RubyGems - kubernetes-deploy - Versions diffs - 0.25.0 → 0.26.0 - Mend

kubernetes-deploy 0.25.0 → 0.26.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

checksums.yaml +4 -4
data/.buildkite/pipeline.nightly.yml +0 -9
data/.buildkite/pipeline.yml +0 -9
data/CHANGELOG.md +23 -0
data/CONTRIBUTING.md +164 -0
data/README.md +29 -104
data/dev.yml +3 -3
data/exe/kubernetes-deploy +32 -21
data/exe/kubernetes-render +20 -12
data/exe/kubernetes-restart +5 -1
data/lib/kubernetes-deploy.rb +1 -0
data/lib/kubernetes-deploy/bindings_parser.rb +20 -8
data/lib/kubernetes-deploy/cluster_resource_discovery.rb +1 -1
data/lib/kubernetes-deploy/container_logs.rb +6 -0
data/lib/kubernetes-deploy/deploy_task.rb +85 -44
data/lib/kubernetes-deploy/ejson_secret_provisioner.rb +38 -84
data/lib/kubernetes-deploy/errors.rb +8 -0
data/lib/kubernetes-deploy/kubeclient_builder.rb +52 -20
data/lib/kubernetes-deploy/kubeclient_builder/kube_config.rb +1 -1
data/lib/kubernetes-deploy/kubectl.rb +11 -10
data/lib/kubernetes-deploy/kubernetes_resource.rb +47 -9
data/lib/kubernetes-deploy/kubernetes_resource/custom_resource.rb +1 -1
data/lib/kubernetes-deploy/kubernetes_resource/custom_resource_definition.rb +1 -1
data/lib/kubernetes-deploy/kubernetes_resource/deployment.rb +1 -1
data/lib/kubernetes-deploy/kubernetes_resource/horizontal_pod_autoscaler.rb +12 -4
data/lib/kubernetes-deploy/kubernetes_resource/network_policy.rb +22 -0
data/lib/kubernetes-deploy/kubernetes_resource/pod.rb +2 -0
data/lib/kubernetes-deploy/kubernetes_resource/secret.rb +23 -0
data/lib/kubernetes-deploy/label_selector.rb +42 -0
data/lib/kubernetes-deploy/options_helper.rb +31 -15
data/lib/kubernetes-deploy/remote_logs.rb +6 -1
data/lib/kubernetes-deploy/renderer.rb +5 -1
data/lib/kubernetes-deploy/resource_cache.rb +4 -1
data/lib/kubernetes-deploy/restart_task.rb +22 -10
data/lib/kubernetes-deploy/runner_task.rb +5 -3
data/lib/kubernetes-deploy/version.rb +1 -1
metadata +6 -2

