This message was deleted.
s
sparse-intern-71089
11/02/2022, 4:47 PMThis message was deleted.
b
billowy-army-68599
11/02/2022, 4:51 PM
can you share your code and the expanded diff?
✅ 1
b
blue-shampoo-62911
11/02/2022, 5:06 PM Copy code
Previewing update (prod):
pulumi:pulumi:Stack: (same)
[urn=urn:pulumi:prod::infra::pulumi:pulumi:Stack::infra-prod]
> pulumi:pulumi:StackReference: (read)
[id=infra]
[urn=urn:pulumi:prod::infra::pulumi:pulumi:StackReference::infra]
name: "infra"
~ kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release>: (update)
[id=linkerd/linkerd-crds]
[urn=urn:pulumi:prod::infra::kubernetes:<http://helm.sh/v3:Release::linkerd-crds|helm.sh/v3:Release::linkerd-crds>]
[provider=urn:pulumi:prod::infra::pulumi:providers:kubernetes::default_3_21_4::086e4490-9af1-4939-8bc6-613a867d731d]
- resourceNames: {
- <http://CustomResourceDefinition.apiextensions.k8s.io/apiextensions.k8s.io/v1|CustomResourceDefinition.apiextensions.k8s.io/apiextensions.k8s.io/v1>: [
- [0]: "<http://authorizationpolicies.policy.linkerd.io|authorizationpolicies.policy.linkerd.io>"
- [1]: "<http://httproutes.policy.linkerd.io|httproutes.policy.linkerd.io>"
- [2]: "<http://meshtlsauthentications.policy.linkerd.io|meshtlsauthentications.policy.linkerd.io>"
- [3]: "<http://networkauthentications.policy.linkerd.io|networkauthentications.policy.linkerd.io>"
- [4]: "<http://serverauthorizations.policy.linkerd.io|serverauthorizations.policy.linkerd.io>"
- [5]: "<http://servers.policy.linkerd.io|servers.policy.linkerd.io>"
- [6]: "<http://serviceprofiles.linkerd.io|serviceprofiles.linkerd.io>"
]
}
~ kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release>: (update)
[id=linkerd/linkerd-control-plane]
[urn=urn:pulumi:prod::infra::kubernetes:<http://helm.sh/v3:Release::linkerd-control-plane|helm.sh/v3:Release::linkerd-control-plane>]
[provider=urn:pulumi:prod::infra::pulumi:providers:kubernetes::default_3_21_4::086e4490-9af1-4939-8bc6-613a867d731d]
- resourceNames: {
- <http://ClusterRole.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|ClusterRole.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "linkerd-heartbeat"
- [1]: "linkerd-linkerd-destination"
- [2]: "linkerd-linkerd-identity"
- [3]: "linkerd-linkerd-proxy-injector"
- [4]: "linkerd-policy"
]
- <http://ClusterRoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|ClusterRoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "linkerd-destination-policy"
- [1]: "linkerd-heartbeat"
- [2]: "linkerd-linkerd-destination"
- [3]: "linkerd-linkerd-identity"
- [4]: "linkerd-linkerd-proxy-injector"
]
- ConfigMap/v1 : [
- [0]: "linkerd/linkerd-config"
- [1]: "linkerd/linkerd-identity-trust-roots"
]
- CronJob.batch/batch/v1 : [
- [0]: "linkerd/linkerd-heartbeat"
]
- Deployment.apps/apps/v1 : [
- [0]: "linkerd/linkerd-destination"
- [1]: "linkerd/linkerd-identity"
- [2]: "linkerd/linkerd-proxy-injector"
]
- <http://MutatingWebhookConfiguration.admissionregistration.k8s.io/admissionregistration.k8s.io/v1|MutatingWebhookConfiguration.admissionregistration.k8s.io/admissionregistration.k8s.io/v1> : [
- [0]: "linkerd-proxy-injector-webhook-config"
]
- <http://Role.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|Role.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "linkerd/linkerd-heartbeat"
]
- <http://RoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|RoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "linkerd/linkerd-heartbeat"
]
- Secret/v1 : [
- [0]: "linkerd/linkerd-identity-issuer"
- [1]: "linkerd/linkerd-policy-validator-k8s-tls"
- [2]: "linkerd/linkerd-proxy-injector-k8s-tls"
- [3]: "linkerd/linkerd-sp-validator-k8s-tls"
