RubyGems - kubernetes-deploy - Versions diffs - 0.26.7 → 0.27.0 - Mend

kubernetes-deploy 0.26.7 → 0.27.0

Files changed (38) hide show

checksums.yaml +4 -4
data/.rubocop.yml +4 -0
data/CHANGELOG.md +16 -0
data/CONTRIBUTING.md +1 -1
data/README.md +1 -0
data/exe/kubernetes-deploy +22 -6
data/exe/kubernetes-render +7 -6
data/exe/kubernetes-restart +3 -3
data/exe/kubernetes-run +1 -3
data/lib/kubernetes-deploy.rb +3 -27
data/lib/kubernetes-deploy/common.rb +24 -0
data/lib/kubernetes-deploy/deferred_summary_logging.rb +2 -0
data/lib/kubernetes-deploy/deploy_task.rb +58 -65
data/lib/kubernetes-deploy/duration_parser.rb +2 -0
data/lib/kubernetes-deploy/ejson_secret_provisioner.rb +7 -14
data/lib/kubernetes-deploy/errors.rb +0 -8
data/lib/kubernetes-deploy/formatted_logger.rb +1 -0
data/lib/kubernetes-deploy/kubeclient_builder.rb +2 -2
data/lib/kubernetes-deploy/kubectl.rb +1 -0
data/lib/kubernetes-deploy/kubernetes_resource.rb +3 -1
data/lib/kubernetes-deploy/kubernetes_resource/custom_resource_definition.rb +0 -2
data/lib/kubernetes-deploy/kubernetes_resource/deployment.rb +2 -0
data/lib/kubernetes-deploy/kubernetes_resource/pod_set_base.rb +2 -0
data/lib/kubernetes-deploy/kubernetes_resource/replica_set.rb +1 -0
data/lib/kubernetes-deploy/kubernetes_resource/service.rb +21 -8
data/lib/kubernetes-deploy/options_helper.rb +25 -12
data/lib/kubernetes-deploy/render_task.rb +4 -4
data/lib/kubernetes-deploy/resource_watcher.rb +4 -0
data/lib/kubernetes-deploy/restart_task.rb +17 -13
data/lib/kubernetes-deploy/runner_task.rb +9 -5
data/lib/kubernetes-deploy/task_config.rb +16 -0
data/lib/kubernetes-deploy/task_config_validator.rb +96 -0
data/lib/kubernetes-deploy/template_sets.rb +135 -0
data/lib/kubernetes-deploy/version.rb +1 -1
metadata +7 -7
data/lib/kubernetes-deploy/kubernetes_resource/memcached.rb +0 -43
data/lib/kubernetes-deploy/kubernetes_resource/redis.rb +0 -56
data/lib/kubernetes-deploy/template_discovery.rb +0 -15

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: e0b06a9aef9e685727b66e55ab51169559c2420ac758cd567fc5274118149d14
-  data.tar.gz: a50dd8b0579b2e87789a24b346efe7cbc7a440ecc1e8120d42b6734e7acee398
+  metadata.gz: 84961e6f603a285f3a16df6fa04f27201e80cf29476d6fc9a8a6ace4748ed64e
+  data.tar.gz: 484d466ef9e3cf80401edc34dd1a4ddefbd57013c1022b274d78f04456461739
 SHA512:
-  metadata.gz: 01fa4ba1c7eb02c788c5787d7d50e0909776537caae16542fa973adc20f91596cf55698345f3e59bc3fb299244c1753a53b7ac8e4990cdeb7f7f4b9a3e0d7f39
-  data.tar.gz: ee08ed90bed9a485987528914443d4e85209113575bdef800a93989668a9fd1728e6f6bb262dfdada2c0bd8c37a079d65545330bf9bd7dfc4d139fa5d3466a09
+  metadata.gz: 5a7f78c88ccc77549205df00fda10ef4843f721043182b01a5e00e1059a971de2cad12a2c820c4b79c81c1c6a4942baea69e14b4b443bb17f22dec002edfaedd
+  data.tar.gz: 9e6d96674cc341c65cff8fea18ab0cc18196580f4a5134c04a6c91ac6fdb4d1e9d9825520d6e0110432d3ff87c38623cb5fda8843157d73f039042ad6b360d94

