New example: pulumi-ts (#843)

Contributes a new example showing how to use Pulumi IAC to manage
`Stacks`.

A unique aspect of this example is that it automatically provisions a
Pulumi Cloud access token for the stack to use. Note this important
limitation of `@pulumi/pulumiservice`:

> While you can use this provider to provision access tokens, you’ll
still need to have an access token available to generate an access token
with the provider.

Author: EronWright

Diff for: CHANGELOG.md

@@ -1,6 +1,10 @@
 CHANGELOG
 =========
 
+## Unreleased
+
+- New example: pulumi-ts [#843](https://github.com/pulumi/pulumi-kubernetes-operator/pull/843)
+
 ## 2.0.0 (2025-02-18)
 
 - Sample network policies [#839](https://github.com/pulumi/pulumi-kubernetes-operator/pull/839)

Diff for: README.md

@@ -100,7 +100,11 @@ Working with sources:
 - [Program resources](./examples/program-source)
 - [Custom sources](./examples/custom-source)
 
-Advanced:
+Better together with Pulumi IAC:
+
+- [Pulumi (TypeScript)](./examples/pulumi-ts)
+
+Advanced configurations:
 
 - [Workspace customization](./examples/custom-workspace)
 

Diff for: examples/pulumi-ts/.gitignore

@@ -0,0 +1,2 @@
+/bin/
+/node_modules/

Diff for: examples/pulumi-ts/Pulumi.yaml

@@ -0,0 +1,10 @@
+name: pulumi-ts
+description: A Pulumi program to deploy a Stack using the Pulumi Kubernetes Operator
+runtime:
+  name: nodejs
+  options:
+    packagemanager: npm
+config:
+  pulumi:tags:
+    value:
+      pulumi:template: kubernetes-typescript

Diff for: examples/pulumi-ts/index.ts

@@ -0,0 +1,62 @@
+import * as pulumi from "@pulumi/pulumi";
+import * as k8s from "@pulumi/kubernetes";
+import * as pulumiservice from "@pulumi/pulumiservice";
+
+// Create a Kubernetes ServiceAccount for the Pulumi workspace pod
+const sa = new k8s.core.v1.ServiceAccount("random-yaml", {});
+
+// Grant system:auth-delegator to the ServiceAccount
+const crb = new k8s.rbac.v1.ClusterRoleBinding("random-yaml:system:auth-delegator", {
+    roleRef: {
+        apiGroup: "rbac.authorization.k8s.io",
+        kind: "ClusterRole",
+        name: "system:auth-delegator",
+    },
+    subjects: [{
+        kind: "ServiceAccount",
+        name: sa.metadata.name,
+        namespace: sa.metadata.namespace,
+    }],
+});
+
+// Provision a Pulumi Cloud access token and store it in a Kubernetes Secret
+const accessToken = new pulumiservice.AccessToken("random-yaml", {
+    description: `For stack "${pulumi.runtime.getOrganization()}/${pulumi.runtime.getProject()}/${pulumi.runtime.getStack()}"`,
+});
+const apiSecret = new k8s.core.v1.Secret("random-yaml", {
+    stringData: {
+        "accessToken": accessToken.value,
+    }
+});
+
+// Deploy the "random-yaml" program from the github.com/pulumi/examples repository.
+const stack = new k8s.apiextensions.CustomResource("random-yaml", {
+    apiVersion: 'pulumi.com/v1',
+    kind: 'Stack',
+    spec: {
+        serviceAccountName: sa.metadata.name,
+        projectRepo: "https://github.com/pulumi/examples",
+        repoDir: "random-yaml/",
+        branch: "master",
+        shallow: true,
+        stack: "pulumi-ts",
+        refresh: true,
+        destroyOnFinalize: true,
+        envRefs: {
+            PULUMI_ACCESS_TOKEN: {
+                type: "Secret",
+                secret: {
+                    name: apiSecret.metadata.name,
+                    key: "accessToken",
+                },
+            },
+        },
+        workspaceTemplate: {
+            spec: {
+                image: "pulumi/pulumi:3.147.0-nonroot",
+            },
+        },
+    },
+}, {dependsOn: [sa, crb, apiSecret]});
+
+// export const stackName = stack.metadata.name;