flat-laptop-90489
05/23/2022, 8:23 PM
orange-policeman-59119
05/23/2022, 9:10 PM
Pulumi.$stackName.yaml are working great
• You're then deploying a cluster with the eks provider
• And you're deploying resources to that second cluster from the first via the operator
eks provider itself reporting an error?
flat-laptop-90489
05/24/2022, 2:55 PM
eks provider gives error
ProviderCredentialOpts which seems to control the way the generated kubeconfig does authentication. Unfortunately, it doesn't allow me to pass different AWS credentials, just a profile name or a role arn. I tried the role arn, but that seems to be where the problem exists - it's trying to assume that role arn with the credentials that the pod has (or whatever is running Pulumi), rather than the credentials passed in via the aws provider I generated.
https://pkg.go.dev/github.com/pulumi/pulumi-eks/sdk@v0.40.0/go/eks#KubeconfigOptionsArgs
This further leads me to believe that I need to go the more "manual" approach, not using the eks provider, but the aws/eks provider instead.
orange-policeman-59119
05/24/2022, 3:45 PM
flat-laptop-90489
05/24/2022, 3:47 PM
cluster, err := eks.NewCluster(ctx, awsCluster.Name, &eks.ClusterArgs{
    Version:          pulumi.String("1.21"),
    Name:             pulumi.String(awsCluster.Name),
    PublicSubnetIds:  pulumi.ToStringArrayOutput(publicSubnetIds),
    PrivateSubnetIds: pulumi.ToStringArrayOutput(privateSubnetIds),
    VpcId:            awsCluster.vpc.ID(),
    InstanceRoles: iam.RoleArray{
        awsCluster.nodeIamRole,
    },
    ClusterSecurityGroupTags: mergeDefaultTags(pulumi.StringMap{
        "Name":    pulumi.String(awsCluster.Name),
        "Cluster": pulumi.String(awsCluster.Name),
    }),
    Tags: mergeDefaultTags(pulumi.StringMap{
        "Name":    pulumi.String(awsCluster.Name),
        "Cluster": pulumi.String(awsCluster.Name),
    }),
    SkipDefaultNodeGroup: pulumi.BoolPtr(true),
    RoleMappings: eks.RoleMappingArray{
        eks.RoleMappingArgs{
            // TODO: Probably need to create a special role for this
            RoleArn:  pulumi.String("arn:aws:iam::REDACTED:role/FairwindsAdministrator"),
            Groups:   pulumi.StringArray{pulumi.String("kubernetes-admins")},
            Username: pulumi.String("arn:aws:iam::REDACTED:role/FairwindsAdministrator"),
        },
    },
    ProviderCredentialOpts: eks.KubeconfigOptionsArgs{
        RoleArn: pulumi.String("arn:aws:iam::REDACTED:role/FairwindsAdministrator"),
    },
}, pulumi.Provider(awsCluster.provider))
if err != nil {
    return err
}
orange-policeman-59119
05/24/2022, 3:47 PM
flat-laptop-90489
05/24/2022, 3:49 PM
type Cluster struct {
    Name            string          `yaml:"name"`
    Region          string          `yaml:"region"`
    VpcCidr         string          `yaml:"vpcCidr"`
    Subnets         []Subnet        `yaml:"subnets"`
    StaticNodeGroup StaticNodeGroup `yaml:"staticNodeGroup"`
    AddOns          AddOns          `yaml:"addOns"`
    // pulumi created objects to find the outputs later
    provider        *aws.Provider
    vpc             *ec2.Vpc
    igw             *ec2.InternetGateway
    azList          []string
    cluster         *eks.Cluster
    staticNodeGroup *eks.ManagedNodeGroup
    nodeIamRole     *iam.Role
}
orange-policeman-59119
05/24/2022, 3:49 PM
flat-laptop-90489
05/24/2022, 3:50 PM
orange-policeman-59119
05/24/2022, 3:50 PM
flat-laptop-90489
05/24/2022, 3:50 PM
orange-policeman-59119
05/24/2022, 3:50 PM
flat-laptop-90489
05/24/2022, 3:51 PM
env, I could probably do that.
orange-policeman-59119
05/24/2022, 3:54 PM
flat-laptop-90489
05/24/2022, 3:56 PM
kubernetes:core/v1:ConfigMap
eks:index:VpcCni
orange-policeman-59119
05/24/2022, 4:10 PM
flat-laptop-90489
05/24/2022, 4:15 PM
orange-policeman-59119
05/24/2022, 6:04 PM
pulumi.Secret(), by the way?
sparse-park-68967
05/24/2022, 6:16 PM
flat-laptop-90489
05/24/2022, 7:01 PM
orange-policeman-59119
05/24/2022, 7:02 PM
flat-laptop-90489
05/24/2022, 7:02 PM