Convert the k8s API resources to deploy the operator into Go:

• service account
• role
• role binding
• operator

Base off of YAML example: https://github.com/pulumi/pulumi-kubernetes-operator/tree/master/deploy/yaml

Related #42

Catch-all issue to track the refactor of the StackController and reconciliation loop to work with the API defined in #4, and implement the interface design in #5.

Generate the updated CRD, CR and Operator YAML manifests once they are in their final shape.

The initial implementation of Python support in #77 did not enable support for Python projects that do not have a virtualenv configuration, as installing requirements for these projects would require global changes, which are not safe in the operator until reconciliation is performed in separate Jobs. Once we support stack update isolation, we can bring back support for non-virtualenv Python projects.

Problem description

Support adding Stack events to k8s event system, such that kubectl describe will show a populated Events field, along with kubectl get events to return events in the namespace.

$ kubectl describe stack my-stack-xq5sis2q
Name:         my-stack-xq5sis2q
Namespace:    default
Labels:       app.kubernetes.io/managed-by=pulumi
Annotations:  pulumi.com/autonamed: true
API Version:  pulumi.com/v1alpha1
Kind:         Stack
Metadata:
  Creation Timestamp:  2020-08-10T22:06:18Z
  Finalizers:
    finalizer.stack.pulumi.com
  Generation:        1
  Resource Version:  14697165
  Self Link:         /apis/pulumi.com/v1alpha1/namespaces/default/stacks/my-stack-xq5sis2q
  UID:               9b1ee8f2-d0b9-4b79-9bfb-ee118084302d
Spec:
  Access Token Secret:  accesstoken-1fwvxnra
  Commit:               bd1edfac28577d62068b7ace0586df595bda33be
  Config:
    aws:region:         us-west-2
  Destroy On Finalize:  true
  Env Secrets:
    aws-creds-0fipbnea
  Init On Create:  true
  Project Repo:    https://github.com/metral/test-s3-op-project
  Stack:           metral/s3-op-project/dev
Status:
  Last Update:
    Permalink:  https://app.pulumi.com/metral/s3-op-project/dev/updates/1
    State:      bd1edfac28577d62068b7ace0586df595bda33be
  Outputs:
    Bucket Names:
      my-bucket-0-4d9ee8e
      my-bucket-1-3946b0d
Events:  <none>

Pulumi support storing the state in a backend similar to Terraform - AWS S3, GCS etc
The suggestion is to add support for this - allow to set in the secret, instead of access token, the relevant backend:

stringData:
  account: "gs://pulumi-state"

Looking at the code, this is relatively simple to add - unless there is a reason it is not there from the beginning :)
This could also support on-prem deployments of pulumi - by setting the account key to the relevant server URL.

Problem description

v0.0.6 was just cut, but it introduced an error w.r.t. GitAuth and SSH sockets in a container image.

As a result, we've reverted v0.0.6 for now from the commits and docs until this issue is fixed.

Errors & Logs

SSH agent requested but SSH_AUTH_SOCK not-specified

Affected product version(s)

Reproducing the issue

Run the operator using v0.0.6 and deploy a stack that uses git authentication e.g. https://github.com/pulumi/pulumi-kubernetes-operator/blob/master/stack-examples/yaml/s3_bucket_stack_access_token.yaml

Suggestions for a fix

Installing openssh-server in the Dockefile didn't work but it appears that it is related to this.

Showcase the operator and Stack CR by creating a demo related to CI/CD scenarios, such as a Blue/Green deployment.

Convert the k8s API resources to deploy the operator into Python:

• service account
• role
• role binding
• operator

Base off of YAML example: https://github.com/pulumi/pulumi-kubernetes-operator/tree/master/deploy/yaml

Related #42

In the scenarios that stacks can be stuck in a failure, resources in flight could be in a pending or failed state.
We should provide the information listed in the pending_operations.

• Log the resources orphaned in the update
• Reflect the log of orphaned resources in CR spec.status field

The current implementation aims to have support for publishing Outputs, and @joeduffy's video showed them working, but when I run the operator, I do not see any outputs getting published into the CR.

Problem description

Given that updates are run through automation API per #86, complete, detailed stack logs won't flow. A solution here is to wire up ProgressStreams from pulumi/pulumi#5367 for up/refresh/destroy/preview with the io.Writer from the logging interface.

See #86 (review)

cc @EvanBoyle

The operator-sdk supports MaxConcurrentReconcilations, which is the number of workers a given operator can spawn to handle reconciliation loops. By default this is set to 1, but we set it to 10 (an arbitrary value greater than the default).

