# general
d
I found having a "main" repository with EKS exporting the kubeconfig and then running pulumi on my different repos works really great as a setup
So for example:
• infrastructure-stack: EKS/nginx/external-dns/cert-manager/etc
• api-stack: docker registry, k8s deployment/service/database
So in every "other" repo I have this:
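```typescript
import * as pulumi from '@pulumi/pulumi';
import * as k8s from '@pulumi/kubernetes';

// Use the current stack name to pick the matching infrastructure stack.
const env = pulumi.getStack();
const cluster = new pulumi.StackReference(`my/inf/${env}`);
// Read the kubeconfig exported by the infrastructure stack.
const kubeconfig = cluster.getOutput('kubeconfig');

// Kubernetes provider that targets the EKS cluster from the other stack.
export const provider = new k8s.Provider('k8s-provider', { kubeconfig });
```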
a
Hey Max, thanks a lot for the tip! I'll try to restructure things as you suggest. But, just to be clear, do you keep the EKS configurations and the kubernetes-related configurations in separate repositories, or do you have them as different directories within a single repo?
d
@agreeable-ram-97887 I have one repo called "infrastructure" where I have EKS and stuff that doesn't really fit into my other repositories. Then I have another repo called "magento2" for our e-commerce platform, in this repo I do stuff like building the docker image, deploying it to kubernetes, setting up mysql etc. I try to keep all pulumi code as close to the application itself, makes it easy to deploy. And continuing I have another repo called "api" which does the same thing but for my api-service, etc etc
a
Hello again @dazzling-sundown-39670, I've run into some trouble with exporting the kubeconfig from the "inf" repository, and I can't find a clear example of it for Python. Would you mind sharing how you have done that?
d
@agreeable-ram-97887 check out this example here: https://github.com/pulumi/examples/blob/master/gcp-py-gke/__main__.py#L96
a
Thanks again for the pointer, @dazzling-sundown-39670. I've used that example and adapted it to EKS (my solution is attached, in case it's useful to anyone). But now I have another question for you about security... I'm aware that the kubectl command would still require AWS credentials to operate but, nevertheless, considering that the K8S certificate and other details in the kubeconfig are stored in plain text on the Pulumi servers, then does this not constitute a potential security flaw? What is your opinion on this?
d
@agreeable-ram-97887 I'm not sure actually, I'm gonna try and see if I can set the kubeconfig as a secret
@agreeable-ram-97887 I did this
```typescript
export const kubeconfig = pulumi.secret(cluster.kubeconfig);
```
and it worked fine 👍