data/lib/kubernetes-deploy/ejson_secret_provisioner.rb CHANGED Viewed

@@ -7,85 +7,64 @@ require 'kubernetes-deploy/kubectl'
 module KubernetesDeploy
   class EjsonSecretError < FatalDeploymentError
     def initialize(msg)
-      super("Creation of Kubernetes secrets from ejson failed: #{msg}")
+      super("Generation of Kubernetes secrets from ejson failed: #{msg}")
     end
   end
   class EjsonSecretProvisioner
-    MANAGEMENT_ANNOTATION = "kubernetes-deploy.shopify.io/ejson-secret"
-    MANAGED_SECRET_EJSON_KEY = "kubernetes_secrets"
+    EJSON_SECRET_ANNOTATION = "kubernetes-deploy.shopify.io/ejson-secret"
+    EJSON_SECRET_KEY = "kubernetes_secrets"
     EJSON_SECRETS_FILE = "secrets.ejson"
     EJSON_KEYS_SECRET = "ejson-keys"
-    def initialize(namespace:, context:, template_dir:, logger:, prune: true)
+    def initialize(namespace:, context:, template_dir:, logger:, statsd_tags:, selector: nil)
       @namespace = namespace
       @context = context
       @ejson_file = "#{template_dir}/#{EJSON_SECRETS_FILE}"
       @logger = logger
-      @prune = prune
+      @statsd_tags = statsd_tags
+      @selector = selector
       @kubectl = Kubectl.new(
         namespace: @namespace,
         context: @context,
         logger: @logger,
         log_failure_by_default: false,
-        output_is_sensitive: true # output may contain ejson secrets
+        output_is_sensitive_default: true # output may contain ejson secrets
       )
     end
-    def secret_changes_required?
-      File.exist?(@ejson_file) || managed_secrets_exist?
+    def resources
+      @resources ||= build_secrets
     end
-    def run
-      create_secrets
-      prune_managed_secrets if @prune
+    def ejson_keys_secret
+      @ejson_keys_secret ||= begin
+        out, err, st = @kubectl.run("get", "secret", EJSON_KEYS_SECRET, output: "json",
+          raise_if_not_found: true, attempts: 3, output_is_sensitive: true, log_failure: true)
+        unless st.success?
+          raise EjsonSecretError, "Error retrieving Secret/#{EJSON_KEYS_SECRET}: #{err}"
+        end
+        JSON.parse(out)
+      end
     end
     private
-    def create_secrets
+    def build_secrets
+      return [] unless File.exist?(@ejson_file)
       with_decrypted_ejson do |decrypted|
-        secrets = decrypted[MANAGED_SECRET_EJSON_KEY]
+        secrets = decrypted[EJSON_SECRET_KEY]
         unless secrets.present?
-          @logger.warn("#{EJSON_SECRETS_FILE} does not have key #{MANAGED_SECRET_EJSON_KEY}."\
+          @logger.warn("#{EJSON_SECRETS_FILE} does not have key #{EJSON_SECRET_KEY}."\
             "No secrets will be created.")
-          return
+          return []
         end
-        secrets.each do |secret_name, secret_spec|
+        secrets.map do |secret_name, secret_spec|
           validate_secret_spec(secret_name, secret_spec)
-          create_or_update_secret(secret_name, secret_spec["_type"], secret_spec["data"])
+          generate_secret_resource(secret_name, secret_spec["_type"], secret_spec["data"])
         end
-        @logger.summary.add_action("created/updated #{secrets.length} #{'secret'.pluralize(secrets.length)}")
-      end
-    end
-    def prune_managed_secrets
-      ejson_secret_names = encrypted_ejson.fetch(MANAGED_SECRET_EJSON_KEY, {}).keys
-      live_secrets = run_kubectl_json("get", "secrets")
-      prune_count = 0
-      live_secrets.each do |secret|
-        secret_name = secret["metadata"]["name"]
-        next unless secret_managed?(secret)
-        next if ejson_secret_names.include?(secret_name)
-        @logger.info("Pruning secret #{secret_name}")
-        prune_count += 1
-        out, err, st = @kubectl.run("delete", "secret", secret_name)
-        @logger.debug(out)
-        raise EjsonSecretError, "Failed to prune secrets" unless st.success?
       end
-      @logger.summary.add_action("pruned #{prune_count} #{'secret'.pluralize(prune_count)}") if prune_count > 0
-    end
-    def managed_secrets_exist?
-      all_secrets = run_kubectl_json("get", "secrets")
-      all_secrets.any? { |secret| secret_managed?(secret) }
-    end
-    def secret_managed?(secret)
-      secret["metadata"].fetch("annotations", {}).key?(MANAGEMENT_ANNOTATION)
     end
     def encrypted_ejson
@@ -110,23 +89,7 @@ module KubernetesDeploy
       end
     end
-    def create_or_update_secret(secret_name, secret_type, data)
-      msg = secret_exists?(secret_name) ? "Updating secret #{secret_name}" : "Creating secret #{secret_name}"
-      @logger.info(msg)
-      secret_yaml = generate_secret_yaml(secret_name, secret_type, data)
-      file = Tempfile.new(secret_name)
-      file.write(secret_yaml)
-      file.close
-      out, err, st = @kubectl.run("apply", "--filename=#{file.path}")
-      @logger.debug(out)
-      raise EjsonSecretError, "Failed to create or update secrets" unless st.success?
-    ensure
-      file&.unlink
-    end
-    def generate_secret_yaml(secret_name, secret_type, data)
+    def generate_secret_resource(secret_name, secret_type, data)
       unless data.is_a?(Hash) && data.values.all? { |v| v.is_a?(String) } # Secret data is map[string]string
         raise EjsonSecretError, "Data for secret #{secret_name} was invalid. Only key-value pairs are permitted."
       end
@@ -137,24 +100,25 @@ module KubernetesDeploy
         encoded[secret_key] = Base64.strict_encode64(value)
       end
+      labels = { "name" => secret_name }
+      labels.reverse_merge!(@selector) if @selector
       secret = {
         'kind' => 'Secret',
         'apiVersion' => 'v1',
         'type' => secret_type,
         'metadata' => {
           "name" => secret_name,
-          "labels" => { "name" => secret_name },
+          "labels" => labels,
           "namespace" => @namespace,
-          "annotations" => { MANAGEMENT_ANNOTATION => "true" },
+          "annotations" => { EJSON_SECRET_ANNOTATION => "true" },
         },
         "data" => encoded_data,
       }
-      secret.to_yaml
-    end
-    def secret_exists?(secret_name)
-      _out, _err, st = @kubectl.run("get", "secret", secret_name)
-      st.success?
+      KubernetesDeploy::Secret.build(
+        namespace: @namespace, context: @context, logger: @logger, definition: secret, statsd_tags: @statsd_tags,
+      )
     end
     def load_ejson_from_file
@@ -175,33 +139,23 @@ module KubernetesDeploy
     end
     def decrypt_ejson(key_dir)
-      @logger.info("Decrypting #{EJSON_SECRETS_FILE}")
       # ejson seems to dump both errors and output to STDOUT
       out_err, st = Open3.capture2e("EJSON_KEYDIR=#{key_dir} ejson decrypt #{@ejson_file}")
       raise EjsonSecretError, out_err unless st.success?
       JSON.parse(out_err)
-    rescue JSON::ParserError => e
+    rescue JSON::ParserError
       raise EjsonSecretError, "Failed to parse decrypted ejson"
     end
     def fetch_private_key_from_secret
-      @logger.info("Fetching ejson private key from secret #{EJSON_KEYS_SECRET}")
-      secret = run_kubectl_json("get", "secret", EJSON_KEYS_SECRET)
-      encoded_private_key = secret["data"][public_key]
+      encoded_private_key = ejson_keys_secret["data"][public_key]
       unless encoded_private_key
         raise EjsonSecretError, "Private key for #{public_key} not found in #{EJSON_KEYS_SECRET} secret"
       end
       Base64.decode64(encoded_private_key)
-    end
-    def run_kubectl_json(*args)
-      args += ["--output=json"]
-      out, err, st = @kubectl.run(*args)
-      raise EjsonSecretError, err unless st.success?
-      result = JSON.parse(out)
-      result.fetch('items', result)
+    rescue Kubectl::ResourceNotFoundError
+      raise EjsonSecretError, "Secret/#{EJSON_KEYS_SECRET} is required to decrypt EJSON and could not be found"
     end
   end
 end

