pulumi · EronWright · Oct 9, 2023 · Oct 7, 2023 · Oct 7, 2023 · Oct 7, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -71,6 +71,7 @@ Other changes:
 - Upgrade to latest helm dependency (https://github.com/pulumi/pulumi-kubernetes/pull/2474)
 - Improve error handling for List resources (https://github.com/pulumi/pulumi-kubernetes/pull/2493)
 - Normalize provider inputs and make available as outputs (https://github.com/pulumi/pulumi-kubernetes/pull/2598)
+- Improved error handling when loading kubeconfig (https://github.com/pulumi/pulumi-kubernetes/pull/2599)
 
 ## 3.30.2 (July 11, 2023)
 

diff --git a/provider/pkg/provider/provider.go b/provider/pkg/provider/provider.go
@@ -242,13 +242,21 @@ func (k *kubeProvider) CheckConfig(ctx context.Context, req *pulumirpc.CheckRequ
 	label := fmt.Sprintf("%s.CheckConfig(%s)", k.label(), urn)
 	logger.V(9).Infof("%s executing", label)
 
+	olds, err := plugin.UnmarshalProperties(req.GetOlds(), plugin.MarshalOptions{
+		Label:        fmt.Sprintf("%s.olds", label),
+		KeepUnknowns: true,
+		SkipNulls:    true,
+	})
+	if err != nil {
+		return nil, pkgerrors.Wrapf(err, "CheckConfig failed because of malformed resource inputs (olds)")
+	}
 	news, err := plugin.UnmarshalProperties(req.GetNews(), plugin.MarshalOptions{
 		Label:        fmt.Sprintf("%s.news", label),
 		KeepUnknowns: true,
 		SkipNulls:    true,
 	})
 	if err != nil {
-		return nil, pkgerrors.Wrapf(err, "CheckConfig failed because of malformed resource inputs")
+		return nil, pkgerrors.Wrapf(err, "CheckConfig failed because of malformed resource inputs (news)")
 	}
 
 	truthyValue := func(argName resource.PropertyKey, props resource.PropertyMap) bool {
@@ -336,9 +344,7 @@ func (k *kubeProvider) CheckConfig(ctx context.Context, req *pulumirpc.CheckRequ
 	// Normalize the inputs (e.g. apply defaults).
 	// Note that the inputs are reflected as provider outputs as per:
 	// https://github.com/pulumi/pulumi-kubernetes/issues/2486
-	normalizeInputs := func() []*pulumirpc.CheckFailure {
-		var failures []*pulumirpc.CheckFailure
-
+	normalizeInputs := func() error {
 		overrides := &clientcmd.ConfigOverrides{}
 		if v, ok := news["cluster"]; ok && v.HasValue() && v.IsString() {
 			overrides.Context.Cluster = v.StringValue()
@@ -355,20 +361,12 @@ func (k *kubeProvider) CheckConfig(ctx context.Context, req *pulumirpc.CheckRequ
 		}
 		kubeconfig, apiConfig, err := loadKubeconfig(pathOrContents, overrides)
 		if err != nil {
-			failures = append(failures, &pulumirpc.CheckFailure{
-				Property: "kubeconfig",
-				Reason:   err.Error(),
-			})
-			return failures
+			return err
 		}
 
 		configurationNamespace, _, err := kubeconfig.Namespace()
 		if err != nil {
-			failures = append(failures, &pulumirpc.CheckFailure{
-				Property: "kubeconfig",
-				Reason:   err.Error(),
-			})
-			return failures
+			return err
 		}
 		news["namespace"] = resource.NewStringProperty(configurationNamespace)
 
@@ -392,21 +390,28 @@ func (k *kubeProvider) CheckConfig(ctx context.Context, req *pulumirpc.CheckRequ
 		if v, ok := os.LookupEnv("PULUMI_K8S_NORMALIZE_KUBECONFIG"); ok && cmdutil.IsTruthy(v) {
 			configurationKubeconfig, err := clientcmd.Write(*apiConfig)
 			if err != nil {
-				failures = append(failures, &pulumirpc.CheckFailure{
-					Property: "kubeconfig",
-					Reason:   err.Error(),
-				})
-				return failures
+				return err
 			}
 			news["kubeconfig"] = resource.NewStringProperty(string(configurationKubeconfig))
 		}
-
-		return failures
+		return nil
 	}
-	failures := normalizeInputs()
-	if len(failures) > 0 {
-		// Rather than erroring out on an invalid k8s config, leave the original values in-place.
-		logger.V(9).Infof("%s: unable to normalize inputs: %v", label, failures)
+	err = normalizeInputs()
+	if err != nil {
+		logger.V(9).Infof("%s: unable to normalize inputs: %v", label, err)
+
+		// Rather than erroring out on an invalid k8s config, leave the existing values in place to minimize diffs.
+		// The error will be seen again in Configure, which will result in clusterUnreachable being set.
+		if _, ok := news["namespace"]; !ok {
+			news["namespace"] = olds["namespace"]
+		}
+		if _, ok := news["context"]; !ok {
+			news["context"] = olds["context"]
+		}
+		if _, ok := news["cluster"]; !ok {
+			news["cluster"] = olds["cluster"]
+		}
+		_ = k.host.Log(ctx, diag.Warning, urn, fmt.Sprintf("the Kubernetes provider has a configuration problem: %v", err))
 	}
 
