Add option to treat Secrets as mutable #2291
Assignees
Labels
Comments
blampe
added a commit
that referenced
this issue
Aug 21, 2024
This introduces the flag `enableSecretMutable` which does for `Secret`s what the existing `enableConfigMapMutable` flag does for `ConfigMap`s. See #1926 for the motivation for this flag. Changes to the `type` field will still trigger a replacement as this field is immutable. Fixes #2291. Fixes #3181. --------- Co-authored-by: Bryce Lampe <bryce@pulumi.com>
blampe
added a commit
that referenced
this issue
Sep 3, 2024
- The new `enableSecretMutable` provider configuration option treats changes to `Secrets` as updates instead of replacements (similar to the `enableConfigMapMutable` option). The default replacement behavior can be preserved for a particular `Secret` by setting its `immutable` field to `true`. (#2291) **Note:** These options (`enableSecretMutable` and `enableConfigMapMutable`) may become the default behavior in a future v5 release of the provider. Programs that depend on the replacement of `Secrets` and `ConfigMaps` (e.g. to trigger updates for downstream dependencies like `Deployments`) are recommended to explicitly specify `immutable: true`. - A warning is now emitted if an object has finalizers which might be blocking deletion. (#1418) - **EXPERIMENTAL**: Generic await logic is now available as an opt-in feature. Running a program with `PULUMI_K8S_AWAIT_ALL=true` will now cause Pulumi to await readiness for _all_ resources, including custom resources. Generic readiness is determined according to some well-known conventions (like the "Ready" condition) as determined by [cli-utils](https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus). Pulumi's current behavior, without this feature enabled, is to assume some resources are immediately available, which can cause downstream resources to fail. Existing readiness logic is unaffected by this setting. (#2996) - **EXPERIMENTAL**: The `pulumi.com/waitFor` annotation was introduced to allow for custom readiness checks. This override Pulumi's own await logic for the resource (however the `pulumi.com/skipAwait` annotation still takes precedence). The value of this annotation can take 3 forms: 1. A string prefixed with `jsonpath=` followed by a [JSONPath](https://kubernetes.io/docs/reference/kubectl/jsonpath/) expression and an optional value. The JSONPath expression accepts the same syntax as `kubectl get -o jsonpath={...}`. If a value is provided, the resource is considered ready when the JSONPath expression evaluates to the same value. For example this resource expects its "phase" field to have a value of "Running": `pulumi.com/waitFor: "jsonpath={.status.phase}=Running"` If a value is not provided, the resource will be considered ready when any value exists at the given path, similar to `kubectl wait --for jsonpath=...`. This resource will wait until it has a webhook configured with a CA bundle: `pulumi.com/waitFor: "jsonpath={.webhooks[*].clientConfig.caBundle}"` 2. A string prefixed with `condition=` followed by the type of the condition and an optional status. This matches the behavior of `kubectl wait --for=condition=...` and will wait until the resource has a matching condition. The expected status defaults to "True" if not specified. `pulumi.com/waitFor: "condition=Synced"` `pulumi.com/waitFor: "condition=Reconciling=False"` 3. A string containing a JSON array of multiple `jsonpath=` and `condition=` expressions. `pulumi.com/waitFor: '["jsonpath={.foo}", "condition=Bar"]'` - Pulumi will now emit logs for any Kubernetes "Warning" Events associated with resources being created, updated or deleted. (https://github.com/pulumi/pulumi-kubernetes/pull/3135/files) - The `immutable` field is now respected for `ConfigMaps` when the provider is configured with `enableConfigMapMutable`. (#3181) - Fixed a panic that could occur during deletion. (#3157)
blampe
added a commit
that referenced
this issue
Sep 3, 2024
>[!IMPORTANT] > The `enableSecretMutable` and `enableConfigMapMutable` options may become the default behavior in a future v5 release of the provider. Programs that depend on the replacement of `Secrets` and `ConfigMaps` (e.g. to trigger updates for downstream dependencies like `Deployments`) are recommended to explicitly specify `immutable: true`. ### Added - The new `enableSecretMutable` provider configuration option treats changes to `Secrets` as updates instead of replacements (similar to the `enableConfigMapMutable` option). The default replacement behavior can be preserved for a particular `Secret` by setting its `immutable` field to `true`. (#2291) - A warning is now emitted if an object has finalizers which might be blocking deletion. (#1418) - **EXPERIMENTAL**: