Isolate the PULUMI_HOME directory

pulumi · Sep 9, 2023 · 8bd1658 · 8bd1658
1 parent c0ca450
commit 8bd1658
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 15 deletions.
diff --git a/pkg/controller/stack/flux.go b/pkg/controller/stack/flux.go
@@ -22,6 +22,9 @@ func (sess *reconcileStackSession) SetupWorkdirFromFluxSource(ctx context.Contex
 	// this source artifact fetching code is based closely on
 	// https://github.com/fluxcd/kustomize-controller/blob/db3c321163522259595894ca6c19ed44a876976d/controllers/kustomization_controller.go#L529
 
+	homeDir := sess.getPulumiHome()
+	contentDir := sess.getContentDir()
+
 	artifactURL, err := getArtifactField(source, "url")
 	if err != nil {
 		return "", err
@@ -43,14 +46,18 @@ func (sess *reconcileStackSession) SetupWorkdirFromFluxSource(ctx context.Contex
 	}
 
 	fetcher := fetch.NewArchiveFetcher(1, maxArtifactDownloadSize, maxArtifactDownloadSize*10, "")
-	if err = fetcher.Fetch(artifactURL, digest, sess.rootDir); err != nil {
+	if err = fetcher.Fetch(artifactURL, digest, contentDir); err != nil {
 		return "", fmt.Errorf("failed to get artifact from source: %w", err)
 	}
 
-	// woo! now there's a directory with source in `rootdir`. Construct a workspace.
+	// woo! now there's a directory with source in `contentDir`. Construct a workspace.
 
 	secretsProvider := auto.SecretsProvider(sess.stack.SecretsProvider)
-	w, err := auto.NewLocalWorkspace(ctx, auto.WorkDir(filepath.Join(sess.rootDir, fluxSource.Dir)), secretsProvider)
+	w, err := auto.NewLocalWorkspace(
+		ctx,
+		auto.PulumiHome(homeDir),
+		auto.WorkDir(filepath.Join(contentDir, fluxSource.Dir)),
+		secretsProvider)
 	if err != nil {
 		return "", fmt.Errorf("failed to create local workspace: %w", err)
 	}

diff --git a/pkg/controller/stack/stack_controller.go b/pkg/controller/stack/stack_controller.go
@@ -580,17 +580,15 @@ func (r *ReconcileStack) Reconcile(ctx context.Context, request reconcile.Reques
 	}
 
 	// Create the build working directory. Any problem here is unexpected, and treated as a
-	// controller error.
+	// controller error. The working directory contains the PULUMI_HOME and the program content.
 	workingDir, err := makeWorkingDir(instance)
 	if err != nil {
 		return reconcile.Result{}, fmt.Errorf("unable to create tmp directory for workspace: %w", err)
 	}
 	sess.rootDir = workingDir
-	defer func() {
-		if workingDir != "" {
-			os.RemoveAll(workingDir)
-		}
-	}()
+
+	// Delete the temporary directory after the reconciliation is completed (regardless of success or failure).
+	defer sess.CleanupPulumiDir()
 
 	// Check which kind of source we have.
 
@@ -714,9 +712,6 @@ func (r *ReconcileStack) Reconcile(ctx context.Context, request reconcile.Reques
 		}
 	}
 
-	// Delete the temporary directory after the reconciliation is completed (regardless of success or failure).
-	defer sess.CleanupPulumiDir()
-
 	// Step 2. If there are extra environment variables, read them in now and use them for subsequent commands.
 	if err = sess.SetEnvs(ctx, stack.Envs, request.Namespace); err != nil {
 		err := fmt.Errorf("could not find ConfigMap for Envs: %w", err)
@@ -1240,9 +1235,28 @@ func makeWorkingDir(s *pulumiv1.Stack) (_path string, _err error) {
 	if err = os.MkdirAll(path, 0700); err != nil {
 		return "", fmt.Errorf("error creating working dir: %w", err)
 	}
+
+	homeDir := filepath.Join(path, ".pulumi")
+	if err := os.MkdirAll(homeDir, 0700); err != nil {
+		return "", fmt.Errorf("error creating .pulumi dir: %w", err)
+	}
+
+	contentDir := filepath.Join(path, "content")
+	if err := os.MkdirAll(contentDir, 0700); err != nil {
+		return "", fmt.Errorf("error creating content dir: %w", err)
+	}
+
 	return path, nil
 }
 
+func (sess *reconcileStackSession) getPulumiHome() string {
+	return filepath.Join(sess.rootDir, ".pulumi")
+}
+
+func (sess *reconcileStackSession) getContentDir() string {
+	return filepath.Join(sess.rootDir, "content")
+}
+
 func (sess *reconcileStackSession) SetupWorkdirFromGitSource(ctx context.Context, gitAuth *auto.GitAuth, source *shared.GitSource) (string, error) {
 	repo := auto.GitRepo{
 		URL:         source.ProjectRepo,
@@ -1254,9 +1268,18 @@ func (sess *reconcileStackSession) SetupWorkdirFromGitSource(ctx context.Context
 
 	sess.logger.Debug("Setting up pulumi workdir for stack", "stack", sess.stack)
 	// Create a new workspace.
+
+	homeDir := sess.getPulumiHome()
+	contentDir := sess.getContentDir()
+
 	secretsProvider := auto.SecretsProvider(sess.stack.SecretsProvider)
 
-	w, err := auto.NewLocalWorkspace(ctx, auto.WorkDir(sess.rootDir), auto.Repo(repo), secretsProvider)
+	w, err := auto.NewLocalWorkspace(
+		ctx,
+		auto.PulumiHome(homeDir),
+		auto.WorkDir(contentDir),
+		auto.Repo(repo),
+		secretsProvider)
 	if err != nil {
 		return "", fmt.Errorf("failed to create local workspace: %w", err)
 	}
@@ -1281,6 +1304,9 @@ func (sess *reconcileStackSession) SetupWorkdirFromYAML(ctx context.Context, pro
 
 	// Create a new workspace.
 
+	homeDir := sess.getPulumiHome()
+	contentDir := sess.getContentDir()
+
 	secretsProvider := auto.SecretsProvider(sess.stack.SecretsProvider)
 
 	program := pulumiv1.Program{}
@@ -1304,13 +1330,17 @@ func (sess *reconcileStackSession) SetupWorkdirFromYAML(ctx context.Context, pro
 		return "", fmt.Errorf("failed to marshal program object to YAML: %w", err)
 	}
 
-	err = os.WriteFile(filepath.Join(sess.rootDir, "Pulumi.yaml"), out, 0600)
+	err = os.WriteFile(filepath.Join(contentDir, "Pulumi.yaml"), out, 0600)
 	if err != nil {
 		return "", fmt.Errorf("failed to write YAML to file: %w", err)
 	}
 
 	var w auto.Workspace
-	w, err = auto.NewLocalWorkspace(ctx, auto.WorkDir(sess.rootDir), secretsProvider)
+	w, err = auto.NewLocalWorkspace(
+		ctx,
+		auto.PulumiHome(homeDir),
+		auto.WorkDir(contentDir),
+		secretsProvider)
 	if err != nil {
 		return "", fmt.Errorf("failed to create local workspace: %w", err)
 	}