Releases: pulumi/pulumi-kubernetes-operator

pulumi-kubernetes-operator-v2.3.0

24 Oct 01:03
2b7d86b

Pulumi Kubernetes Operator v2.3.0

We're excited to announce the release of Pulumi Kubernetes Operator v2.3.0, featuring two major enhancements that expand GitOps workflows: preview mode and structured configuration support.

What's New

Preview Mode for Stack API

Preview mode enables running Pulumi stacks in a dry-run fashion, allowing you to visualize infrastructure changes before applying them. This feature supports sophisticated GitOps workflows where you can:

  • Run what-if scenarios by creating multiple Stack objects for the same underlying Pulumi stack, with all-but-one operating in preview mode
  • Preview changes across different branches/tags to validate configuration updates before deployment
  • Roll out changes incrementally using a tick-tock approach by toggling the preview flag on and off with external verification between each step

Simply add preview: true to your Stack spec to enable preview-only mode. The Stack's Ready condition will indicate preview success, and you'll get full status including preview links, standard output, and program outputs.

Example:

apiVersion: pulumi.com/v1
kind: Stack
metadata:
  name: my-stack-preview-v2
spec:
  stack: org/project/stack
  projectRepo: https://github.com/example/infra
  branch: feature-branch
  preview: true

#1012 | Closes #16

Structured Configuration Support

Configuration management gets a major upgrade with native support for complex configuration values and ConfigMap references. This feature addresses two long-standing requests:

  • Complex configuration values: Objects, arrays, numbers, and booleans are now first-class citizens in Stack configuration
  • ConfigMap integration: Load configuration from ConfigMaps with automatic JSON parsing support
  • Fully backwards compatible: Existing string-only configurations continue to work unchanged

The implementation leverages Pulumi CLI's JSON configuration support (v3.202.0+) with automatic version detection and clear upgrade guidance when needed.

Example:

apiVersion: pulumi.com/v1
kind: Stack
spec:
  config:
    # Simple string (existing)
    simpleKey: "value"
    
    # Structured object (NEW)
    dbConfig:
      host: "localhost"
      port: 5432
      
    # Array (NEW)
    regions: ["us-west-2", "us-east-1"]
    
    # Number and boolean (NEW)
    maxConns: 100
    enableSSL: true
    
  # ConfigMap references (NEW)
  configRef:
    appSettings:
      name: app-config
      key: settings.json
      json: true

#1023 | Closes #258, #872

Additional Improvements

  • Stack name validation: Added validation to limit Stack names to 42 characters, preventing issues with long resource names #899

Bug Fixes

  • secretsProvider: Fixed issue where secretsProvider wasn't being applied to newly created stacks #935
  • Helm template parsing: Resolved YAML parsing error for podLabels in Helm chart #1014
  • Stack deletion: Fixed Stack deletion being blocked when prerequisites are missing #751
  • Update TTL: Fixed TTL not being properly respected for completed Update objects #960

Upgrade Notes

CRD Updates Required

IMPORTANT: This release includes updates to the CRDs with new and changed fields to support preview mode and structured configuration.

If upgrading via Helm: Helm v3 does not automatically upgrade CRDs. You must manually apply the updated CRDs before upgrading:

kubectl apply --server-side -k 'github.com/pulumi/pulumi-kubernetes-operator//operator/config/crd?ref=v2.3.0'
helm upgrade -n pulumi-kubernetes-operator pulumi-kubernetes-operator \
    oci://ghcr.io/pulumi/helm-charts/pulumi-kubernetes-operator --version 2.3.0

If using the quickstart YAML: The CRDs will be updated automatically via kubectl apply.

Other Upgrade Considerations

  • For structured configuration support, ensure your workspace pods use Pulumi CLI v3.202.0 or later
  • The operator will automatically detect CLI version and provide clear error messages if an upgrade is needed
  • All changes are backwards compatible - no manifest modifications required for existing Stack resources
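
A pre-upgrade check for the first consideration above, as an added example (not part of the release notes or the operator's code): it reads the JSON shape of `kubectl get stacks -A -o json` and flags Stack objects that use non-string `config` values or `configRef` entries with `json: true` while their workspace image is older than 3.202.0 or cannot be determined. It assumes the CLI version can be read from the tag of `spec.workspaceTemplate.spec.image`; the sample objects are constructed.

```python
import json
import re
MIN_CLI = (3, 202, 0)  # minimum Pulumi CLI version stated in the release notes

def cli_version(image):
    """Parse (major, minor, patch) from an image tag; None if it cannot be determined."""
    last = (image or "").rsplit("/", 1)[-1].split("@", 1)[0]  # drop registry path, digest
    m = re.fullmatch(r"[^:]+:v?(\d+)\.(\d+)\.(\d+).*", last)
    return tuple(int(g) for g in m.groups()) if m else None

def structured_keys(spec):
    """Config keys that rely on structured (non-string or JSON-parsed) values."""
    keys = [k for k, v in (spec.get("config") or {}).items() if not isinstance(v, str)]
    keys += [k for k, r in (spec.get("configRef") or {}).items() if (r or {}).get("json")]
    return sorted(keys)

def audit(stack_list):
    """Return (namespace, name, status, keys) for stacks whose CLI is too old or unknown."""
    findings = []
    for item in stack_list.get("items", []):
        spec = item.get("spec") or {}
        keys = structured_keys(spec)
        if not keys:
            continue  # string-only config works on any CLI version
        image = ((spec.get("workspaceTemplate") or {}).get("spec") or {}).get("image")
        ver = cli_version(image)
        if ver is not None and ver >= MIN_CLI:
            continue
        status = "cli-too-old" if ver is not None else "unknown-cli"
        meta = item.get("metadata") or {}
        findings.append((meta.get("namespace"), meta.get("name"), status, keys))
    return findings

# Constructed sample in the shape of `kubectl get stacks -A -o json` output.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "infra", "name": "old-cli"},
  "spec": {"config": {"simpleKey": "value", "maxConns": 100},
           "workspaceTemplate": {"spec": {"image": "pulumi/pulumi:3.173.0-nonroot"}}}},
 {"metadata": {"namespace": "infra", "name": "new-cli"},
  "spec": {"config": {"regions": ["us-west-2", "us-east-1"]},
           "workspaceTemplate": {"spec": {"image": "pulumi/pulumi:3.202.0-nonroot"}}}},
 {"metadata": {"namespace": "infra", "name": "default-image"},
  "spec": {"configRef": {"appSettings": {"name": "app-config", "key": "settings.json", "json": true}}}}
]}""")

if __name__ == "__main__":
    for ns, name, status, keys in audit(SAMPLE):
        print(f"{ns}/{name}: {status} ({', '.join(keys)})")
```

Stacks reported as unknown-cli do not pin a workspace image, so the CLI version has to be confirmed from the running workspace pod instead.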

Installation

Helm (recommended):

# For new installations:
helm install --create-namespace -n pulumi-kubernetes-operator pulumi-kubernetes-operator \
    oci://ghcr.io/pulumi/helm-charts/pulumi-kubernetes-operator --version 2.3.0

# For upgrades, apply CRDs first:
kubectl apply --server-side -k 'github.com/pulumi/pulumi-kubernetes-operator//operator/config/crd?ref=v2.3.0'
helm upgrade -n pulumi-kubernetes-operator pulumi-kubernetes-operator \
    oci://ghcr.io/pulumi/helm-charts/pulumi-kubernetes-operator --version 2.3.0

Quickstart YAML:

kubectl apply -f https://raw.githubusercontent.com/pulumi/pulumi-kubernetes-operator/v2.3.0/deploy/quickstart/install.yaml

Full Changelog

See CHANGELOG.md for complete details.

pulumi-kubernetes-operator-2.3.0

24 Oct 00:51
2b7d86b

A Helm chart for the Pulumi Kubernetes Operator

pulumi-kubernetes-operator-v2.2.0

12 Aug 16:13
2dae151

New Feature Release

v2.2.0 is a feature release of the Pulumi Kubernetes Operator, a cloud-native way to manage and deploy cloud infrastructure using Pulumi from within your Kubernetes environment (see the 2.x announcement post).

Key Enhancements

Security Fix: Avoid Logging of Config Secrets (#990)

Avoid logging of the config secrets into the pod log during deployment operations.

Extensibility: Dynamic Environment Variables (#976)

Makes it possible to set environment variables affecting the Pulumi CLI using an init container. Unlike variables set through the Stack spec, these variables are set by writing to an environment file named $PULUMI_ENV. For example:

initContainers:
  - name: extra
    image: busybox
    command:
      - sh
      - -c
      - |
          echo 'PULUMI_CONFIG_PASSPHRASE=test' >> $PULUMI_ENV

GitOps: Reset Cooldown On New Commit (#951)

Run an update if a new commit is detected even if previous update(s) had failed and the system is in a backoff state.

GitOps: New Backoff Parameters (#827)

When a stack update fails, the system retries the update using exponential backoff. The initial
retry rate was increased, and a new Stack parameter spec.retryMaxBackoffDurationSeconds was added to
set the maximum backoff duration (default: one update per day).

Note: at any time, use the following command to manually kick off an update:

$ kubectl annotate stack random-yaml "pulumi.com/reconciliation-request=$(date)" --overwrite  
stack.pulumi.com/random-yaml annotated

What's Changed

  • Update pulumi/actions action to v6.4.0 by @pulumi-renovate[bot] in #969
  • Update first-party Pulumi dependencies to v3.186.0 by @pulumi-renovate[bot] in #973
  • Update dependency @pulumi/pulumiservice to v0.31.0 by @pulumi-renovate[bot] in #980
  • Update dependency @pulumi/pulumi to v3.188.0 by @pulumi-renovate[bot] in #981
  • Update pulumi/pulumi Docker tag to v3.188.0 by @pulumi-renovate[bot] in #983
  • Update pulumi/pulumi:3.188.0-nonroot Docker digest to 602d6be by @pulumi-renovate[bot] in #987
  • feat: Allow configuring packages in Program CR by @dirien in #956
  • Improve handling of failed updates - delete and new commits by @nicu-da in #966
  • implement dynamic environment variables by @EronWright in #976
  • Add max backoff stack property to calculate the cooldown period by @nicu-da in #949
  • Automated pulumi/pulumi upgrade by @pulumi-bot in #982
  • Avoid logging of autoapi structs by @EronWright in #990
  • Prepare for PKO v2.2.0 by @EronWright in #989

Full Changelog: v2.1.0...v2.2.0

pulumi-kubernetes-operator-2.2.0

12 Aug 16:07
2dae151

A Helm chart for the Pulumi Kubernetes Operator

What's Changed

  • Updated operator version to v2.2.0

pulumi-kubernetes-operator-v2.1.0

30 May 00:15
a579bb1

New Feature Release

v2.1.0 is a feature release of the Pulumi Kubernetes Operator, a cloud-native way to manage and deploy cloud infrastructure using Pulumi from within your Kubernetes environment. This release builds on v2.0.0 (see the announcement post).

Key Enhancements

New: Pulumi ESC Integration (#924)

Pulumi ESC (Environments, Secrets, and Configuration) provides centralized secrets management & orchestration. Pulumi ESC integrates tightly with Pulumi IaC, allowing environments to be accessed during the deployment process.

Now you can easily attach ESC environments to your Stack object to incorporate its settings and secrets.

apiVersion: pulumi.com/v1
kind: Stack
metadata:
  name: myapp
spec:
  stack: dev
  environment:
    - myorg/myapp/dev

New: Update Templates (#925)

The Stack controller creates Update objects to drive Pulumi deployment operations. It is now possible to customize the objects, e.g. to configure the retention policy (ttlAfterCompleted) and to add metadata labels.

apiVersion: pulumi.com/v1
kind: Stack
metadata:
  name: myapp
spec:
  workspaceTemplate:
    spec:
      image: pulumi/pulumi:3.173.0-nonroot
  updateTemplate:
    metadata:
      labels:
        app.kubernetes.io/instance: "example"
    spec:
      ttlAfterCompleted: 42m

Fixed: Init Container Ordering (#923)

Init containers are a way to customize the stack environment, e.g. how your program’s source code is obtained. See "Customization and Extensibility" for more background.

The system now runs your custom init containers later than before, giving you access to the program code.

New: IaC Example (#843)

The repository has a new example, in examples/pulumi-ts, showing how to use Pulumi IaC to deploy a Stack object. The program provisions a Pulumi Cloud access token for the stack's backend and stores it as a Secret. It then creates a ServiceAccount, ClusterRoleBinding, and Stack object.

Installation

Follow the instructions in README.md to install the operator. Please uninstall v1.x before installing v2.x, and see the "Migration Guide" on how to update your Stack resources.

Optional: install Flux (instructions) to use Flux sources.

Having issues? See the "Troubleshooting Guide" and open issues.

Migration Guide (2.0 to 2.1)

This release has a few minor breaking changes; please review this section.

Stack API: Changes to ordering of init containers (#923)

If you use the Stack's podTemplate to inject init container(s), be aware that they'll now run after the bootstrap and fetch containers. This means that the /share volume will be present, and your program code will have been downloaded, before your init container runs.

Stack API: Remove ResourceSelectorType "FS" and "Env" (#920)

The Stack definition allows you to set stack configuration values from a variety of sources including literals and from Secret objects. To improve the security of the system, support for the "FS" and "Env" sources was removed in this release. These source types allowed a Stack to exfiltrate information from the operator pod. Other source types are still supported.
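
A migration audit for this change, as an added example (not part of the release notes or the operator's code): it walks each Stack's spec in the JSON shape of `kubectl get stacks -A -o json` and reports every reference whose selector type is "FS" or "Env". It assumes the selector type is carried in a field named `type`; the sample objects, including the `envRefs` and `secretsRef` field names and their contents, are constructed for illustration.

```python
import json

REMOVED_TYPES = {"FS", "Env"}  # source types removed in v2.1.0 per the notes above

def find_removed_refs(node, path="spec"):
    """Recursively collect (json_path, type) for mappings using a removed source type."""
    hits = []
    if isinstance(node, dict):
        kind = node.get("type")  # assumption: selector type lives in a `type` field
        if isinstance(kind, str) and kind in REMOVED_TYPES:
            hits.append((path, kind))
        for key, value in node.items():
            hits += find_removed_refs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_removed_refs(value, f"{path}[{i}]")
    return hits

def audit_stacks(stack_list):
    """Map 'namespace/name' to the removed-type references found in that Stack."""
    report = {}
    for item in stack_list.get("items", []):
        meta = item.get("metadata") or {}
        hits = find_removed_refs(item.get("spec") or {})
        if hits:
            report[f"{meta.get('namespace')}/{meta.get('name')}"] = hits
    return report

# Constructed sample; field names under spec are assumptions for illustration.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "infra", "name": "legacy"},
  "spec": {"stack": "dev",
           "envRefs": {"REGION": {"type": "Env", "env": {"name": "REGION"}},
                       "TOKEN": {"type": "Secret", "secret": {"name": "tok", "key": "t"}}},
           "secretsRef": {"dbPass": {"type": "FS", "filesystem": {"path": "/example/path"}}}}},
 {"metadata": {"namespace": "infra", "name": "clean"},
  "spec": {"stack": "dev",
           "envRefs": {"TOKEN": {"type": "Literal", "literal": {"value": "x"}}}}}
]}""")

if __name__ == "__main__":
    for stack, hits in audit_stacks(SAMPLE).items():
        for path, kind in hits:
            print(f"{stack}: {path} uses removed source type {kind}")
```

Each reported path needs to be moved to one of the source types that is still supported before the Stack is reconciled by v2.1.0 or later.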

Stack API: Changes to lastSuccessfulCommit (#929)

The status block contains a lastSuccessfulCommit field that serves as an indication of the Git commit of your stack. When using a Flux source or a Program source, that field now contains the artifact's revision tag, as opposed to its SHA1 digest. The behavior when using a Git source is unchanged.

Full Changelog: v2.0.0...v2.1.0

pulumi-kubernetes-operator-2.1.0

30 May 00:09
a579bb1

A Helm chart for the Pulumi Kubernetes Operator

pulumi-kubernetes-operator-v2.0.0

19 Feb 17:09
3c0b263

🎉 New Major Version 🎉

This is a major new feature release of the Pulumi Kubernetes Operator, a cloud-native way to manage and deploy cloud infrastructure using Pulumi from within your Kubernetes environment.

Key Enhancements

The v2.0 release is based on a whole new architecture for running Pulumi programs in your Kubernetes cluster. The Operator now allocates a dedicated pod for each Stack to serve as the execution environment for Pulumi stack operations. Previously, all stack operations took place within the Operator’s own pod. This new approach effectively isolates each stack’s compute and memory resources, improves the isolation of secrets, and opens up new customization options.

For a full list of enhancements, see the announcement post:
https://www.pulumi.com/blog/pulumi-kubernetes-operator-2-0/

Installation

Follow the instructions in README.md to install the operator. Please uninstall v1.x before installing v2.x, and see the "Migration Guide" on how to update your Stack resources.

Optional: install Flux (instructions) to use Flux sources.

Having issues? See the "Troubleshooting Guide" and open issues.

pulumi-kubernetes-operator-2.0.0

19 Feb 17:03
3c0b263

A Helm chart for the Pulumi Kubernetes Operator (ArtifactHub)

pulumi-kubernetes-operator-v2.0.0-rc.1

16 Feb 06:24

Pre-release

IMPORTANT: this is a prerelease and is not intended for use in a production environment.

See announcement:
https://www.pulumi.com/blog/pulumi-kubernetes-operator-2-0/

Installation

Follow the instructions in README.md to install the operator.

Optional: install Flux2 (instructions) to use Flux sources.

What's Changed

  • Update module github.com/pulumi/pulumi/sdk/v3 to v3.143.0 by @pulumi-renovate in #772
  • Update module github.com/pulumi/pulumi/sdk/v3 to v3.144.0 by @pulumi-renovate in #776
  • Update module github.com/pulumi/pulumi/sdk/v3 to v3.144.1 by @pulumi-renovate in #777
  • Update kubernetes packages to v0.32.0 by @pulumi-renovate in #767
  • Update module k8s.io/kubernetes to v1.32.0 by @pulumi-renovate in #768
  • Update module sigs.k8s.io/controller-runtime to v0.19.3 by @pulumi-renovate in #769
  • Pin dependencies by @pulumi-renovate in #779
  • Fix build by @blampe in #782
  • Update module github.com/go-git/go-git/v5 to v5.13.0 [SECURITY] by @pulumi-renovate in #783
  • Update first-party Pulumi dependencies to v3.145.0 by @pulumi-renovate in #784
  • Update first-party Pulumi dependencies (major) by @pulumi-renovate in #781
  • Update pulumi/pulumi Docker tag to v3.145.0 by @pulumi-renovate in #785
  • Update pulumi/actions digest to 13b8b71 by @pulumi-renovate in #787
  • Update dependency @pulumi/kubernetes to v4.20.0 by @pulumi-renovate in #788
  • Update first-party Pulumi dependencies to v3.146.0 by @pulumi-renovate in #789
  • Update dependency @pulumi/kubernetes to v4.21.0 by @pulumi-renovate in #792
  • Update dependency @pulumi/random to v4.17.0 by @pulumi-renovate in #793
  • Update pulumi/pulumi Docker tag to v3.146.0 by @pulumi-renovate in #794
  • Update first-party Pulumi dependencies to v3.147.0 by @pulumi-renovate in #796
  • Update dependency @pulumi/kubernetes to v4.21.1 by @pulumi-renovate in #798
  • Update first-party Pulumi dependencies to v3.148.0 by @pulumi-renovate in #799
  • Reduce volatility of the workspace due to ordering and caching issues by @EronWright in #803
  • feat: add WorkspaceReclaimPolicy to Stack spec by @rquitales in #804
  • feat: report status when stack is locked by @rquitales in #807
  • Update first-party Pulumi dependencies to v3.149.0 by @pulumi-renovate in #808
  • fix: do not delete workspace pod on authz errors by @rquitales in #805
  • Use 'parallel' policy for workspace pod rollouts to avoid stalls by @EronWright in #802
  • Update first-party Pulumi dependencies by @pulumi-renovate in #809
  • Update pulumi/pulumi Docker tag to v3.150.0 by @pulumi-renovate in #812
  • Garbage collection for Update objects by @EronWright in #810
  • Use correct logic for OwnerReferencesChangedPredicate by @EronWright in #815
  • Fix linting issues by @rquitales in #813
  • Lint agent/ folder by @rquitales in #817
  • Use audience-scoped access token by @EronWright in #816
  • copyright headers by @EronWright in #820
  • deployment template: fix extraSidecars indentation by @zackse in #770
  • Add artifact hub metadata by @rquitales in #821
  • Update module k8s.io/kubernetes to v1.32.2 [SECURITY] by @pulumi-renovate in #825
  • Use a prebuilt image for testing helm installation by @rquitales in #822
  • fix: do not delete the workspace pod when the last update failed by @rquitales in #828
  • Enable setting the log verbosity level of Pulumi CLI for a stack/workspace by @rquitales in #824
  • Bump github.com/hashicorp/go-retryablehttp from 0.7.5 to 0.7.7 in the go_modules group across 1 directory by @dependabot in #773
  • Use pulumi.com labels by @EronWright in #829
  • feat: add CI workflows to sync operator images to ECR and GHCR by @rquitales in #830
  • Sync built images to ECR and GHCR on release by @rquitales in #831
  • New controller events by @EronWright in #832
  • feat: add GHA summary for image sync job by @rquitales in #834
  • Prepare for v2.0.0-rc.1 by @EronWright in #835

Full Changelog: v2.0.0-beta.3...v2.0.0-rc.1

pulumi-kubernetes-operator-2.0.0-rc.1

18 Feb 17:10

Pre-release

A Helm chart for the Pulumi Kubernetes Operator