RubyGems - kubernetes-deploy - Versions diffs - 0.25.0 → 0.26.0 - Mend

kubernetes-deploy 0.25.0 → 0.26.0

Files changed (37) hide show

checksums.yaml +4 -4
data/.buildkite/pipeline.nightly.yml +0 -9
data/.buildkite/pipeline.yml +0 -9
data/CHANGELOG.md +23 -0
data/CONTRIBUTING.md +164 -0
data/README.md +29 -104
data/dev.yml +3 -3
data/exe/kubernetes-deploy +32 -21
data/exe/kubernetes-render +20 -12
data/exe/kubernetes-restart +5 -1
data/lib/kubernetes-deploy.rb +1 -0
data/lib/kubernetes-deploy/bindings_parser.rb +20 -8
data/lib/kubernetes-deploy/cluster_resource_discovery.rb +1 -1
data/lib/kubernetes-deploy/container_logs.rb +6 -0
data/lib/kubernetes-deploy/deploy_task.rb +85 -44
data/lib/kubernetes-deploy/ejson_secret_provisioner.rb +38 -84
data/lib/kubernetes-deploy/errors.rb +8 -0
data/lib/kubernetes-deploy/kubeclient_builder.rb +52 -20
data/lib/kubernetes-deploy/kubeclient_builder/kube_config.rb +1 -1
data/lib/kubernetes-deploy/kubectl.rb +11 -10
data/lib/kubernetes-deploy/kubernetes_resource.rb +47 -9
data/lib/kubernetes-deploy/kubernetes_resource/custom_resource.rb +1 -1
data/lib/kubernetes-deploy/kubernetes_resource/custom_resource_definition.rb +1 -1
data/lib/kubernetes-deploy/kubernetes_resource/deployment.rb +1 -1
data/lib/kubernetes-deploy/kubernetes_resource/horizontal_pod_autoscaler.rb +12 -4
data/lib/kubernetes-deploy/kubernetes_resource/network_policy.rb +22 -0
data/lib/kubernetes-deploy/kubernetes_resource/pod.rb +2 -0
data/lib/kubernetes-deploy/kubernetes_resource/secret.rb +23 -0
data/lib/kubernetes-deploy/label_selector.rb +42 -0
data/lib/kubernetes-deploy/options_helper.rb +31 -15
data/lib/kubernetes-deploy/remote_logs.rb +6 -1
data/lib/kubernetes-deploy/renderer.rb +5 -1
data/lib/kubernetes-deploy/resource_cache.rb +4 -1
data/lib/kubernetes-deploy/restart_task.rb +22 -10
data/lib/kubernetes-deploy/runner_task.rb +5 -3
data/lib/kubernetes-deploy/version.rb +1 -1
metadata +6 -2

