Hello, has pulumi the management for ClusterIssuer...
# general
t
Hello, does Pulumi have management for ClusterIssuer on Kubernetes?
b
Not exactly... you can use a custom resource like the following...
t
show me please
b
const stagingCertificate = new k8s.apiextensions.CustomResource("stagingCertificate", {
            apiVersion: "cert-manager.io/v1alpha2",
            kind: "ClusterIssuer",
            metadata: {
                name: "letsencrypt-staging",
                namespace: certManagerNamespace.metadata.name
            },
            spec: {
                acme: {
                    server: "https://acme-staging-v02.api.letsencrypt.org/directory",
                    email: "email@example.com",
                    privateKeySecretRef: {
                        name: "letsencrypt-staging"
                    },
                    solvers: [
                        {
                            http01: {
                                ingress: {
                                    class: "nginx"
                                }
                            }
                        }
                    ]
                }
            }
        }, {provider: args.provider, parent: chart});
(I'm assuming you're trying to do something like that)
🙌 1
t
yep!
cool
I have an issue importing an Instance DB from GCP
can you help me to figure out how to import ?
I used
pulumi import gcp:sql/databaseInstance:DatabaseInstance db_instance projects/mystical-moon-307818/instances/prod-mysql
gcp:sql:DatabaseInstance (db_instance):
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'db_instance' has a problem: AtLeastOne: "settings": one of `clone,settings` must be specified
    error: gcp:sql/databaseInstance:DatabaseInstance resource 'db_instance' has a problem: AtLeastOne: "clone": one of `clone,settings` must be specified
    error: Preview failed: one or more inputs failed to validate
l
there's a video here regarding cert-manager if that's what you are looking for: https://www.pulumi.com/resources/certificates-as-code-with-pulumi-and-cert-manager/ They use crd2pulumi to auto create the types. Another example here: https://www.pulumi.com/blog/introducing-crd2pulumi/#cert-manager-example
t
Thanks @loud-helicopter-75345
👍 2
l
b
You can use Helm to install it if you don't want to use crd2pulumi. I did this recently using this code:
const chart = new k8s.helm.v3.Chart("certmanagerchart", {
            fetchOpts: {
                repo: "https://charts.jetstack.io"
            },
            chart: "cert-manager",
            namespace: certManagerNamespace.metadata.name,
            values: {
                installCRDs: true
            }
        }, {
            provider: provider
        });
t
It threw me a lot of issues, so I installed directly using the manifests; the ClusterIssuer is needed to manage the auto-renewal of the cert with Let's Encrypt
l
Yeah, but Helm won't help you when you go to create a ClusterIssuer, right, as TypeScript doesn't have knowledge of the CRDs so can't do autocompletion or type checking.
t
It is correct, those need to be created separately…
l
Yeah @Cesar it throws errors about hooks right? 😄
t
yep, even adding the repo on terminal using helm repo add ….
l
I wonder how many people are going through the same process 😆
t
with nginx all works like a charm
👍 1
b
Don't forget if you install things with helm on the command line it won't be in the pulumi state and therefore won't be managed by pulumi
👍 1
t
yes, i know 😞
I have this error trying to use helm with cert manager
Error: invocation of kubernetes:helm:template returned an error: failed to generate YAML for specified Helm chart: failed to pull chart: non-absolute URLs should be in form of repo_name/path_to_chart, got: jetstack
b
Can you paste the code you're using?
☝️ 1
If you've literally copied and pasted my code you'll need to make sure `provider` is correctly pointing to the correct one
l
Actually looking at my code again. Cert-manager didn't throw me any errors when using Helm, the errors came from the ingress-nginx chart
t
export const cert_manager_controller = new k8s.helm.v3.Chart("cert_manager_controller",
  {
      namespace: cert_manager_namespace,
      chart: cert_manager_repo,
      version: certManagerChartVersion,
      //fetchOpts: {repo: "https://charts.jetstack.io"},
      values: {
              set: {
                  installCRDS: true,
              },
      },
  },
  {provider: clusterProvider, dependsOn: [namespace_cert_manager]},
);
b
I'm using helm for ingress-nginx as well... here's mine (which works)
const nginxIngress = new k8s.helm.v3.Chart(`${name}-helm`, {
            fetchOpts: {
                repo: "https://kubernetes.github.io/ingress-nginx"
            },
            chart: "ingress-nginx",
            namespace: ingressNamespace.metadata.name,
            values: {
                controller: {
                    replicaCount: 1,
                    nodeSelector: {
                        "beta.kubernetes.io/os": "linux"
                    },
                    admissionWebhooks: {
                        patch: {
                            nodeSelector: {
                                "beta.kubernetes.io/os": "linux"
                            }
                        }
                    }
                },
                defaultBackend: {
                    nodeSelector: {
                        "beta.kubernetes.io/os": "linux"
                    }
                }
            }
        }, {provider: provider});
😕 1
@tall-shoe-66375 you've commented out `fetchOpts` so it won't know where to go get the chart from. You'll need to specify the path:
const nginxIngress = new k8s.helm.v3.Chart("nginx-ingress", {
    path: "./nginx-ingress",
});
t
I added the // comment of fetchOpts after the error and installed with the manifest
l
Instead of:
values: {
              set: {
                  installCRDS: true,
              },
      },
I think it should just be:
values: {
                  // Helm value keys are case-sensitive: the chart's key is installCRDs, not installCRDS
                  installCRDs: true,
      },
Just like in @brave-planet-10645 example
✅ 1
t
Houston, works and I have some issues
🎉 1
as Cert Manager Installation mentions for GCP
let me fix!
 +   └─ kubernetes:helm.sh/v3:Chart                                    cert_manager_controller                                       created
 +      ├─ kubernetes:core/v1:ServiceAccount                           cert-manager/cert_manager_controller-cert-manager-webhook     **creating failed**
 +      ├─ kubernetes:rbac.authorization.k8s.io/v1:ClusterRoleBinding  cert_manager_controller-cert-manager-controller-certificates  **creating failed**
 +      ├─ kubernetes:core/v1:ServiceAccount                           cert-manager/cert_manager_controller-cert-manager-cainjector  **creating failed**
 +      ├─ kubernetes:core/v1:ServiceAccount                           cert-manager/cert_manager_controller-cert-manager             **creating failed**
l
Yeah I'm not sure why that creation failed. There should be an error somewhere. 🤷
t
RBAC
but the cert-manager.io is gone
at least here in Mexico I can not view
l
Oh yeah, it seems to be down atm
t
Github to the Rescue!!!
😊 1
I need to create this first with Pulumi:
Note: When running on GKE (Google Kubernetes Engine), you may encounter a 'permission denied' error when creating some of these resources. This is a nuance of the way GKE handles RBAC and IAM permissions, and as such you should 'elevate' your own privileges to that of a 'cluster-admin' before running the above command. If you have already run the above command, you should run them again after elevating your permissions:
some error on cert-manager
kubernetes:apps/v1:Deployment (cert-manager/cert_manager_controller-cert-manager-cainjector):
    error: resource cert-manager/cert_manager_controller-cert-manager-cainjector was not successfully created by the Kubernetes API server : Deployment.apps "cert_manager_controller-cert-manager-cainjector" is invalid: [metadata.name: Invalid value: "cert_manager_controller-cert-manager-cainjector": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*'), spec.template.spec.serviceAccountName: Invalid value: "cert_manager_controller-cert-manager-cainjector": a DNS-1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')]
l
Yeah it's just as it says, the "cert_manager_controller" value should be changed to use hyphens instead of underscores