data/.rubocop.yml CHANGED

@@ -11,3 +11,7 @@ Naming/FileName:
 Sorbet/ConstantsFromStrings:
   Enabled: false
+Layout/Tab:
+  Exclude:
+    - test/integration/kubernetes_deploy_test.rb

data/CHANGELOG.md CHANGED

@@ -1,5 +1,21 @@
 ## next
+## 0.27.0
+*Enhancements*
+- (alpha) Introduce a new `-f` flag for `kubernetes-deploy`. Allows passing in of multiple directories and/or filenames. Currently only usable by `kubernetes-deploy`, not `kubernetes-render`. [#514](https://github.com/Shopify/kubernetes-deploy/pull/514)
+- Initial implementation of shared task validation objects. [#533](https://github.com/Shopify/kubernetes-deploy/pull/533)
+- Restructure `require`s so that requiring a given task actually gives you the dependencies you need, and doesn't give what you don't need. [#487](https://github.com/Shopify/kubernetes-deploy/pull/487)
+- **[Breaking change]** Added ServiceAccount, PodTemplate, ReplicaSet, Role, and RoleBinding to the prune whitelist.
+  * To see what resources may be affected, run `kubectl get $RESOURCE -o jsonpath='{ range .items[*] }{.metadata.namespace}{ "\t" }{.metadata.name}{ "\t" }{.metadata.annotations}{ "\n" }{ end }' --all-namespaces | grep "last-applied"`
+  * To exclude a resource from kubernetes-deploy (and kubectl apply) management, remove the last-applied annotation `kubectl annotate $RESOURCE $SECRET_NAME kubectl.kubernetes.io/last-applied-configuration-`.
+*Bug Fixes*
+- StatefulSets with 0 replicas explicitly specified don't fail deploy. [#540](https://github.com/Shopify/kubernetes-deploy/pull/540)
+- Search all workloads if a Pod selector doesn't match any workloads when deploying a Service. [#541](https://github.com/Shopify/kubernetes-deploy/pull/541)
+*Other*
+- `EjsonSecretProvisioner#new` signature has changed. `EjsonSecretProvisioner` objects no longer have access to `kubectl`. Rather, the `ejson-keys` secret used for decryption is now passed in via the calling task. Note that we only consider the `new` and `run(!)` methods of tasks (render, deploy, etc) to have inviolable APIs, so we do not consider this change breaking. [#514](https://github.com/Shopify/kubernetes-deploy/pull/514)
 ## 0.26.7
 *Other*

data/CONTRIBUTING.md CHANGED

@@ -47,7 +47,7 @@ We handle Kubernetes secrets, so it is critical that changes do not cause the co
 **Project architecture**
-The main interface of this project is our four tasks: `DeployTask`, `RestartTask`, `RunnerTask`, and `RenderTask`. The code in these classes should be high-level abstractions, with implementation details encapsulated in other classes. The public interface of these tasks is a `run` method (and a `run!` equivalent), the body of which should read like a set of phases and steps.
+The main interface of this project is our four tasks: `DeployTask`, `RestartTask`, `RunnerTask`, and `RenderTask`. The code in these classes should be high-level abstractions, with implementation details encapsulated in other classes. The public interface of these tasks is a `run` method (and a `run!` equivalent), the body of which should read like a set of phases and steps. Note that non-task classes are considered internal and we reserve the right to change their API at any time.
 An important design principle of the tasks is that they should try to fail fast before touching the cluster if they will not succeed overall. Part of how we achieve this is by separating each task into phases, where the first phase simply gathers information and runs validations to determine what needs to be done and whether that will be able to succeed. In practice, this is the “Initializing <task>” phase for all tasks, plus the “Checking initial resource statuses” phase for DeployTask. Our users should be able to assume that these initial phases never modify their clusters.

