Channels
pulumi-ai
package-authoring
pulumi-cdk
oracle-cloud-infrastructure
learn-pulumi-events
linen
registry
built-with-pulumi
pulumi-cloud
contribex
testingtesting321
hacktoberfest
cloudengineering
yaml
pulumi-crosscode
content-share
finops
multi-language-hackathon
office-hours
workshops
blog-posts
localstack
welcome
gitlab
pulumi-kubernetes-operator
jobs
aws
pulumi-deployments
dotnet
golang
announcements
java
pulumiverse
python
install
getting-started
cloudengineering-support
testingtesting123
hackathon-03-19-2020
typescript
google-cloud
contribute
azure
kubernetes
docs
automation-api
status
general
Title
s
square-laptop-45713
01/05/2023, 8:09 PMRan into a major issue and I want to know where the best place to file the bug is:
• Updated my dependencies of the pulumi SDK and Github Actions
• We use Pulumi to manage an EKS Cluster in AWS
• Ran GH Actions to refresh cloud state - this worked
• GH Actions automated to run an
updaterecreateaws-authaws-authmetaData.managedFields.0.manager"pulumi-resource-kubernetes""pulumi-kubernetes"recreatehere is the diff of that resource in the job that performed the
recreateeks:index:Cluster$kubernetes:core/v1:ConfigMap (kettleos-eks-dev-nodeAccess)
++ kubernetes:core/v1:ConfigMap (create-replacement)
[id=kube-system/aws-auth]
[urn=urn:pulumi:dev::base::eks:index:Cluster$kubernetes:core/v1:ConfigMap::kettleos-eks-dev-nodeAccess]
__inputs : {
data : {
mapRoles: "- rolearn: 'arn:aws:iam::[AWSDevAccount]:role/kettleos-eks-dev-ng-role-4a11bab'
username: 'system:node:{{EC2PrivateDNSName}}'
groups:
- 'system:bootstrappers'
- 'system:nodes'
" => "- rolearn: arn:aws:iam::[AWSDevAccount]:role/kettleos-eks-dev-ng-role-4a11bab
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
"
}
}
data : {
mapRoles: "- rolearn: 'arn:aws:iam::[AWSDevAccount]:role/kettleos-eks-dev-ng-role-4a11bab'
username: 'system:node:{{EC2PrivateDNSName}}'
groups:
- 'system:bootstrappers'
- 'system:nodes'
- rolearn: 'arn:aws:iam::[AWSDevAccount]:role/OrganizationAccountAccessRole'
username: 'developer'
groups:
- 'system:masters'
- rolearn: 'arn:aws:iam::[AWSDevAccount]:role/OrganizationAccountReadOnlyRole'
username: 'developer'
groups:
- 'system:masters'
" => "- rolearn: arn:aws:iam::[AWSDevAccount]:role/kettleos-eks-dev-ng-role-4a11bab
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
"
}
metadata : {
annotations : {
<http://kubectl.kubernetes.io/last-applied-configuration|kubectl.kubernetes.io/last-applied-configuration>: "{"apiVersion":"v1","data":{"mapRoles":"- rolearn: 'arn:aws:iam::[AWSDevAccount]:role/kettleos-eks-dev-ng-role-4a11bab'\n username: 'system:node:{{EC2PrivateDNSName}}'\n groups:\n - 'system:bootstrappers'\n - 'system:nodes'\n"},"kind":"ConfigMap","metadata":{"labels":{"<http://app.kubernetes.io/managed-by|app.kubernetes.io/managed-by>":"pulumi"},"name":"aws-auth","namespace":"kube-system"}}
" => "{"apiVersion":"v1","data":{"mapRoles":"- rolearn: arn:aws:iam::[AWSDevAccount]:role/kettleos-eks-dev-ng-role-4a11bab\n username: system:node:{{EC2PrivateDNSName}}\n groups:\n - system:bootstrappers\n - system:nodes\n"},"kind":"ConfigMap","metadata":{"labels":{"<http://app.kubernetes.io/managed-by|app.kubernetes.io/managed-by>":"pulumi"},"name":"aws-auth","namespace":"kube-system"}}
"
}
creationTimestamp: "2021-04-18T04:32:06Z" => "2022-12-28T06:51:37Z"
managedFields : [
[0]: {
fieldsV1 : {
f:data : {
. : {}
f:mapRoles: {}
}
}
manager : "pulumi-resource-kubernetes" => "pulumi-kubernetes"
time : "2021-04-18T04:32:06Z" => "2022-12-28T06:51:37Z"
}
[1]: {
apiVersion: "v1"
fieldsType: "FieldsV1"
fieldsV1 : {
f:data: {
f:mapRoles: {}
}
}
manager : "kubectl-edit"
operation : "Update"
time : "2021-04-18T05:11:50Z"
}
]
resourceVersion : "190307907" => "210893469"
uid : "5ea6eea4-d11e-4a72-969d-19ab38f9b590" => "16f0f6ce-e58b-44c9-8a3b-c58910640b21"
}
Diagnostics:m
many-telephone-49025
01/05/2023, 8:37 PMHi,
Not sure if i misread the output what is the difference in
system:masterss
square-laptop-45713
01/05/2023, 8:39 PMI can check but that part is 💯 managed by pulumi’s EKS module since that is the creator’s mapping that doesn’t get touched
m
many-telephone-49025
01/05/2023, 8:43 PMhmm
s
square-laptop-45713
01/05/2023, 8:44 PMoh no I was wrong about that part @many-telephone-49025
the
system:mastersas mentioned above via the GH Issue, manually editing the
aws-authrecreatem
many-telephone-49025
01/05/2023, 8:47 PMBut edited in Pulumi and not on the cluster? Sorry for asking maybe an obvious qustion
s
square-laptop-45713
01/05/2023, 8:48 PMpulumi doesn’t expose it likely b/c EKS API doesn’t expose it (that’s the reason for that GH Issue) - it can’t be automated atm except through the
eksctlso the only way to edit that ConfigMap is to login and manually edit the ConfigMap resource via kubectl
m
many-telephone-49025
01/05/2023, 8:49 PMthen I would run a pulumi refresh
to update the state with the changes in the cluster so they are in sync
s
square-laptop-45713
01/05/2023, 8:49 PMI refreshed it
afaik it was refreshed b/c I had been running refresh jobs on every change I made
m
many-telephone-49025
01/05/2023, 8:50 PMif you run now the refresh job it should be fine?
as they are now in sync again
s
square-laptop-45713
01/05/2023, 8:51 PMthe previous update was a refresh that succeeded
m
many-telephone-49025
01/05/2023, 8:52 PMdid you update the pulumi-kubernetes provider?
s
square-laptop-45713
01/05/2023, 8:52 PMI’m checking
m
many-telephone-49025
01/05/2023, 8:54 PMThere was a change two weeks ago -> https://github.com/pulumi/pulumi-kubernetes/pull/2271 with the manager name
s
square-laptop-45713
01/05/2023, 8:54 PMI saw that when I was looking into it, that’s why I pointed this out
m
many-telephone-49025
01/05/2023, 8:54 PMYou are not running in SSA mode?
s
square-laptop-45713
01/05/2023, 8:55 PMno
we’re using the OIDC IAM Role
this infrastructure is 2 years old
the manager name shouldn’t trigger a recreate - I would expect it to trigger an update op
btw the
pulumi/kubernetes^3.22.1^3.23.1pulumi/awsx- "@pulumi/aws": "^5.20.0",
- "@pulumi/awsx": "^0.40.1",
- "@pulumi/docker": "^3.6.0",
- "@pulumi/kubernetes": "^3.22.1",
- "@pulumi/pulumi": "^3.46.1",
+ "@pulumi/aws": "^5.25.0",
+ "@pulumi/awsx": "^1.0.1",
+ "@pulumi/docker": "^3.6.1",
+ "@pulumi/kubernetes": "^3.23.1",
+ "@pulumi/pulumi": "^3.50.2",m
many-telephone-49025
01/05/2023, 8:59 PMOh yes
AWSX went GA with version 1.0.0
Let me check the recreate on managed fields quickly to rule out this one
hmm no
no recreate when updating from 3.22.1 tro 3.23.1 on a configmap
s
square-laptop-45713
01/05/2023, 9:14 PMthanks
m
many-telephone-49025
01/05/2023, 9:14 PMI did an edit and a refresh before i updated
it made a update on a field but not a recreate of the whole CM
s
square-laptop-45713
01/05/2023, 9:16 PMdid you use the previous version of the package to create the initial EKS cluster?
m
many-telephone-49025
01/05/2023, 9:17 PMI just used a local k8s to test the only the update of the kubernetes provider
s
square-laptop-45713
01/05/2023, 9:20 PMwell I have to perform this on our production cluster at some point so you’re saying that not refreshing could be the problem
m
many-telephone-49025
01/05/2023, 9:34 PMWould love to connect in a call with you to check before running in prod. So we could more infos about the before state.
Tomorrow I am unfortunatly OOO as it's bank holiday in Germany
s
square-laptop-45713
01/05/2023, 9:39 PMThat would be fantastic. I won’t run in prod until next week
m
many-telephone-49025
01/06/2023, 8:42 AMAwesome! Feel free to send an invite to engin@pulumi.com with a time slot that fits you! I have currently good availability from 10-12am