Support dependsOn for YAML ConfigFile/ConfigGroup

[lblackstone]

Hello!

• Vote on this issue by adding a 👍 reaction
• If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

The same underlying problem from #861 also affects our YAML support. Longer term, we intend to fix the ComponentResource dependencies, but for now, we may want to add a Ready parameter like we did for the Helm.Chart resource.

See also: #1773

Affected area/feature

[EronWright]

This issue is fixed with the new "v2" implementations. It is now possible to directly depend on a ConfigFile or ConfigGroup resource, and the dependent will wait for the objects to be created before proceeding. Enjoy!
https://www.pulumi.com/blog/kubernetes-yaml-v2/

[Haknt]

I am encountering a TypeError when attempting to specify multiple dependencies in my Pulumi Python script. The issue arises when I add both a Helm chart and a service account as dependencies to a ConfigFile. Below is the code snippet and the corresponding errors:

from pulumi_kubernetes.yaml.v2 import ConfigFile
from pulumi_kubernetes.helm.v3 import Chart, ChartOpts, FetchOpts

external_secrets_chart = Chart(
    "external-secrets",
    ChartOpts(
        chart="external-secrets",
        version="0.9.17",
        namespace=eso_namespace.metadata.apply(lambda meta: meta.name),
        values={
            "installCRDs": True,
            "webhook": {"port": 9443},
        },
        fetch_opts=FetchOpts(
            repo="https://charts.external-secrets.io"
        )
    ),
    opts=pulumi.ResourceOptions(provider=k8s_provider)
)

service_account = ServiceAccount('sa',
                                 metadata={
                                     'name': 'sa',
                                     'namespace': another_namespace.metadata.apply(lambda meta: meta.name),
                                     'annotations': {
                                         'eks.amazonaws.com/role-arn': role.arn
                                     }
                                 },
                                 opts=pulumi.ResourceOptions(provider=k8s_provider))

# ConfigFile for the AWS secret store with multiple dependencies
secret_store = ConfigFile('aws-secret-store',
                          file='secret-store.yaml',
                          opts=pulumi.ResourceOptions(provider=k8s_provider,
                                                      depends_on=[external_secrets_chart.ready, service_account])
                          )

external_secrets = ConfigFile('external-secrets',
                              file='external-secrets.yaml',
                              opts=pulumi.ResourceOptions(provider=k8s_provider, depends_on=[secret_store]))

Error:

 error: Program failed with an unhandled exception:
    Traceback (most recent call last):
      File "/opt/homebrew/bin/pulumi-language-python-exec", line 191, in <module>
        loop.run_until_complete(coro)
      File "/opt/homebrew/Cellar/python@3.11/3.11.4/Frameworks/Python.framework/Versions/3.11/lib/python3.11/asyncio/base_events.py", line 653, in run_until_complete
        return future.result()
               ^^^^^^^^^^^^^^^
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/stack.py", line 138, in run_in_stack
        await run_pulumi_func(run)
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/stack.py", line 52, in run_pulumi_func
        await wait_for_rpcs()
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/stack.py", line 85, in wait_for_rpcs
        raise exn from cause
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/rpc_manager.py", line 71, in rpc_wrapper
        result = await rpc
                 ^^^^^^^^^
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/resource.py", line 909, in do_register
        resolver = await prepare_resource(res, ty, custom, remote, props, opts, typ)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/resource.py", line 181, in prepare_resource
        explicit_urn_dependencies = await _resolve_depends_on_urns(
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/resource.py", line 1207, in _resolve_depends_on_urns
        all_deps.add(direct_dep)
    TypeError: unhashable type: 'list'

Additional Tests and Errors

1. Single Dependency (No Error, But Does Not Ensure Full Readiness of the Chart):

secret_store = ConfigFile('aws-secret-store',
                          file='secret-store.yaml',
                          opts=pulumi.ResourceOptions(provider=k8s_provider,
                                                      depends_on=external_secrets_chart.ready)
                          )

2. With depends_on adjusted to include direct resource references (Fails):

secret_store = ConfigFile('aws-secret-store',
                          file='eks/external_secrets/secret-store.yaml',
                          opts=pulumi.ResourceOptions(provider=k8s_provider,
                                                      depends_on=[external_secrets_chart, service_account])
                          )

Error:

  File "/opt/homebrew/Cellar/python@3.11/3.11.4/Frameworks/Python.framework/Versions/3.11/lib/python3.11/concurrent/futures/thread.py", line 58, in run
        result = self.fn(*self.args, **self.kwargs)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/resource.py", line 1011, in do_rpc_call
        handle_grpc_error(exn)
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/settings.py", line 307, in handle_grpc_error
        raise grpc_error_to_exception(exn)
    Exception: marshaling properties: awaiting input property "resources": failed to determine if the following GVK is namespaced: external-secrets.io/v1beta1, Kind=SecretStore

3. Using resources attribute (Fails):

secret_store = ConfigFile('aws-secret-store',
                          file='eks/external_secrets/secret-store.yaml',
                          opts=pulumi.ResourceOptions(provider=k8s_provider,
                                                      depends_on=[external_secrets_chart.resources, service_account])
                          )

Error:

     File "*/venv/lib/python3.11/site-packages/pulumi/runtime/rpc_manager.py", line 71, in rpc_wrapper
        result = await rpc
                 ^^^^^^^^^
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/resource.py", line 909, in do_register
        resolver = await prepare_resource(res, ty, custom, remote, props, opts, typ)
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/resource.py", line 181, in prepare_resource
        explicit_urn_dependencies = await _resolve_depends_on_urns(
                                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "*/venv/lib/python3.11/site-packages/pulumi/runtime/resource.py", line 1207, in _resolve_depends_on_urns
        all_deps.add(direct_dep)
    TypeError: unhashable type: 'dict'

I need to ensure that the script waits for both the Helm chart and the service account. Could someone assist in resolving this issue?

[ringods]

@Haknt can you please create a new Github issue for your problem?

[EronWright]

@Haknt please try the "v4" version of Chart in combination with technique (2), to wait for the chart to be completely installed before trying to apply the external secrets. The failure seen in (2) was due to a race between registering the CRD and creating resources based on it.