sparse-intern-71089
11/02/2022, 4:47 PMbillowy-army-68599
blue-shampoo-62911
11/02/2022, 5:06 PM
Previewing update (prod):
pulumi:pulumi:Stack: (same)
[urn=urn:pulumi:prod::infra::pulumi:pulumi:Stack::infra-prod]
> pulumi:pulumi:StackReference: (read)
[id=infra]
[urn=urn:pulumi:prod::infra::pulumi:pulumi:StackReference::infra]
name: "infra"
~ kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release>: (update)
[id=linkerd/linkerd-crds]
[urn=urn:pulumi:prod::infra::kubernetes:<http://helm.sh/v3:Release::linkerd-crds|helm.sh/v3:Release::linkerd-crds>]
[provider=urn:pulumi:prod::infra::pulumi:providers:kubernetes::default_3_21_4::086e4490-9af1-4939-8bc6-613a867d731d]
- resourceNames: {
- <http://CustomResourceDefinition.apiextensions.k8s.io/apiextensions.k8s.io/v1|CustomResourceDefinition.apiextensions.k8s.io/apiextensions.k8s.io/v1>: [
- [0]: "<http://authorizationpolicies.policy.linkerd.io|authorizationpolicies.policy.linkerd.io>"
- [1]: "<http://httproutes.policy.linkerd.io|httproutes.policy.linkerd.io>"
- [2]: "<http://meshtlsauthentications.policy.linkerd.io|meshtlsauthentications.policy.linkerd.io>"
- [3]: "<http://networkauthentications.policy.linkerd.io|networkauthentications.policy.linkerd.io>"
- [4]: "<http://serverauthorizations.policy.linkerd.io|serverauthorizations.policy.linkerd.io>"
- [5]: "<http://servers.policy.linkerd.io|servers.policy.linkerd.io>"
- [6]: "<http://serviceprofiles.linkerd.io|serviceprofiles.linkerd.io>"
]
}
~ kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release>: (update)
[id=linkerd/linkerd-control-plane]
[urn=urn:pulumi:prod::infra::kubernetes:<http://helm.sh/v3:Release::linkerd-control-plane|helm.sh/v3:Release::linkerd-control-plane>]
[provider=urn:pulumi:prod::infra::pulumi:providers:kubernetes::default_3_21_4::086e4490-9af1-4939-8bc6-613a867d731d]
- resourceNames: {
- <http://ClusterRole.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|ClusterRole.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "linkerd-heartbeat"
- [1]: "linkerd-linkerd-destination"
- [2]: "linkerd-linkerd-identity"
- [3]: "linkerd-linkerd-proxy-injector"
- [4]: "linkerd-policy"
]
- <http://ClusterRoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|ClusterRoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "linkerd-destination-policy"
- [1]: "linkerd-heartbeat"
- [2]: "linkerd-linkerd-destination"
- [3]: "linkerd-linkerd-identity"
- [4]: "linkerd-linkerd-proxy-injector"
]
- ConfigMap/v1 : [
- [0]: "linkerd/linkerd-config"
- [1]: "linkerd/linkerd-identity-trust-roots"
]
- CronJob.batch/batch/v1 : [
- [0]: "linkerd/linkerd-heartbeat"
]
- Deployment.apps/apps/v1 : [
- [0]: "linkerd/linkerd-destination"
- [1]: "linkerd/linkerd-identity"
- [2]: "linkerd/linkerd-proxy-injector"
]
- <http://MutatingWebhookConfiguration.admissionregistration.k8s.io/admissionregistration.k8s.io/v1|MutatingWebhookConfiguration.admissionregistration.k8s.io/admissionregistration.k8s.io/v1> : [
- [0]: "linkerd-proxy-injector-webhook-config"
]
- <http://Role.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|Role.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "linkerd/linkerd-heartbeat"
]
- <http://RoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|RoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "linkerd/linkerd-heartbeat"
]
- Secret/v1 : [
- [0]: "linkerd/linkerd-identity-issuer"
- [1]: "linkerd/linkerd-policy-validator-k8s-tls"
- [2]: "linkerd/linkerd-proxy-injector-k8s-tls"
- [3]: "linkerd/linkerd-sp-validator-k8s-tls"
]
- Service/v1 : [
- [0]: "linkerd/linkerd-dst"
- [1]: "linkerd/linkerd-dst-headless"
- [2]: "linkerd/linkerd-identity"
- [3]: "linkerd/linkerd-identity-headless"
- [4]: "linkerd/linkerd-policy"
- [5]: "linkerd/linkerd-policy-validator"
- [6]: "linkerd/linkerd-proxy-injector"
- [7]: "linkerd/linkerd-sp-validator"
]
- ServiceAccount/v1 : [
- [0]: "linkerd/linkerd-destination"
- [1]: "linkerd/linkerd-heartbeat"
- [2]: "linkerd/linkerd-identity"
- [3]: "linkerd/linkerd-proxy-injector"
]
- <http://ValidatingWebhookConfiguration.admissionregistration.k8s.io/admissionregistration.k8s.io/v1|ValidatingWebhookConfiguration.admissionregistration.k8s.io/admissionregistration.k8s.io/v1>: [
- [0]: "linkerd-policy-validator-webhook-config"
- [1]: "linkerd-sp-validator-webhook-config"
]
}
~ kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release>: (update)
[id=linkerd-multicluster/linkerd-multicluster]
[urn=urn:pulumi:prod::infra::kubernetes:<http://helm.sh/v3:Release::linkerd-multicluster|helm.sh/v3:Release::linkerd-multicluster>]
[provider=urn:pulumi:prod::infra::pulumi:providers:kubernetes::default_3_21_4::086e4490-9af1-4939-8bc6-613a867d731d]
- resourceNames: {
- <http://ClusterRole.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|ClusterRole.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "linkerd-multicluster/linkerd-service-mirror-remote-access-default"
]
- <http://ClusterRoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|ClusterRoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1>: [
- [0]: "linkerd-multicluster/linkerd-service-mirror-remote-access-default"
]
- <http://CustomResourceDefinition.apiextensions.k8s.io/apiextensions.k8s.io/v1|CustomResourceDefinition.apiextensions.k8s.io/apiextensions.k8s.io/v1> : [
- [0]: "<http://links.multicluster.linkerd.io|links.multicluster.linkerd.io>"
]
- Job.batch/batch/v1 : [
- [0]: "namespace-metadata"
]
- <http://Role.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|Role.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "namespace-metadata"
]
- <http://RoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|RoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "namespace-metadata"
]
- Secret/v1 : [
- [0]: "linkerd-multicluster/linkerd-service-mirror-remote-access-default-token"
]
- <http://Server.policy.linkerd.io/policy.linkerd.io/v1beta1|Server.policy.linkerd.io/policy.linkerd.io/v1beta1> : [
- [0]: "linkerd-multicluster/gateway-proxy-admin"
- [1]: "linkerd-multicluster/service-mirror"
- [2]: "linkerd-multicluster/service-mirror-proxy-admin"
]
- <http://ServerAuthorization.policy.linkerd.io/policy.linkerd.io/v1beta1|ServerAuthorization.policy.linkerd.io/policy.linkerd.io/v1beta1> : [
- [0]: "linkerd-multicluster/proxy-admin"
- [1]: "linkerd-multicluster/service-mirror"
- [2]: "linkerd-multicluster/service-mirror-proxy-admin"
]
- ServiceAccount/v1 : [
- [0]: "linkerd-multicluster/linkerd-service-mirror-remote-access-default"
- [1]: "namespace-metadata"
]
}
Resources:
~ 3 to update
10 unchanged
blue-shampoo-62911
11/02/2022, 5:08 PM
import * as k8s from "@pulumi/kubernetes";
import { Release } from "@pulumi/kubernetes/helm/v3";
import { Input } from "@pulumi/pulumi";
import * as tls from "@pulumi/tls";
// Linkerd mTLS PKI: a self-signed root certificate and an intermediate signed
// by it, both created with the Pulumi tls provider.
//
// NOTE(review): the tls provider generates these keys as stack resources, so
// both private keys (including the root's) are held in the stack's state.
// Read access to the state is then equivalent to holding the root key;
// confirm the backend and its secrets provider are restricted accordingly.

// Key parameters shared by the root and the intermediate key.
const ecdsaP256KeyArgs = {
  algorithm: "ECDSA",
  ecdsaCurve: "P256",
};

// Usages granted to both certificates.
// NOTE(review): both certificates are CAs, yet the list also grants
// client_auth, server_auth and any_extended. A CA certificate normally needs
// little beyond cert_signing (and crl_signing if it issues CRLs). Confirm what
// Linkerd requires before narrowing; changing the list will presumably
// re-issue the certificates.
const caAllowedUses = [
  "digital_signature",
  "cert_signing",
  "client_auth",
  "server_auth",
  "any_extended",
];

// 24 h * 7 days * 52 weeks * 2 = 17,472 hours (728 days), just under two years.
// NOTE(review): neither certificate sets earlyRenewalHours, so no renewal
// window ahead of expiry is configured here; plan rotation separately.
const caValidityHours = 24 * 7 * 52 * 2;

// Private key of the root certificate.
export const privateKeyCa = new tls.PrivateKey(
  "linkerd-mtls-private-key-ca",
  ecdsaP256KeyArgs
);

// Self-signed root certificate for the mesh.
export const certCa = new tls.SelfSignedCert("linkerd-mtls-ca-cert", {
  subject: {
    commonName: "cendo-linkerd-root",
  },
  isCaCertificate: true,
  validityPeriodHours: caValidityHours,
  allowedUses: caAllowedUses,
  privateKeyPem: privateKeyCa.privateKeyPem,
});

// Private key of the intermediate certificate.
export const privateKeyIntermediate = new tls.PrivateKey(
  "linkerd-mtls-private-key-intermediate",
  ecdsaP256KeyArgs
);

// Certificate signing request for the intermediate, built from its own key.
export const certRequestIntermediate = new tls.CertRequest(
  "linkerd-mtls-intermediate-certrequest",
  {
    subject: {
      commonName: "cendo-linkerd-intermediate",
    },
    privateKeyPem: privateKeyIntermediate.privateKeyPem,
  }
);

// Intermediate CA certificate, signed with the root key and certificate above.
export const certIntermediate = new tls.LocallySignedCert(
  "linkerd-mtls-intermediate-cert",
  {
    certRequestPem: certRequestIntermediate.certRequestPem,
    caCertPem: certCa.certPem,
    caPrivateKeyPem: privateKeyCa.privateKeyPem,
    isCaCertificate: true,
    validityPeriodHours: caValidityHours,
    allowedUses: caAllowedUses,
  }
);
// Namespace that the linkerd-crds and linkerd-control-plane releases install into.
const linkerdNamespace = new k8s.core.v1.Namespace("linkerd-namespace", {
  metadata: { name: "linkerd" },
});
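/**
 * Installs the `linkerd-crds` Helm chart, pinned to version 1.4.0, into the
 * `linkerd` namespace.
 *
 * The release is atomic, uses a timeout of 60 and waits for its resources
 * (`skipAwait: false`). It depends on the namespace resource, so the namespace
 * is created first.
 *
 * NOTE(review): the chart is pinned by version only. The Release resource also
 * accepts `verify` / `keyring` for provenance checking; whether this
 * repository publishes signatures needs confirming.
 *
 * @returns the Helm release, for later releases to depend on.
 */
const linkerdCrds = (): k8s.helm.v3.Release =>
  new k8s.helm.v3.Release(
    "linkerd-crds",
    {
      chart: "linkerd-crds",
      version: "1.4.0",
      repositoryOpts: {
        // Bare repository URL; angle-bracket link markup is not part of the address.
        repo: "https://helm.linkerd.io/stable",
      },
      namespace: "linkerd",
      name: "linkerd-crds",
      atomic: true,
      timeout: 60,
      skipAwait: false,
    },
    { dependsOn: linkerdNamespace }
  );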
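/**
 * Installs the `linkerd-control-plane` Helm chart, pinned to version 1.9.3,
 * into the `linkerd` namespace.
 *
 * @param crds - the CRD release; this release depends on it.
 * @param caCertPem - PEM of the trust-anchor certificate, passed to the chart
 *   as `identityTrustAnchorsPEM`.
 * @param intCertPem - PEM of the identity issuer certificate.
 * @param intPrivkeyPem - PEM of the identity issuer private key. It travels
 *   through the Helm values. NOTE(review): confirm callers pass it as a Pulumi
 *   secret so it is not rendered in plain text in previews or state.
 * @returns the Helm release, for later releases to depend on.
 */
const linkerdCP = (
  crds: k8s.helm.v3.Release,
  caCertPem: Input<string>,
  intCertPem: Input<string>,
  intPrivkeyPem: Input<string>
): k8s.helm.v3.Release =>
  new k8s.helm.v3.Release(
    "linkerd-control-plane",
    {
      chart: "linkerd-control-plane",
      version: "1.9.3",
      repositoryOpts: {
        // Bare repository URL; angle-bracket link markup is not part of the address.
        repo: "https://helm.linkerd.io/stable",
      },
      namespace: "linkerd",
      name: "linkerd-control-plane",
      atomic: true,
      timeout: 150,
      values: {
        // presumably a registry pull secret named "regcred" already exists in
        // the namespace; nothing in this file creates it — verify.
        imagePullSecrets: [{ name: "regcred" }],
        cniEnabled: false,
        identityTrustAnchorsPEM: caCertPem,
        identity: {
          issuer: {
            tls: {
              crtPEM: intCertPem,
              keyPEM: intPrivkeyPem,
            },
          },
        },
        proxyInit: {
          // NOTE(review): runs the proxy-init container as root, which widens
          // its privileges; keep only if the nodes' container runtime or
          // iptables setup requires it.
          runAsRoot: true,
          // iptablesMode: "nft", // legacy (default) or nft
        },
        // controlPlaneTracingNamespace: "linkerd",
      },
    },
    { dependsOn: crds }
  );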
// Namespace that the linkerd-multicluster release installs into.
const linkerdMulticlusterNs = new k8s.core.v1.Namespace(
  "linkerd-multicluster-namespace",
  { metadata: { name: "linkerd-multicluster" } }
);
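/**
 * Installs the `linkerd-multicluster` Helm chart, pinned to version 30.2.3,
 * into the `linkerd-multicluster` namespace.
 *
 * The gateway is enabled only when an ELB id is supplied; the id is attached
 * to the gateway service through the `kubernetes.io/elb.id` annotation.
 *
 * @param controlPlane - the control-plane release; this release depends on it
 *   and on the multicluster namespace.
 * @param elbId - optional load-balancer id; when absent or empty the gateway
 *   is disabled.
 * @returns the Helm release.
 */
const linkerdMulticluster = (
  controlPlane: Release,
  elbId?: string
): k8s.helm.v3.Release =>
  new k8s.helm.v3.Release(
    "linkerd-multicluster",
    {
      chart: "linkerd-multicluster",
      version: "30.2.3",
      repositoryOpts: {
        // Bare repository URL; angle-bracket link markup is not part of the address.
        repo: "https://helm.linkerd.io/stable",
      },
      namespace: "linkerd-multicluster",
      name: "linkerd-multicluster",
      atomic: true,
      timeout: 150,
      values: {
        gateway: {
          // NOTE(review): an enabled gateway exposes a cross-cluster entry
          // point on the load balancer; confirm who can reach it.
          enabled: Boolean(elbId),
          serviceAnnotations: {
            // The annotation key must be the bare name; link markup around it
            // would produce a different, unrecognised key.
            "kubernetes.io/elb.id": elbId,
          },
        },
      },
    },
    { dependsOn: [linkerdMulticlusterNs, controlPlane] }
  );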
/**
 * Deploys Linkerd in dependency order: the CRD release, then the control
 * plane, then the multicluster extension. Nothing is returned.
 *
 * @param caCertPem - PEM of the trust-anchor certificate.
 * @param intCertPem - PEM of the identity issuer certificate.
 * @param intPrivkeyPem - PEM of the identity issuer private key.
 *   NOTE(review): confirm callers pass this as a Pulumi secret.
 * @param elbId - optional load-balancer id forwarded to the multicluster
 *   release.
 */
export const linkerd = (
  caCertPem: Input<string>,
  intCertPem: Input<string>,
  intPrivkeyPem: Input<string>,
  elbId?: string
) => {
  const controlPlane = linkerdCP(
    linkerdCrds(),
    caCertPem,
    intCertPem,
    intPrivkeyPem
  );
  // The multicluster release is created for its side effect only.
  linkerdMulticluster(controlPlane, elbId);
};
billowy-army-68599
billowy-army-68599
pulumi plugin ls
blue-shampoo-62911
11/03/2022, 5:15 PM
❯ pulumi plugin ls
NAME KIND VERSION SIZE INSTALLED LAST USED
kubernetes resource 3.21.4 82 MB 1 day ago 1 day ago
tls resource 4.6.1 33 MB 1 day ago 1 day ago
We all have the same output
billowy-army-68599
blue-shampoo-62911
11/03/2022, 5:18 PM
pulumi about
and, apart from obvious things like the user name under backend and the architecture (arm64 and x86) on macOS, there was no real difference. We also manage our project with the Nix package manager, so that all our developers get the same development environment.
blue-shampoo-62911
11/03/2022, 5:31 PM