While this handles concurrency within a single operator to work with the APIserver, it does not handle concurrency across multiple instances/replicas of an operator. This means competing operators will fight to process the same Stack CRs, and causes concurrency issues that ultimately lead to extraneous reconciliation loops, and indeterministic stack update sequences.

The operator will need to be configured with leader election to settle contention between multiple Operator instances by using an active-passive setup.

Related: operator-framework/operator-sdk#3585

Replace build/build.sh with a makefile.

Enhance the current Stack CRD type beyond what currently exists, to reflect a user experience that aims to cover most use cases we expect of initial users.

• Use private git repos for the Pulumi project source (opt-in)
• Use git repo commit or branch
• Change project directories (opt-in) if Pulumi.yaml is not in top-level project repo root
• Create new stack, with optional secrets provider (opt-in)
• Refresh stack (opt-in)
• Expect refresh changes (opt-in)
• Use config secrets (opt-in)

Issue

Kubernetes uses optimistic concurrency, which can lead to invalid operations if an object becomes stale. This a feature in k8s, not a bug.

Working with GETs and UPDATES for CustomResources like the Stack means that we will occasionally hit stale data during operations. Here are some examples w.r.t the finalizer being added and executed, and hitting outdated objects. When this happens, we requeue the request iff the step is required for the run -- setting a finalizer is one of these steps.

2020-07-22T18:38:00.022Z        INFO    controller_stack        Adding Finalizer for the Stack  {"Request.Namespace": "default", "Request.Name": "stack-test-aws-s3-commit-change-mmit4b", "Stack.Name": "stack-test-aws-s3-commit-change-mmit4b"}
2020-07-22T18:38:00.846Z        ERROR   controller-runtime.controller   Reconciler error        {"controller": "stack-controller", "request": "default/stack-test-aws-s3-commit-change-mmit4b", 
"error": "Operation cannot be fulfilled on stacks.pulumi.com \"stack-test-aws-s3-commit-change-mmit4b\": the object has been modified; please apply your changes to the latest version and try again"}

Failed to add Pulumi finalizer  {"Request.Namespace": "default", "Request.Name": "stack-test-aws-s3-6itteb", "Stack.Name": "metral/s3-op-project/dev-zvei3i",
error": "Operation cannot be fulfilled on stacks.pulumi.com \"stack-test-aws-s3-6itteb\": the object has been modified; please apply your changes to the latest version and try again”}

2020-07-22T18:39:44.171Z        ERROR   controller_stack        Failed to run Pulumi finalizer  {"Request.Namespace": "default", "Request.Name": "stack-test-aws-s3-commit-change-mmit4b", "Stack.Name": "metral/s3-op-project/dev-commit-change-autkr6", "error": "destroying resources for stack 'metral/s3-op-project/dev-commit-change-autkr6': exit status 255", "error

We can also see how requeued requests may fail if another loop got further along, e.g. update conflicts or destroy conflicts. We mitigate update conflicts by default by not using the RetryOnUpdateConflict option in the StackSpec, which dismisses conflicted update loops. Destroys (running the finalizer) are left as-is as these repeating themselves is not harmful if the intent to destroy was registered.

2020-07-22T22:12:38.273Z        INFO    controller_stack        Conflict with another concurrent update -- NOT retrying {"Request.Namespace": "default", "Request.Name": "stack-test-aws-s3-g37qr3", "Stack.Name": "metral/s3-op-project/dev-la4p4f", 
"Err:": "exit status 255"}

Extensive testing, use of retries on APIserver conflicts, and hardening of the reconcile loop has turned these extra loop errors mostly into warnings, and in most cases can be ignored.

Suggestions for a fix

• Identify and elide extra AddFinalizer invocation. We only invoke if not set, but some unidentified event is leading to 2 finalizer registration attempts per test. Favorably, only one loop ever succeeds.
• Permutations of predicates have not proved effective beyond the resourceGeneration, which ignores events for an Update if the generation number of the API object does not change -- no generation changes is only true for updates to spec.status and metadata changes. Disabling predicates can create extra reconcile loops and an inconsistent stack update activity, so turning them off is not a path forward, however, identifying if there is anything else that can be done here to lower the total number of reconciliation loops would be beneficial.

Currently we create tempdirs for each project stack source repo when fetching it.

We need to implement the cleanup of these tempdirs.