data/lib/kubernetes-deploy/errors.rb CHANGED Viewed

@@ -23,6 +23,14 @@ module KubernetesDeploy
   class DeploymentTimeoutError < FatalDeploymentError; end
+  class EjsonPrunableError < FatalDeploymentError
+    def initialize
+      super("Found #{KubernetesResource::LAST_APPLIED_ANNOTATION} annotation on " \
+          "#{EjsonSecretProvisioner::EJSON_KEYS_SECRET} secret. " \
+          "kubernetes-deploy will not continue since it is extremely unlikely that this secret should be pruned.")
+    end
+  end
   module Errors
     extend self
     def server_version_warning(server_version)

data/lib/kubernetes-deploy/kubeclient_builder.rb CHANGED Viewed

@@ -3,25 +3,33 @@ require 'kubeclient'
 require 'kubernetes-deploy/kubeclient_builder/kube_config'
 module KubernetesDeploy
-  module KubeclientBuilder
+  class KubeclientBuilder
     class ContextMissingError < FatalDeploymentError
-      def initialize(context_name)
+      def initialize(context_name, kubeconfig)
         super("`#{context_name}` context must be configured in your " \
-          "KUBECONFIG file(s) (#{ENV['KUBECONFIG']}).")
+          "KUBECONFIG file(s) (#{kubeconfig}).")
       end
     end
-    private
+    def self.kubeconfig
+      new.kubeconfig
+    end
+    attr_reader :kubeconfig
+    def initialize(kubeconfig: ENV["KUBECONFIG"])
+      @kubeconfig = kubeconfig || "#{Dir.home}/.kube/config"
+    end
     def build_v1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1",
         context: context
       )
     end
     def build_v1beta1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1beta1",
         context: context,
         endpoint_path: "/apis/extensions/"
@@ -29,7 +37,7 @@ module KubernetesDeploy
     end
     def build_batch_v1beta1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1beta1",
         context: context,
         endpoint_path: "/apis/batch/"
@@ -37,7 +45,7 @@ module KubernetesDeploy
     end
     def build_batch_v1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1",
         context: context,
         endpoint_path: "/apis/batch/"
@@ -45,7 +53,7 @@ module KubernetesDeploy
     end
     def build_policy_v1beta1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1beta1",
         context: context,
         endpoint_path: "/apis/policy/"
@@ -53,7 +61,7 @@ module KubernetesDeploy
     end
     def build_apps_v1beta1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1beta1",
         context: context,
         endpoint_path: "/apis/apps"
@@ -61,7 +69,7 @@ module KubernetesDeploy
     end
     def build_apiextensions_v1beta1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1beta1",
         context: context,
         endpoint_path: "/apis/apiextensions.k8s.io"
@@ -69,7 +77,7 @@ module KubernetesDeploy
     end
     def build_autoscaling_v1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v2beta1",
         context: context,
         endpoint_path: "/apis/autoscaling"
@@ -77,19 +85,48 @@ module KubernetesDeploy
     end
     def build_rbac_v1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1",
         context: context,
         endpoint_path: "/apis/rbac.authorization.k8s.io"
       )
     end
-    def _build_kubeclient(api_version:, context:, endpoint_path: nil)
+    def build_networking_v1_kubeclient(context)
+      build_kubeclient(
+        api_version: "v1",
+        context: context,
+        endpoint_path: "/apis/networking.k8s.io"
+      )
+    end
+    def config_files
+      # Split the list by colon for Linux and Mac, and semicolon for Windows.
+      kubeconfig.split(/[:;]/).map!(&:strip).reject(&:empty?)
+    end
+    def validate_config_files
+      errors = []
+      if config_files.empty?
+        errors << "Kube config file name(s) not set in $KUBECONFIG"
+      else
+        config_files.each do |f|
+          unless File.file?(f)
+            errors << "Kube config not found at #{f}"
+          end
+        end
+      end
+      errors
+    end
+    private
+    def build_kubeclient(api_version:, context:, endpoint_path: nil)
       # Find a context defined in kube conf files that matches the input context by name
       configs = config_files.map { |f| KubeConfig.read(f) }
       config = configs.find { |c| c.contexts.include?(context) }
-      raise ContextMissingError, context unless config
+      raise ContextMissingError.new(context, kubeconfig) unless config
       kube_context = config.context(context)
       client = Kubeclient::Client.new(
@@ -105,10 +142,5 @@ module KubernetesDeploy
       client.discover
       client
     end
-    def config_files
-      # Split the list by colon for Linux and Mac, and semicolon for Windows.
-      ENV.fetch("KUBECONFIG").split(/[:;]/).map!(&:strip).reject(&:empty?)
-    end
   end
 end