data/lib/kubernetes-deploy/ejson_secret_provisioner.rb CHANGED Viewed

@@ -7,85 +7,64 @@ require 'kubernetes-deploy/kubectl'
 module KubernetesDeploy
   class EjsonSecretError < FatalDeploymentError
     def initialize(msg)
-      super("Creation of Kubernetes secrets from ejson failed: #{msg}")
+      super("Generation of Kubernetes secrets from ejson failed: #{msg}")
     end
   end
   class EjsonSecretProvisioner
-    MANAGEMENT_ANNOTATION = "kubernetes-deploy.shopify.io/ejson-secret"
-    MANAGED_SECRET_EJSON_KEY = "kubernetes_secrets"
+    EJSON_SECRET_ANNOTATION = "kubernetes-deploy.shopify.io/ejson-secret"
+    EJSON_SECRET_KEY = "kubernetes_secrets"
     EJSON_SECRETS_FILE = "secrets.ejson"
     EJSON_KEYS_SECRET = "ejson-keys"
-    def initialize(namespace:, context:, template_dir:, logger:, prune: true)
+    def initialize(namespace:, context:, template_dir:, logger:, statsd_tags:, selector: nil)
       @namespace = namespace
       @context = context
       @ejson_file = "#{template_dir}/#{EJSON_SECRETS_FILE}"
       @logger = logger
-      @prune = prune
+      @statsd_tags = statsd_tags
+      @selector = selector
       @kubectl = Kubectl.new(
         namespace: @namespace,
         context: @context,
         logger: @logger,
         log_failure_by_default: false,
-        output_is_sensitive: true # output may contain ejson secrets
+        output_is_sensitive_default: true # output may contain ejson secrets
       )
     end
-    def secret_changes_required?
-      File.exist?(@ejson_file) || managed_secrets_exist?
+    def resources
+      @resources ||= build_secrets
     end
-    def run
-      create_secrets
-      prune_managed_secrets if @prune
+    def ejson_keys_secret
+      @ejson_keys_secret ||= begin
+        out, err, st = @kubectl.run("get", "secret", EJSON_KEYS_SECRET, output: "json",
+          raise_if_not_found: true, attempts: 3, output_is_sensitive: true, log_failure: true)
+        unless st.success?
+          raise EjsonSecretError, "Error retrieving Secret/#{EJSON_KEYS_SECRET}: #{err}"
+        end
+        JSON.parse(out)
+      end
     end
     private
-    def create_secrets
+    def build_secrets
+      return [] unless File.exist?(@ejson_file)
       with_decrypted_ejson do |decrypted|
-        secrets = decrypted[MANAGED_SECRET_EJSON_KEY]
+        secrets = decrypted[EJSON_SECRET_KEY]
         unless secrets.present?
-          @logger.warn("#{EJSON_SECRETS_FILE} does not have key #{MANAGED_SECRET_EJSON_KEY}."\
+          @logger.warn("#{EJSON_SECRETS_FILE} does not have key #{EJSON_SECRET_KEY}."\
             "No secrets will be created.")
-          return
+          return []
         end
-        secrets.each do |secret_name, secret_spec|
+        secrets.map do |secret_name, secret_spec|
           validate_secret_spec(secret_name, secret_spec)
-          create_or_update_secret(secret_name, secret_spec["_type"], secret_spec["data"])
+          generate_secret_resource(secret_name, secret_spec["_type"], secret_spec["data"])
         end
-        @logger.summary.add_action("created/updated #{secrets.length} #{'secret'.pluralize(secrets.length)}")
-      end
-    end
-    def prune_managed_secrets
-      ejson_secret_names = encrypted_ejson.fetch(MANAGED_SECRET_EJSON_KEY, {}).keys
-      live_secrets = run_kubectl_json("get", "secrets")
-      prune_count = 0
-      live_secrets.each do |secret|
-        secret_name = secret["metadata"]["name"]
-        next unless secret_managed?(secret)
-        next if ejson_secret_names.include?(secret_name)
-        @logger.info("Pruning secret #{secret_name}")
-        prune_count += 1
-        out, err, st = @kubectl.run("delete", "secret", secret_name)
-        @logger.debug(out)
-        raise EjsonSecretError, "Failed to prune secrets" unless st.success?
       end
-      @logger.summary.add_action("pruned #{prune_count} #{'secret'.pluralize(prune_count)}") if prune_count > 0
-    end
-    def managed_secrets_exist?
-      all_secrets = run_kubectl_json("get", "secrets")
-      all_secrets.any? { |secret| secret_managed?(secret) }
-    end
-    def secret_managed?(secret)
-      secret["metadata"].fetch("annotations", {}).key?(MANAGEMENT_ANNOTATION)
     end
     def encrypted_ejson
@@ -110,23 +89,7 @@ module KubernetesDeploy
       end
     end
-    def create_or_update_secret(secret_name, secret_type, data)
-      msg = secret_exists?(secret_name) ? "Updating secret #{secret_name}" : "Creating secret #{secret_name}"
-      @logger.info(msg)
-      secret_yaml = generate_secret_yaml(secret_name, secret_type, data)
-      file = Tempfile.new(secret_name)
-      file.write(secret_yaml)
-      file.close
-      out, err, st = @kubectl.run("apply", "--filename=#{file.path}")
-      @logger.debug(out)
-      raise EjsonSecretError, "Failed to create or update secrets" unless st.success?
-    ensure
-      file&.unlink
-    end
-    def generate_secret_yaml(secret_name, secret_type, data)
+    def generate_secret_resource(secret_name, secret_type, data)
       unless data.is_a?(Hash) && data.values.all? { |v| v.is_a?(String) } # Secret data is map[string]string
         raise EjsonSecretError, "Data for secret #{secret_name} was invalid. Only key-value pairs are permitted."
       end
@@ -137,24 +100,25 @@ module KubernetesDeploy
         encoded[secret_key] = Base64.strict_encode64(value)
       end
+      labels = { "name" => secret_name }
+      labels.reverse_merge!(@selector) if @selector
       secret = {
         'kind' => 'Secret',
         'apiVersion' => 'v1',
         'type' => secret_type,
         'metadata' => {
           "name" => secret_name,
-          "labels" => { "name" => secret_name },
+          "labels" => labels,
           "namespace" => @namespace,
-          "annotations" => { MANAGEMENT_ANNOTATION => "true" },
+          "annotations" => { EJSON_SECRET_ANNOTATION => "true" },
         },
         "data" => encoded_data,
       }
-      secret.to_yaml
-    end
-    def secret_exists?(secret_name)
-      _out, _err, st = @kubectl.run("get", "secret", secret_name)
-      st.success?
+      KubernetesDeploy::Secret.build(
+        namespace: @namespace, context: @context, logger: @logger, definition: secret, statsd_tags: @statsd_tags,
+      )
     end
     def load_ejson_from_file
@@ -175,33 +139,23 @@ module KubernetesDeploy
     end
     def decrypt_ejson(key_dir)
-      @logger.info("Decrypting #{EJSON_SECRETS_FILE}")
       # ejson seems to dump both errors and output to STDOUT
       out_err, st = Open3.capture2e("EJSON_KEYDIR=#{key_dir} ejson decrypt #{@ejson_file}")
       raise EjsonSecretError, out_err unless st.success?
       JSON.parse(out_err)
-    rescue JSON::ParserError => e
+    rescue JSON::ParserError
       raise EjsonSecretError, "Failed to parse decrypted ejson"
     end
     def fetch_private_key_from_secret
-      @logger.info("Fetching ejson private key from secret #{EJSON_KEYS_SECRET}")
-      secret = run_kubectl_json("get", "secret", EJSON_KEYS_SECRET)
-      encoded_private_key = secret["data"][public_key]
+      encoded_private_key = ejson_keys_secret["data"][public_key]
       unless encoded_private_key
         raise EjsonSecretError, "Private key for #{public_key} not found in #{EJSON_KEYS_SECRET} secret"
       end
       Base64.decode64(encoded_private_key)
-    end
-    def run_kubectl_json(*args)
-      args += ["--output=json"]
-      out, err, st = @kubectl.run(*args)
-      raise EjsonSecretError, err unless st.success?
-      result = JSON.parse(out)
-      result.fetch('items', result)
+    rescue Kubectl::ResourceNotFoundError
+      raise EjsonSecretError, "Secret/#{EJSON_KEYS_SECRET} is required to decrypt EJSON and could not be found"
     end
   end
 end

data/lib/kubernetes-deploy/errors.rb CHANGED Viewed

@@ -23,6 +23,14 @@ module KubernetesDeploy
   class DeploymentTimeoutError < FatalDeploymentError; end
+  class EjsonPrunableError < FatalDeploymentError
+    def initialize
+      super("Found #{KubernetesResource::LAST_APPLIED_ANNOTATION} annotation on " \
+          "#{EjsonSecretProvisioner::EJSON_KEYS_SECRET} secret. " \
+          "kubernetes-deploy will not continue since it is extremely unlikely that this secret should be pruned.")
+    end
+  end
   module Errors
     extend self
     def server_version_warning(server_version)

data/lib/kubernetes-deploy/kubeclient_builder.rb CHANGED Viewed

@@ -3,25 +3,33 @@ require 'kubeclient'
 require 'kubernetes-deploy/kubeclient_builder/kube_config'
 module KubernetesDeploy
-  module KubeclientBuilder
+  class KubeclientBuilder
     class ContextMissingError < FatalDeploymentError
-      def initialize(context_name)
+      def initialize(context_name, kubeconfig)
         super("`#{context_name}` context must be configured in your " \
-          "KUBECONFIG file(s) (#{ENV['KUBECONFIG']}).")
+          "KUBECONFIG file(s) (#{kubeconfig}).")
       end
     end
-    private
+    def self.kubeconfig
+      new.kubeconfig
+    end
+    attr_reader :kubeconfig
+    def initialize(kubeconfig: ENV["KUBECONFIG"])
+      @kubeconfig = kubeconfig || "#{Dir.home}/.kube/config"
+    end
     def build_v1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1",
         context: context
       )
     end
     def build_v1beta1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1beta1",
         context: context,
         endpoint_path: "/apis/extensions/"
@@ -29,7 +37,7 @@ module KubernetesDeploy
     end
     def build_batch_v1beta1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1beta1",
         context: context,
         endpoint_path: "/apis/batch/"
@@ -37,7 +45,7 @@ module KubernetesDeploy
     end
     def build_batch_v1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1",
         context: context,
         endpoint_path: "/apis/batch/"
@@ -45,7 +53,7 @@ module KubernetesDeploy
     end
     def build_policy_v1beta1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1beta1",
         context: context,
         endpoint_path: "/apis/policy/"
@@ -53,7 +61,7 @@ module KubernetesDeploy
     end
     def build_apps_v1beta1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1beta1",
         context: context,
         endpoint_path: "/apis/apps"
@@ -61,7 +69,7 @@ module KubernetesDeploy
     end
     def build_apiextensions_v1beta1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1beta1",
         context: context,
         endpoint_path: "/apis/apiextensions.k8s.io"
@@ -69,7 +77,7 @@ module KubernetesDeploy
     end
     def build_autoscaling_v1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v2beta1",
         context: context,
         endpoint_path: "/apis/autoscaling"
@@ -77,19 +85,48 @@ module KubernetesDeploy
     end
     def build_rbac_v1_kubeclient(context)
-      _build_kubeclient(
+      build_kubeclient(
         api_version: "v1",
         context: context,
         endpoint_path: "/apis/rbac.authorization.k8s.io"
       )
     end
-    def _build_kubeclient(api_version:, context:, endpoint_path: nil)
+    def build_networking_v1_kubeclient(context)
+      build_kubeclient(
+        api_version: "v1",
+        context: context,
+        endpoint_path: "/apis/networking.k8s.io"
+      )
+    end
+    def config_files
+      # Split the list by colon for Linux and Mac, and semicolon for Windows.
+      kubeconfig.split(/[:;]/).map!(&:strip).reject(&:empty?)
+    end
+    def validate_config_files
+      errors = []
+      if config_files.empty?
+        errors << "Kube config file name(s) not set in $KUBECONFIG"
+      else
+        config_files.each do |f|
+          unless File.file?(f)
+            errors << "Kube config not found at #{f}"
+          end
+        end
+      end
+      errors
+    end
+    private
+    def build_kubeclient(api_version:, context:, endpoint_path: nil)
       # Find a context defined in kube conf files that matches the input context by name
       configs = config_files.map { |f| KubeConfig.read(f) }
       config = configs.find { |c| c.contexts.include?(context) }
-      raise ContextMissingError, context unless config
+      raise ContextMissingError.new(context, kubeconfig) unless config
       kube_context = config.context(context)
       client = Kubeclient::Client.new(
@@ -105,10 +142,5 @@ module KubernetesDeploy
       client.discover
       client
     end
-    def config_files
-      # Split the list by colon for Linux and Mac, and semicolon for Windows.
-      ENV.fetch("KUBECONFIG").split(/[:;]/).map!(&:strip).reject(&:empty?)
-    end
   end
 end

data/lib/kubernetes-deploy/kubeclient_builder/kube_config.rb CHANGED Viewed

@@ -2,7 +2,7 @@
 require 'googleauth'
 module KubernetesDeploy
-  module KubeclientBuilder
+  class KubeclientBuilder
     class KubeConfig < Kubeclient::Config
       def self.read(filename)
         parsed = YAML.safe_load(File.read(filename), [Date, Time])

data/lib/kubernetes-deploy/kubectl.rb CHANGED Viewed

@@ -8,43 +8,48 @@ module KubernetesDeploy
     class ResourceNotFoundError < StandardError; end
     def initialize(namespace:, context:, logger:, log_failure_by_default:, default_timeout: DEFAULT_TIMEOUT,
-      output_is_sensitive: false)
+      output_is_sensitive_default: false)
+      @kubeconfig = KubeclientBuilder.kubeconfig
       @namespace = namespace
       @context = context
       @logger = logger
       @log_failure_by_default = log_failure_by_default
       @default_timeout = default_timeout
-      @output_is_sensitive = output_is_sensitive
+      @output_is_sensitive_default = output_is_sensitive_default
       raise ArgumentError, "namespace is required" if namespace.blank?
       raise ArgumentError, "context is required" if context.blank?
     end
-    def run(*args, log_failure: nil, use_context: true, use_namespace: true, raise_if_not_found: false, attempts: 1)
+    def run(*args, log_failure: nil, use_context: true, use_namespace: true, output: nil,
+      raise_if_not_found: false, attempts: 1, output_is_sensitive: nil)
       log_failure = @log_failure_by_default if log_failure.nil?
+      output_is_sensitive = @output_is_sensitive_default if output_is_sensitive.nil?
       args = args.unshift("kubectl")
+      args.push("--kubeconfig=#{@kubeconfig}")
       args.push("--namespace=#{@namespace}") if use_namespace
       args.push("--context=#{@context}")     if use_context
+      args.push("--output=#{output}") if output
       args.push("--request-timeout=#{@default_timeout}") if @default_timeout
       out, err, st = nil
       (1..attempts).to_a.each do |attempt|
         @logger.debug("Running command (attempt #{attempt}): #{args.join(' ')}")
         out, err, st = Open3.capture3(*args)
-        @logger.debug("Kubectl out: " + out.gsub(/\s+/, ' ')) unless output_is_sensitive?
+        @logger.debug("Kubectl out: " + out.gsub(/\s+/, ' ')) unless output_is_sensitive
         break if st.success?
         if log_failure
           @logger.warn("The following command failed (attempt #{attempt}/#{attempts}): #{Shellwords.join(args)}")
-          @logger.warn(err) unless output_is_sensitive?
+          @logger.warn(err) unless output_is_sensitive
         end
         if err.match(NOT_FOUND_ERROR_TEXT)
           raise(ResourceNotFoundError, err) if raise_if_not_found
         else
-          @logger.debug("Kubectl err: #{err}") unless output_is_sensitive?
+          @logger.debug("Kubectl err: #{err}") unless output_is_sensitive
           StatsD.increment('kubectl.error', 1, tags: { context: @context, namespace: @namespace, cmd: args[1] })
         end
         sleep(retry_delay(attempt)) unless attempt == attempts
@@ -76,10 +81,6 @@ module KubernetesDeploy
     private
-    def output_is_sensitive?
-      @output_is_sensitive
-    end
     def extract_version_info_from_kubectl_response(response)
       info = {}
       response.each_line do |l|