pulumi-kubernetes-operator

Move the reconciliation loop to a model where each run executes as a k8s Job

Open metral opened this issue 5 years ago • 2 comments

Problem description

Currently, the reconciliation loop is shared in-process on the operator.

Ideally, a separate Job/Pod would be used instead per loop to avoid shared context issues across loops and runtimes. See the design doc.

metral, Aug 11 '20 23:08

Using a Pod to execute pulumi up may unlock some interesting capabilities. Some examples:

  1. Mounting of stack-specific volumes to act as an alternate source for the program sources, program data, or even backend state.
  2. Stack-specific service accounts. This would allow us to harden the permissions granted to the operator itself.
  3. Clean separation of log output between the operator and the program.

EronWright, Nov 25 '20 22:11

Note that if we support https://github.com/pulumi/pulumi-kubernetes-operator/issues/122 we will have to ensure the secret injection mechanism can mount secrets into the job/pod encapsulating the stack.

viveklak, Mar 19 '21 22:03