]
- Service/v1 : [
- [0]: "linkerd/linkerd-dst"
- [1]: "linkerd/linkerd-dst-headless"
- [2]: "linkerd/linkerd-identity"
- [3]: "linkerd/linkerd-identity-headless"
- [4]: "linkerd/linkerd-policy"
- [5]: "linkerd/linkerd-policy-validator"
- [6]: "linkerd/linkerd-proxy-injector"
- [7]: "linkerd/linkerd-sp-validator"
]
- ServiceAccount/v1 : [
- [0]: "linkerd/linkerd-destination"
- [1]: "linkerd/linkerd-heartbeat"
- [2]: "linkerd/linkerd-identity"
- [3]: "linkerd/linkerd-proxy-injector"
]
- <http://ValidatingWebhookConfiguration.admissionregistration.k8s.io/admissionregistration.k8s.io/v1|ValidatingWebhookConfiguration.admissionregistration.k8s.io/admissionregistration.k8s.io/v1>: [
- [0]: "linkerd-policy-validator-webhook-config"
- [1]: "linkerd-sp-validator-webhook-config"
]
}
~ kubernetes:<http://helm.sh/v3:Release|helm.sh/v3:Release>: (update)
[id=linkerd-multicluster/linkerd-multicluster]
[urn=urn:pulumi:prod::infra::kubernetes:<http://helm.sh/v3:Release::linkerd-multicluster|helm.sh/v3:Release::linkerd-multicluster>]
[provider=urn:pulumi:prod::infra::pulumi:providers:kubernetes::default_3_21_4::086e4490-9af1-4939-8bc6-613a867d731d]
- resourceNames: {
- <http://ClusterRole.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|ClusterRole.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "linkerd-multicluster/linkerd-service-mirror-remote-access-default"
]
- <http://ClusterRoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|ClusterRoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1>: [
- [0]: "linkerd-multicluster/linkerd-service-mirror-remote-access-default"
]
- <http://CustomResourceDefinition.apiextensions.k8s.io/apiextensions.k8s.io/v1|CustomResourceDefinition.apiextensions.k8s.io/apiextensions.k8s.io/v1> : [
- [0]: "<http://links.multicluster.linkerd.io|links.multicluster.linkerd.io>"
]
- Job.batch/batch/v1 : [
- [0]: "namespace-metadata"
]
- <http://Role.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|Role.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "namespace-metadata"
]
- <http://RoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1|RoleBinding.rbac.authorization.k8s.io/rbac.authorization.k8s.io/v1> : [
- [0]: "namespace-metadata"
]
- Secret/v1 : [
- [0]: "linkerd-multicluster/linkerd-service-mirror-remote-access-default-token"
]
- <http://Server.policy.linkerd.io/policy.linkerd.io/v1beta1|Server.policy.linkerd.io/policy.linkerd.io/v1beta1> : [
- [0]: "linkerd-multicluster/gateway-proxy-admin"
- [1]: "linkerd-multicluster/service-mirror"
- [2]: "linkerd-multicluster/service-mirror-proxy-admin"
]
- <http://ServerAuthorization.policy.linkerd.io/policy.linkerd.io/v1beta1|ServerAuthorization.policy.linkerd.io/policy.linkerd.io/v1beta1> : [
- [0]: "linkerd-multicluster/proxy-admin"
- [1]: "linkerd-multicluster/service-mirror"
- [2]: "linkerd-multicluster/service-mirror-proxy-admin"
]
- ServiceAccount/v1 : [
- [0]: "linkerd-multicluster/linkerd-service-mirror-remote-access-default"
- [1]: "namespace-metadata"
]
}
Resources:
~ 3 to update
10 unchangedblue-shampoo-62911
11/02/2022, 5:08 PM Copy code
import * as k8s from "@pulumi/kubernetes";
import { Release } from "@pulumi/kubernetes/helm/v3";
import { Input } from "@pulumi/pulumi";
import * as tls from "@pulumi/tls";
export const privateKeyCa = new tls.PrivateKey("linkerd-mtls-private-key-ca", {
algorithm: "ECDSA",
ecdsaCurve: "P256",
});
export const certCa = new tls.SelfSignedCert("linkerd-mtls-ca-cert", {
privateKeyPem: privateKeyCa.privateKeyPem,
allowedUses: [
"digital_signature",
"cert_signing",
"client_auth",
"server_auth",
"any_extended",
],
