Expose config to disable upsert behavior

CHANGELOG.md

@@ -2,6 +2,7 @@
 
 - Fix Release behavior to deep merge `valueYamlFiles` to match Helm. (https://github.com/pulumi/pulumi-kubernetes/pull/2963)
 - Add field manager's name to server-side apply conflict errors. (https://github.com/pulumi/pulumi-kubernetes/pull/2983)
+- Add `enableUpsert` provider configuration to control apply behavior on resource creation. (https://github.com/pulumi/pulumi-kubernetes/pull/3000)
 
 ## 4.11.0 (April 17, 2024)
 
@@ -57,32 +58,32 @@ Note that transformations aren't supported in this release (see https://github.c
 - Fix option propagation in component resources (Go SDK) (https://github.com/pulumi/pulumi-kubernetes/pull/2709)
 
 ### Breaking Changes
-In previous versions of the pulumi-kubernetes .NET SDK, the `ConfigFile` and `ConfigGroup` component resources inadvertently assigned the wrong parent to the child resource(s). 
+In previous versions of the pulumi-kubernetes .NET SDK, the `ConfigFile` and `ConfigGroup` component resources inadvertently assigned the wrong parent to the child resource(s).
 This would happen when the component resource itself had a parent; the child would be assigned that same parent. This also had the effect of disregarding the component resource's provider in favor of the parent's provider.
 
 For example, here's a before/after look at the component hierarchy:
 
 Before:
 
 ```
-├─ pkg:index:MyComponent            parent                                               
-│  ├─ kubernetes:core/v1:ConfigMap  cg-options-cg-options-cm-1                           
+├─ pkg:index:MyComponent            parent
+│  ├─ kubernetes:core/v1:ConfigMap  cg-options-cg-options-cm-1
 │  ├─ kubernetes:yaml:ConfigFile    cg-options-testdata/options/configgroup/manifest.yaml
-│  ├─ kubernetes:core/v1:ConfigMap  cg-options-configgroup-cm-1                          
-│  ├─ kubernetes:yaml:ConfigFile    cg-options-testdata/options/configgroup/empty.yaml   
-│  └─ kubernetes:yaml:ConfigGroup   cg-options  
+│  ├─ kubernetes:core/v1:ConfigMap  cg-options-configgroup-cm-1
+│  ├─ kubernetes:yaml:ConfigFile    cg-options-testdata/options/configgroup/empty.yaml
+│  └─ kubernetes:yaml:ConfigGroup   cg-options
 ```
 
 After:
 
 ```
-└─ pkg:index:MyComponent                  parent                                               
-   └─ kubernetes:yaml:ConfigGroup         cg-options                                           
+└─ pkg:index:MyComponent                  parent
+   └─ kubernetes:yaml:ConfigGroup         cg-options
       ├─ kubernetes:yaml:ConfigFile       cg-options-testdata/options/configgroup/manifest.yaml
-      │  └─ kubernetes:core/v1:ConfigMap  cg-options-configgroup-cm-1                          
-      └─ kubernetes:core/v1:ConfigMap     cg-options-cg-options-cm-1     
+      │  └─ kubernetes:core/v1:ConfigMap  cg-options-configgroup-cm-1
+      └─ kubernetes:core/v1:ConfigMap     cg-options-cg-options-cm-1
 ```
-      
+
 This release addresses this issue and attempts to heal existing stacks using aliases. This is effective at avoiding a replacement except in the case where the child was created with the wrong provider. In this case, __Pulumi will suggest a replacement of the child resource(s), such that they use the correct provider__.
 
 ## 4.6.1 (December 14, 2023)

provider/pkg/await/await.go

@@ -70,6 +70,7 @@ type ProviderConfig struct {
 	FieldManager      string
 	ClusterVersion    *cluster.ServerVersion
 	ServerSideApply   bool
+	EnableUpsert      bool
 
 	ClientSet   *clients.DynamicClientSet
 	DedupLogger *logging.DedupLogger
@@ -192,7 +193,7 @@ func Creation(c CreateConfig) (*unstructured.Unstructured, error) {
 				}
 			}
 
-			if c.ServerSideApply {
+			if c.ServerSideApply && c.EnableUpsert {
 				force := patchForce(c.Inputs, nil, c.Preview)
 				options := metav1.PatchOptions{
 					FieldManager:    c.FieldManager,

provider/pkg/await/await_test.go

@@ -325,6 +325,7 @@ func Test_Creation(t *testing.T) {
 					DedupLogger:       logging.NewLogger(context.Background(), host, urn),
 					Resources:         resources,
 					ServerSideApply:   tt.args.serverSideApply,
+					EnableUpsert:      tt.args.serverSideApply,
 					awaiters:          map[string]awaitSpec{},
 				},
 				Inputs:  tt.args.inputs,
@@ -365,6 +366,7 @@ func TestAwaitSSAConflict(t *testing.T) {
 		FieldManager:    "test",
 		ClientSet:       client,
 		ServerSideApply: true,
+		EnableUpsert:    true,
 	}
 	config := CreateConfig{
 		ProviderConfig: pconfig,

