This message was deleted.

Did you try dependsOn?

dependsOn

what?

the ClusterIssuer

to be verbose, i've tried doing a

dependsOn

various cert-manager resources, but it always fails with

Plan apply failed: resource letsencrypt-prod was not successfully created by the Kubernetes API server : Internal error occurred: failed calling webhook "<http://clusterissuers.admission.certmanager.k8s.io|clusterissuers.admission.certmanager.k8s.io>": the server is currently unable to handle the request

i also tried depending on the parent

kubernetes:yaml:ConfigFile

. this didn't work because depending on the parent doesn't wait for its children resources. (so it failed because the CRD didn't exist yet) what i'd like to try is waiting on all children resources (which i don't think i can do without enumerating all children resources). and if that doesn't work, wait for 30s after all the children resources have been created, then create the ClusterIssuer.

hmmm

i haven't caught it during creation other than when it fails due to the CRD not existing, where i saw it doing retries.

Have you tried setting parent?

of the clusterissuer?

yes

i tried containing the clusterissuer and the cert-manager yaml in a single

kubernetes:yaml:ConfigGroup

-- that also didn't work (CRD not existing issue)

yeah probably

it is, but i doubt it matters.

and your passing in the provider as well?

yup. if i run it again it works, so it's clearly just a resource creation timing issue

Could you do something like this? https://github.com/pulumi/examples/tree/master/kubernetes-ts-staged-rollout-with-prometheus

and wait for what?

well my intial thought was just use a timer, its a hack until you find a real solution

i'm not really sure what's happening in that example tbh. i guess it's just waiting for the promise returned by

util.checkHttpLatency

to resolve? and during that time it might throw an error?

That would d be really cool if that worked

I'm a dummy. I should be able to just use the

resources

property of the

ConfigFile

as the

dependsOn

... i guess i'll see if that works

working on this too

const certManager = new kubernetes.yaml.ConfigFile(
        "cert-manager",
        { file: CertManagerYamlFile, },
        { providers: { kubernetes: provider } }
    );
    const dependsOn = [certManager.getResource("v1/Namespace", "cert-manager")];

i just tried this, and it seems to work:

const certManager = new k8s.yaml.ConfigFile("<https://github.com/jetstack/cert-manager/releases/download/v0.9.1/cert-manager.yaml>", {}, {provider: provider});
    const CLUSTER_ISSUER_YAML = `...`;
    
    // transform the {key: Resource} type of 
    // certManager.resources to the
    // Resource[] type accepted by dependsOn
    const dependsOn = certManager.resources.apply(resources => Object.keys(resources).map(key => resources[key]));
    const clusterIssuer = new k8s.yaml.ConfigGroup('cluster-issuer', {yaml: CLUSTER_ISSUER_YAML}, {provider, dependsOn});

cool i thought about doing that but i only hit errors about namespace so far

you're using the all-in-one yaml, yeah? same as the link in mine there ^

instead of doing the yaml like that... i have written some custom resource things like so

/**
 * A resource which issues certificates via HTTP01 Challenge Provider.
 */
export class Http01CertificateIssuer extends kubernetes.apiextensions.CustomResource implements CertificateIssuer {
    /**
     * The name of the issuer.
     */
    public name: string;

    /**
     * The issuer configuration.
     */
    public configuration: CertificateProviderConfigHttp01[];

    /**
     * The provider used to deploy the created resource.
     */
    public provider: pulumi.ProviderResource;

    /**
     * Registers a new ClusterCertificateIssuer using LetsEncrypt.
     * @param issuerName The name to refer to the issuer as.
     * @param namespace The namespace to store the issuer in.
     * @param acmeCertificateEmail The email to supply as the registrant.
     * @param server The LetsEncrypt endpoint to use.
     * @param provider A specific provider to use.
     * @param dependsOn Additional dependencies.
     * @param privateKeySecretRef An optional name for the secret where the private key for the certificate is stored.
     */
    constructor(
        issuerName: string,
        namespace: pulumi.Input<string>,
        acmeCertificateEmail: pulumi.Input<string>,
        server: pulumi.Input<string>,
        provider: pulumi.ProviderResource,
        dependsOn: pulumi.Resource[] | undefined,
        privateKeySecretRef: pulumi.Input<string> = issuerName,
        ingressClass: pulumi.Input<string> = "nginx"
    ) {
        super(
            issuerName,
            {
                apiVersion: "<http://certmanager.k8s.io/v1alpha1|certmanager.k8s.io/v1alpha1>",
                kind: "ClusterIssuer",
                metadata: {
                    name: issuerName,
                    namespace: namespace
                },
                spec: {
                    acme: {
                        server: server,
                        email: acmeCertificateEmail,
                        privateKeySecretRef: {
                            name: privateKeySecretRef
                        },
                        http01: {}
                    },
                    solvers: [{
                        selector: {},
                        http01: {
                            ingress: {
                                class: "nginx"
                            }
                        }
                    }]
                }
            },
            { provider: provider, dependsOn: dependsOn }
        );

        this.name = issuerName;
        this.provider = provider;
        this.configuration = [{ http01: { ingressClass: ingressClass } }];
    }
}

that's definitely the better way of doing things

it pays off for certs imo

/**
 * A certificate issued by a CertificateIssuer.
 */
export class Certificate extends kubernetes.apiextensions.CustomResource implements ICertificate {

    public readonly name: string;
    public readonly namespace: pulumi.Output<string>;
    public readonly secretName: pulumi.Output<string>;
    public readonly domains: pulumi.Output<string[]>;

    /**
     * Creates a new certificate.
     * @param name The name of the certificate.
     * @param namespace The namespace to store the certificate in.
     * @param domains The domains the certificate certifies.
     * @param issuer The CertificateIssuer used to issue it.
     */
    constructor(
        name: string,
        namespace: pulumi.Input<string>,
        domains: pulumi.Input<string>[],
        issuer: CertificateIssuer,
        secretName: pulumi.Input<string> = name
    ) {
        super(
            name,
            {
                apiVersion: "<http://certmanager.k8s.io/v1alpha1|certmanager.k8s.io/v1alpha1>",
                kind: "Certificate",
                metadata: {
                    name: name,
                    namespace: namespace
                },
                spec: {
                    secretName: secretName,
                    dnsNames: domains,
                    acme: {
                        config: issuer.configuration.map(x => ({
                            ...x,
                            domains: domains
                        }))
                    },
                    issuerRef: {
                        name: issuer.name,
                        kind: issuer.kind
                    }
                }
            },
            {
                provider: issuer.provider
            }
        );

        this.name = name;
        this.namespace = pulumi.Output.create(namespace);
        this.secretName = pulumi.Output.create(secretName);
        this.domains = pulumi.Output.create(domains);
    }
}

@better-rainbow-14549 I would also be interested in having cert-manager resources as first-class citizens in pulumi instead of having to deal with the yaml. If you want to open source your efforts, you can count on me in helping carrying the thing forward, as new cert-manager releases arrive.