look into those!
@tall-librarian-49374, so let me check so I understand https://www.pulumi.com/docs/reference/pkg/azure-nextgen/containerservice/listmanagedclusteraccessprofile/. If I use a azure nextgen provider with the SP I want the credentials for I should just be able to call that method there to get the credentials, correct? If so, awesome 🙂
t
tall-librarian-49374
02/24/2021, 11:10 AMI have no experience with this function but you should be able to call it
👍 1