RubyGems - kubernetes-deploy - Versions diffs - 0.29.0 → 1.0.0.pre.2 - Mend

kubernetes-deploy 0.29.0 → 1.0.0.pre.2

Files changed (97) hide show

checksums.yaml +4 -4
data/.buildkite/pipeline.nightly.yml +7 -0
data/.rubocop.yml +0 -12
data/.shopify-build/{kubernetes-deploy.yml → krane.yml} +8 -2
data/1.0-Upgrade.md +109 -0
data/CHANGELOG.md +60 -0
data/CONTRIBUTING.md +2 -2
data/Gemfile +1 -0
data/README.md +86 -2
data/dev.yml +3 -1
data/dev/flamegraph-from-tests +1 -1
data/exe/kubernetes-deploy +12 -9
data/exe/kubernetes-render +9 -7
data/exe/kubernetes-restart +3 -3
data/exe/kubernetes-run +1 -1
data/kubernetes-deploy.gemspec +5 -5
data/lib/krane.rb +5 -3
data/lib/{kubernetes-deploy → krane}/bindings_parser.rb +1 -1
data/lib/krane/cli/deploy_command.rb +25 -13
data/lib/krane/cli/global_deploy_command.rb +55 -0
data/lib/krane/cli/krane.rb +12 -3
data/lib/krane/cli/render_command.rb +19 -9
data/lib/krane/cli/restart_command.rb +4 -4
data/lib/krane/cli/run_command.rb +4 -4
data/lib/krane/cli/version_command.rb +1 -1
data/lib/krane/cluster_resource_discovery.rb +113 -0
data/lib/{kubernetes-deploy → krane}/common.rb +8 -9
data/lib/krane/concerns/template_reporting.rb +29 -0
data/lib/{kubernetes-deploy → krane}/concurrency.rb +1 -1
data/lib/{kubernetes-deploy → krane}/container_logs.rb +3 -2
data/lib/{kubernetes-deploy → krane}/deferred_summary_logging.rb +2 -2
data/lib/{kubernetes-deploy → krane}/delayed_exceptions.rb +0 -0
data/lib/krane/deploy_task.rb +16 -0
data/lib/krane/deploy_task_config_validator.rb +29 -0
data/lib/krane/deprecated_deploy_task.rb +404 -0
data/lib/{kubernetes-deploy → krane}/duration_parser.rb +1 -3
data/lib/{kubernetes-deploy → krane}/ejson_secret_provisioner.rb +10 -13
data/lib/krane/errors.rb +28 -0
data/lib/{kubernetes-deploy → krane}/formatted_logger.rb +2 -2
data/lib/krane/global_deploy_task.rb +210 -0
data/lib/krane/global_deploy_task_config_validator.rb +12 -0
data/lib/{kubernetes-deploy → krane}/kubeclient_builder.rb +13 -5
data/lib/{kubernetes-deploy → krane}/kubectl.rb +14 -16
data/lib/{kubernetes-deploy → krane}/kubernetes_resource.rb +110 -27
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/cloudsql.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/config_map.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/cron_job.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/custom_resource.rb +2 -2
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/custom_resource_definition.rb +1 -5
data/lib/krane/kubernetes_resource/daemon_set.rb +90 -0
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/deployment.rb +2 -2
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/horizontal_pod_autoscaler.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/ingress.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/job.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/network_policy.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/persistent_volume_claim.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/pod.rb +6 -2
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/pod_disruption_budget.rb +2 -2
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/pod_set_base.rb +3 -3
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/pod_template.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/replica_set.rb +2 -2
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/resource_quota.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/role.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/role_binding.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/secret.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/service.rb +2 -2
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/service_account.rb +1 -1
data/lib/{kubernetes-deploy → krane}/kubernetes_resource/stateful_set.rb +2 -2
data/lib/{kubernetes-deploy → krane}/label_selector.rb +1 -1
data/lib/{kubernetes-deploy → krane}/oj.rb +0 -0
data/lib/{kubernetes-deploy → krane}/options_helper.rb +2 -2
data/lib/{kubernetes-deploy → krane}/remote_logs.rb +2 -2
data/lib/krane/render_task.rb +149 -0
data/lib/{kubernetes-deploy → krane}/renderer.rb +1 -1
data/lib/{kubernetes-deploy → krane}/resource_cache.rb +10 -9
data/lib/krane/resource_deployer.rb +265 -0
data/lib/{kubernetes-deploy → krane}/resource_watcher.rb +24 -25
data/lib/krane/restart_task.rb +228 -0
data/lib/{kubernetes-deploy → krane}/rollout_conditions.rb +1 -1
data/lib/krane/runner_task.rb +212 -0
data/lib/{kubernetes-deploy → krane}/runner_task_config_validator.rb +1 -1
data/lib/{kubernetes-deploy → krane}/statsd.rb +13 -27
data/lib/krane/task_config.rb +22 -0
data/lib/{kubernetes-deploy → krane}/task_config_validator.rb +1 -1
data/lib/{kubernetes-deploy → krane}/template_sets.rb +5 -5
data/lib/krane/version.rb +4 -0
data/lib/kubernetes-deploy/deploy_task.rb +6 -608
data/lib/kubernetes-deploy/errors.rb +1 -26
data/lib/kubernetes-deploy/render_task.rb +5 -122
data/lib/kubernetes-deploy/rescue_krane_exceptions.rb +18 -0
data/lib/kubernetes-deploy/restart_task.rb +6 -198
data/lib/kubernetes-deploy/runner_task.rb +6 -184
metadata +96 -70
data/lib/kubernetes-deploy/cluster_resource_discovery.rb +0 -34
data/lib/kubernetes-deploy/kubernetes_resource/daemon_set.rb +0 -54
data/lib/kubernetes-deploy/task_config.rb +0 -16
data/lib/kubernetes-deploy/version.rb +0 -4

data/lib/{kubernetes-deploy → krane}/runner_task_config_validator.rb RENAMED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
-module KubernetesDeploy
+module Krane
   class RunnerTaskConfigValidator < TaskConfigValidator
     def initialize(template, args, *arguments)
       super(*arguments)

data/lib/{kubernetes-deploy → krane}/statsd.rb RENAMED

@@ -2,41 +2,27 @@
 require 'statsd-instrument'
 require 'logger'
-module KubernetesDeploy
+module Krane
   class StatsD
-    extend ::StatsD
     PREFIX = "KubernetesDeploy"
     def self.duration(start_time)
       (Time.now.utc - start_time).round(1)
     end
-    def self.build
-      if ENV['STATSD_DEV'].present?
-        self.backend = ::StatsD::Instrument::Backends::LoggerBackend.new(Logger.new($stderr))
-      elsif ENV['STATSD_ADDR'].present?
-        statsd_impl = ENV['STATSD_IMPLEMENTATION'].present? ? ENV['STATSD_IMPLEMENTATION'] : "datadog"
-        self.backend = ::StatsD::Instrument::Backends::UDPBackend.new(ENV['STATSD_ADDR'], statsd_impl)
-      else
-        self.backend = ::StatsD::Instrument::Backends::NullBackend.new
+    def self.client
+      @client ||= begin
+        sink = if ::StatsD::Instrument::Environment.current.env.fetch('STATSD_ENV', nil) == 'development'
+          ::StatsD::Instrument::LogSink.new(Logger.new($stderr))
+        elsif (addr = ::StatsD::Instrument::Environment.current.env.fetch('STATSD_ADDR', nil))
+          ::StatsD::Instrument::UDPSink.for_addr(addr)
+        else
+          ::StatsD::Instrument::NullSink.new
+        end
+        ::StatsD::Instrument::Client.new(prefix: PREFIX, sink: sink, default_sample_rate: 1.0)
       end
     end
-    # It is not sufficient to set the prefix field on the KubernetesDeploy::StatsD singleton itself, since its value
-    # is overridden in the underlying calls to the ::StatsD library, hence the need to pass it in as a custom prefix
-    # via the metric_options hash. This is done since KubernetesDeploy may be included as a library and should not
-    # change the global StatsD configuration of the importing application.
-    def self.increment(key, value = 1, **metric_options)
-      metric_options[:prefix] = PREFIX
-      super
-    end
-    def self.distribution(key, value = nil, **metric_options, &block)
-      metric_options[:prefix] = PREFIX
-      super
-    end
     module MeasureMethods
       def measure_method(method_name, metric = nil)
         unless method_defined?(method_name) || private_method_defined?(method_name)
@@ -64,9 +50,9 @@ module KubernetesDeploy
               dynamic_tags << "error:#{error}" if dynamic_tags.is_a?(Array)
             end
-            StatsD.distribution(
+            Krane::StatsD.client.distribution(
               metric,
-              KubernetesDeploy::StatsD.duration(start_time),
+              Krane::StatsD.duration(start_time),
               tags: dynamic_tags
             )
           end

data/lib/krane/task_config.rb ADDED

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+require 'krane/cluster_resource_discovery'
+module Krane
+  class TaskConfig
+    attr_reader :context, :namespace, :logger
+    def initialize(context, namespace, logger = nil)
+      @context = context
+      @namespace = namespace
+      @logger = logger || FormattedLogger.build(@namespace, @context)
+    end
+    def global_kinds
+      @global_kinds ||= begin
+        cluster_resource_discoverer = ClusterResourceDiscovery.new(task_config: self)
+        cluster_resource_discoverer.fetch_resources(namespaced: false).map { |g| g["kind"] }
+      end
+    end
+  end
+end

data/lib/{kubernetes-deploy → krane}/task_config_validator.rb RENAMED

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
-module KubernetesDeploy
+module Krane
   class TaskConfigValidator
     DEFAULT_VALIDATIONS = %i(
       validate_kubeconfig

data/lib/{kubernetes-deploy → krane}/template_sets.rb RENAMED

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
-require 'kubernetes-deploy/delayed_exceptions'
-require 'kubernetes-deploy/ejson_secret_provisioner'
+require 'krane/delayed_exceptions'
+require 'krane/ejson_secret_provisioner'
-module KubernetesDeploy
+module Krane
   class TemplateSets
     include DelayedExceptions
     VALID_TEMPLATES = %w(.yml.erb .yml .yaml .yaml.erb)
@@ -24,7 +24,7 @@ module KubernetesDeploy
             bindings: bindings,
           )
         end
-        with_delayed_exceptions(@files, KubernetesDeploy::InvalidTemplateError) do |filename|
+        with_delayed_exceptions(@files, Krane::InvalidTemplateError) do |filename|
           next if filename.end_with?(EjsonSecretProvisioner::EJSON_SECRETS_FILE)
           templates(filename: filename, raw: raw) { |r_def| yield r_def, filename }
         end
@@ -110,7 +110,7 @@ module KubernetesDeploy
     end
     def with_resource_definitions_and_filename(render_erb: false, current_sha: nil, bindings: nil, raw: false)
-      with_delayed_exceptions(@template_sets, KubernetesDeploy::InvalidTemplateError) do |template_set|
+      with_delayed_exceptions(@template_sets, Krane::InvalidTemplateError) do |template_set|
         template_set.with_resource_definitions_and_filename(
           render_erb: render_erb,
           current_sha: current_sha,

data/lib/krane/version.rb ADDED

@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+module Krane
+  VERSION = "1.0.0.pre.2"
+end

data/lib/kubernetes-deploy/deploy_task.rb CHANGED

@@ -1,617 +1,15 @@
 # frozen_string_literal: true
-require 'yaml'
-require 'shellwords'
-require 'tempfile'
-require 'fileutils'
-require 'kubernetes-deploy/common'
-require 'kubernetes-deploy/concurrency'
-require 'kubernetes-deploy/resource_cache'
-require 'kubernetes-deploy/kubernetes_resource'
-%w(
-  custom_resource
-  cloudsql
-  config_map
-  deployment
-  ingress
-  persistent_volume_claim
-  pod
-  network_policy
-  service
-  pod_template
-  pod_disruption_budget
-  replica_set
-  service_account
-  daemon_set
-  resource_quota
-  stateful_set
-  cron_job
-  job
-  custom_resource_definition
-  horizontal_pod_autoscaler
-  secret
-).each do |subresource|
-  require "kubernetes-deploy/kubernetes_resource/#{subresource}"
-end
-require 'kubernetes-deploy/resource_watcher'
-require 'kubernetes-deploy/kubectl'
-require 'kubernetes-deploy/kubeclient_builder'
-require 'kubernetes-deploy/ejson_secret_provisioner'
-require 'kubernetes-deploy/renderer'
-require 'kubernetes-deploy/cluster_resource_discovery'
-require 'kubernetes-deploy/template_sets'
+require 'krane/deprecated_deploy_task'
+require 'kubernetes-deploy/rescue_krane_exceptions'
 module KubernetesDeploy
-  class DeployTask
-    extend KubernetesDeploy::StatsD::MeasureMethods
-    PROTECTED_NAMESPACES = %w(
-      default
-      kube-system
-      kube-public
-    )
-    # Things removed from default prune whitelist at https://github.com/kubernetes/kubernetes/blob/0dff56b4d88ec7551084bf89028dbeebf569620e/pkg/kubectl/cmd/apply.go#L411:
-    # core/v1/Namespace -- not namespaced
-    # core/v1/PersistentVolume -- not namespaced
-    # core/v1/Endpoints -- managed by services
-    # core/v1/PersistentVolumeClaim -- would delete data
-    # core/v1/ReplicationController -- superseded by deployments/replicasets
-    def predeploy_sequence
-      before_crs = %w(
-        ResourceQuota
-        NetworkPolicy
-      )
-      after_crs = %w(
-        ConfigMap
-        PersistentVolumeClaim
-        ServiceAccount
-        Role
-        RoleBinding
-        Secret
-        Pod
-      )
-      before_crs + cluster_resource_discoverer.crds.select(&:predeployed?).map(&:kind) + after_crs
-    end
-    def prune_whitelist
-      wl = %w(
-        core/v1/ConfigMap
-        core/v1/Pod
-        core/v1/Service
-        core/v1/ResourceQuota
-        core/v1/Secret
-        core/v1/ServiceAccount
-        core/v1/PodTemplate
-        batch/v1/Job
-        extensions/v1beta1/ReplicaSet
-        extensions/v1beta1/DaemonSet
-        extensions/v1beta1/Deployment
-        extensions/v1beta1/Ingress
-        networking.k8s.io/v1/NetworkPolicy
-        apps/v1beta1/StatefulSet
-        autoscaling/v1/HorizontalPodAutoscaler
-        policy/v1beta1/PodDisruptionBudget
-        batch/v1beta1/CronJob
-        rbac.authorization.k8s.io/v1/Role
-        rbac.authorization.k8s.io/v1/RoleBinding
-      )
-      wl + cluster_resource_discoverer.crds.select(&:prunable?).map(&:group_version_kind)
-    end
-    def server_version
-      kubectl.server_version
-    end
-    def initialize(namespace:, context:, current_sha:, logger: nil, kubectl_instance: nil, bindings: {},
-      max_watch_seconds: nil, selector: nil, template_paths: [], template_dir: nil, protected_namespaces: nil,
-      render_erb: true)
-      template_dir = File.expand_path(template_dir) if template_dir
-      template_paths = (template_paths.map { |path| File.expand_path(path) } << template_dir).compact
-      @logger = logger || KubernetesDeploy::FormattedLogger.build(namespace, context)
-      @template_sets = TemplateSets.from_dirs_and_files(paths: template_paths, logger: @logger)
-      @task_config = KubernetesDeploy::TaskConfig.new(context, namespace, @logger)
-      @bindings = bindings
-      @namespace = namespace
-      @namespace_tags = []
-      @context = context
-      @current_sha = current_sha
-      @kubectl = kubectl_instance
-      @max_watch_seconds = max_watch_seconds
-      @selector = selector
-      @protected_namespaces = protected_namespaces || PROTECTED_NAMESPACES
-      @render_erb = render_erb
-    end
+  class DeployTask < ::Krane::DeprecatedDeployTask
+    include RescueKraneExceptions
     def run(*args)
-      run!(*args)
-      true
-    rescue FatalDeploymentError
+      super(*args)
+    rescue KubernetesDeploy::FatalDeploymentError
       false
     end
-    def run!(verify_result: true, allow_protected_ns: false, prune: true)
-      start = Time.now.utc
-      @logger.reset
-      @logger.phase_heading("Initializing deploy")
-      validate_configuration(allow_protected_ns: allow_protected_ns, prune: prune)
-      resources = discover_resources
-      validate_resources(resources)
-      @logger.phase_heading("Checking initial resource statuses")
-      check_initial_status(resources)
-      if deploy_has_priority_resources?(resources)
-        @logger.phase_heading("Predeploying priority resources")
-        predeploy_priority_resources(resources)
-      end
-      @logger.phase_heading("Deploying all resources")
-      if @protected_namespaces.include?(@namespace) && prune
-        raise FatalDeploymentError, "Refusing to deploy to protected namespace '#{@namespace}' with pruning enabled"
-      end
-      if verify_result
-        deploy_all_resources(resources, prune: prune, verify: true)
-        failed_resources = resources.reject(&:deploy_succeeded?)
-        success = failed_resources.empty?
-        if !success && failed_resources.all?(&:deploy_timed_out?)
-          raise DeploymentTimeoutError
-        end
-        raise FatalDeploymentError unless success
-      else
-        deploy_all_resources(resources, prune: prune, verify: false)
-        @logger.summary.add_action("deployed #{resources.length} #{'resource'.pluralize(resources.length)}")
-        warning = <<~MSG
-          Deploy result verification is disabled for this deploy.
-          This means the desired changes were communicated to Kubernetes, but the deploy did not make sure they actually succeeded.
-        MSG
-        @logger.summary.add_paragraph(ColorizedString.new(warning).yellow)
-      end
-      StatsD.event("Deployment of #{@namespace} succeeded",
-        "Successfully deployed all #{@namespace} resources to #{@context}",
-        alert_type: "success", tags: statsd_tags << "status:success")
-      StatsD.distribution('all_resources.duration', StatsD.duration(start), tags: statsd_tags << "status:success")
-      @logger.print_summary(:success)
-    rescue DeploymentTimeoutError
-      @logger.print_summary(:timed_out)
-      StatsD.event("Deployment of #{@namespace} timed out",
-        "One or more #{@namespace} resources failed to deploy to #{@context} in time",
-        alert_type: "error", tags: statsd_tags << "status:timeout")
-      StatsD.distribution('all_resources.duration', StatsD.duration(start), tags: statsd_tags << "status:timeout")
-      raise
-    rescue FatalDeploymentError => error
-      @logger.summary.add_action(error.message) if error.message != error.class.to_s
-      @logger.print_summary(:failure)
-      StatsD.event("Deployment of #{@namespace} failed",
-        "One or more #{@namespace} resources failed to deploy to #{@context}",
-        alert_type: "error", tags: statsd_tags << "status:failed")
-      StatsD.distribution('all_resources.duration', StatsD.duration(start), tags: statsd_tags << "status:failed")
-      raise
-    end
-    private
-    def kubeclient_builder
-      @kubeclient_builder ||= KubeclientBuilder.new
-    end
-    def cluster_resource_discoverer
-      @cluster_resource_discoverer ||= ClusterResourceDiscovery.new(
-        namespace: @namespace,
-        context: @context,
-        logger: @logger,
-        namespace_tags: @namespace_tags
-      )
-    end
-    def ejson_provisioners
-      @ejson_provisoners ||= @template_sets.ejson_secrets_files.map do |ejson_secret_file|
-        EjsonSecretProvisioner.new(
-          namespace: @namespace,
-          context: @context,
-          ejson_keys_secret: ejson_keys_secret,
-          ejson_file: ejson_secret_file,
-          logger: @logger,
-          statsd_tags: @namespace_tags,
-          selector: @selector,
-        )
-      end
-    end
-    def deploy_has_priority_resources?(resources)
-      resources.any? { |r| predeploy_sequence.include?(r.type) }
-    end
-    def predeploy_priority_resources(resource_list)
-      bare_pods = resource_list.select { |resource| resource.is_a?(Pod) }
-      if bare_pods.count == 1
-        bare_pods.first.stream_logs = true
-      end
-      predeploy_sequence.each do |resource_type|
-        matching_resources = resource_list.select { |r| r.type == resource_type }
-        next if matching_resources.empty?
-        deploy_resources(matching_resources, verify: true, record_summary: false)
-        failed_resources = matching_resources.reject(&:deploy_succeeded?)
-        fail_count = failed_resources.length
-        if fail_count > 0
-          KubernetesDeploy::Concurrency.split_across_threads(failed_resources) do |r|
-            r.sync_debug_info(kubectl)
-          end
-          failed_resources.each { |r| @logger.summary.add_paragraph(r.debug_message) }
-          raise FatalDeploymentError, "Failed to deploy #{fail_count} priority #{'resource'.pluralize(fail_count)}"
-        end
-        @logger.blank_line
-      end
-    end
-    measure_method(:predeploy_priority_resources, 'priority_resources.duration')
-    def validate_resources(resources)
-      KubernetesDeploy::Concurrency.split_across_threads(resources) do |r|
-        r.validate_definition(kubectl, selector: @selector)
-      end
-      resources.select(&:has_warnings?).each do |resource|
-        record_warnings(warning: resource.validation_warning_msg, filename: File.basename(resource.file_path))
-      end
-      failed_resources = resources.select(&:validation_failed?)
-      return unless failed_resources.present?
-      failed_resources.each do |r|
-        content = File.read(r.file_path) if File.file?(r.file_path) && !r.sensitive_template_content?
-        record_invalid_template(err: r.validation_error_msg, filename: File.basename(r.file_path), content: content)
-      end
-      raise FatalDeploymentError, "Template validation failed"
-    end
-    measure_method(:validate_resources)
-    def check_initial_status(resources)
-      cache = ResourceCache.new(@namespace, @context, @logger)
-      KubernetesDeploy::Concurrency.split_across_threads(resources) { |r| r.sync(cache) }
-      resources.each { |r| @logger.info(r.pretty_status) }
-    end
-    measure_method(:check_initial_status, "initial_status.duration")
-    def secrets_from_ejson
-      ejson_provisioners.flat_map(&:resources)
-    end
-    def discover_resources
-      @logger.info("Discovering resources:")
-      resources = []
-      crds_by_kind = cluster_resource_discoverer.crds.group_by(&:kind)
-      @template_sets.with_resource_definitions(render_erb: @render_erb,
-          current_sha: @current_sha, bindings: @bindings) do |r_def|
-        crd = crds_by_kind[r_def["kind"]]&.first
-        r = KubernetesResource.build(namespace: @namespace, context: @context, logger: @logger, definition: r_def,
-          statsd_tags: @namespace_tags, crd: crd)
-        resources << r
-        @logger.info("  - #{r.id}")
-      end
-      secrets_from_ejson.each do |secret|
-        resources << secret
-        @logger.info("  - #{secret.id} (from ejson)")
-      end
-      if (global = resources.select(&:global?).presence)
-        @logger.warn("Detected non-namespaced #{'resource'.pluralize(global.count)} which will never be pruned:")
-        global.each { |r| @logger.warn("  - #{r.id}") }
-      end
-      resources.sort
-    rescue InvalidTemplateError => e
-      record_invalid_template(err: e.message, filename: e.filename, content: e.content)
-      raise FatalDeploymentError, "Failed to render and parse template"
-    end
-    measure_method(:discover_resources)
-    def record_invalid_template(err:, filename:, content: nil)
-      debug_msg = ColorizedString.new("Invalid template: #{filename}\n").red
-      debug_msg += "> Error message:\n#{FormattedLogger.indent_four(err)}"
-      if content
-        debug_msg += if content =~ /kind:\s*Secret/
-          "\n> Template content: Suppressed because it may contain a Secret"
-        else
-          "\n> Template content:\n#{FormattedLogger.indent_four(content)}"
-        end
-      end
-      @logger.summary.add_paragraph(debug_msg)
-    end
-    def record_warnings(warning:, filename:)
-      warn_msg = "Template warning: #{filename}\n"
-      warn_msg += "> Warning message:\n#{FormattedLogger.indent_four(warning)}"
-      @logger.summary.add_paragraph(ColorizedString.new(warn_msg).yellow)
-    end
-    def validate_configuration(allow_protected_ns:, prune:)
-      errors = []
-      errors += kubeclient_builder.validate_config_files
-      errors += @template_sets.validate
-      if @namespace.blank?
-        errors << "Namespace must be specified"
-      elsif @protected_namespaces.include?(@namespace)
-        if allow_protected_ns && prune
-          errors << "Refusing to deploy to protected namespace '#{@namespace}' with pruning enabled"
-        elsif allow_protected_ns
-          @logger.warn("You're deploying to protected namespace #{@namespace}, which cannot be pruned.")
-          @logger.warn("Existing resources can only be removed manually with kubectl. " \
-            "Removing templates from the set deployed will have no effect.")
-          @logger.warn("***Please do not deploy to #{@namespace} unless you really know what you are doing.***")
-        else
-          errors << "Refusing to deploy to protected namespace '#{@namespace}'"
-        end
-      end
-      if @context.blank?
-        errors << "Context must be specified"
-      end
-      unless errors.empty?
-        @logger.summary.add_paragraph(errors.map { |err| "- #{err}" }.join("\n"))
-        raise FatalDeploymentError, "Configuration invalid"
-      end
-      confirm_context_exists
-      confirm_namespace_exists
-      confirm_ejson_keys_not_prunable if prune
-      @logger.info("Using resource selector #{@selector}") if @selector
-      @namespace_tags |= tags_from_namespace_labels
-      @logger.info("All required parameters and files are present")
-    end
-    measure_method(:validate_configuration)
-    def deploy_resources(resources, prune: false, verify:, record_summary: true)
-      return if resources.empty?
-      deploy_started_at = Time.now.utc
-      if resources.length > 1
-        @logger.info("Deploying resources:")
-        resources.each do |r|
-          @logger.info("- #{r.id} (#{r.pretty_timeout_type})")
-        end
-      else
-        resource = resources.first
-        @logger.info("Deploying #{resource.id} (#{resource.pretty_timeout_type})")
-      end
-      # Apply can be done in one large batch, the rest have to be done individually
-      applyables, individuals = resources.partition { |r| r.deploy_method == :apply }
-      # Prunable resources should also applied so that they can  be pruned
-      pruneable_types = prune_whitelist.map { |t| t.split("/").last }
-      applyables += individuals.select { |r| pruneable_types.include?(r.type) }
-      individuals.each do |r|
-        r.deploy_started_at = Time.now.utc
-        case r.deploy_method
-        when :replace
-          _, _, replace_st = kubectl.run("replace", "-f", r.file_path, log_failure: false)
-        when :replace_force
-          _, _, replace_st = kubectl.run("replace", "--force", "--cascade", "-f", r.file_path,
-            log_failure: false)
-        else
-          # Fail Fast! This is a programmer mistake.
-          raise ArgumentError, "Unexpected deploy method! (#{r.deploy_method.inspect})"
-        end
-        next if replace_st.success?
-        # it doesn't exist so we can't replace it
-        _, err, create_st = kubectl.run("create", "-f", r.file_path, log_failure: false)
-        next if create_st.success?
-        raise FatalDeploymentError, <<~MSG
-          Failed to replace or create resource: #{r.id}
-          #{err}
-        MSG
-      end
-      apply_all(applyables, prune)
-      if verify
-        watcher = ResourceWatcher.new(resources: resources, logger: @logger, deploy_started_at: deploy_started_at,
-          timeout: @max_watch_seconds, namespace: @namespace, context: @context, sha: @current_sha)
-        watcher.run(record_summary: record_summary)
-      end
-    end
-    def deploy_all_resources(resources, prune: false, verify:, record_summary: true)
-      deploy_resources(resources, prune: prune, verify: verify, record_summary: record_summary)
-    end
-    measure_method(:deploy_all_resources, 'normal_resources.duration')
-    def apply_all(resources, prune)
-      return unless resources.present?
-      command = %w(apply)
-      Dir.mktmpdir do |tmp_dir|
-        resources.each do |r|
-          FileUtils.symlink(r.file_path, tmp_dir)
-          r.deploy_started_at = Time.now.utc
-        end
-        command.push("-f", tmp_dir)
-        if prune
-          command.push("--prune")
-          if @selector
-            command.push("--selector", @selector.to_s)
-          else
-            command.push("--all")
-          end
-          prune_whitelist.each { |type| command.push("--prune-whitelist=#{type}") }
-        end
-        output_is_sensitive = resources.any?(&:sensitive_template_content?)
-        out, err, st = kubectl.run(*command, log_failure: false, output_is_sensitive: output_is_sensitive)
-        if st.success?
-          log_pruning(out) if prune
-        else
-          record_apply_failure(err, resources: resources)
-          raise FatalDeploymentError, "Command failed: #{Shellwords.join(command)}"
-        end
-      end
-    end
-    measure_method(:apply_all)
-    def log_pruning(kubectl_output)
-      pruned = kubectl_output.scan(/^(.*) pruned$/)
-      return unless pruned.present?
-      @logger.info("The following resources were pruned: #{pruned.join(', ')}")
-      @logger.summary.add_action("pruned #{pruned.length} #{'resource'.pluralize(pruned.length)}")
-    end
-    def record_apply_failure(err, resources: [])
-      warn_msg = "WARNING: Any resources not mentioned in the error(s) below were likely created/updated. " \
-        "You may wish to roll back this deploy."
-      @logger.summary.add_paragraph(ColorizedString.new(warn_msg).yellow)
-      unidentified_errors = []
-      filenames_with_sensitive_content = resources
-        .select(&:sensitive_template_content?)
-        .map { |r| File.basename(r.file_path) }
-      server_dry_run_validated_resource = resources
-        .select(&:server_dry_run_validated?)
-        .map { |r| File.basename(r.file_path) }
-      err.each_line do |line|
-        bad_files = find_bad_files_from_kubectl_output(line)
-        unless bad_files.present?
-          unidentified_errors << line
-          next
-        end
-        bad_files.each do |f|
-          err_msg = f[:err]
-          if filenames_with_sensitive_content.include?(f[:filename])
-            # Hide the error and template contents in case it has sensitive information
-            # we display full error messages as we assume there's no sensitive info leak after server-dry-run
-            err_msg = "SUPPRESSED FOR SECURITY" unless server_dry_run_validated_resource.include?(f[:filename])
-            record_invalid_template(err: err_msg, filename: f[:filename], content: nil)
-          else
-            record_invalid_template(err: err_msg, filename: f[:filename], content: f[:content])
-          end
-        end
-      end
-      return unless unidentified_errors.any?
-      if (filenames_with_sensitive_content - server_dry_run_validated_resource).present?
-        warn_msg = "WARNING: There was an error applying some or all resources. The raw output may be sensitive and " \
-          "so cannot be displayed."
-        @logger.summary.add_paragraph(ColorizedString.new(warn_msg).yellow)
-      else
-        heading = ColorizedString.new('Unidentified error(s):').red
-        msg = FormattedLogger.indent_four(unidentified_errors.join)
-        @logger.summary.add_paragraph("#{heading}\n#{msg}")
-      end
-    end
-    # Inspect the file referenced in the kubectl stderr
-    # to make it easier for developer to understand what's going on
-    def find_bad_files_from_kubectl_output(line)
-      # stderr often contains one or more lines like the following, from which we can extract the file path(s):
-      # Error from server (TypeOfError): error when creating "/path/to/service-gqq5oh.yml": Service "web" is invalid:
-      line.scan(%r{"(/\S+\.ya?ml\S*)"}).each_with_object([]) do |matches, bad_files|
-        matches.each do |path|
-          content = File.read(path) if File.file?(path)
-          bad_files << { filename: File.basename(path), err: line, content: content }
-        end
-      end
-    end
-    def confirm_context_exists
-      out, err, st = kubectl.run("config", "get-contexts", "-o", "name",
-        use_namespace: false, use_context: false, log_failure: false)
-      available_contexts = out.split("\n")
-      if !st.success?
-        raise FatalDeploymentError, err
-      elsif !available_contexts.include?(@context)
-        raise FatalDeploymentError, "Context #{@context} is not available. Valid contexts: #{available_contexts}"
-      end
-      confirm_cluster_reachable
-      @logger.info("Context #{@context} found")
-    end
-    def confirm_cluster_reachable
-      success = false
-      with_retries(2) do
-        begin
-          success = kubectl.version_info
-        rescue KubectlError
-          success = false
-        end
-      end
-      raise FatalDeploymentError, "Failed to reach server for #{@context}" unless success
-      TaskConfigValidator.new(@task_config, kubectl, kubeclient_builder, only: [:validate_server_version]).valid?
-    end
-    def confirm_namespace_exists
-      raise FatalDeploymentError, "Namespace #{@namespace} not found" unless namespace_definition.present?
-      @logger.info("Namespace #{@namespace} found")
-    end
-    def namespace_definition
-      @namespace_definition ||= begin
-        definition, _err, st = kubectl.run("get", "namespace", @namespace, use_namespace: false,
-          log_failure: true, raise_if_not_found: true, attempts: 3, output: 'json')
-        st.success? ? JSON.parse(definition, symbolize_names: true) : nil
-      end
-    rescue Kubectl::ResourceNotFoundError
-      nil
-    end
-    # make sure to never prune the ejson-keys secret
-    def confirm_ejson_keys_not_prunable
-      return unless ejson_keys_secret.dig("metadata", "annotations", KubernetesResource::LAST_APPLIED_ANNOTATION)
-      @logger.error("Deploy cannot proceed because protected resource " \
-        "Secret/#{EjsonSecretProvisioner::EJSON_KEYS_SECRET} would be pruned.")
-      raise EjsonPrunableError
-    rescue Kubectl::ResourceNotFoundError => e
-      @logger.debug("Secret/#{EjsonSecretProvisioner::EJSON_KEYS_SECRET} does not exist: #{e}")
-    end
-    def tags_from_namespace_labels
-      return [] if namespace_definition.blank?
-      namespace_labels = namespace_definition.fetch(:metadata, {}).fetch(:labels, {})
-      namespace_labels.map { |key, value| "#{key}:#{value}" }
-    end
-    def kubectl
-      @kubectl ||= Kubectl.new(namespace: @namespace, context: @context, logger: @logger, log_failure_by_default: true)
-    end
-    def ejson_keys_secret
-      @ejson_keys_secret ||= begin
-        out, err, st = kubectl.run("get", "secret", EjsonSecretProvisioner::EJSON_KEYS_SECRET, output: "json",
-          raise_if_not_found: true, attempts: 3, output_is_sensitive: true, log_failure: true)
-        unless st.success?
-          raise EjsonSecretError, "Error retrieving Secret/#{EjsonSecretProvisioner::EJSON_KEYS_SECRET}: #{err}"
-        end
-        JSON.parse(out)
-      end
-    end
-    def statsd_tags
-      %W(namespace:#{@namespace} sha:#{@current_sha} context:#{@context}) | @namespace_tags
-    end
-    def with_retries(limit)
-      retried = 0
-      while retried <= limit
-        success = yield
-        break if success
-        retried += 1
-      end
-    end
   end
 end