hundreds-airport-37168

09/23/2021, 6:09 PM
Hi, when running Pulumi through GitLab CI, I get a
`kubernetes:core/v1:Namespace testtest creating error: configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials`
However, running it locally it works fine. I use a Google service account both locally and on GitLab CI by exporting the `GOOGLE_CREDENTIALS` env variable

billowy-army-68599

09/23/2021, 6:10 PM
are you setting a `provider` on your Kubernetes resources? if not, you'll need to set a `KUBECONFIG` to talk to your kubernetes cluster

hundreds-airport-37168

09/23/2021, 6:11 PM
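yes, using
```typescript
import * as k8s from "@pulumi/kubernetes";
import { clusterProvider } from '../../gcp/gke';

const tn = "testtest";
// Namespace created through the explicit GKE provider, not the ambient kubeconfig
export const t = new k8s.core.v1.Namespace(tn, {
  metadata: {
    name: tn,
  },
}, {
  provider: clusterProvider,
});
```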
and the clusterProvider is created by
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as gcp from "@pulumi/gcp";
import * as k8s from "@pulumi/kubernetes";

// `cluster` and `clusterName` are defined elsewhere in this module (not shown in the post).
// The user entry below holds no static token: the Kubernetes client runs
// `gcloud config config-helper` to obtain an access token.
export const kubeconfig = pulumi
  .all([cluster.name, cluster.endpoint, cluster.masterAuth])
  .apply(([name, endpoint, masterAuth]) => {
    const context = `${gcp.config.project}_${gcp.config.zone}_${name}`;
    return `apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: ${masterAuth.clusterCaCertificate}
    server: https://${endpoint}
  name: ${context}
contexts:
- context:
    cluster: ${context}
    user: ${context}
  name: ${context}
current-context: ${context}
kind: Config
preferences: {}
users:
- name: ${context}
  user:
    auth-provider:
      config:
        cmd-args: config config-helper --format=json
        cmd-path: gcloud
        expiry-key: '{.credential.token_expiry}'
        token-key: '{.credential.access_token}'
      name: gcp
`;
  });

export const clusterProvider = new k8s.Provider(clusterName, {
  kubeconfig: kubeconfig,
});
```
I guess the diff between local and GitLab CI is that I have gcloud set up locally and in GitLab CI it's just using the pulumi image as base

billowy-army-68599

09/23/2021, 6:25 PM
the kubeconfig will need to have a token etc, if that isn't valid (it may be your google creds aren't valid for the cluster?) it'll error like it is

hundreds-airport-37168

09/23/2021, 6:35 PM
but it's setting the token from the above code snippet? I just followed the gcp tutorial you guys provide

billowy-army-68599

09/23/2021, 6:42 PM
how are you setting in gitlab? does a `gcloud` command work correctly before your `pulumi up`?

hundreds-airport-37168

09/23/2021, 6:44 PM
I highly doubt it because it's just using a plain pulumi image, but I can try
```yaml
image:
  name: pulumi/pulumi
  entrypoint:
    - '/usr/bin/env'
    - 'PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

stages:
  - infrastructure-update

pulumi:
  stage: infrastructure-update
  variables:
    PULUMI_STACK: nickjn92/pulumi-fleet/lab
  script:
    - npm ci
    - pulumi stack select $PULUMI_STACK
    - pulumi up --yes
  only:
    - main
```

billowy-army-68599

09/23/2021, 6:45 PM
where are you setting `GOOGLE_CREDENTIALS`?

hundreds-airport-37168

09/23/2021, 6:46 PM
GitLab CI/CD variable
I verified that it's there by just doing an echo before the pulumi cmd

billowy-army-68599

09/23/2021, 6:57 PM
it's been a long while since I've used gitlab I'm afraid, but essentially my best guess is that the kubeconfig isn't getting the right creds

hundreds-airport-37168

09/23/2021, 6:58 PM
Thanks for all the help, it was as you hinted a gcloud issue. Just doing
```yaml
script:
    - npm ci
    - echo $GOOGLE_CREDENTIALS > /tmp/creds.json
    - gcloud auth activate-service-account --key-file=/tmp/creds.json
    - pulumi stack select $PULUMI_STACK
    - pulumi up --yes
```
Got it to work 🙂 Thanks again 👍