Add the Pulumi Kubernetes Operator

eks-anywhere-common/Addons/Partner/Pulumi/README.md

@@ -0,0 +1,3 @@
+# Pulumi
+
+This folder contains Kubernetes manifest that install the [Pulumi Kubernetes Operator](https://www.pulumi.com/docs/using-pulumi/continuous-delivery/pulumi-kubernetes-operator/) along with resources necessary to run the automated tests under `../Testers/Pulumi` in this repository.

eks-anywhere-common/Addons/Partner/Pulumi/pulumi-namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: pulumi
+  labels:
+    aws.conformance.vendor: pulumi
+    aws.conformance.vendor-solution: pulumi-kubernetes-operator

eks-anywhere-common/Addons/Partner/Pulumi/pulumi-operator-heml.yaml

@@ -0,0 +1 @@
+# TODO

eks-anywhere-common/Addons/Partner/Pulumi/pulumi-tester-configmap.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pulumi-tester
+  namespace: pulumi
+data:
+  pulumi-org: aws-partnership

eks-anywhere-common/Addons/Partner/Pulumi/pulumi-tester-role.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: pulumi-tester-role
+  namespace: pulumi
+rules:
+  - apiGroups: ["pulumi.com"]
+    resources: ["stacks", "programs"]
+    verbs: ["*"]

eks-anywhere-common/Addons/Partner/Pulumi/pulumi-tester-rolebinding.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: pulumi-tester-rolebinding
+  namespace: pulumi
+subjects:
+  - kind: ServiceAccount
+    name: pulumi-tester
+roleRef:
+  kind: Role
+  name: pulumi-tester-role
+  apiGroup: rbac.authorization.k8s.io

eks-anywhere-common/Addons/Partner/Pulumi/pulumi-tester-serviceaaccount.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pulumi-tester
+  namespace: pulumi

eks-anywhere-common/Testers/Pulumi/pulumi-tester-job.yaml

@@ -0,0 +1,169 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: pulumi-tester-configmap
+  namespace: pulumi
+data:
+  pulumi-k8s-operator-test.sh: |-
+    #!/bin/bash
+    set -e
+
+    if ! which curl ; then
+      echo "curl not found. Installing curl."
+      install_packages curl
+    fi
+
+    if ! which kubectl ; then
+      echo "kubectl not found. Installing kubectl"
+      apt-get update && \
+        apt-get install -y --no-install-recommends ca-certificates && \
+        update-ca-certificates
+      apt-get update && \
+        curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" && \
+        chmod +x kubectl && \
+        mv kubectl /usr/local/bin/
+    fi
+
+    RANDOM_SUFFIX=$(date +%s)-$RANDOM
+    MANIFEST_FILENAME=/tmp/pulumi-test-stack-${RANDOM_SUFFIX}.yaml
+
+    # Create a new, unique stack name. The name of the stack must be unique for each
+    # run for 2 reasons:
+    # 1. To ensure that each test run on the current platform starts from a known
+    #    state, free from any previously test runs.
+    # 2. To ensure that we don't get colliding updates as AWS runs the test
+    #    simultaneously on different EKS-A platforms.
+    TEST_PULUMI_STACK_NAME=test-${RANDOM_SUFFIX}
+
+    STACKPATH=${PULUMI_ORG}/eks-pulumi-operator-test/${TEST_PULUMI_STACK_NAME}
+
+    echo ""
+    echo "Writing out test manifest file '${MANIFEST_FILENAME}'"
+    # Note that while we use a random Pulumi stack name within the Stack resource,
+    # we keep the name of the Kubernetes Stack and Program resources static. This is
+    # intentional. If a test fails, we don't want it to leave superfluous Stack and
+    # Program K8s resources behind because the operator will keep trying to
+    # reconcile them. (The test failed - they should never be re-run again.)
+    # Instead, we want to reuse the same Kubernetes resource over and over but have
+    # it generate a new, uniquely-named Pulumi stack.
+    cat << EOF > $MANIFEST_FILENAME
+    apiVersion: pulumi.com/v1
+    kind: Program
+    metadata:
+      name: eks-pulumi-operator-test
+      namespace: pulumi
+    program:
+      resources:
+        myRandomPet:
+          type: random:RandomPet
+      outputs:
+        petName: \${myRandomPet.id}
+    ---
+    apiVersion: pulumi.com/v1
+    kind: Stack
+    metadata:
+      name: eks-pulumi-operator-test
+      namespace: pulumi
+    spec:
+      stack: ${STACKPATH}
+      programRef:
+        name: eks-pulumi-operator-test
+      destroyOnFinalize: true
+      envRefs:
+        PULUMI_ACCESS_TOKEN:
+          type: Secret
+          secret:
+            name: pulumi-access-token
+            key: value
+    EOF
+
+
+    echo ""
+    echo "Deploying sample stack and program."
+    kubectl apply -f $MANIFEST_FILENAME
+
+    echo ""
+    echo "Waiting for the operator to deploy the stack."
+    sleep 10
+
+    echo ""
+    echo "Verifying that the stack exists."
+    curl \
+      --fail \
+      -H "Accept: application/vnd.pulumi+8" \
+      -H "Content-Type: application/json" \
+      -H "Authorization: token $PULUMI_ACCESS_TOKEN" \
+      https://api.pulumi.com/api/stacks/${STACKPATH}
+
+    echo ""
+    echo "Destroying K8s Stack resource"
+    kubectl delete -n pulumi stacks/eks-pulumi-operator-test
+
+    echo ""
+    echo "Waiting for the operator to remove the stack"
+    sleep 10
+
+    echo ""
+    echo "Verifying the stack no longer exists"
+    STATUSCODE=$(curl \
+      -s \
+      -o /dev/null \
+      --w "%{http_code}" \
+      -H "Accept: application/vnd.pulumi+8" \
+      -H "Content-Type: application/json" \
+      -H "Authorization: token $PULUMI_ACCESS_TOKEN" \
+      https://api.pulumi.com/api/stacks/${STACKPATH}
+    )
+
+    if test $STATUSCODE -ne 404; then
+      echo "ERROR: Expected HTTP status code 404 from the Pulumi Cloud API when querying the stack. Got HTTP status code $STATUSCODE instead."
+      false
+    fi
+
+    # This is for purely for running the script locally. Since the K8s tester Job is
+    # run in an ephemeral container, deleting the file is unnecessary in that
+    # context:
+    echo ""
+    echo "Deleting test manifest file '${MANIFEST_FILENAME}'"
+    rm ${MANIFEST_FILENAME}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  # labels:
+  #   app: script-job
+  name: pulumi-k8s-operator-test
+  namespace: pulumi
+spec:
+  backoffLimit: 1
+  template:
+    spec:
+      serviceAccountName: pulumi-tester
+      containers:
+        - command:
+            - bash
+            - /scripts/pulumi-k8s-operator-test.sh
+          image: "bitnami/minideb:bookworm"
+          name: script
+          env:
+            - name: PULUMI_ACCESS_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: pulumi-access-token
+                  key: value
+            - name: PULUMI_ORG
+              valueFrom:
+                configMapKeyRef:
+                  name: pulumi-tester
+                  key: pulumi-org
+          volumeMounts:
+            - name: pulumi-tester-configmap
+              mountPath: /scripts/pulumi-k8s-operator-test.sh
+              subPath: pulumi-k8s-operator-test.sh
+              readOnly: false
+      restartPolicy: Never
+      volumes:
+        - name: pulumi-tester-configmap
+          configMap:
+            name: pulumi-tester-configmap
+            defaultMode: 0777