Add enableSecretMutable flag

This does for `Secret`s what the existing `enableConfigMapMutable` flag does for `ConfigMap`s.
pulumi · Aug 14, 2024 · 4deb10c · 4deb10c
1 parent 3c2367c
commit 4deb10c
Show file tree

Hide file tree

Showing 14 changed files with 257 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 ## Unreleased
 
+-  Make Secrets mutable unless marked explicitly (enabled with provider config option) (https://github.com/pulumi/pulumi-kubernetes/pull/1926)
+   *NOTE*: With this change, once `enableSecretMutable` is enabled, all data changes to Secrets will be seen as mutable (changes to `type` will still trigger a replacement). In this mode, you can opt-in to the previous replacement behavior for a particular Secret by setting its `replaceOnChanges` resource option to `[".stringData", ".data"]`.
+   By default, the provider will continue to treat Secrets as immutable, and will replace them if the `stringData` or `data` properties are changed.
+
 ## 4.17.0 (August 13, 2024)
 
 ### Changed

diff --git a/provider/cmd/pulumi-resource-kubernetes/schema.json b/provider/cmd/pulumi-resource-kubernetes/schema.json
@@ -524,6 +524,10 @@
                 "description": "Obsolete. This option has no effect.",
                 "deprecationMessage": "This option is deprecated, and will be removed in a future release."
             },
+            "enableSecretMutable": {
+                "type": "boolean",
+                "description": "BETA FEATURE - If present and set to true, allow Secrets to be mutated.\nThis feature is in developer preview, and is disabled by default.\n\nThis config can be specified in the following ways using this precedence:\n1. This `enableSecretMutable` parameter.\n2. The `PULUMI_K8S_ENABLE_SECRET_MUTABLE` environment variable."
+            },
             "enableServerSideApply": {
                 "type": "boolean",
                 "description": "If present and set to false, disable Server-Side Apply mode.\nSee https://github.com/pulumi/pulumi-kubernetes/issues/2011 for additional details."
@@ -73408,6 +73412,15 @@
                     ]
                 }
             },
+            "enableSecretMutable": {
+                "type": "boolean",
+                "description": "BETA FEATURE - If present and set to true, allow Secrets to be mutated.\nThis feature is in developer preview, and is disabled by default.\n\nThis config can be specified in the following ways using this precedence:\n1. This `enableSecretMutable` parameter.\n2. The `PULUMI_K8S_ENABLE_SECRET_MUTABLE` environment variable.",
+                "defaultInfo": {
+                    "environment": [
+                        "PULUMI_K8S_ENABLE_SECRET_MUTABLE"
+                    ]
+                }
+            },
             "enableServerSideApply": {
                 "type": "boolean",
                 "description": "If present and set to false, disable Server-Side Apply mode.\nSee https://github.com/pulumi/pulumi-kubernetes/issues/2011 for additional details.",

diff --git a/provider/pkg/gen/schema.go b/provider/pkg/gen/schema.go
@@ -94,6 +94,10 @@ func PulumiSchema(swagger map[string]any) pschema.PackageSpec {
 					Description: "BETA FEATURE - If present and set to true, allow ConfigMaps to be mutated.\nThis feature is in developer preview, and is disabled by default.\n\nThis config can be specified in the following ways using this precedence:\n1. This `enableConfigMapMutable` parameter.\n2. The `PULUMI_K8S_ENABLE_CONFIGMAP_MUTABLE` environment variable.",
 					TypeSpec:    pschema.TypeSpec{Type: "boolean"},
 				},
+				"enableSecretMutable": {
+					Description: "BETA FEATURE - If present and set to true, allow Secrets to be mutated.\nThis feature is in developer preview, and is disabled by default.\n\nThis config can be specified in the following ways using this precedence:\n1. This `enableSecretMutable` parameter.\n2. The `PULUMI_K8S_ENABLE_SECRET_MUTABLE` environment variable.",
+					TypeSpec:    pschema.TypeSpec{Type: "boolean"},
+				},
 				"renderYamlToDirectory": {
 					Description: "BETA FEATURE - If present, render resource manifests to this directory. In this mode, resources will not\nbe created on a Kubernetes cluster, but the rendered manifests will be kept in sync with changes\nto the Pulumi program. This feature is in developer preview, and is disabled by default.\n\nNote that some computed Outputs such as status fields will not be populated\nsince the resources are not created on a Kubernetes cluster. These Output values will remain undefined,\nand may result in an error if they are referenced by other resources. Also note that any secret values\nused in these resources will be rendered in plaintext to the resulting YAML.",
 					TypeSpec:    pschema.TypeSpec{Type: "string"},
@@ -185,6 +189,15 @@ func PulumiSchema(swagger map[string]any) pschema.PackageSpec {
 					Description: "BETA FEATURE - If present and set to true, allow ConfigMaps to be mutated.\nThis feature is in developer preview, and is disabled by default.\n\nThis config can be specified in the following ways using this precedence:\n1. This `enableConfigMapMutable` parameter.\n2. The `PULUMI_K8S_ENABLE_CONFIGMAP_MUTABLE` environment variable.",
 					TypeSpec:    pschema.TypeSpec{Type: "boolean"},
 				},
+				"enableSecretMutable": {
+					DefaultInfo: &pschema.DefaultSpec{
+						Environment: []string{
+							"PULUMI_K8S_ENABLE_SECRET_MUTABLE",
+						},
+					},
+					Description: "BETA FEATURE - If present and set to true, allow Secrets to be mutated.\nThis feature is in developer preview, and is disabled by default.\n\nThis config can be specified in the following ways using this precedence:\n1. This `enableSecretMutable` parameter.\n2. The `PULUMI_K8S_ENABLE_SECRET_MUTABLE` environment variable.",
+					TypeSpec:    pschema.TypeSpec{Type: "boolean"},
+				},
 				"renderYamlToDirectory": {
 					Description: "BETA FEATURE - If present, render resource manifests to this directory. In this mode, resources will not\nbe created on a Kubernetes cluster, but the rendered manifests will be kept in sync with changes\nto the Pulumi program. This feature is in developer preview, and is disabled by default.\n\nNote that some computed Outputs such as status fields will not be populated\nsince the resources are not created on a Kubernetes cluster. These Output values will remain undefined,\nand may result in an error if they are referenced by other resources. Also note that any secret values\nused in these resources will be rendered in plaintext to the resulting YAML.",
 					TypeSpec:    pschema.TypeSpec{Type: "string"},

