This PR seeks to isolate the credentials associated with a given Stack, to solve the problem of credentials leaking across stacks. Some underlying details here:
Pulumi CLI stores login credentials in PULUMI_HOME (e.g. ~/.pulumi/credentials.json).
A side-effect of using PULUMI_ACCESS_TOKEN is that the CLI login credentials are set.
Pulumi CLI prefers the persisted login credentials to PULUMI_ACCESS_TOKEN.
This PR takes the conservative approach of encapsulating the PULUMI_HOME into a per-stack working directory, as opposed to reusing ~/.pulumi across stacks. The working directory is retained across reconciliation passes, and cleaned up during stack finalization. Note that the workspace directory is erased at the end of each reconciliation pass, as is the current behavior.
This PR does NOT solve the (lack of) mutability of PULUMI_ACCESS_TOKEN across stack updates.
Note that this PR contains some commits (related to hacking on the operator) that will be moved to a separate PR.
Technical Details
Relevant terminology used within the controller codebase:
root directory - a temporary directory for each stack, retained until finalization
home directory - the PULUMI_HOME directory, located within the stack's root directory
workspace directory - the Pulumi workspace directory containing the program and stack configuration.
The current behavior of the operator is to erase the workspace directory on each reconciliation pass, e.g. to ensure a clean git checkout. This PR retains this behavior while keeping the home directory across passes, e.g. to reuse the providers.
Proposed changes
Closes #483
This PR seeks to isolate the credentials associated with a given
Stack, to solve the problem of credentials leaking across stacks. Some underlying details here:~/.pulumi/credentials.json).PULUMI_ACCESS_TOKENis that the CLI login credentials are set.PULUMI_ACCESS_TOKEN.This PR takes the conservative approach of encapsulating the PULUMI_HOME into a per-stack working directory, as opposed to reusing
~/.pulumiacross stacks. The working directory is retained across reconciliation passes, and cleaned up during stack finalization. Note that the workspace directory is erased at the end of each reconciliation pass, as is the current behavior.This PR does NOT solve the (lack of) mutability of
PULUMI_ACCESS_TOKENacross stack updates.Note that this PR contains some commits (related to hacking on the operator) that will be moved to a separate PR.
Technical Details
Relevant terminology used within the controller codebase:
PULUMI_HOMEdirectory, located within the stack's root directoryThe current behavior of the operator is to erase the workspace directory on each reconciliation pass, e.g. to ensure a clean git checkout. This PR retains this behavior while keeping the home directory across passes, e.g. to reuse the providers.
Related issues (optional)