https://pulumi.com logo
#typescript
Title
# typescript
q

quiet-wolf-18467

10/28/2019, 8:19 AM
I'm trying to create a "special" type of Secret for Kubernetes, which is
dockerconfigjson
with Pulumi. I'm running into problems:
Copy code
export const imagePullSecret = new k8s.core.v1.Secret(
  "docker-hub",
  {
    type: "<http://kubernetes.io/dockerconfigjson|kubernetes.io/dockerconfigjson>",
    metadata: {
      namespace: "community"
    },
    data: {
      ".dockerconfigjson": config
        .requireSecret("docker-hub-token")
        .apply(value => {
          Buffer.from(
            JSON.stringify({
              auths: {
                "<https://index.docker.io/v1/>": {
                  auth: value
                }
              }
            })
          ).toString("base64");
        })
    }
  },
  {
    provider: kubernetesProvider
  }
);
Copy code
Diagnostics:
  kubernetes:core:Secret (docker-hub):
    error: check failed because malformed resource inputs: malformed RPC secret: missing value
Any advice, @creamy-potato-29402?
g

gorgeous-egg-16927

10/28/2019, 3:44 PM
Copy code
export const imagePullSecret = new k8s.core.v1.Secret(
    "docker-hub",
    {
        type: "<http://kubernetes.io/dockerconfigjson|kubernetes.io/dockerconfigjson>",
        metadata: {
            namespace: "community"
        },
        stringData: {
            ".dockerconfigjson": config
                .requireSecret("docker-hub-token")
                .apply(value => {
                    return JSON.stringify({
                        auths: {
                            "<https://index.docker.io/v1/>": {
                                auth: value
                            }
                        }
                    })
                })
        },
    },
    {
        provider: kubernetesProvider
    }
);
^ I think that should do the trick. I made a couple changes: 1. Using the
stringData
field avoids having to base64 encode the string yourself. 2. You weren’t returning a value inside of the
apply
, so the value of
.dockerconfigjson
was
null
.
I realize this is still complicated, but we’re actively working on making this process far easier. Stay tuned for related announcements around KubeCon next month!
q

quiet-wolf-18467

10/28/2019, 3:50 PM
Thank you. I'll give that a try 😀
Do you know if it's possible to create a service account and then fetch the default token that is created?
g

gorgeous-egg-16927

10/28/2019, 3:52 PM
I haven’t done that myself, but it should be doable.
Can you give me an example of how you’re creating the service account and where you need to use the token?
q

quiet-wolf-18467

10/28/2019, 3:54 PM
I have a private repository, called production, that creates a namespace for each team at InfluxDB
Each namespace gets a default service account. I want to use that as an output to consume in each team's repository for their own Pulumi code
I also don't mind creating an explicit service account in the namespace too, if that's easier
I've tried both, but I failed 😀
I think, in my limited knowledge, the challenge is because the token is created async by a controller
My limited knowledge of Pulumi I mean, I'm down with the Kubernetes bit 👍
g

gorgeous-egg-16927

10/28/2019, 4:00 PM
I’m not super familiar with service accounts in k8s, but you can use the
get
APIs to grab info on resources created out of band from Pulumi (e.g., by k8s). Something like this might do the trick:
Copy code
const token = k8s.core.v1.ServiceAccount.get("token", "namespace/token-id");
q

quiet-wolf-18467

10/28/2019, 4:01 PM
I'd probably need to enter an arbitrary sleep to let the reconcile happen,. It that could work. I'll let you know
Thanks
l

limited-rainbow-51650

01/28/2020, 9:35 AM
@gorgeous-egg-16927 has this been made easier meanwhile? I need the same.
g

gorgeous-egg-16927

01/28/2020, 2:22 PM
Not yet, but I could add it to the kx package pretty easily. Can you file an issue to remind me?
l

limited-rainbow-51650

01/28/2020, 2:29 PM
3 Views