data/README.md CHANGED

@@ -109,6 +109,7 @@ official compatibility chart below.
 Refer to `kubernetes-deploy --help` for the authoritative set of options.
 - `--template-dir=DIR`: Used to set the deploy directory. Set `$ENVIRONMENT` instead to use `config/deploy/$ENVIRONMENT`. This flag also supports reading from STDIN. You can do this by using `--template-dir=-`. Example: `cat templates_from_stdin/*.yml | kubernetes-deploy ns ctx --template-dir=-`.
+- (alpha feature) `-f [PATHS]`: Accepts a comma-separated list of directories and/or filenames to specify the set of directories/files that will be deployed (use `-` to read from STDIN). Can be invoked multiple times. Cannot be combined with `--template-dir`. Example: `cat templates_from_stdin/*.yml | kubernetes-deploy ns ctx -f -,path/to/dir,path/to/file.yml`
 - `--bindings=BINDINGS`: Makes additional variables available to your ERB templates. For example, `kubernetes-deploy my-app cluster1 --bindings=color=blue,size=large` will expose `color` and `size`.
 - `--no-prune`: Skips pruning of resources that are no longer in your Kubernetes template set. Not recommended, as it allows your namespace to accumulate cruft that is not reflected in your deploy directory.
 - `--max-watch-seconds=seconds`: Raise a timeout error if it takes longer than _seconds_ for any

data/exe/kubernetes-deploy CHANGED

@@ -1,11 +1,16 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
-require 'kubernetes-deploy'
+require 'kubernetes-deploy/deploy_task'
+require 'kubernetes-deploy/options_helper'
+require 'kubernetes-deploy/bindings_parser'
+require 'kubernetes-deploy/label_selector'
 require 'optparse'
 skip_wait = false
-template_dir = nil
+template_dir = nil # deprecated
+template_paths = []
 allow_protected_ns = false
 prune = true
 bindings = {}
@@ -22,9 +27,13 @@ ARGV.options do |opts|
   prot_ns = KubernetesDeploy::DeployTask::PROTECTED_NAMESPACES.join(', ')
   opts.on("--allow-protected-ns", "Enable deploys to #{prot_ns}; requires --no-prune") { allow_protected_ns = true }
   opts.on("--no-prune", "Disable deletion of resources that do not appear in the template dir") { prune = false }
-  opts.on("--template-dir=DIR", "Set the template dir (default: config/deploy/$ENVIRONMENT).") do |d|
-    template_dir = d
+  opts.on("--template-dir=DIR", "Set the template dir (default: config/deploy/$ENVIRONMENT).") do |dir|
+    template_dir = dir
+  end
+  opts.on("-f [PATHS]", Array, "comma separated list of template directories and/or filenames") do |paths|
+    template_paths += paths
   end
   opts.on("--verbose-log-prefix", "Add [context][namespace] to the log prefix") { verbose_log_prefix = true }
   opts.on("--max-watch-seconds=seconds",
     "Timeout error is raised if it takes longer than the specified number of seconds") do |t|
@@ -51,13 +60,20 @@ namespace = ARGV[0]
 context = ARGV[1]
 logger = KubernetesDeploy::FormattedLogger.build(namespace, context, verbose_prefix: verbose_log_prefix)
+# Deprecation path: this can be removed when --template-dir is fully replaced by -f
+if template_dir && !template_paths.empty?
+  logger.error("Error: --template-dir and -f flags cannot be combined")
+  exit(1)
+end
+template_paths = [template_dir] if template_paths.empty? && template_dir
 begin
-  KubernetesDeploy::OptionsHelper.with_validated_template_dir(template_dir) do |dir|
+  KubernetesDeploy::OptionsHelper.with_processed_template_paths(template_paths) do |paths|
     runner = KubernetesDeploy::DeployTask.new(
       namespace: namespace,
       context: context,
       current_sha: ENV["REVISION"],
-      template_dir: dir,
+      template_paths: paths,
       bindings: bindings,
       logger: logger,
       max_watch_seconds: max_watch_seconds,