provider/pkg/gen/schema.go

@@ -90,6 +90,16 @@ func PulumiSchema(swagger map[string]any) pschema.PackageSpec {
 					Description: "BETA FEATURE - If present and set to true, allow ConfigMaps to be mutated.\nThis feature is in developer preview, and is disabled by default.\n\nThis config can be specified in the following ways using this precedence:\n1. This `enableConfigMapMutable` parameter.\n2. The `PULUMI_K8S_ENABLE_CONFIGMAP_MUTABLE` environment variable.",
 					TypeSpec:    pschema.TypeSpec{Type: "boolean"},
 				},
+				"enableUpsert": {
+					Description: "If present and set to false, the provider will surface errors if a create operation would overwrite existing resources in the cluster.",
+					TypeSpec:    pschema.TypeSpec{Type: "boolean"},
+					Default:     true,
+					DefaultInfo: &pschema.DefaultSpec{
+						Environment: []string{
+							"PULUMI_K8S_ENABLE_UPSERT",
+						},
+					},
+				},
 				"renderYamlToDirectory": {
 					Description: "BETA FEATURE - If present, render resource manifests to this directory. In this mode, resources will not\nbe created on a Kubernetes cluster, but the rendered manifests will be kept in sync with changes\nto the Pulumi program. This feature is in developer preview, and is disabled by default.\n\nNote that some computed Outputs such as status fields will not be populated\nsince the resources are not created on a Kubernetes cluster. These Output values will remain undefined,\nand may result in an error if they are referenced by other resources. Also note that any secret values\nused in these resources will be rendered in plaintext to the resulting YAML.",
 					TypeSpec:    pschema.TypeSpec{Type: "string"},
@@ -177,6 +187,15 @@ func PulumiSchema(swagger map[string]any) pschema.PackageSpec {
 					Description: "BETA FEATURE - If present and set to true, allow ConfigMaps to be mutated.\nThis feature is in developer preview, and is disabled by default.\n\nThis config can be specified in the following ways using this precedence:\n1. This `enableConfigMapMutable` parameter.\n2. The `PULUMI_K8S_ENABLE_CONFIGMAP_MUTABLE` environment variable.",
 					TypeSpec:    pschema.TypeSpec{Type: "boolean"},
 				},
+				"enableUpsert": {
+					Description: "If present and set to false, the provider will surface errors if a create operation would overwrite existing resources in the cluster.",
+					TypeSpec:    pschema.TypeSpec{Type: "boolean"},
+					DefaultInfo: &pschema.DefaultSpec{
+						Environment: []string{
+							"PULUMI_K8S_ENABLE_UPSERT",
+						},
+					},
+				},
 				"renderYamlToDirectory": {
 					Description: "BETA FEATURE - If present, render resource manifests to this directory. In this mode, resources will not\nbe created on a Kubernetes cluster, but the rendered manifests will be kept in sync with changes\nto the Pulumi program. This feature is in developer preview, and is disabled by default.\n\nNote that some computed Outputs such as status fields will not be populated\nsince the resources are not created on a Kubernetes cluster. These Output values will remain undefined,\nand may result in an error if they are referenced by other resources. Also note that any secret values\nused in these resources will be rendered in plaintext to the resulting YAML.",
 					TypeSpec:    pschema.TypeSpec{Type: "string"},
@@ -425,8 +444,8 @@ func PulumiSchema(swagger map[string]any) pschema.PackageSpec {
 					}
 
 					patchDescription := `Patch resources are used to modify existing Kubernetes resources by using
-Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than 
-one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource. 
+Server-Side Apply updates. The name of the resource must be specified, but all other properties are optional. More than
+one patch may be applied to the same resource, and a random FieldManager name will be used for each Patch resource.
 Conflicts will result in an error by default, but can be forced using the "pulumi.com/patchForce" annotation. See the
 [Server-Side Apply Docs](https://www.pulumi.com/registry/packages/kubernetes/how-to-guides/managing-resources-with-server-side-apply/) for
 additional information about using Server-Side Apply to manage Kubernetes resources with Pulumi.`

provider/pkg/provider/provider.go

@@ -130,6 +130,7 @@ type kubeProvider struct {
 	skipUpdateUnreachable       bool
 	enableConfigMapMutable      bool
 	enableSecrets               bool
+	enableUpsert                bool
 	suppressDeprecationWarnings bool
 	suppressHelmHookWarnings    bool
 	serverSideApplyMode         bool
@@ -543,6 +544,17 @@ func (k *kubeProvider) Configure(_ context.Context, req *pulumirpc.ConfigureRequ
 		k.enableConfigMapMutable = true
 	}
 