diff --git a/provider/pkg/provider/diff.go b/provider/pkg/provider/diff.go
@@ -28,6 +28,8 @@ func (k *kubeProvider) forceNewProperties(obj *unstructured.Unstructured) []stri
 				props = append(props, kindFields...)
 			} else if clients.IsConfigMap(obj) && !k.enableConfigMapMutable {
 				props = append(props, properties{".binaryData", ".data"}...)
+			} else if clients.IsSecret(obj) && !k.enableSecretMutable {
+				props = append(props, properties{".stringData", ".data"}...)
 			}
 		}
 	}
@@ -151,8 +153,6 @@ var core = _versions{
 		},
 		"Secret": properties{
 			".type",
-			".stringData",
-			".data",
 		},
 		"Service": properties{
 			".spec.clusterIP",

diff --git a/provider/pkg/provider/diff_test.go b/provider/pkg/provider/diff_test.go
@@ -185,6 +185,39 @@ func TestPatchToDiff(t *testing.T) {
 				"data.property1": U,
 			},
 		},
+		{
+			name:  `Secret resources trigger a replace when enableSecretMutable is not set.`,
+			group: "core", version: "v1", kind: "Secret",
+			old: object{"data": object{"property1": "3"}},
+			new: object{"data": object{"property1": "4"}},
+			expected: expected{
+				"data.property1": UR,
+			},
+		},
+		{
+			name:  `Secret resources don't trigger a replace when mutable.`,
+			group: "core", version: "v1", kind: "Secret",
+			old: object{"data": object{"property1": "3"}},
+			new: object{"data": object{"property1": "4"}},
+			customizeProvider: func(p *kubeProvider) {
+				p.enableSecretMutable = true
+			},
+			expected: expected{
+				"data.property1": U,
+			},
+		},
+		{
+			name:  `Secret resources trigger a replace when type changes even if enableSecretMutable is set.`,
+			group: "core", version: "v1", kind: "Secret",
+			old: object{"type": "kubernetes.io/dockerconfigjson", "data": object{"property1": "3"}},
+			new: object{"type": "Opaque", "data": object{"property1": "3"}},
+			customizeProvider: func(p *kubeProvider) {
+				p.enableSecretMutable = true
+			},
+			expected: expected{
+				"data.property1": UR,
+			},
+		},
 		{
 			name:  `ConfigMap resources trigger a replace when enableConfigMapMutable is not set.`,
 			group: "core", version: "v1", kind: "ConfigMap",

diff --git a/provider/pkg/provider/provider.go b/provider/pkg/provider/provider.go
@@ -133,6 +133,7 @@ type kubeProvider struct {
 	deleteUnreachable           bool
 	skipUpdateUnreachable       bool
 	enableConfigMapMutable      bool
+	enableSecretMutable         bool
 	enableSecrets               bool
 	suppressDeprecationWarnings bool
 	suppressHelmHookWarnings    bool
@@ -575,6 +576,22 @@ func (k *kubeProvider) Configure(_ context.Context, req *pulumirpc.ConfigureRequ
 		k.enableConfigMapMutable = true
 	}
 