Generic await logic is now available as an opt-in feature. Running a program with `PULUMI_K8S_AWAIT_ALL=true` will now cause Pulumi to await readiness for _all_ resources, including custom resources. Generic readiness is determined according to some well-known conventions (like the "Ready" condition) as determined by [cli-utils](https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus). Pulumi's current behavior without this feature enabled is to assume some resources are immediately available, which can cause downstream resources to fail. Existing readiness logic is unaffected by this setting. (#2996) - **EXPERIMENTAL**: The `pulumi.com/waitFor` annotation was introduced to allow for custom readiness checks. This override Pulumi's own await logic for the resource (however the `pulumi.com/skipAwait` annotation still takes precedence). The value of this annotation can take 3 forms: 1. A string prefixed with `jsonpath=` followed by a [JSONPath](https://kubernetes.io/docs/reference/kubectl/jsonpath/) expression and an optional value. The JSONPath expression accepts the same syntax as `kubectl get -o jsonpath={...}`. If a value is provided, the resource is considered ready when the JSONPath expression evaluates to the same value. For example this resource expects its "phase" field to have a value of "Running": `pulumi.com/waitFor: "jsonpath={.status.phase}=Running"` If a value is not provided, the resource will be considered ready when any value exists at the given path, similar to `kubectl wait --for jsonpath=...`. This resource will wait until it has a webhook configured with a CA bundle: `pulumi.com/waitFor: "jsonpath={.webhooks[*].clientConfig.caBundle}"` 2. A string prefixed with `condition=` followed by the type of the condition and an optional status. This matches the behavior of `kubectl wait --for=condition=...` and will wait until the resource has a matching condition. The expected status defaults to "True" if not specified. `pulumi.com/waitFor: "condition=Synced"` `pulumi.com/waitFor: "condition=Reconciling=False"` 3. A string containing a JSON array of multiple `jsonpath=` and `condition=` expressions. `pulumi.com/waitFor: '["jsonpath={.foo}", "condition=Bar"]'` - Pulumi will now emit logs for any Kubernetes "Warning" Events associated with resources being created, updated or deleted. (https://github.com/pulumi/pulumi-kubernetes/pull/3135/files) ### Fixed - The `immutable` field is now respected for `ConfigMaps` when the provider is configured with `enableConfigMapMutable`. (#3181) - Fixed a panic that could occur during deletion. (#3157)
lumiere-bot bot
referenced
this issue
in coolguy1771/home-ops
Sep 16, 2024
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@pulumi/kubernetes](https://pulumi.com) ([source](https://github.com/pulumi/pulumi-kubernetes)) | dependencies | minor | [`4.17.1` -> `4.18.1`](https://renovatebot.com/diffs/npm/@pulumi%2fkubernetes/4.17.1/4.18.1) | --- ### Release Notes <details> <summary>pulumi/pulumi-kubernetes (@​pulumi/kubernetes)</summary> ### [`v4.18.1`](https://github.com/pulumi/pulumi-kubernetes/blob/HEAD/CHANGELOG.md#4181-September-13-2024) [Compare Source](https://github.com/pulumi/pulumi-kubernetes/compare/v4.18.0...v4.18.1) ##### Added - Schemagen is now a library that can be consumed by other packages. ([https://github.com/pulumi/pulumi-kubernetes/pull/3187](https://github.com/pulumi/pulumi-kubernetes/pull/3187)) ##### Changed - Updated beta Kubernetes client libraries to stable v1.31 release. ([https://github.com/pulumi/pulumi-kubernetes/pull/3196](https://github.com/pulumi/pulumi-kubernetes/pull/3196)) ### [`v4.18.0`](https://github.com/pulumi/pulumi-kubernetes/blob/HEAD/CHANGELOG.md#4180-September-3-2024) [Compare Source](https://github.com/pulumi/pulumi-kubernetes/compare/v4.17.1...v4.18.0) ##### Added - The new `enableSecretMutable` provider configuration option treats changes to `Secrets` as updates instead of replacements (similar to the `enableConfigMapMutable` option). The default replacement behavior can be preserved for a particular `Secret` by setting its `immutable` field to `true`. [https://github.com/pulumi/pulumi-kubernetes/issues/2291](https://github.com/pulumi/pulumi-kubernetes/issues/2291)2291) **Note:** These options (`enableSecretMutable` and `enableConfigMapMutable`) may become the default behavior in a future v5 release of the provider. Programs that depend on the replacement of `Secrets` and `ConfigMaps` (e.g. to trigger updates for downstream dependencies like `Deployments`) are recommended to explicitly specify `immutable: true`. - A warning is now emitted if an object has finalizers which might be blocking deletio[https://github.com/pulumi/pulumi-kubernetes/issues/1418](https://github.com/pulumi/pulumi-kubernetes/issues/1418)1418) - **EXPERIMENTAL**: Generic await logic is now available as an opt-in feature. Running a program with `PULUMI_K8S_AWAIT_ALL=true` will now cause Pulumi to await readiness for *all* resources, including custom resources. Generic readiness is determined according to some well-known conventions (like the "Ready" condition) as determined by [cli-utils](https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus). Pulumi's current behavior, without this feature enabled, is to assume some resources are immediately available, which can cause downstream resources to fail. Existing readiness logic is unaffected by this setting. [https://github.com/pulumi/pulumi-kubernetes/issues/2996](https://github.com/pulumi/pulumi-kubernetes/issues/2996)2996) - **EXPERIMENTAL**: The `pulumi.com/waitFor` annotation was introduced to allow for custom readiness checks. This override Pulumi's own await logic for the resource (however the `pulumi.com/skipAwait` annotation still takes precedence). The value of this annotation can take 3 forms: 1. A string prefixed with `jsonpath=` followed by a [JSONPath](https://kubernetes.io/docs/reference/kubectl/jsonpath/) expression and an optional value. The JSONPath expression accepts the same syntax as `kubectl get -o jsonpath={...}`. If a value is provided, the resource is considered ready when the JSONPath expression evaluates to the same value. For example this resource expects its "phase" field to have a value of "Running": `pulumi.com/waitFor: "jsonpath={.status.phase}=Running"` If a value is not provided, the resource will be considered ready when any value exists at the given path, similar to `kubectl wait --for jsonpath=...`. This resource will wait until it has a webhook configured with a CA bundle: `pulumi.com/waitFor: "jsonpath={.webhooks[*].clientConfig.caBundle}"` 2. A string prefixed with `condition=` followed by the type of the condition and an optional status. This matches the behavior of `kubectl wait --for=condition=...` and will wait until the resource has a matching condition. The expected status defaults to "True" if not specified. `pulumi.com/waitFor: "condition=Synced"` `pulumi.com/waitFor: "condition=Reconciling=False"` 3. A string containing a JSON array of multiple `jsonpath=` and `condition=` expressions. `pulumi.com/waitFor: '["jsonpath={.foo}", "condition=Bar"]'` - Pulumi will now emit logs for any Kubernetes "Warning" Events associated with resources being created, updated or delete[https://github.com/pulumi/pulumi-kubernetes/pull/3135](https://github.com/pulumi/pulumi-kubernetes/pull/3135)ull/3135/files) ##### Fixed - The `immutable` field is now respected for `ConfigMaps` when the provider is configured with `enableConfigMapMutable`. [https://github.com/pulumi/pulumi-kubernetes/issues/3181](https://github.com/pulumi/pulumi-kubernetes/issues/3181)3181) - Fixed a panic that could occur during deletion. ([https://github.com/pulumi/pulumi-kubernetes/issues/3157](https://github.com/pulumi/pulumi-kubernetes/issues/3157)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC43Ny4wIiwidXBkYXRlZEluVmVyIjoiMzguNzcuNiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsidHlwZS9taW5vciJdfQ==--> Co-authored-by: lumiere-bot[bot] <98047013+lumiere-bot[bot]@users.noreply.github.com>
lumiere-bot bot
referenced
this issue
in coolguy1771/home-ops
Sep 16, 2024
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@pulumi/kubernetes](https://pulumi.com) ([source](https://github.com/pulumi/pulumi-kubernetes)) | dependencies | minor | [`4.17.1` -> `4.18.1`](https://renovatebot.com/diffs/npm/@pulumi%2fkubernetes/4.17.1/4.18.1) | --- ### Release Notes <details> <summary>pulumi/pulumi-kubernetes (@​pulumi/kubernetes)</summary> ### [`v4.18.1`](https://github.com/pulumi/pulumi-kubernetes/blob/HEAD/CHANGELOG.md#4181-September-13-2024) [Compare Source](https://github.com/pulumi/pulumi-kubernetes/compare/v4.18.0...v4.18.1) ##### Added - Schemagen is now a library that can be consumed by other packages. ([https://github.com/pulumi/pulumi-kubernetes/pull/3187](https://github.com/pulumi/pulumi-kubernetes/pull/3187)) ##### Changed - Updated beta Kubernetes client libraries to stable v1.31 release. ([https://github.com/pulumi/pulumi-kubernetes/pull/3196](https://github.com/pulumi/pulumi-kubernetes/pull/3196)) ### [`v4.18.0`](https://github.com/pulumi/pulumi-kubernetes/blob/HEAD/CHANGELOG.md#4180-September-3-2024) [Compare Source](https://github.com/pulumi/pulumi-kubernetes/compare/v4.17.1...v4.18.0) ##### Added - The new `enableSecretMutable` provider configuration option treats changes to `Secrets` as updates instead of replacements (similar to the `enableConfigMapMutable` option). The default replacement