https://pulumi.com logo
#general
Title
# general
b

busy-umbrella-36067

02/19/2019, 6:42 PM
I’m seeing some weird behavior with k8s ingress annotations. I just recently added an aws security group to an annotation for a k8s ingress. However, using the
.apply
method causes all of the annotations to be planned for removal. I would expect Pulumi to wait until the security group is created to modify the Ingress (display the new annotation value as computed), is there a better way to go about this?
Copy code
let Ingress = new k8s.extensions.v1beta1.Ingress("xxxxxxx-xxx", {
      metadata: {
        annotations: {
          '<http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>': 'alb',
          '<http://alb.ingress.kubernetes.io/certificate-arn|alb.ingress.kubernetes.io/certificate-arn>': awsCertificate.arn,
          '<http://alb.ingress.kubernetes.io/listen-ports|alb.ingress.kubernetes.io/listen-ports>': '[{"HTTPS": 443}]',
          '<http://alb.ingress.kubernetes.io/scheme|alb.ingress.kubernetes.io/scheme>': 'internet-facing',
          '<http://alb.ingress.kubernetes.io/target-type|alb.ingress.kubernetes.io/target-type>': 'ip',
          '<http://alb.ingress.kubernetes.io/security-groups|alb.ingress.kubernetes.io/security-groups>': securityGroup.id.apply(id => {return id})
        }
      },
Copy code
~ kubernetes:extensions/v1beta1:Ingress: (update)
        [id=default/xxxx-xx-xxx]
        [urn=urn:pulumi:xxxxxx-staging::xxxxxxxxx::kubernetes:extensions/v1beta1:Ingress::xxxxxx-xxxxxxx]
      ~ metadata  : {
          ~ annotations: {
              - <http://alb.ingress.kubernetes.io/certificate-arn|alb.ingress.kubernetes.io/certificate-arn>        : "arn:aws:acm:xx-west-1:xxxxxxxxxxxx:certificate/xxxxxxxxxxxxx"
              - <http://alb.ingress.kubernetes.io/inbound-cidrs|alb.ingress.kubernetes.io/inbound-cidrs>          : "xxxxxxxxxxxxxx"
              - <http://alb.ingress.kubernetes.io/listen-ports|alb.ingress.kubernetes.io/listen-ports>           : "[{\"HTTPS\": 443}]"
              - <http://alb.ingress.kubernetes.io/scheme|alb.ingress.kubernetes.io/scheme>                 : "internet-facing"
              - <http://alb.ingress.kubernetes.io/target-type|alb.ingress.kubernetes.io/target-type>            : "ip"
              - <http://kubernetes.io/ingress.class|kubernetes.io/ingress.class>                      : "alb"
            }
        }
g

gorgeous-egg-16927

02/19/2019, 7:09 PM
I just tried something similar and wasn’t able to reproduce.
Copy code
import * as k8s from "@pulumi/kubernetes";
import * as random from "@pulumi/random";

const randID = new random.RandomString("rand", {
    length: 6
});

const pod = new k8s.core.v1.Pod("pod-test", {
    metadata: {
        annotations: {
            "randomTest": randID.result.apply(id => {return id}),
            "foo": "bar",
        }
    },
    spec: {
        containers: [
            {name: "nginx", image: "nginx:1.13-alpine"},
        ],
    },
});
Copy code
Resources:
    ~ 1 to update
    2 unchanged

Do you want to perform this update? details
  pulumi:pulumi:Stack: (same)
    [urn=urn:pulumi:pulumi-k8s-test-dev::pulumi-k8s-test::pulumi:pulumi:Stack::pulumi-k8s-test-pulumi-k8s-test-dev]
    ~ kubernetes:core/v1:Pod: (update)
        [id=default/pod-test-nqu8sske]
        [urn=urn:pulumi:pulumi-k8s-test-dev::pulumi-k8s-test::kubernetes:core/v1:Pod::pod-test]
      ~ metadata  : {
          ~ annotations: {
              + randomTest          : "Esk%0Q"
            }
        }
BTW, you should be able to skip the
apply
there. This worked the same for me:
Copy code
import * as k8s from "@pulumi/kubernetes";
import * as random from "@pulumi/random";

const randID = new random.RandomString("rand", {
    length: 6
});

const pod = new k8s.core.v1.Pod("pod-test", {
    metadata: {
        annotations: {
            "randomTest": randID.result,
            "foo": "bar",
        }
    },
    spec: {
        containers: [
            {name: "nginx", image: "nginx:1.13-alpine"},
        ],
    },
});
I don’t see anything obviously wrong in the info you provided, but I’ll take a look if you can provide repro steps for me
b

busy-umbrella-36067

02/19/2019, 7:17 PM
Can you try this?
Copy code
import * as k8s from "@pulumi/kubernetes";
import * as aws from "@pulumi/aws";
import * as random from "@pulumi/random";

const securityGroup = new aws.ec2.SecurityGroup('sg-test', {
  description: "Container node security group",
  egress: [{
      cidrBlocks: ["0.0.0.0/0"],
      fromPort: 0,
      protocol: "-1",
      toPort: 0,
  }],
  ingress: [{
      cidrBlocks: ["0.0.0.0/0"],
      fromPort: 0,
      protocol: "-1",
      toPort: 0,
  }],
})

const pod = new k8s.core.v1.Pod("pod-test", {
    metadata: {
        annotations: {
            "randomTest2": securityGroup.apply(id => { return id }),
            "foo": "bar",
        }
    },
    spec: {
        containers: [
            {name: "nginx", image: "nginx:1.13-alpine"},
        ],
    },
});
g

gorgeous-egg-16927

02/19/2019, 7:29 PM
@busy-umbrella-36067 I’m getting a warning that
Property 'apply' does not exist on type 'SecurityGroup'
b

busy-umbrella-36067

02/19/2019, 7:30 PM
ah sorry
securityGroup.id
g

gorgeous-egg-16927

02/19/2019, 7:33 PM
Copy code
aws:ec2:SecurityGroup (sg-test):
    error: Plan apply failed: Error creating Security Group: InvalidParameterValue: Value (sg-test-2496046) for parameter GroupName is invalid. Group names may not be in the format sg-*.
    	status code: 400, request id: b553cde8-8174-4363-a802-7d9fbd2dc91b
Looks like it could be a bug with the autonaming for sec group
@busy-umbrella-36067 Yeah, manually setting the sg name to “sgtest” fixed it for me
Copy code
const securityGroup = new aws.ec2.SecurityGroup('sg-test', {
    name: "sgtest",
    description: "Container node security group",
    egress: [{
        cidrBlocks: ["0.0.0.0/0"],
        fromPort: 0,
        protocol: "-1",
        toPort: 0,
    }],
    ingress: [{
        cidrBlocks: ["0.0.0.0/0"],
        fromPort: 0,
        protocol: "-1",
        toPort: 0,
    }],
});

const pod = new k8s.core.v1.Pod("pod-test", {
    metadata: {
        annotations: {
            "randomTest2": securityGroup.id,
            "foo": "bar",
        }
    },
    spec: {
        containers: [
            {name: "nginx", image: "nginx:1.13-alpine"},
        ],
    },
});
Ah, it’s actually a problem with the name you picked for the sec group. I guess
sg-*
is not allowed, so when it autonamed based on that, it was invalid
Changing the resource name to
secgrp-test
fixes it as well
b

busy-umbrella-36067

02/20/2019, 3:11 AM
I filed the bug with more specific detail here: https://github.com/pulumi/pulumi-kubernetes/issues/438
g

gorgeous-egg-16927

02/20/2019, 4:16 PM
Thanks, I’ll take a look today.