+	enableSecretMutable := func() bool {
+		// If the provider flag is set, use that value to determine behavior. This will override the ENV var.
+		if enabled, exists := vars["kubernetes:config:enableSecretMutable"]; exists {
+			return enabled == trueStr
+		}
+		// If the provider flag is not set, fall back to the ENV var.
+		if enabled, exists := os.LookupEnv("PULUMI_K8S_ENABLE_SECRET_MUTABLE"); exists {
+			return enabled == trueStr
+		}
+		// Default to false.
+		return false
+	}
+	if enableSecretMutable() {
+		k.enableSecretMutable = true
+	}
+
 	suppressDeprecationWarnings := func() bool {
 		// If the provider flag is set, use that value to determine behavior. This will override the ENV var.
 		if enabled, exists := vars["kubernetes:config:suppressDeprecationWarnings"]; exists {

diff --git a/sdk/dotnet/Config/Config.cs b/sdk/dotnet/Config/Config.cs
@@ -101,6 +101,21 @@ public static bool? EnableReplaceCRD
             set => _enableReplaceCRD.Set(value);
         }
 
+        private static readonly __Value<bool?> _enableSecretMutable = new __Value<bool?>(() => __config.GetBoolean("enableSecretMutable"));
+        /// <summary>
+        /// BETA FEATURE - If present and set to true, allow Secrets to be mutated.
+        /// This feature is in developer preview, and is disabled by default.
+        /// 
+        /// This config can be specified in the following ways using this precedence:
+        /// 1. This `enableSecretMutable` parameter.
+        /// 2. The `PULUMI_K8S_ENABLE_SECRET_MUTABLE` environment variable.
+        /// </summary>
+        public static bool? EnableSecretMutable
+        {
+            get => _enableSecretMutable.Get();
+            set => _enableSecretMutable.Set(value);
+        }
+
         private static readonly __Value<bool?> _enableServerSideApply = new __Value<bool?>(() => __config.GetBoolean("enableServerSideApply"));
         /// <summary>
         /// If present and set to false, disable Server-Side Apply mode.

diff --git a/sdk/dotnet/Provider.cs b/sdk/dotnet/Provider.cs
@@ -85,6 +85,17 @@ public sealed class ProviderArgs : global::Pulumi.ResourceArgs
         [Input("enableConfigMapMutable", json: true)]
         public Input<bool>? EnableConfigMapMutable { get; set; }
 
+        /// <summary>
+        /// BETA FEATURE - If present and set to true, allow Secrets to be mutated.
+        /// This feature is in developer preview, and is disabled by default.
+        /// 
+        /// This config can be specified in the following ways using this precedence:
+        /// 1. This `enableSecretMutable` parameter.
+        /// 2. The `PULUMI_K8S_ENABLE_SECRET_MUTABLE` environment variable.
+        /// </summary>
+        [Input("enableSecretMutable", json: true)]
+        public Input<bool>? EnableSecretMutable { get; set; }
+
         /// <summary>
         /// If present and set to false, disable Server-Side Apply mode.
         /// See https://github.com/pulumi/pulumi-kubernetes/issues/2011 for additional details.
@@ -156,6 +167,7 @@ public ProviderArgs()
         {
             DeleteUnreachable = Utilities.GetEnvBoolean("PULUMI_K8S_DELETE_UNREACHABLE");
             EnableConfigMapMutable = Utilities.GetEnvBoolean("PULUMI_K8S_ENABLE_CONFIGMAP_MUTABLE");
+            EnableSecretMutable = Utilities.GetEnvBoolean("PULUMI_K8S_ENABLE_SECRET_MUTABLE");
             EnableServerSideApply = Utilities.GetEnvBoolean("PULUMI_K8S_ENABLE_SERVER_SIDE_APPLY");
             KubeConfig = Utilities.GetEnv("KUBECONFIG");
             SkipUpdateUnreachable = Utilities.GetEnvBoolean("PULUMI_K8S_SKIP_UPDATE_UNREACHABLE");

diff --git a/sdk/go/kubernetes/config/config.go b/sdk/go/kubernetes/config/config.go
diff --git a/sdk/go/kubernetes/provider.go b/sdk/go/kubernetes/provider.go
diff --git a/sdk/java/src/main/java/com/pulumi/kubernetes/Config.java b/sdk/java/src/main/java/com/pulumi/kubernetes/Config.java
@@ -62,6 +62,18 @@ public Optional<Boolean> enableConfigMapMutable() {
     public Optional<Boolean> enableReplaceCRD() {
         return Codegen.booleanProp("enableReplaceCRD").config(config).get();
     }
+/**
+ * BETA FEATURE - If present and set to true, allow Secrets to be mutated.
+ * This feature is in developer preview, and is disabled by default.
+ * 
+ * This config can be specified in the following ways using this precedence:
+ * 1. This `enableSecretMutable` parameter.
+ * 2. The `PULUMI_K8S_ENABLE_SECRET_MUTABLE` environment variable.
+ * 
+ */
+    public Optional<Boolean> enableSecretMutable() {
+        return Codegen.booleanProp("enableSecretMutable").config(config).get();
+    }
 /**
  * If present and set to false, disable Server-Side Apply mode.
  * See https://github.com/pulumi/pulumi-kubernetes/issues/2011 for additional details.