Config structure unable to accept maps

[xwang0818]

Summary:

The config section under the Stack CRD needs to be able to accept a map. E.g.:

apiVersion: pulumi.com/v1alpha1
kind: Stack
metadata:
  name: stack-name
spec:
  config:
    aws:region: us-east-2
    aws:assumeRole:
      roleArn: arn:aws:iam::xxxxxxxxx:instance-profile/nodes.xw-cluster-1.k8s.local

In the scenario where we would like to specify an AssumeRole using a roleArn, we would run pulumi config set --path aws:assumeRole.roleArn arn:aws:iam::xxxxxxxxx:role/nodes.xw-cluster-1.k8s.local and it would automatically generate the config in Pulumi..yaml. This auto-generated config does not work when it is placed under a Stack yaml file.

error validating data: ValidationError(Stack.spec.config.aws:assumeRole): invalid type for com.pulumi.v1alpha1.Stack.spec.config: got "map", expected "string"

Steps to reproduce

git clone https://github.com/pulumi/pulumi-kubernetes-operator.git
cd pulumi-kubernetes-operator
git fetch --all --tags
git checkout tags/v0.0.17 -b v0.0.17
kubectl apply -f deploy/crds/
kubectl apply -f deploy/yaml
create a Stack yaml (named stack.yaml) with the config shown in the above
create github repo with pulumi project
point Stack yaml to github repo

kubectl apply -f stack.yaml

Expected:
Be able to configure an AssumeRole for pulumi POD to utilize the IAM role on the host
Actual:
Failing because config only accepts strings and not maps

[xwang0818]

Currently, the operator would call SetallConfig(), which calls the pulumi config set-all command line. Currently, SetallConfig() does not support nested value. It requires that the --path tag to be added to the cmd line to support nested values.

Well, you may think that we can do the following:

  config:
    --path aws:assumeRole.roleArn: arn:aws:iam::xxxxxx:instance-profile/nodes.xw-cluster-1.k8s.local

Not quite, because that would give us pulumi config set-all --stack dev --plaintext --path aws:assumeRole.roleArn=arn:aws:iam::xxxxxxx:instance-profile/nodes.xw-cluster-1.k8s.local. That does not work because we need pulumi config set-all --stack dev --path --plaintext aws:assumeRole.roleArn=arn:aws:iam::xxxxxxx:instance-profile/nodes.xw-cluster-1.k8s.local, where --path comes before --plaintext.

*Assuming we are only setting values that are nested because aws:region=us-east-2 is not a nested value and would not work with --path.

[viveklak]

Thanks for opening this @xwang0818 - are you able to use 0.0.18 (released yesterday) to use the checked-in Pulumi stack configuration to work around this?

[xwang0818]

@viveklak I upgraded my pulumi operator to the latest release v0.0.19. However, this version still does not support the stack config described above.

[viveklak]

@viveklak I upgraded my pulumi operator to the latest release v0.0.19. However, this version still does not support the stack config described above.

I haven't had a chance to investigate the issue around the richer stack config. My specific suggestion was to check-in the stack config file (Pulumi.<stack>.yaml) to source control with the desired assume role config and have it be picked up instead of specifying it in the stack CR. v0.0.18 and up include the fix in #187 which should let you load stack yaml files. I was curious if that was a feasible workaround for you for the moment?

[EronWright]

Let's close this as a duplicate of: #258