data/exe/kubernetes-render CHANGED

@@ -1,11 +1,13 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
-require 'kubernetes-deploy'
 require 'kubernetes-deploy/render_task'
+require 'kubernetes-deploy/options_helper'
+require 'kubernetes-deploy/bindings_parser'
 require 'optparse'
-template_dir = nil
+template_dir = []
 bindings = {}
 ARGV.options do |opts|
@@ -13,7 +15,7 @@ ARGV.options do |opts|
   opts.on("--bindings=BINDINGS", "Expose additional variables to ERB templates " \
     "(format: k1=v1,k2=v2, JSON string or file (JSON or YAML) path prefixed by '@')") { |b| parser.add(b) }
   opts.on("--template-dir=DIR", "Set the template dir (default: config/deploy/$ENVIRONMENT).") do |d|
-    template_dir = d
+    template_dir = [d]
   end
   opts.parse!
   bindings = parser.parse
@@ -23,11 +25,10 @@ templates = ARGV
 logger = KubernetesDeploy::FormattedLogger.build(verbose_prefix: false)
 begin
-  KubernetesDeploy::OptionsHelper.with_validated_template_dir(template_dir) do |dir|
+  KubernetesDeploy::OptionsHelper.with_processed_template_paths(template_dir) do |dir|
     runner = KubernetesDeploy::RenderTask.new(
-      logger: logger,
       current_sha: ENV["REVISION"],
-      template_dir: dir,
+      template_dir: dir.first,
       bindings: bindings,
     )

data/exe/kubernetes-restart CHANGED

@@ -3,8 +3,9 @@
 require 'optparse'
-require 'kubernetes-deploy'
 require 'kubernetes-deploy/restart_task'
+require 'kubernetes-deploy/options_helper'
+require 'kubernetes-deploy/label_selector'
 raw_deployments = nil
 max_watch_seconds = nil
@@ -20,9 +21,8 @@ end
 namespace = ARGV[0]
 context = ARGV[1]
-logger = KubernetesDeploy::FormattedLogger.build(namespace, context)
-restart = KubernetesDeploy::RestartTask.new(namespace: namespace, context: context, logger: logger,
+restart = KubernetesDeploy::RestartTask.new(namespace: namespace, context: context,
    max_watch_seconds: max_watch_seconds)
 begin
   restart.perform!(raw_deployments, selector: selector)

data/exe/kubernetes-run CHANGED

@@ -1,8 +1,8 @@
 #!/usr/bin/env ruby
 # frozen_string_literal: true
-require 'kubernetes-deploy'
 require 'kubernetes-deploy/runner_task'
+require 'kubernetes-deploy/options_helper'
 require 'optparse'
 template = "task-runner-template"
@@ -25,12 +25,10 @@ end
 namespace = ARGV[0]
 context = ARGV[1]
-logger = KubernetesDeploy::FormattedLogger.build(namespace, context)
 runner = KubernetesDeploy::RunnerTask.new(
   namespace: namespace,
   context: context,
-  logger: logger,
   max_watch_seconds: max_watch_seconds
 )

data/lib/kubernetes-deploy.rb CHANGED

@@ -1,30 +1,6 @@
 # frozen_string_literal: true
-require 'active_support/core_ext/object/blank'
-require 'active_support/core_ext/hash/reverse_merge'
-require 'active_support/core_ext/hash/slice'
-require 'active_support/core_ext/numeric/time'
-require 'active_support/core_ext/string/inflections'
-require 'active_support/core_ext/string/strip'
-require 'active_support/core_ext/hash/keys'
-require 'active_support/core_ext/array/conversions'
-require 'active_support/duration'
-require 'colorized_string'
-require 'kubernetes-deploy/version'
-require 'kubernetes-deploy/oj'
-require 'kubernetes-deploy/errors'
-require 'kubernetes-deploy/formatted_logger'
-require 'kubernetes-deploy/options_helper'
-require 'kubernetes-deploy/statsd'
 require 'kubernetes-deploy/deploy_task'
-require 'kubernetes-deploy/concurrency'
-require 'kubernetes-deploy/bindings_parser'
-require 'kubernetes-deploy/duration_parser'
-require 'kubernetes-deploy/resource_cache'
-require 'kubernetes-deploy/label_selector'
-module KubernetesDeploy
-  MIN_KUBE_VERSION = '1.10.0'
-  StatsD.build
-end
+require 'kubernetes-deploy/render_task'
+require 'kubernetes-deploy/restart_task'
+require 'kubernetes-deploy/runner_task'