Problem description

Currently we assume the CRDs are installed and don't call it out in https://github.com/pulumi/pulumi-kubernetes-operator#deploy-the-operator. We should add a section to install the CRDs (and potentially provide pulumi snippets for them).

Currently nodejs is the only runtime supported when setting up a Stack's dependencies in the operator. This means Pulumi programs written in other runtimes are not yet runnable.

Add support for other runtimes:

• Python
• .NET
• Go

We added support for Python, .NET and Go programs in #77. We should add test coverage for all languages as well as a follow-up.

Currently, a Stack's desired state is based on the git checkout and deployment of a given Pulumi program commit.

The StackSpec supports a Branch field, but it is currently not used if set.

To continue with the desired state model using a commit SHA, we should resolve a branch if supplied to its current commit.

Fill in .NET / Csharp specific example code for authoring a Stack CustomResource.

See TODOs in docs/create-stacks-using-pulumi-dotnet.md

Base it off code from TS example: https://github.com/pulumi/pulumi-kubernetes-operator/blob/master/docs/create-stacks-using-pulumi-ts.md#nginx-deployment

Related - #42

Design an Interface for the StackController operations needed to reflect a typical use case for most users, that can be pluggable for alternative implementations.

• Fetch project source
• Set relative working dir in source repo
• Log into the Pulumi service
• Install Node, Python, Go, .NET dependencies
• Stack init and --secrets-provider configuration (both opt-in)
• Stack config (will need to be updated for Stack CRD API and StackController Interface)
• Stack config --secret (opt-in)
• Stack refresh (opt-in)
• Stack update (will need to be updated for Stack CRD API and StackController Interface)
• Get all Stack output (will need to be updated for Stack CRD API and StackController Interface)
• Stack destroy (opt-in)
• Stack remove (opt-in)
• Update stack status

Problem description

Cut v0.0.7 release

The operator-sdk is moving away from subcommands like operator-sdk test, operator-sdk run operator-sdk generate to kubebuilder per changelog-a and changelog-b.

Tests should follow operator-sdk recommendations of moving to kube-builder style projects and testing, which is a WIP in redefining:

• Kubebuilder - writing tests
  • Example Azure databricks operator test suite
  • Uses envtest for working with existing clusters, or spinning up local control plane, and Ginkgo - a Go BDD test framework.

In order to use a branch as a desired state for a Git repo, we'll want to add the ability to poll branches to receive updates through webhooks.

This approach is used to not have stale branches after an update, and for the operator to continuously drive towards the commit state of the tracked branch.

The operator seems to currently only support public repos. Is there a way to pass a token in the Stack resource so that private repos can be used?

The operator is occasionally hitting this error where the stack outputs cannot be unmarshaled to the map in GetStackOutputs(). It happens rarely, but does seem to be tied to how we're working with stdout and stack export --json.

Error: "error":"unmarshaling stack outputs (to map): unexpected end of JSON input"

Full logs.

Log Line:

{
   "level":"error",
   "ts":1594371934.4927378,
   "logger":"controller_stack",
   "msg":"Failed to get Stack outputs",
   "Request.Namespace":"default",
   "Request.Name":"s3-bucket-stack-01",
   "Stack.Name":"metral/s3-op-project/dev-123",
   "error":"unmarshaling stack outputs (to map): unexpected end of JSON input",
   "errorVerbose":"unexpected end of JSON input\nunmarshaling stack outputs (to map)\ngithub.com/pulumi/pulumi-kubernetes-operator/pkg/controller/stack.(*reconcileStackSession).GetStackOutputs\n\tpulumi-kubernetes-operator/pkg/controller/stack/stack_controller.go:634\ngithub.com/pulumi/pulumi-kubernetes-operator/pkg/controller/stack.(*ReconcileStack).Reconcile\n\tpulumi-kubernetes-operator/pkg/controller/stack/stack_controller.go:233\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/metral/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/metral/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/home/metral/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/home/metral/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/home/metral/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/home/metral/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/home/metral/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90\nruntime.goexit\n\t/home/metral/.gvm/gos/go1.14.2/src/runtime/asm_amd64.s:1373",
   "stacktrace":"github.com/go-logr/zapr.(*zapLogger).Error\n\t/home/metral/go/pkg/mod/github.com/go-logr/[email protected]/zapr.go:128\ngithub.com/pulumi/pulumi-kubernetes-operator/pkg/controller/stack.(*ReconcileStack).Reconcile\n\tpulumi-kubernetes-operator/pkg/controller/stack/stack_controller.go:235\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/metral/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:256\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/metral/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:232\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).worker\n\t/home/metral/go/pkg/mod/sigs.k8s.io/[email protected]/pkg/internal/controller/controller.go:211\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil.func1\n\t/home/metral/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:155\nk8s.io/apimachinery/pkg/util/wait.BackoffUntil\n\t/home/metral/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:156\nk8s.io/apimachinery/pkg/util/wait.JitterUntil\n\t/home/metral/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:133\nk8s.io/apimachinery/pkg/util/wait.Until\n\t/home/metral/go/pkg/mod/k8s.io/[email protected]/pkg/util/wait/wait.go:90"
}

