Fix ServiceAccount update panic (#3169)

The `ServiceAccount` awaiter is the only one which uses `clusterVersion` to decide its behavior, and we were only populating this on creation. #3139 consolidated create/update wait logic, which introduced a panic in this case because we're now calling the init awaiter during update. This PR adds a `nil` check to be safe and also populates `clusterVersion` for update/delete/read in the off chance that another awaiter might want to use it later down the line. Fixes #3166
pulumi · Aug 16, 2024 · 84f503b · 84f503b
1 parent f1b6d7a
commit 84f503b
Show file tree

Hide file tree

Showing 6 changed files with 62 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ### Fixed
 
+- Fixed a panic that would occur when updating `ServiceAccounts`. (https://github.com/pulumi/pulumi-kubernetes/issues/3166)
 - Fixed a panic that could occur when using `clusterIdentifier` provider configuration. (https://github.com/pulumi/pulumi-kubernetes/issues/3168)
 
 ## 4.17.0 (August 13, 2024)

diff --git a/provider/pkg/await/awaiters.go b/provider/pkg/await/awaiters.go
@@ -28,6 +28,7 @@ import (
 	"github.com/pulumi/pulumi-kubernetes/provider/v4/pkg/watcher"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/diag"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/util/contract"
 	logger "github.com/pulumi/pulumi/sdk/v3/go/common/util/logging"
 	corev1 "k8s.io/api/core/v1"
 	storagev1 "k8s.io/api/storage/v1"
@@ -689,6 +690,7 @@ func untilCoreV1ServiceAccountInitialized(c awaitConfig) error {
 	// k8s v1.24 changed the default secret provisioning behavior for ServiceAccount resources, so don't wait for
 	// clusters >= v1.24 to provision a secret before marking the resource as ready.
 	// https://github.com/kubernetes/kubernetes/blob/v1.24.3/CHANGELOG/CHANGELOG-1.24.md#urgent-upgrade-notes
+	contract.Assertf(c.clusterVersion != nil, "clusterVersion must be set")
 	if c.clusterVersion.Compare(cluster.ServerVersion{Major: 1, Minor: 24}) >= 0 {
 		return nil
 	}

diff --git a/provider/pkg/provider/provider.go b/provider/pkg/provider/provider.go
@@ -2158,6 +2158,7 @@ func (k *kubeProvider) Read(ctx context.Context, req *pulumirpc.ReadRequest) (*p
 			URN:               urn,
 			InitialAPIVersion: initialAPIVersion,
 			FieldManager:      fieldManager,
+			ClusterVersion:    &k.k8sVersion,
 			ClientSet:         k.clientSet,
 			DedupLogger:       logging.NewLogger(k.canceler.context, k.host, urn),
 			Resources:         resources,
@@ -2405,6 +2406,7 @@ func (k *kubeProvider) Update(
 			URN:               urn,
 			InitialAPIVersion: initialAPIVersion,
 			FieldManager:      fieldManager,
+			ClusterVersion:    &k.k8sVersion,
 			ClientSet:         k.clientSet,
 			DedupLogger:       logging.NewLogger(k.canceler.context, k.host, urn),
 			Resources:         resources,
@@ -2565,6 +2567,7 @@ func (k *kubeProvider) Delete(ctx context.Context, req *pulumirpc.DeleteRequest)
 			URN:               urn,
 			InitialAPIVersion: initialAPIVersion,
 			FieldManager:      fieldManager,
+			ClusterVersion:    &k.k8sVersion,
 			ClientSet:         k.clientSet,
 			DedupLogger:       logging.NewLogger(k.canceler.context, k.host, urn),
 			Resources:         resources,

diff --git a/tests/sdk/java/await_test.go b/tests/sdk/java/await_test.go
@@ -115,3 +115,20 @@ func TestAwaitService(t *testing.T) {
 	assert.Equal(t, up.Outputs["selector"], up.Outputs["label"])
 	test.Refresh()
 }
+
+func TestAwaitServiceAccount(t *testing.T) {
+	t.Parallel()
+
+	test := pulumitest.NewPulumiTest(t,
+		"testdata/await/service-account",
+		opttest.SkipInstall(),
+	)
+	t.Cleanup(func() {
+		test.Destroy()
+	})
+
+	test.Up()
+	test.UpdateSource("testdata/await/service-account/step2")
+	test.Up()
+	test.Refresh()
+}
diff --git a/tests/sdk/java/testdata/await/service-account/Pulumi.yaml b/tests/sdk/java/testdata/await/service-account/Pulumi.yaml
@@ -0,0 +1,17 @@
+name: await-service-account
+runtime: yaml
+description: Test await logic with service accounts.
+
+resources:
+  ns:
+    type: kubernetes:core/v1:Namespace
+
+  provider:
+    type: pulumi:providers:kubernetes
+    properties:
+      namespace: ${ns.metadata.name}
+
+  service-account:
+    type: kubernetes:core/v1:ServiceAccount
+    options:
+      provider: ${provider}
diff --git a/tests/sdk/java/testdata/await/service-account/step2/Pulumi.yaml b/tests/sdk/java/testdata/await/service-account/step2/Pulumi.yaml
@@ -0,0 +1,22 @@
+name: await-service-account
+runtime: yaml
+description: Test await logic with service accounts.
+
+resources:
+  ns:
+    type: kubernetes:core/v1:Namespace
+
+  provider:
+    type: pulumi:providers:kubernetes
+    properties:
+      namespace: ${ns.metadata.name}
+
+  service-account:
+    type: kubernetes:core/v1:ServiceAccount
+    properties:
+      # Update the service account's metadata.
+      metadata:
+        annotations:
+          foo: bar
+    options:
+      provider: ${provider}