data/lib/kubernetes-deploy/common.rb ADDED

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+require 'active_support/core_ext/object/blank'
+require 'active_support/core_ext/hash/reverse_merge'
+require 'active_support/core_ext/hash/slice'
+require 'active_support/core_ext/numeric/time'
+require 'active_support/core_ext/string/inflections'
+require 'active_support/core_ext/string/strip'
+require 'active_support/core_ext/hash/keys'
+require 'active_support/core_ext/array/conversions'
+require 'colorized_string'
+require 'kubernetes-deploy/version'
+require 'kubernetes-deploy/oj'
+require 'kubernetes-deploy/errors'
+require 'kubernetes-deploy/formatted_logger'
+require 'kubernetes-deploy/statsd'
+require 'kubernetes-deploy/task_config'
+require 'kubernetes-deploy/task_config_validator'
+module KubernetesDeploy
+  MIN_KUBE_VERSION = '1.10.0'
+  StatsD.build
+end

data/lib/kubernetes-deploy/deferred_summary_logging.rb CHANGED

@@ -1,4 +1,6 @@
 # frozen_string_literal: true
+require 'colorized_string'
 module KubernetesDeploy
   # Adds the methods kubernetes-deploy requires to your logger class.
   # These methods include helpers for logging consistent headings, as well as facilities for