 	checked, err := plugin.MarshalProperties(
@@ -530,13 +535,17 @@ func (k *kubeProvider) Configure(_ context.Context, req *pulumirpc.ConfigureRequ
 	//
 	if defaultNamespace := vars["kubernetes:config:namespace"]; defaultNamespace != "" {
 		k.defaultNamespace = defaultNamespace
+	} else {
+		// CheckConfig applies a good default unless there's a configuration problem
+		// and there's no old value available. At minimum, ensure there's a default namespace.
+		k.defaultNamespace = "default"
 	}
 
 	// Compute config overrides.
 	overrides := &clientcmd.ConfigOverrides{
 		Context: clientapi.Context{
 			Cluster:   vars["kubernetes:config:cluster"],
-			Namespace: k.defaultNamespace,
+			Namespace: vars["kubernetes:config:namespace"],
 		},
 		CurrentContext: vars["kubernetes:config:context"],
 	}
@@ -723,8 +732,7 @@ func (k *kubeProvider) Configure(_ context.Context, req *pulumirpc.ConfigureRequ
 	// Rather than erroring out on an invalid k8s config, mark the cluster as unreachable and conditionally bail out on
 	// operations that require a valid cluster. This will allow us to perform invoke operations using the default
 	// provider.
-	kubeconfig, apiConfig, err := loadKubeconfig(vars["kubernetes:config:kubeconfig"], overrides)
-	if err != nil {
+	clusterUnreachable := func(err error) {
 		k.clusterUnreachable = true
 		if vars["kubernetes:config:kubeconfig"] != "" {
 			k.clusterUnreachableReason = fmt.Sprintf(
@@ -733,11 +741,10 @@ func (k *kubeProvider) Configure(_ context.Context, req *pulumirpc.ConfigureRequ
 			k.clusterUnreachableReason = fmt.Sprintf(
 				"failed to parse kubeconfig data in local environment: %v", err)
 		}
-	} else {
-		configurationNamespace, _, err := kubeconfig.Namespace()
-		if err == nil {
-			k.defaultNamespace = configurationNamespace
-		}
+	}
+	kubeconfig, apiConfig, err := loadKubeconfig(vars["kubernetes:config:kubeconfig"], overrides)
+	if err != nil {
+		clusterUnreachable(err)
 	}
 
 	var kubeClientSettings KubeClientSettings
@@ -1439,7 +1446,7 @@ func (k *kubeProvider) Check(ctx context.Context, req *pulumirpc.CheckRequest) (
 
 	// If a default namespace is set on the provider for this resource, check if the resource has Namespaced
 	// or Global scope. For namespaced resources, set the namespace to the default value if unset.
-	if k.defaultNamespace != "" && len(newInputs.GetNamespace()) == 0 {
+	if len(newInputs.GetNamespace()) == 0 {
 		namespacedKind, err := clients.IsNamespacedKind(gvk, k.clientSet)
 		if err != nil {
 			if clients.IsNoNamespaceInfoErr(err) {

diff --git a/provider/pkg/provider/util.go b/provider/pkg/provider/util.go
@@ -104,7 +104,7 @@ func loadKubeconfig(pathOrContents string, overrides *clientcmd.ConfigOverrides)
 
 		// If the variable is a valid filepath, load the file and parse the contents as a k8s config.
 		_, err := os.Stat(pathOrContents)
-		if err == nil {
+		if err == nil || filepath.IsAbs(pathOrContents) || strings.HasPrefix(pathOrContents, ".") {
 			b, err := os.ReadFile(pathOrContents)
 			if err != nil {
 				return nil, nil, err
@@ -129,7 +129,7 @@ func loadKubeconfig(pathOrContents string, overrides *clientcmd.ConfigOverrides)
 	// flags.
 	loadingRules := clientcmd.NewDefaultClientConfigLoadingRules()
 	loadingRules.DefaultClientConfig = &clientcmd.DefaultClientConfig
-	kubeconfig := clientcmd.NewInteractiveDeferredLoadingClientConfig(loadingRules, overrides, os.Stdin)
+	kubeconfig := clientcmd.NewNonInteractiveDeferredLoadingClientConfig(loadingRules, overrides)
 	apiConfig, err := kubeconfig.RawConfig()
 	if err != nil {
 		return nil, nil, err