+	enableUpsert := func() bool {
+		if enabled, exists := vars["kubernetes:config:enableUpsert"]; exists {
+			return enabled == trueStr
+		}
+		if enabled, exists := os.LookupEnv("PULUMI_K8S_ENABLE_UPSERT"); exists {
+			return enabled == trueStr
+		}
+		return true
+	}
+	k.enableUpsert = enableUpsert()
+
 	suppressDeprecationWarnings := func() bool {
 		// If the provider flag is set, use that value to determine behavior. This will override the ENV var.
 		if enabled, exists := vars["kubernetes:config:suppressDeprecationWarnings"]; exists {
@@ -1849,6 +1861,7 @@ func (k *kubeProvider) Create(
 			DedupLogger:       logging.NewLogger(k.canceler.context, k.host, urn),
 			Resources:         resources,
 			ServerSideApply:   k.serverSideApplyMode,
+			EnableUpsert:      k.enableUpsert,
 		},
 		Inputs:  newInputs,
 		Timeout: req.Timeout,
@@ -2096,6 +2109,8 @@ func (k *kubeProvider) Read(ctx context.Context, req *pulumirpc.ReadRequest) (*p
 			ClientSet:         k.clientSet,
 			DedupLogger:       logging.NewLogger(k.canceler.context, k.host, urn),
 			Resources:         resources,
+			ServerSideApply:   k.serverSideApplyMode,
+			EnableUpsert:      k.enableUpsert,
 		},
 		Inputs:          oldInputs,
 		ReadFromCluster: readFromCluster,
@@ -2344,6 +2359,7 @@ func (k *kubeProvider) Update(
 			DedupLogger:       logging.NewLogger(k.canceler.context, k.host, urn),
 			Resources:         resources,
 			ServerSideApply:   k.serverSideApplyMode,
+			EnableUpsert:      k.enableUpsert,
 		},
 		OldInputs:     oldLivePruned,
 		OldOutputs:    oldLive,
@@ -2502,6 +2518,7 @@ func (k *kubeProvider) Delete(ctx context.Context, req *pulumirpc.DeleteRequest)
 			DedupLogger:       logging.NewLogger(k.canceler.context, k.host, urn),
 			Resources:         resources,
 			ServerSideApply:   k.serverSideApplyMode,
+			EnableUpsert:      k.enableUpsert,
 		},
 		Inputs:  oldInputs,
 		Outputs: current,

sdk/dotnet/Config/Config.cs

@@ -98,6 +98,16 @@ public static bool? EnableServerSideApply
             set => _enableServerSideApply.Set(value);
         }
 
+        private static readonly __Value<bool?> _enableUpsert = new __Value<bool?>(() => __config.GetBoolean("enableUpsert") ?? Utilities.GetEnvBoolean("PULUMI_K8S_ENABLE_UPSERT") ?? true);
+        /// <summary>
+        /// If present and set to false, the provider will surface errors if a create operation would overwrite existing resources in the cluster.
+        /// </summary>
+        public static bool? EnableUpsert
+        {
+            get => _enableUpsert.Get();
+            set => _enableUpsert.Set(value);
+        }
+
         private static readonly __Value<string?> _kubeconfig = new __Value<string?>(() => __config.Get("kubeconfig"));
         /// <summary>
         /// The contents of a kubeconfig file or the path to a kubeconfig file. If this is set, this config will be used instead of $KUBECONFIG.

sdk/dotnet/Provider.cs

@@ -82,6 +82,12 @@
         [Input("enableServerSideApply", json: true)]
         public Input<bool>? EnableServerSideApply { get; set; }
 
+        /// <summary>
+        /// If present and set to false, the provider will surface errors if a create operation would overwrite existing resources in the cluster.
+        /// </summary>
+        [Input("enableUpsert", json: true)]
+        public Input<bool>? EnableUpsert { get; set; }
+
         /// <summary>
         /// Options to configure the Helm Release resource.
         /// </summary>
@@ -147,7 +153,8 @@
             DeleteUnreachable = Utilities.GetEnvBoolean("PULUMI_K8S_DELETE_UNREACHABLE");
             EnableConfigMapMutable = Utilities.GetEnvBoolean("PULUMI_K8S_ENABLE_CONFIGMAP_MUTABLE");
             EnableServerSideApply = Utilities.GetEnvBoolean("PULUMI_K8S_ENABLE_SERVER_SIDE_APPLY");
+            EnableUpsert = Utilities.GetEnvBoolean("PULUMI_K8S_ENABLE_UPSERT");
             KubeConfig = Utilities.GetEnv("KUBECONFIG");
             SkipUpdateUnreachable = Utilities.GetEnvBoolean("PULUMI_K8S_SKIP_UPDATE_UNREACHABLE");
             SuppressDeprecationWarnings = Utilities.GetEnvBoolean("PULUMI_K8S_SUPPRESS_DEPRECATION_WARNINGS");
             SuppressHelmHookWarnings = Utilities.GetEnvBoolean("PULUMI_K8S_SUPPRESS_HELM_HOOK_WARNINGS");