data/lib/kubernetes-deploy/deploy_task.rb CHANGED

@@ -1,9 +1,12 @@
 # frozen_string_literal: true
-require 'open3'
 require 'yaml'
 require 'shellwords'
 require 'tempfile'
 require 'fileutils'
+require 'kubernetes-deploy/common'
+require 'kubernetes-deploy/concurrency'
+require 'kubernetes-deploy/resource_cache'
 require 'kubernetes-deploy/kubernetes_resource'
 %w(
   custom_resource
@@ -13,9 +16,7 @@ require 'kubernetes-deploy/kubernetes_resource'
   ingress
   persistent_volume_claim
   pod
-  redis
   network_policy
-  memcached
   service
   pod_template
   pod_disruption_budget
@@ -41,7 +42,7 @@ require 'kubernetes-deploy/kubeclient_builder'
 require 'kubernetes-deploy/ejson_secret_provisioner'
 require 'kubernetes-deploy/renderer'
 require 'kubernetes-deploy/cluster_resource_discovery'
-require 'kubernetes-deploy/template_discovery'
+require 'kubernetes-deploy/template_sets'
 module KubernetesDeploy
   class DeployTask
@@ -58,7 +59,6 @@ module KubernetesDeploy
     # core/v1/Endpoints -- managed by services
     # core/v1/PersistentVolumeClaim -- would delete data
     # core/v1/ReplicationController -- superseded by deployments/replicasets
-    # extensions/v1beta1/ReplicaSet -- managed by deployments
     def predeploy_sequence
       before_crs = %w(
@@ -85,7 +85,10 @@ module KubernetesDeploy
         core/v1/Service
         core/v1/ResourceQuota
         core/v1/Secret
+        core/v1/ServiceAccount
+        core/v1/PodTemplate
         batch/v1/Job
+        extensions/v1beta1/ReplicaSet
         extensions/v1beta1/DaemonSet
         extensions/v1beta1/Deployment
         extensions/v1beta1/Ingress
@@ -94,6 +97,8 @@ module KubernetesDeploy
         autoscaling/v1/HorizontalPodAutoscaler
         policy/v1beta1/PodDisruptionBudget
         batch/v1beta1/CronJob
+        rbac.authorization.k8s.io/v1/Role
+        rbac.authorization.k8s.io/v1/RoleBinding
       )
       wl + cluster_resource_discoverer.crds.select(&:prunable?).map(&:group_version_kind)
     end
@@ -102,22 +107,21 @@ module KubernetesDeploy
       kubectl.server_version
     end
-    def initialize(namespace:, context:, current_sha:, template_dir:, logger:, kubectl_instance: nil, bindings: {},
-      max_watch_seconds: nil, selector: nil)
+    def initialize(namespace:, context:, current_sha:, logger: nil, kubectl_instance: nil, bindings: {},
+      max_watch_seconds: nil, selector: nil, template_paths: [], template_dir: nil)
+      template_dir = File.expand_path(template_dir) if template_dir
+      template_paths = (template_paths.map { |path| File.expand_path(path) } << template_dir).compact
+      @logger = logger || KubernetesDeploy::FormattedLogger.build(namespace, context)
+      @template_sets = TemplateSets.from_dirs_and_files(paths: template_paths, logger: @logger)
+      @task_config = KubernetesDeploy::TaskConfig.new(context, namespace, @logger)
+      @bindings = bindings
       @namespace = namespace
       @namespace_tags = []
       @context = context
       @current_sha = current_sha
-      @template_dir = File.expand_path(template_dir)
-      @logger = logger
       @kubectl = kubectl_instance
       @max_watch_seconds = max_watch_seconds
-      @renderer = KubernetesDeploy::Renderer.new(
-        current_sha: @current_sha,
-        template_dir: @template_dir,
-        logger: @logger,
-        bindings: bindings,
-      )
       @selector = selector
     end
@@ -204,15 +208,18 @@ module KubernetesDeploy
       )
     end
-    def ejson_provisioner
-      @ejson_provisioner ||= EjsonSecretProvisioner.new(
-        namespace: @namespace,
-        context: @context,
-        template_dir: @template_dir,
-        logger: @logger,
-        statsd_tags: @namespace_tags,
-        selector: @selector,
-      )
+    def ejson_provisioners
+      @ejson_provisoners ||= @template_sets.ejson_secrets_files.map do |ejson_secret_file|
+        EjsonSecretProvisioner.new(
+          namespace: @namespace,
+          context: @context,
+          ejson_keys_secret: ejson_keys_secret,
+          ejson_file: ejson_secret_file,
+          logger: @logger,
+          statsd_tags: @namespace_tags,
+          selector: @selector,
+        )
+      end
     end
     def deploy_has_priority_resources?(resources)
@@ -267,54 +274,37 @@ module KubernetesDeploy
     measure_method(:check_initial_status, "initial_status.duration")
     def secrets_from_ejson
-      ejson_provisioner.resources
+      ejson_provisioners.flat_map(&:resources)
     end
     def discover_resources
+      @logger.info("Discovering resources:")
       resources = []
-      crds = cluster_resource_discoverer.crds.group_by(&:kind)
-      @logger.info("Discovering templates:")
-      TemplateDiscovery.new(@template_dir).templates.each do |filename|
-        split_templates(filename) do |r_def|
-          crd = crds[r_def["kind"]]&.first
-          r = KubernetesResource.build(namespace: @namespace, context: @context, logger: @logger, definition: r_def,
-            statsd_tags: @namespace_tags, crd: crd)
-          resources << r
-          @logger.info("  - #{r.id}")
-        end
+      crds_by_kind = cluster_resource_discoverer.crds.group_by(&:kind)
+      @template_sets.with_resource_definitions(render_erb: true,
+          current_sha: @current_sha, bindings: @bindings) do |r_def|
+        crd = crds_by_kind[r_def["kind"]]&.first
+        r = KubernetesResource.build(namespace: @namespace, context: @context, logger: @logger, definition: r_def,
+          statsd_tags: @namespace_tags, crd: crd)
+        resources << r
+        @logger.info("  - #{r.id}")
       end
       secrets_from_ejson.each do |secret|
         resources << secret
         @logger.info("  - #{secret.id} (from ejson)")
       end
       if (global = resources.select(&:global?).presence)
         @logger.warn("Detected non-namespaced #{'resource'.pluralize(global.count)} which will never be pruned:")
         global.each { |r| @logger.warn("  - #{r.id}") }
       end
       resources.sort
-    end
-    measure_method(:discover_resources)
-    def split_templates(filename)
-      file_content = File.read(File.join(@template_dir, filename))
-      rendered_content = @renderer.render_template(filename, file_content)
-      YAML.load_stream(rendered_content, "<rendered> #{filename}") do |doc|
-        next if doc.blank?
-        unless doc.is_a?(Hash)
-          raise InvalidTemplateError.new("Template is not a valid Kubernetes manifest",
-            filename: filename, content: doc)
-        end
-        yield doc
-      end
     rescue InvalidTemplateError => e
-      e.filename ||= filename
       record_invalid_template(err: e.message, filename: e.filename, content: e.content)
       raise FatalDeploymentError, "Failed to render and parse template"
-    rescue Psych::SyntaxError => e
-      record_invalid_template(err: e.message, filename: filename, content: rendered_content)
-      raise FatalDeploymentError, "Failed to render and parse template"
     end
+    measure_method(:discover_resources)
     def record_invalid_template(err:, filename:, content: nil)
       debug_msg = ColorizedString.new("Invalid template: #{filename}\n").red
@@ -332,12 +322,7 @@ module KubernetesDeploy
     def validate_configuration(allow_protected_ns:, prune:)
       errors = []
       errors += kubeclient_builder.validate_config_files
-      if !File.directory?(@template_dir)
-        errors << "Template directory `#{@template_dir}` doesn't exist"
-      elsif Dir.entries(@template_dir).none? { |file| file =~ /(\.ya?ml(\.erb)?)$|(secrets\.ejson)$/ }
-        errors << "`#{@template_dir}` doesn't contain valid templates (secrets.ejson or postfix .yml, .yml.erb)"
-      end
+      errors += @template_sets.validate
       if @namespace.blank?
         errors << "Namespace must be specified"
@@ -546,9 +531,7 @@ module KubernetesDeploy
         end
       end
       raise FatalDeploymentError, "Failed to reach server for #{@context}" unless success
-      if kubectl.server_version < Gem::Version.new(MIN_KUBE_VERSION)
-        @logger.warn(KubernetesDeploy::Errors.server_version_warning(server_version))
-      end
+      TaskConfigValidator.new(@task_config, kubectl, kubeclient_builder, only: [:validate_server_version]).valid?
     end
     def confirm_namespace_exists
@@ -568,8 +551,7 @@ module KubernetesDeploy
     # make sure to never prune the ejson-keys secret
     def confirm_ejson_keys_not_prunable
-      secret = ejson_provisioner.ejson_keys_secret
-      return unless secret.dig("metadata", "annotations", KubernetesResource::LAST_APPLIED_ANNOTATION)
+      return unless ejson_keys_secret.dig("metadata", "annotations", KubernetesResource::LAST_APPLIED_ANNOTATION)
       @logger.error("Deploy cannot proceed because protected resource " \
         "Secret/#{EjsonSecretProvisioner::EJSON_KEYS_SECRET} would be pruned.")
@@ -588,6 +570,17 @@ module KubernetesDeploy
       @kubectl ||= Kubectl.new(namespace: @namespace, context: @context, logger: @logger, log_failure_by_default: true)
     end
+    def ejson_keys_secret
+      @ejson_keys_secret ||= begin
+        out, err, st = kubectl.run("get", "secret", EjsonSecretProvisioner::EJSON_KEYS_SECRET, output: "json",
+          raise_if_not_found: true, attempts: 3, output_is_sensitive: true, log_failure: true)
+        unless st.success?
+          raise EjsonSecretError, "Error retrieving Secret/#{EjsonSecretProvisioner::EJSON_KEYS_SECRET}: #{err}"
+        end
+        JSON.parse(out)
+      end
+    end
     def statsd_tags
       %W(namespace:#{@namespace} sha:#{@current_sha} context:#{@context}) | @namespace_tags
     end