Convert the k8s API resources to deploy the operator into .NET / Csharp:

• service account
• role
• role binding
• operator

Base off of YAML example: https://github.com/pulumi/pulumi-kubernetes-operator/tree/master/deploy/yaml

Related #42

Fill in Python specific example code for authoring a Stack CustomResource.

See TODOs in docs/create-stacks-using-pulumi-python.md

Base it off code from TS example: https://github.com/pulumi/pulumi-kubernetes-operator/blob/master/docs/create-stacks-using-pulumi-ts.md#nginx-deployment

Related - #42

Fill in Go specific example code for authoring a Stack CustomResource.

See TODOs in docs/create-stacks-using-pulumi-go.md

Base it off code from TS example: https://github.com/pulumi/pulumi-kubernetes-operator/blob/master/docs/create-stacks-using-pulumi-ts.md#nginx-deployment

Related - #42

• Test pending_operations scenario
• Export stack state in the event a pending_operations scenario occurs
• Create any supporting documentation needed to debug this scenario.
• Log potentially leaked resources in the update
• Reflect the log of potentially leaked resources in CR spec.status field

Convert the k8s API resources to deploy the operator into Typescript:

• service account
• role
• role binding
• operator

Base off of YAML example: https://github.com/pulumi/pulumi-kubernetes-operator/tree/master/deploy/yaml

Related #42

Problem description

Currently, the reconciliation loop is shared in-process on the operator.

Ideally, a separate Job/Pod would be used instead per loop to avoid shared context issues across loops and runtimes.
See the design doc.

Problem description

Prep for v0.0.6

Problem description

Cut new v0.0.3 release to include pulumi CLI v2.8.2

The using pulumi section of the README for the operator deployment is using an incorrect apigroup: rbac.

Needs to be rbac.authorization.k8s.io

We need to auth against the DockerHub registry to be able to push built images.

Problem description

Refactor the logic in the controller to use Automation API for stack operations.

Generally refactor:

• Project setup & Create stack
• Update stack
• Refresh stack
• Destroy stack

Stack outputs are currently fetched from a stack using pulumi stack output --json, which returns a JSON blob.
StackOutputs implements outputs, and this object is set to be stored in the stack's spec.status, but after a run, the result is never set and remains empty: spec.status.outputs = {}.

We represent the JSON blob using json.RawMessage and implement simple marshaling & unmarshaling on the Outputs per the recommendation in kubernetes-sigs/controller-tools#155. The outputs data is visible when using printing debugging, but they are not getting stored in the CR spec.

Current implementation:

kubernetes-sigs/controller-tools#155 and kubernetes-sigs/controller-tools#126 (comment) recommends the use of json.RawMessage these days to represent JSON/YAML blobs in the CR spec, and we use this approach.

However, as kubernetes-sigs/controller-tools#126 (comment) points out using a json.RawMessage does not work because when the API is codegen'd using operator-sdk generate crds, the rendered OpenAPI spec for the StackOutputs is given type: string and format: byte, so the input JSON object would need to be serialized in the spec (not ideal). We see the same rendering type and format used in our codegen types, but this approach still does not resolve the issue of the outputs not being set in spec.status.outputs.

The API shape and marshaling of StackOutputs combined with the operator-sdk API codegen seem to be at the core of the issue for why the outputs are not being set.

Consider thinking through if pulumi preview is useful and needed in an operator, and how it would work.

e.g. Do we store preview links in CR statuses, or hook up GitHub PR webhooks to provide the Pulumi GitHub app preview-in-a-PR capability, or is this not needed at all for an operator?

Currently to use a Git AccessToken to pull private repos or to not be rate-limited is configurable via ProjectRepoAccessTokenSecret. However, this is a raw field that should be stored in a k8s Secret like done for the Pulumi API token and any other cloud provider credentials.

Should store the AccessToken in a newly created k8s Secret e.g. how the pulumi API access token is done: