https://pulumi.com logo
Join Slack
Powered by
This message was deleted.
# general
s
This message was deleted.
👆 2
💯 1
b
hey, sorry for the delay replying here @future-refrigerator-88869! the reason this happens is because we use 
helm template
to render the charts, so anything that generates a TLS certificates gets regenerated every time the chart is run. To get around this issue, I would recommend omitting those resources from the chart, and generated your own TLS certificates using the tls provider. You can see an example of me doing this here: https://github.com/jaxxstorm/pulumi-aws-loadbalancercontroller/blob/main/nodejs/src/index.ts#L276-L295 https://github.com/jaxxstorm/pulumi-aws-loadbalancercontroller/blob/main/nodejs/src/index.ts#L501-L544
f
Thanks for the answer @billowy-army-68599. Quick follow-up: I can see that in your examples you're building self signed certificates. Are those used by the load balancer internally in k8s ? The reason i`m asking is to figure out if i could use certificates from 
aws certificate manager
(or if it is necessary even).
b
you totally can use certs from certificate manager! it's not strictly necessary because it's the k8s API server that needs to validate it, so in this case I just build a self signed cert, but any valid cert works
f
Hey @billowy-army-68599. I have been trying to use a custom certificate creating it locally like in your example. I have tried to use it with the helm chart but i can't seem to find a way to make it work. Are you aware if it is possible to overwrite the secret using the helm chart? checking this (https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/templates/deployment.yaml#L36) it seems like if you name it right, it should be working ? However, I still have another one created all the time.
b
f
@billowy-army-68599 thanks a lot for your help. I feel like I am very close to finishing this. I have checked the template a bit more and it seems that the certificate options 
caCert
, 
clientCert
and 
clientKey
are loaded from the template and are automatically generated. They don't seem to have a 
values
equivalent (https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/values.yaml). I have found an option for 
cert-manager
but I am not sure if it can actually solve my issue (never used it before). I have found the following options for me: 1. edit the helm chart and allow values for cert 2. use pretty much your solution from your github with some modifications 3. use cert-manager (if it can be applied). What is your suggestion ? Please let me know if i'm missing something.
Just to be clear on this. Everything works fine. I managed to use ssl and dns for the services. The only issue is that every time i run 
pulumi up
it will update the secret from the chart
b
@future-refrigerator-88869 you can use a transformation, so you'd intercept the helm template and inject the correct values, which languages SDK are you using, i can whip up example
can you share your diff too/
f
I am using typescript. What diff are you referring to ? I have shared what pulumi generates on every 
pulumi up
(in the thread)
Or maybe you`re looking for the 
details
option ?
b
yeah the details
f
give me a few minutes to recreate the env
just to make sure i have a clean output
@billowy-army-68599 can i send the diff in private channel ?
b
sure!
here we go, comments inline: https://gist.github.com/jaxxstorm/6317d030307c34783ba82afb2769fb3c let me know if there's any confusion
(transformations are really, really powerful)
f
Perfect. I get the idea of what it does. I'll give it a try and report back. Thanks a lot for the help
Hey @billowy-army-68599. I have managed to make it work ! I had to add the webhooks and the cert myself and after that, all good ! Now I have an issue with destroying the k8s cluster. It seems that some resources are unresponsive but I think i can figure it out. Thanks again for the help 🙂
b
i'm happy to hear it!
4 Views
Open in Slack
PreviousNext
Powered by