sdk/java/src/main/java/com/pulumi/kubernetes/Config.java

@@ -59,6 +59,13 @@ public Optional<Boolean> enableReplaceCRD() {
     public Optional<Boolean> enableServerSideApply() {
         return Codegen.booleanProp("enableServerSideApply").config(config).get();
     }
+/**
+ * If present and set to false, the provider will surface errors if a create operation would overwrite existing resources in the cluster.
+ * 
+ */
+    public Optional<Boolean> enableUpsert() {
+        return Codegen.booleanProp("enableUpsert").config(config).env("PULUMI_K8S_ENABLE_UPSERT").def(true).get();
+    }
 /**
  * The contents of a kubeconfig file or the path to a kubeconfig file. If this is set, this config will be used instead of $KUBECONFIG.
  * 

sdk/java/src/main/java/com/pulumi/kubernetes/ProviderArgs.java

@@ -106,6 +106,21 @@ public Optional<Output<Boolean>> enableServerSideApply() {
         return Optional.ofNullable(this.enableServerSideApply);
     }
 
+    /**
+     * If present and set to false, the provider will surface errors if a create operation would overwrite existing resources in the cluster.
+     * 
+     */
+    @Import(name="enableUpsert", json=true)
+    private @Nullable Output<Boolean> enableUpsert;
+
+    /**
+     * @return If present and set to false, the provider will surface errors if a create operation would overwrite existing resources in the cluster.
+     * 
+     */
+    public Optional<Output<Boolean>> enableUpsert() {
+        return Optional.ofNullable(this.enableUpsert);
+    }
+
     /**
      * Options to configure the Helm Release resource.
      * 
@@ -258,6 +273,7 @@ private ProviderArgs(ProviderArgs $) {
         this.deleteUnreachable = $.deleteUnreachable;
         this.enableConfigMapMutable = $.enableConfigMapMutable;
         this.enableServerSideApply = $.enableServerSideApply;
+        this.enableUpsert = $.enableUpsert;
         this.helmReleaseSettings = $.helmReleaseSettings;
         this.kubeClientSettings = $.kubeClientSettings;
         this.kubeconfig = $.kubeconfig;
@@ -403,6 +419,27 @@ public Builder enableServerSideApply(Boolean enableServerSideApply) {
             return enableServerSideApply(Output.of(enableServerSideApply));
         }
 
+        /**
+         * @param enableUpsert If present and set to false, the provider will surface errors if a create operation would overwrite existing resources in the cluster.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder enableUpsert(@Nullable Output<Boolean> enableUpsert) {
+            $.enableUpsert = enableUpsert;
+            return this;
+        }
+
+        /**
+         * @param enableUpsert If present and set to false, the provider will surface errors if a create operation would overwrite existing resources in the cluster.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder enableUpsert(Boolean enableUpsert) {
+            return enableUpsert(Output.of(enableUpsert));
+        }
+
         /**
          * @param helmReleaseSettings Options to configure the Helm Release resource.
          * 
@@ -599,6 +636,7 @@ public ProviderArgs build() {
             $.deleteUnreachable = Codegen.booleanProp("deleteUnreachable").output().arg($.deleteUnreachable).env("PULUMI_K8S_DELETE_UNREACHABLE").getNullable();
             $.enableConfigMapMutable = Codegen.booleanProp("enableConfigMapMutable").output().arg($.enableConfigMapMutable).env("PULUMI_K8S_ENABLE_CONFIGMAP_MUTABLE").getNullable();
             $.enableServerSideApply = Codegen.booleanProp("enableServerSideApply").output().arg($.enableServerSideApply).env("PULUMI_K8S_ENABLE_SERVER_SIDE_APPLY").getNullable();
+            $.enableUpsert = Codegen.booleanProp("enableUpsert").output().arg($.enableUpsert).env("PULUMI_K8S_ENABLE_UPSERT").getNullable();
             $.kubeconfig = Codegen.stringProp("kubeconfig").output().arg($.kubeconfig).env("KUBECONFIG").getNullable();
             $.skipUpdateUnreachable = Codegen.booleanProp("skipUpdateUnreachable").output().arg($.skipUpdateUnreachable).env("PULUMI_K8S_SKIP_UPDATE_UNREACHABLE").getNullable();
             $.suppressDeprecationWarnings = Codegen.booleanProp("suppressDeprecationWarnings").output().arg($.suppressDeprecationWarnings).env("PULUMI_K8S_SUPPRESS_DEPRECATION_WARNINGS").getNullable();