clean-engineer-75963
12/10/2019, 12:15 AM
with block) and it doesn't seem to be respecting the context. Details to follow...
with block.
```python
vault_provider = pulumi_vault.Provider(
    "vault-provider",
    address="https://127.0.0.1:8200",
    skip_tls_verify=True,
    token=corev1.Secret.get(
        "vault_init_results",
        pulumi.Output.concat(
            base_namespace.metadata["name"], "/vault-init-results")
    ).data["root_token"]
)

with PortForward(get_ready_vault_pod(), "8200"):
    vault_token = pulumi_vault.Token(
        "vault-token",
        display_name="my-token",
        policies=["my-policy"],
        renewable=True,
        ttl=20 * 60,
        __opts__=pulumi.ResourceOptions(provider=vault_provider),
    )
```
```python
import pexpect


class PortForward:
    """Context manager which starts a port-forward for the duration of the context.

    The Python Kubernetes client library does not yet support port-forwards, so
    this calls kubectl for now.
    https://github.com/kubernetes-client/python/issues/166#issuecomment-504216584
    """

    def __init__(self, pod, port, local_port=None):
        self._pod = pod
        self._remote_port = port
        if local_port is not None:
            self._local_port = local_port
        else:
            self._local_port = port
        self.address = f"127.0.0.1:{self._local_port}"

    def __enter__(self):
        self.pf = pexpect.spawn("kubectl", ["port-forward",
            self._pod, f"{self._local_port}:{self._remote_port}"])
        self.pf.expect_exact(
            f"Forwarding from {self.address}"
            f" -> {self._remote_port}\r\n")
        self.pf.expect_exact(
            f"Forwarding from [::1]:{self._local_port}"
            f" -> {self._remote_port}\r\n")
        return self

    def __exit__(self, exc_type, exc_val, exc_tb):
        self.pf.terminate(force=True)
        return False
```
pulumi up is this:
```
Diagnostics:
  vault:index:Token (vault-token):
    error: Get https://127.0.0.1:8200/v1/auth/token/lookup-self: dial tcp 127.0.0.1:8200: connect: connection refused
```
Suggesting that the port-forward is not active while the resource is being created.
get_ready_vault_pod() function, which normally goes and finds the right Vault pod to connect to.

white-balloon-205
Token constructor is called. The latter causes the resource to be registered as part of the desired state, but the decision about whether to create or update a resource as a result and then the act of doing that is asynchronous wrt the resource being registered (the call to Token returning).
I think what you really want here is either dynamic providers (a custom provider implemented inside your Pulumi program that can participate in the resource graph - https://www.pulumi.com/docs/intro/concepts/programming-model/#dynamicproviders) or lifecycle hooks (not yet available but tracked in https://github.com/pulumi/pulumi/issues/1691).