validityPeriodHours: 24 * 7 * 52 * 2, // 2 years
isCaCertificate: true,
subject: {
commonName: "cendo-linkerd-root",
},
});
export const privateKeyIntermediate = new tls.PrivateKey(
"linkerd-mtls-private-key-intermediate",
{
algorithm: "ECDSA",
ecdsaCurve: "P256",
}
);
export const certRequestIntermediate = new tls.CertRequest(
"linkerd-mtls-intermediate-certrequest",
{
privateKeyPem: privateKeyIntermediate.privateKeyPem,
subject: {
commonName: "cendo-linkerd-intermediate",
},
}
);
export const certIntermediate = new tls.LocallySignedCert(
"linkerd-mtls-intermediate-cert",
{
allowedUses: [
"digital_signature",
"cert_signing",
"client_auth",
"server_auth",
"any_extended",
],
caCertPem: certCa.certPem,
caPrivateKeyPem: privateKeyCa.privateKeyPem,
certRequestPem: certRequestIntermediate.certRequestPem,
validityPeriodHours: 24 * 7 * 52 * 2, // 2 years
isCaCertificate: true,
}
);
const linkerdNamespace = new k8s.core.v1.Namespace("linkerd-namespace", {
metadata: {
name: "linkerd",
},
});
const linkerdCrds = () =>
new k8s.helm.v3.Release(
"linkerd-crds",
{
chart: "linkerd-crds",
version: "1.4.0",
repositoryOpts: {
repo: "<https://helm.linkerd.io/stable>",
},
namespace: "linkerd",
name: "linkerd-crds",
atomic: true,
timeout: 60,
skipAwait: false,
},
{ dependsOn: linkerdNamespace }
);
const linkerdCP = (
crds: k8s.helm.v3.Release,
caCertPem: Input<string>,
intCertPem: Input<string>,
intPrivkeyPem: Input<string>
) =>
new k8s.helm.v3.Release(
"linkerd-control-plane",
{
chart: "linkerd-control-plane",
version: "1.9.3",
repositoryOpts: {
repo: "<https://helm.linkerd.io/stable>",
},
namespace: "linkerd",
name: "linkerd-control-plane",
atomic: true,
timeout: 150,
values: {
imagePullSecrets: [{ name: "regcred" }],
cniEnabled: false,
identityTrustAnchorsPEM: caCertPem,
identity: {
issuer: {
tls: {
crtPEM: intCertPem,
keyPEM: intPrivkeyPem,
},
},
},
proxyInit: {
runAsRoot: true,
// iptablesMode: "nft", // legacy (default) or nft
},
// controlPlaneTracingNamespace: "linkerd",
},
},
{ dependsOn: crds }
);
const linkerdMulticlusterNs = new k8s.core.v1.Namespace(
"linkerd-multicluster-namespace",
{
metadata: {
name: "linkerd-multicluster",
},
}
);
const linkerdMulticluster = (controlPlane: Release, elbId?: string) =>
new k8s.helm.v3.Release(
"linkerd-multicluster",
{
chart: "linkerd-multicluster",
version: "30.2.3",
repositoryOpts: {
repo: "<https://helm.linkerd.io/stable>",
},
namespace: "linkerd-multicluster",
name: "linkerd-multicluster",
atomic: true,
timeout: 150,
values: {
gateway: {
enabled: elbId ? true : false,
serviceAnnotations: {
"<http://kubernetes.io/elb.id|kubernetes.io/elb.id>": elbId,
},
},
},
},
{ dependsOn: [linkerdMulticlusterNs, controlPlane] }
);
export const linkerd = (
caCertPem: Input<string>,
intCertPem: Input<string>,
intPrivkeyPem: Input<string>,
elbId?: string
) => {
const crds = linkerdCrds();
const cp = linkerdCP(crds, caCertPem, intCertPem, intPrivkeyPem);
const mc = linkerdMulticluster(cp, elbId);
};b
billowy-army-68599
11/02/2022, 5:16 PM
my guess is you’re using different versions of the providers
billowy-army-68599
11/02/2022, 5:16 PM
you can check with
pulumi plugin ls✅ 1
b
blue-shampoo-62911
11/03/2022, 5:15 PM Copy code
❯ pulumi plugin ls
NAME KIND VERSION SIZE INSTALLED LAST USED
kubernetes resource 3.21.4 82 MB 1 day ago 1 day ago
tls resource 4.6.1 33 MB 1 day ago 1 day agob
billowy-army-68599
11/03/2022, 5:18 PM
huh. can you file an issue?
b
blue-shampoo-62911
11/03/2022, 5:18 PMWe also compared all together
pulumi aboutblue-shampoo-62911
11/03/2022, 5:31 PM4 Views
Pulumi Community
No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.
Powered by