Resource timeout for YAML manifests with many resources #1098

Open
prkstaff opened this issue May 5, 2020 · 3 comments

Labels
impact/reliability: Something that feels unreliable or flaky
kind/bug: Some behavior is incorrect or out of spec

prkstaff commented May 5, 2020

Problem description

I am trying to create a Kubernetes cluster that contains cert-manager, Istio and a sample Nginx application that uses both cert-manager and Istio CRDs. All three are YAML files, with a total of 149 resources to be created, which I am creating with the Python pulumi_kubernetes ConfigFile.

I am aware of the Pulumi await logic here.

I am having a problem creating the cert-manager CRD ClusterIssuer: it seems to ignore the await logic. Even when I use the annotation pulumi.com/timeoutSeconds, it fails in 5 min, ignoring the value I set. The resource fails because another resource is not ready yet; it fails with the error:

kubernetes:cert-manager.io:ClusterIssuer (cert-manager/letsencrypt-stage):
    error: resource cert-manager/letsencrypt-prod was not successfully created by the Kubernetes API server : Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post
https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: no endpoints available for service "cert-manager-webhook"

I have the impression that Pulumi is trying to create the resources in the wrong order.
In this example the ClusterIssuer is waiting to make a POST to a service that will only be ready when a deployment is created, but Pulumi has not scheduled the cert-manager deployments yet. I have this impression because when the ClusterIssuer fails, Pulumi fails without even trying to create the deployments. I think that the fault is in the creation order; you can see in the logs below that Pulumi did not even try to create the deployment of the webhook.

The webhook failure log:

  kubernetes:core:Service (cert-manager/cert-manager-webhook):
    error: 2 errors occurred:
        * resource cert-manager/cert-manager-webhook was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'cert-manager-webhook' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

The deployment that Pulumi did not try to create and that is required for completion:

 +   │  ├─ kubernetes:apps:Deployment                                              cert-manager/cert-manager-webhook                                                create

Is there documentation about this creation order?

Errors & Logs

k8s-provision/pulumi on  pulumi [!] via k8s-provision via 🐍 2.7.15 at ☸️  stage took 17m 43s
[I] ➜ ./pulumi.sh up
Previewing update (dev):
     Type                                                                          Name                                      Plan
 +   pulumi:pulumi:Stack                                                           jeitto-provision-dev                      create
 +   pulumi:pulumi:Stack                                                           jeitto-provision-dev                      create.
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                meshpolicies.authentication.istio.io      create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                httpapispecbindings.config.istio.io       create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                quotaspecs.config.istio.io                create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                httpapispecs.config.istio.io              create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                quotaspecbindings.config.istio.io         create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                policies.authentication.istio.io          create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                destinationrules.networking.istio.io      create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                envoyfilters.networking.istio.io          create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                serviceentries.networking.istio.io        create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                gateways.networking.istio.io              create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                workloadentries.networking.istio.io       create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                sidecars.networking.istio.io              create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                attributemanifests.config.istio.io        create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                handlers.config.istio.io                  create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                rules.config.istio.io                     create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                virtualservices.networking.istio.io       create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                instances.config.istio.io                 create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                rbacconfigs.rbac.istio.io                 create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                clusterrbacconfigs.rbac.istio.io          create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                servicerolebindings.rbac.istio.io         create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                serviceroles.rbac.istio.io                create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                peerauthentications.security.istio.io     create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                authorizationpolicies.security.istio.io   create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                adapters.config.istio.io                  create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                requestauthentications.security.istio.io  create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                templates.config.istio.io                 create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                istiooperators.install.istio.io           create
 +   │  ├─ kubernetes:admissionregistration.k8s.io:ValidatingWebhookConfiguration  istio-galley                              create
 +   │  ├─ kubernetes:admissionregistration.k8s.io:ValidatingWebhookConfiguration  istiod-istio-system                                                       create
 +   │  ├─ kubernetes:admissionregistration.k8s.io:MutatingWebhookConfiguration    istio-sidecar-injector                                                           create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        kiali                                                                            create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        prometheus-istio-system                                                          create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 kiali                                                                            create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        istiod-istio-system                                                              create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 prometheus-istio-system                                                          create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 istio-reader-istio-system                                                        create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 istiod-pilot-istio-system                                                        create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        istio-reader-istio-system                                                        create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        kiali-viewer                                                                     create
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/istio-grafana-configuration-dashboards-istio-mesh-dashboard         create
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/istio-grafana-configuration-dashboards-istio-performance-dashboard  create
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/istio-grafana-configuration-dashboards-istio-workload-dashboard     create
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/istio-grafana-configuration-dashboards-pilot-dashboard              create
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/istio-grafana                                                       create
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/istio-grafana-configuration-dashboards-mixer-dashboard              create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/grafana                                                             create
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/kiali                                                               create
 +   │  ├─ kubernetes:core:ServiceAccount                                          istio-system/kiali-service-account                                               create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/jaeger-collector-headless                                           create
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/prometheus                                                          create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/jaeger-query                                                        create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/jaeger-collector                                                    create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/prometheus                                                          create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/zipkin                                                              create
 +   │  ├─ kubernetes:core:ServiceAccount                                          istio-system/istio-pilot-service-account                                         create
 +   │  ├─ kubernetes:policy:PodDisruptionBudget                                   istio-system/istio-egressgateway                                                 create
 +   │  ├─ kubernetes:core:ServiceAccount                                          istio-system/istio-egressgateway-service-account                                 create
 +   │  ├─ kubernetes:core:ServiceAccount                                          istio-system/prometheus                                                          create
 +   │  ├─ kubernetes:core:ServiceAccount                                          istio-system/istio-ingressgateway-service-account                                create
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/istio-grafana-configuration-dashboards-istio-service-dashboard      create
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/metadata-exchange-1.4                                               create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/jaeger-agent                                                        create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/tracing                                                             create
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/tcp-metadata-exchange-1.5                                           create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/kiali                                                               create
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/metadata-exchange-1.6                                               create
 +   │  ├─ kubernetes:authentication.istio.io:Policy                               istio-system/grafana-ports-mtls-disabled                                         create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/istio-egressgateway                                                 create
 +   │  ├─ kubernetes:policy:PodDisruptionBudget                                   istio-system/istio-ingressgateway                                                create
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/stats-filter-1.6                                                    create
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/tcp-stats-filter-1.5                                                create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/istio-ingressgateway                                                create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/istio-ingressgateway                                                create
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/tcp-stats-filter-1.5                                                create
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/stats-filter-1.4                                                    create
 +   │  ├─ kubernetes:core:Service                                                 istio-system/istiod                                                              create
 +   │  ├─ kubernetes:core:ServiceAccount                                          istio-system/istio-reader-service-account                                        create
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/tcp-stats-filter-1.6                                                create
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/istio-sidecar-injector                                              create
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/tcp-metadata-exchange-1.6                                           create
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/metadata-exchange-1.5                                               create
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/stats-filter-1.5                                                    create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:RoleBinding                        istio-system/istio-ingressgateway-sds                                            create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:Role                               istio-system/istio-ingressgateway-sds                                            create
 +   │  ├─ kubernetes:apps:Deployment                                              istio-system/grafana                                                             create
 +   │  ├─ kubernetes:apps:Deployment                                              istio-system/prometheus                                                          create
 +   │  ├─ kubernetes:apps:Deployment                                              istio-system/istio-egressgateway                                                 create
 +   │  ├─ kubernetes:core:Secret                                                  istio-system/kiali                                                               create
 +   │  ├─ kubernetes:apps:Deployment                                              istio-system/istiod                                                              create
 +   │  ├─ kubernetes:apps:Deployment                                              istio-system/istio-tracing                                                       create
 +   │  ├─ kubernetes:apps:Deployment                                              istio-system/istio-ingressgateway                                                create
 +   │  ├─ kubernetes:apps:Deployment                                              istio-system/istio-tracing                                                       create
 +   ├─ pulumi:providers:kubernetes                                                render-yaml                                                                      create
 +   │  ├─ kubernetes:apps:Deployment                                              istio-system/istio-ingressgateway                                                create
 +   ├─ random:index:RandomPassword                                                password                                                                         create
 +   pulumi:pulumi:Stack                                                           jeitto-provision-dev                                                             create
 +   ├─ gcp:container:Cluster                                                      pulumi-dev-provision                                                             create
 +   ├─ gcp:storage:Bucket                                                         pulumi-provision-bucket                                                          create
 +   ├─ pulumi:providers:kubernetes                                                gke_k8s                                                                          create
 +   ├─ kubernetes:core:Namespace                                                  istio-namespace                                                                  create
 +   ├─ kubernetes:yaml:ConfigFile                                                 cert-manager-yaml                                                                create
 +   │  ├─ kubernetes:core:Namespace                                               cert-manager                                                                     create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                certificaterequests.cert-manager.io                                              create
 +   │  ├─ kubernetes:admissionregistration.k8s.io:ValidatingWebhookConfiguration  cert-manager-webhook                                                             create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-cainjector                                                          create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 cert-manager-controller-issuers                                                  create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-controller-issuers                                                  create
 +   │  ├─ kubernetes:admissionregistration.k8s.io:MutatingWebhookConfiguration    cert-manager-webhook                                                             create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 cert-manager-controller-orders                                                   create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-controller-orders                                                   create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-view                                                                create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-controller-challenges                                               create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-controller-clusterissuers                                           create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 cert-manager-controller-clusterissuers                                           create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-controller-certificates                                             create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-controller-ingress-shim                                             create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                orders.acme.cert-manager.io                                                      create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-edit                                                                create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 cert-manager-controller-certificates                                             create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 cert-manager-cainjector                                                          create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 cert-manager-controller-ingress-shim                                             create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 cert-manager-controller-challenges                                               create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                challenges.acme.cert-manager.io                                                  create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                certificates.cert-manager.io                                                     create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                issuers.cert-manager.io                                                          create
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                clusterissuers.cert-manager.io                                                   create
 +   │  ├─ kubernetes:core:ServiceAccount                                          cert-manager/cert-manager                                                        create
 +   │  ├─ kubernetes:core:Service                                                 cert-manager/cert-manager                                                        create
 +   │  ├─ kubernetes:core:ServiceAccount                                          cert-manager/cert-manager-cainjector                                             create
 +   │  ├─ kubernetes:core:Service                                                 cert-manager/cert-manager-webhook                                                create
 +   │  ├─ kubernetes:core:ServiceAccount                                          cert-manager/cert-manager-webhook                                                create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:Role                               kube-system/cert-manager-cainjector:leaderelection                               create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:Role                               kube-system/cert-manager:leaderelection                                          create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:RoleBinding                        kube-system/cert-manager:leaderelection                                          create
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:RoleBinding                        kube-system/cert-manager-cainjector:leaderelection                               create
 +   │  ├─ kubernetes:apps:Deployment                                              cert-manager/cert-manager-webhook                                                create
 +   │  ├─ kubernetes:apps:Deployment                                              cert-manager/cert-manager-cainjector                                             create
 +   │  └─ kubernetes:apps:Deployment                                              cert-manager/cert-manager                                                        create
 +   ├─ kubernetes:yaml:ConfigFile                                                 nginx-yaml                                                                       create
 +   │  ├─ kubernetes:networking.istio.io:VirtualService                           nginx                                                                            create
 +   │  ├─ kubernetes:core:Service                                                 default/nginx-service                                                            create
 +   │  ├─ kubernetes:cert-manager.io:ClusterIssuer                                cert-manager/letsencrypt-stage                                                   create
 +   │  ├─ kubernetes:cert-manager.io:Certificate                                  istio-system/ingress-cert                                                        create
 +   │  ├─ kubernetes:networking.istio.io:Gateway                                  default/nginx-gateway                                                            create
 +   │  ├─ kubernetes:cert-manager.io:ClusterIssuer                                cert-manager/letsencrypt-prod                                                    create
 +   │  └─ kubernetes:apps:Deployment                                              default/nginx-deployment                                                         create
 +   └─ gcp:dns:RecordSet                                                          dns-api                                                                          create

Resources:
    + 149 to create

Do you want to perform this update? yes
Updating (dev):
     Type                                              Name                                                                             Status       Info
 +   pulumi:pulumi:Stack                               jeitto-provision-dev                                                             creating
 +   ├─ kubernetes:yaml:ConfigFile                     istio-yaml                                                                       creating..
 +   ├─ kubernetes:yaml:ConfigFile                     istio-yaml                                                                       creating...
 +   ├─ kubernetes:yaml:ConfigFile                     istio-yaml                                                                       creating
 +   ├─ kubernetes:yaml:ConfigFile                     istio-yaml                                                                       creating.
 +   ├─ kubernetes:yaml:ConfigFile                     istio-yaml                                                                       creating..
 +   │  ├─ kubernetes:core:ConfigMap                   istio-system/istio-grafana-configuration-dashboards-mixer-dashboard              created
 +   ├─ kubernetes:yaml:ConfigFile                     istio-yaml                                                                       creating...
 +   ├─ kubernetes:yaml:ConfigFile                     istio-yaml                                                                       creating
 +   │  ├─ kubernetes:authentication.istio.io:Policy   istio-system/grafana-ports-mtls-disabled                                         creating..   Retry #0; creation failed: no match
 +   │  ├─ kubernetes:core:Service                        istio-system/grafana                                                             creating..
 +   │  ├─ kubernetes:core:ConfigMap                      istio-system/kiali                                                               created
 +   │  ├─ kubernetes:core:Service                                   istio-system/kiali                                                               creating..   [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:core:Service                                   istio-system/kiali                                                               creating     [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:core:ConfigMap                                 istio-system/prometheus                                                          created
 +   │  ├─ kubernetes:core:Service                                   istio-system/prometheus                                                          creating     [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:core:ServiceAccount                            istio-system/prometheus                                                          created
 +   │  ├─ kubernetes:core:Service                                   istio-system/jaeger-query                                                        creating     [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:core:Service                                   istio-system/jaeger-collector                                                    creating     [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:core:Service                                                 istio-system/jaeger-collector-headless                                           creating     [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:core:Service                                                 istio-system/jaeger-agent                                                        creating     [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:core:Service                                                 istio-system/zipkin                                                              creating     [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:core:Service                                                 istio-system/tracing                                                             creating     [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:core:ServiceAccount                                          istio-system/istio-reader-service-account                                        created
 +   │  ├─ kubernetes:core:ServiceAccount                                          istio-system/istio-pilot-service-account                                         created
 +   │  ├─ kubernetes:core:Service                                                 istio-system/tracing                                                             creating..   [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:core:Service                                                 istio-system/istio-egressgateway                                                 creating     [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:policy:PodDisruptionBudget                                   istio-system/istio-ingressgateway                                                created
 +   │  ├─ kubernetes:core:ServiceAccount                                          istio-system/istio-egressgateway-service-account                                 created
 +   │  ├─ kubernetes:core:ServiceAccount                                          istio-system/istio-ingressgateway-service-account                                created
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/istio                                                               created
 +   │  ├─ kubernetes:core:ConfigMap                                               istio-system/istio-sidecar-injector                                              created
 +   │  ├─ kubernetes:policy:PodDisruptionBudget                                   istio-system/istiod                                                              created
 +   │  ├─ kubernetes:core:Service                                                 istio-system/istio-ingressgateway                                                creating     [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:core:Service                                                 istio-system/istiod                                                              creating     [1/3] Finding Pods to direct traffic to
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/stats-filter-1.5                                                    created
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/stats-filter-1.4                                                    created
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/metadata-exchange-1.5                                               created
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/tcp-metadata-exchange-1.5                                           created
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/metadata-exchange-1.4                                               created
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/tcp-stats-filter-1.5                                                created
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/metadata-exchange-1.6                                               created
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/tcp-metadata-exchange-1.6                                           created
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/stats-filter-1.6                                                    created
 +   │  ├─ kubernetes:networking.istio.io:EnvoyFilter                              istio-system/tcp-stats-filter-1.6                                                created
 +   │  ├─ kubernetes:core:Secret                                                  istio-system/kiali                                                               created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                meshpolicies.authentication.istio.io                                             created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                policies.authentication.istio.io                                                 created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                httpapispecs.config.istio.io                                                     created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                httpapispecbindings.config.istio.io                                              created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                quotaspecs.config.istio.io                                                       created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                quotaspecbindings.config.istio.io                                                created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                destinationrules.networking.istio.io                                             created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                envoyfilters.networking.istio.io                                                 created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                gateways.networking.istio.io                                                     created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                serviceentries.networking.istio.io                                               created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                sidecars.networking.istio.io                                                     created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                workloadentries.networking.istio.io                                              created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                virtualservices.networking.istio.io                                              created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                attributemanifests.config.istio.io                                               created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                handlers.config.istio.io                                                         created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                instances.config.istio.io                                                        created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                rules.config.istio.io                                                            created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                clusterrbacconfigs.rbac.istio.io                                                 created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                rbacconfigs.rbac.istio.io                                                        created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                serviceroles.rbac.istio.io                                                       created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                servicerolebindings.rbac.istio.io                                                created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                authorizationpolicies.security.istio.io                                          created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                peerauthentications.security.istio.io                                            created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                requestauthentications.security.istio.io                                         created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                adapters.config.istio.io                                                         created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                templates.config.istio.io                                                        created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                istiooperators.install.istio.io                                                  created
 +   │  ├─ kubernetes:admissionregistration.k8s.io:ValidatingWebhookConfiguration  istiod-istio-system                                                              created
 +   │  ├─ kubernetes:admissionregistration.k8s.io:ValidatingWebhookConfiguration  istio-galley                                                                     created
 +   │  ├─ kubernetes:admissionregistration.k8s.io:MutatingWebhookConfiguration    istio-sidecar-injector                                                           created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        kiali                                                                            created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        kiali-viewer                                                                     created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 kiali                                                                            created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        prometheus-istio-system                                                          created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 prometheus-istio-system                                                          created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        istiod-istio-system                                                              created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        istio-reader-istio-system                                                        created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 istio-reader-istio-system                                                        created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRoleBinding                 istiod-pilot-istio-system                                                        created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:Role                               istio-system/istio-ingressgateway-sds                                            created
 +   │  └─ kubernetes:rbac.authorization.k8s.io:RoleBinding                        istio-system/istio-ingressgateway-sds                                            created
 +   ├─ pulumi:providers:kubernetes                                                render-yaml                                                                      created
 +   ├─ kubernetes:yaml:ConfigFile                                                 cert-manager-yaml                                                                created
 +   │  ├─ kubernetes:core:Namespace                                               cert-manager                                                                     created
 +   │  ├─ kubernetes:core:ServiceAccount                                          cert-manager/cert-manager-cainjector                                             created
 +   │  ├─ kubernetes:core:ServiceAccount                                          cert-manager/cert-manager                                                        created
 +   │  ├─ kubernetes:core:ServiceAccount                                          cert-manager/cert-manager-webhook                                                created
 +   │  ├─ kubernetes:core:Service                                                 cert-manager/cert-manager                                                        **creating failed**     1 error
 +   │  ├─ kubernetes:core:Service                                                 cert-manager/cert-manager-webhook                                                **creating failed**     1 error
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                certificaterequests.cert-manager.io                                              created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                certificates.cert-manager.io                                                     created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                challenges.acme.cert-manager.io                                                  created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                clusterissuers.cert-manager.io                                                   created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                issuers.cert-manager.io                                                          created
 +   │  ├─ kubernetes:apiextensions.k8s.io:CustomResourceDefinition                orders.acme.cert-manager.io                                                      created
 +   │  ├─ kubernetes:admissionregistration.k8s.io:MutatingWebhookConfiguration    cert-manager-webhook                                                             created
 +   │  ├─ kubernetes:admissionregistration.k8s.io:ValidatingWebhookConfiguration  cert-manager-webhook                                                             created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-cainjector                                                          created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-view                                                                created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-controller-ingress-shim                                             created
 +   │  ├─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-controller-issuers                                                  created
 +   │  └─ kubernetes:rbac.authorization.k8s.io:ClusterRole                        cert-manager-controller-certificates                                             created
 +   ├─ gcp:kms:KeyRing                                                            pulumi-provision-keyring                                                         created
 +   ├─ random:index:RandomPassword                                                password                                                                         created
 +   ├─ kubernetes:yaml:ConfigFile                                                 nginx-yaml                                                                       created
 +   │  ├─ kubernetes:networking.istio.io:VirtualService                           nginx                                                                            created
 +   │  ├─ kubernetes:core:Service                                                 default/nginx-service                                                            **creating failed**     1 error
 +   │  ├─ kubernetes:cert-manager.io:ClusterIssuer                                cert-manager/letsencrypt-stage                                                   **creating failed**     1 error
 +   │  ├─ kubernetes:cert-manager.io:ClusterIssuer                                cert-manager/letsencrypt-prod                                                    **creating failed**     1 error
 +   │  ├─ kubernetes:cert-manager.io:Certificate                                  istio-system/ingress-cert                                                        **creating failed**     1 error
 +   │  └─ kubernetes:networking.istio.io:Gateway                                  default/nginx-gateway                                                            created
 +   ├─ gcp:container:Cluster                                                      pulumi-dev-provision                                                             created
 +   ├─ gcp:kms:CryptoKey                                                          pulumi-provision-cryptokey                                                       created
 +   ├─ gcp:storage:Bucket                                                         pulumi-provision-bucket                                                          created
 +   ├─ pulumi:providers:kubernetes                                                gke_k8s                                                                          created
 +   └─ kubernetes:core:Namespace                                                  istio-namespace                                                                  created

Diagnostics:
  kubernetes:core:Service (istio-system/jaeger-agent):
    error: 2 errors occurred:
        * resource istio-system/jaeger-agent was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'jaeger-agent' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:core:Service (istio-system/jaeger-query):
    error: 2 errors occurred:
        * resource istio-system/jaeger-query was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'jaeger-query' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:cert-manager.io:Certificate (istio-system/ingress-cert):
    error: resource istio-system/ingress-cert was not successfully created by the Kubernetes API server : Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: no endpoints available for service "cert-manager-webhook"

  kubernetes:core:Service (istio-system/kiali):
    error: 2 errors occurred:
        * resource istio-system/kiali was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'kiali' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:core:Service (istio-system/grafana):
    error: 2 errors occurred:
        * resource istio-system/grafana was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'grafana' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:cert-manager.io:ClusterIssuer (cert-manager/letsencrypt-stage):
    error: resource cert-manager/letsencrypt-stage was not successfully created by the Kubernetes API server : Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: no endpoints available for service "cert-manager-webhook"

  kubernetes:core:Service (istio-system/istio-egressgateway):
    error: 2 errors occurred:
        * resource istio-system/istio-egressgateway was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'istio-egressgateway' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:core:Service (istio-system/prometheus):
    error: 2 errors occurred:
        * resource istio-system/prometheus was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'prometheus' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  pulumi:pulumi:Stack (jeitto-provision-dev):
    error: update failed

  kubernetes:cert-manager.io:ClusterIssuer (cert-manager/letsencrypt-prod):
    error: resource cert-manager/letsencrypt-prod was not successfully created by the Kubernetes API server : Internal error occurred: failed calling webhook "webhook.cert-manager.io": Post https://cert-manager-webhook.cert-manager.svc:443/mutate?timeout=30s: no endpoints available for service "cert-manager-webhook"

  kubernetes:core:Service (cert-manager/cert-manager):
    error: 2 errors occurred:
        * resource cert-manager/cert-manager was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'cert-manager' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:core:Service (istio-system/jaeger-collector):
    error: 2 errors occurred:
        * resource istio-system/jaeger-collector was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'jaeger-collector' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:core:Service (istio-system/tracing):
    error: 2 errors occurred:
        * resource istio-system/tracing was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'tracing' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:core:Service (istio-system/istio-ingressgateway):
    error: 2 errors occurred:
        * resource istio-system/istio-ingressgateway was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'istio-ingressgateway' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:core:Service (istio-system/jaeger-collector-headless):
    error: 2 errors occurred:
        * resource istio-system/jaeger-collector-headless was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'jaeger-collector-headless' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:core:Service (istio-system/zipkin):
    error: 2 errors occurred:
        * resource istio-system/zipkin was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'zipkin' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:core:Service (cert-manager/cert-manager-webhook):
    error: 2 errors occurred:
        * resource cert-manager/cert-manager-webhook was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'cert-manager-webhook' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:core:Service (istio-system/istiod):
    error: 2 errors occurred:
        * resource istio-system/istiod was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'istiod' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

  kubernetes:core:Service (default/nginx-service):
    error: 2 errors occurred:
        * resource default/nginx-service was successfully created, but the Kubernetes API server reported that it failed to fully initialize or become live: 'nginx-service' timed out waiting to be Ready
        * Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

Resources:
    + 104 created

Duration: 14m21s

Permalink: https://app.pulumi.com/prkstaff/jeitto-provision/dev/updates/101
warning: A new version of Pulumi is available. To upgrade from version '2.0.0' to '2.1.0', run
   $ curl -sSL https://get.pulumi.com | sh
or visit https://pulumi.com/docs/reference/install/ for manual instructions and release notes.

k8s-provision/pulumi on  pulumi [!] via k8s-provision via 🐍 2.7.15 at ☸️  stage took 14m 39s

Affected product version(s)

Pulumi

v2.0.0

Pip freeze

Arpeggio==1.9.2
attrs==19.3.0
certifi==2020.4.5.1
chardet==3.0.4
dill==0.3.1.1
grpcio==1.28.1
idna==2.8
parver==0.3.0
pkg-resources==0.0.0
protobuf==3.11.3
pulumi==2.0.0
pulumi-gcp==3.1.0
pulumi-kubernetes==2.0.0
pulumi-random==2.0.0
requests==2.21.0
semver==2.9.1
six==1.14.0
urllib3==1.24.3

Reproducing the issue

If needed I can send the source code.

@lblackstone
Member

lblackstone commented May 15, 2020

The k8s provider has retries built in, so normally you don't have to do anything special to get it working. For large manifests like this, you may want to split the CRDs out into a separate YAML file to make sure they're ready before creating the other resources.

Here's an example for Istio that does this:

import * as k8s from "@pulumi/kubernetes";

// appName, namespace, adminBinding and k8sProvider are defined elsewhere in the program.
export const istio_init = new k8s.helm.v2.Chart(
    `${appName}-init`,
    {
        path: "charts/istio-init",
        // Note: had to use a hardcoded namespace name to avoid error: https://github.com/pulumi/pulumi-kubernetes/issues/814
        // namespace: namespace.metadata.name,
        namespace: "istio-system",
        values: { kiali: { enabled: true } }
    },
    { dependsOn: [namespace, adminBinding], providers: { kubernetes: k8sProvider } }
);
export const crd10 = istio_init.getResource("batch/v1/Job", "istio-system", "istio-init-crd-10");
export const crd11 = istio_init.getResource("batch/v1/Job", "istio-system", "istio-init-crd-11");
export const crd12 = istio_init.getResource("batch/v1/Job", "istio-system", "istio-init-crd-12");
export const istio = new k8s.helm.v2.Chart(
    appName,
    {
        path: "charts/istio",
        // Note: had to use a hardcoded namespace name to avoid error: https://github.com/pulumi/pulumi-kubernetes/issues/814
        // namespace: namespace.metadata.name,
        namespace: "istio-system",
        values: { kiali: { enabled: true } }
    },
    { dependsOn: [adminBinding, crd10, crd11, crd12], providers: { kubernetes: k8sProvider } }
);

Note that #861 makes this a bit more complicated.
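
One way to prepare the split suggested in the comment above, as an added example (not code from the issue or from Pulumi): a standard-library Python script that sorts the documents of a multi-document manifest into three ordered phases, so that custom resources such as ClusterIssuer land after their CRDs and after the workloads behind the admission webhook. The sample manifest, its apiVersion values, and the names `plan_phases` and `known_crd_groups` are constructed for illustration.

```python
import re

CRD_KIND = "CustomResourceDefinition"

# Constructed sample (not from the issue): cut-down stand-ins for the
# cert-manager objects named in the log, deliberately listed out of order.
SAMPLE_MANIFEST = """\
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-stage
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  labels:
    name: not-the-resource-name
  name: clusterissuers.cert-manager.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cert-manager-webhook
---
apiVersion: admissionregistration.k8s.io/v1beta1
kind: MutatingWebhookConfiguration
metadata:
  name: cert-manager-webhook
"""


def split_documents(manifest):
    """Split on '---' separator lines; drop empty and comment-only documents."""
    docs = re.split(r"(?m)^---[ \t]*(?:#.*)?$", manifest)
    return [d.strip("\n") for d in docs
            if any(l.strip() and not l.lstrip().startswith("#") for l in d.splitlines())]


def top_level(doc, key):
    """Value of a scalar key at column 0 (nested keys are indented, so ignored)."""
    m = re.search(rf"(?m)^{key}:[ \t]*([^\s#]+)", doc)
    return m.group(1).strip("'\"") if m else None


def metadata_name(doc):
    """metadata.name: the `name:` key at the first child indent under `metadata:`."""
    lines = doc.splitlines()
    for i, line in enumerate(lines):
        if not re.match(r"metadata:\s*$", line):
            continue
        indent = None
        for child in lines[i + 1:]:
            body = child.lstrip()
            if not body or body.startswith("#"):
                continue
            cur = len(child) - len(body)
            if cur == 0:
                break  # left the metadata block
            indent = cur if indent is None else indent
            m = re.match(r"name:[ \t]*([^\s#]+)", body)
            if cur == indent and m:
                return m.group(1).strip("'\"")
    return None


def api_group(api_version):
    """'cert-manager.io/v1alpha2' -> 'cert-manager.io'; core 'v1' -> ''."""
    return api_version.rsplit("/", 1)[0] if "/" in api_version else ""


def plan_phases(manifest, known_crd_groups=()):
    """Return {'prereqs': [...], 'core': [...], 'custom': [...]} of (kind, name, doc)."""
    docs = split_documents(manifest)
    # A CRD's metadata.name must be '<plural>.<group>', so the group it serves
    # can be read from the name. known_crd_groups covers CRDs kept in other files.
    crd_groups = set(known_crd_groups)
    for d in docs:
        name = metadata_name(d) or ""
        if top_level(d, "kind") == CRD_KIND and "." in name:
            crd_groups.add(name.split(".", 1)[1])
    phases = {"prereqs": [], "core": [], "custom": []}
    for d in docs:
        kind, api = top_level(d, "kind"), top_level(d, "apiVersion")
        if not kind or not api:
            raise ValueError("document has no top-level kind/apiVersion")
        if kind in (CRD_KIND, "Namespace"):
            phase = "prereqs"
        elif api_group(api) in crd_groups:
            phase = "custom"
        else:
            phase = "core"
        phases[phase].append((kind, metadata_name(d), d))
    return phases


if __name__ == "__main__":
    for phase, items in plan_phases(SAMPLE_MANIFEST).items():
        print(phase, [f"{kind}/{name}" for kind, name, _ in items])
```

Writing each phase to its own file gives three manifests that can be created in order: CRDs and namespaces first, built-in resources next, custom resources last.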

@prkstaff
Author

Thank you, I will try it.

@marioapardo

In our case we create a full EKS cluster and multiple objects are installed. We recommend using ComponentResource to correctly use depends_on. I solved the dependency problem in Python for Istio as follows:

import pulumi_kubernetes as k8s
from pulumi import Output, ResourceOptions

istio_init = k8s.helm.v3.Chart(release_name=args.chart_name_init,
                               config=k8s.helm.v3.ChartOpts(
                                   chart=args.chart_name_init,
                                   version=args.chart_version,
                                   namespace=layer_ns.metadata["name"],
                                   fetch_opts=k8s.helm.v3.FetchOpts(
                                       repo=args.chart_url
                                   ),
                               ),
                               opts=ResourceOptions(
                                   parent=layer_ns,
                                   depends_on=[layer_ns],
                               )
                               )

values_istio = data.values_render(
    data={
        "vars": {
            "environment": args.environment,
            "domain_name": r53_zone.name,
            "istio_record_ttl": "60",
            "grafana_enabled": "false",
            "kiali_enabled": "false",
            "tracing_enabled": "true",
            "sds_enabled": "true"
        }}
)

job_all_name = f"istio-init-crd-all-{args.chart_version}"
job_mixer_name = f"istio-init-crd-mixer-{args.chart_version}"

job_all_status = istio_init.get_resource(group_version_kind="batch/v1/Job",
                                         name=job_all_name,
                                         namespace=args.istio_namespace,
                                         )

job_mixer_status = istio_init.get_resource(group_version_kind="batch/v1/Job",
                                           name=job_mixer_name,
                                           namespace=args.istio_namespace,
                                           )


def deploy_istio(x):
    return k8s.helm.v3.Chart(
        release_name=args.chart_name,
        config=k8s.helm.v3.ChartOpts(
            chart=args.chart_name,
            version=args.chart_version,
            namespace=layer_ns.metadata["name"],
            values=values_istio,
            fetch_opts=k8s.helm.v3.FetchOpts(
                repo=args.chart_url
            )
        ),
        opts=ResourceOptions(
            parent=layer_ns,
            depends_on=[
                x[0],
                x[1],
            ],
        )
    )


istio = Output.all(job_all_status, job_mixer_status).apply(lambda x: deploy_istio(x))

It was detected that when you have several services at the same time, the implementation is not generated; you must deactivate kiali and grafana for the installation to be successful.

Apparently there is a problem with concurrency and wait state on resources deployed in Kubernetes.

@lblackstone lblackstone changed the title Pulumi Kubernetes Resources Creation Failing Resource timeout for YAML manifests with many resources Jul 13, 2023
@lblackstone lblackstone removed their assignment Jul 13, 2023
@lblackstone lblackstone added impact/reliability Something that feels unreliable or flaky kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed labels Jul 13, 2023
@lblackstone lblackstone removed the resolution/fixed This issue was fixed label Jul 13, 2023