data/lib/kubernetes-deploy/kubeclient_builder/kube_config.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 require 'googleauth'
 module KubernetesDeploy
-  module KubeclientBuilder
+  class KubeclientBuilder
     class KubeConfig < Kubeclient::Config
       def self.read(filename)
         parsed = YAML.safe_load(File.read(filename), [Date, Time])

data/lib/kubernetes-deploy/kubectl.rb CHANGED Viewed

@@ -8,43 +8,48 @@ module KubernetesDeploy
     class ResourceNotFoundError < StandardError; end
     def initialize(namespace:, context:, logger:, log_failure_by_default:, default_timeout: DEFAULT_TIMEOUT,
-      output_is_sensitive: false)
+      output_is_sensitive_default: false)
+      @kubeconfig = KubeclientBuilder.kubeconfig
       @namespace = namespace
       @context = context
       @logger = logger
       @log_failure_by_default = log_failure_by_default
       @default_timeout = default_timeout
-      @output_is_sensitive = output_is_sensitive
+      @output_is_sensitive_default = output_is_sensitive_default
       raise ArgumentError, "namespace is required" if namespace.blank?
       raise ArgumentError, "context is required" if context.blank?
     end
-    def run(*args, log_failure: nil, use_context: true, use_namespace: true, raise_if_not_found: false, attempts: 1)
+    def run(*args, log_failure: nil, use_context: true, use_namespace: true, output: nil,
+      raise_if_not_found: false, attempts: 1, output_is_sensitive: nil)
       log_failure = @log_failure_by_default if log_failure.nil?
+      output_is_sensitive = @output_is_sensitive_default if output_is_sensitive.nil?
       args = args.unshift("kubectl")
+      args.push("--kubeconfig=#{@kubeconfig}")
       args.push("--namespace=#{@namespace}") if use_namespace
       args.push("--context=#{@context}")     if use_context
+      args.push("--output=#{output}") if output
       args.push("--request-timeout=#{@default_timeout}") if @default_timeout
       out, err, st = nil
       (1..attempts).to_a.each do |attempt|
         @logger.debug("Running command (attempt #{attempt}): #{args.join(' ')}")
         out, err, st = Open3.capture3(*args)
-        @logger.debug("Kubectl out: " + out.gsub(/\s+/, ' ')) unless output_is_sensitive?
+        @logger.debug("Kubectl out: " + out.gsub(/\s+/, ' ')) unless output_is_sensitive
         break if st.success?
         if log_failure
           @logger.warn("The following command failed (attempt #{attempt}/#{attempts}): #{Shellwords.join(args)}")
-          @logger.warn(err) unless output_is_sensitive?
+          @logger.warn(err) unless output_is_sensitive
         end
         if err.match(NOT_FOUND_ERROR_TEXT)
           raise(ResourceNotFoundError, err) if raise_if_not_found
         else
-          @logger.debug("Kubectl err: #{err}") unless output_is_sensitive?
+          @logger.debug("Kubectl err: #{err}") unless output_is_sensitive
           StatsD.increment('kubectl.error', 1, tags: { context: @context, namespace: @namespace, cmd: args[1] })
         end
         sleep(retry_delay(attempt)) unless attempt == attempts
@@ -76,10 +81,6 @@ module KubernetesDeploy
     private
-    def output_is_sensitive?
-      @output_is_sensitive
-    end
     def extract_version_info_from_kubectl_response(response)
       info = {}
       response.each_line do |l|