behavior can be preserved for a particular `Secret` by setting its `immutable` field to `true`. [https://github.com/pulumi/pulumi-kubernetes/issues/2291](https://github.com/pulumi/pulumi-kubernetes/issues/2291)2291) **Note:** These options (`enableSecretMutable` and `enableConfigMapMutable`) may become the default behavior in a future v5 release of the provider. Programs that depend on the replacement of `Secrets` and `ConfigMaps` (e.g. to trigger updates for downstream dependencies like `Deployments`) are recommended to explicitly specify `immutable: true`. - A warning is now emitted if an object has finalizers which might be blocking deletio[https://github.com/pulumi/pulumi-kubernetes/issues/1418](https://github.com/pulumi/pulumi-kubernetes/issues/1418)1418) - **EXPERIMENTAL**: Generic await logic is now available as an opt-in feature. Running a program with `PULUMI_K8S_AWAIT_ALL=true` will now cause Pulumi to await readiness for *all* resources, including custom resources. Generic readiness is determined according to some well-known conventions (like the "Ready" condition) as determined by [cli-utils](https://github.com/kubernetes-sigs/cli-utils/tree/master/pkg/kstatus). Pulumi's current behavior, without this feature enabled, is to assume some resources are immediately available, which can cause downstream resources to fail. Existing readiness logic is unaffected by this setting. [https://github.com/pulumi/pulumi-kubernetes/issues/2996](https://github.com/pulumi/pulumi-kubernetes/issues/2996)2996) - **EXPERIMENTAL**: The `pulumi.com/waitFor` annotation was introduced to allow for custom readiness checks. This override Pulumi's own await logic for the resource (however the `pulumi.com/skipAwait` annotation still takes precedence). The value of this annotation can take 3 forms: 1. A string prefixed with `jsonpath=` followed by a [JSONPath](https://kubernetes.io/docs/reference/kubectl/jsonpath/) expression and an optional value. The JSONPath expression accepts the same syntax as `kubectl get -o jsonpath={...}`. If a value is provided, the resource is considered ready when the JSONPath expression evaluates to the same value. For example this resource expects its "phase" field to have a value of "Running": `pulumi.com/waitFor: "jsonpath={.status.phase}=Running"` If a value is not provided, the resource will be considered ready when any value exists at the given path, similar to `kubectl wait --for jsonpath=...`. This resource will wait until it has a webhook configured with a CA bundle: `pulumi.com/waitFor: "jsonpath={.webhooks[*].clientConfig.caBundle}"` 2. A string prefixed with `condition=` followed by the type of the condition and an optional status. This matches the behavior of `kubectl wait --for=condition=...` and will wait until the resource has a matching condition. The expected status defaults to "True" if not specified. `pulumi.com/waitFor: "condition=Synced"` `pulumi.com/waitFor: "condition=Reconciling=False"` 3. A string containing a JSON array of multiple `jsonpath=` and `condition=` expressions. `pulumi.com/waitFor: '["jsonpath={.foo}", "condition=Bar"]'` - Pulumi will now emit logs for any Kubernetes "Warning" Events associated with resources being created, updated or delete[https://github.com/pulumi/pulumi-kubernetes/pull/3135](https://github.com/pulumi/pulumi-kubernetes/pull/3135)ull/3135/files) ##### Fixed - The `immutable` field is now respected for `ConfigMaps` when the provider is configured with `enableConfigMapMutable`. [https://github.com/pulumi/pulumi-kubernetes/issues/3181](https://github.com/pulumi/pulumi-kubernetes/issues/3181)3181) - Fixed a panic that could occur during deletion. ([https://github.com/pulumi/pulumi-kubernetes/issues/3157](https://github.com/pulumi/pulumi-kubernetes/issues/3157)) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOC43Ny4wIiwidXBkYXRlZEluVmVyIjoiMzguNzcuNiIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOlsidHlwZS9taW5vciJdfQ==--> Co-authored-by: lumiere-bot[bot] <98047013+lumiere-bot[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello!
Issue details
Add a workaround for Secret while #1775 awaits some additional support from the schema (pulumi/pulumi#9158)
Enabling the
enableSecretMutableflag will treat Secret resources as mutable - i.e. convert what would previously be a replacement to an update when mutated. If the provider flag is enabled, the previous behavior can be opted-in on a resource by resource basis by specifying thereplaceOnChanges: [*]option. If the flag is not enabled (default), existing replacement behavior would be retained.(See #1926 for a related change for ConfigMap resources)
Affected area/feature
The text was updated successfully, but these errors were encountered: