rops 1.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: edce405e87d5a4199f1bf81eb2b308ffd59e980bfd8cca9e5af65d2766fe765d
+  data.tar.gz: 28579f4f236865908f1a0fdbac465225285c9961a2aaf13aa1513bd477a7481f
+SHA512:
+  metadata.gz: 70d5f614103f56e270c43014c81bc4801223a0fbae5977f4f658367b590c96ba0308c631c88f75c8f18c88882dfb350fee85b620f477afa1db524775f406d1c7
+  data.tar.gz: ed7bb0203a5dbe569019bef605e9a8ab805de1d8a0914f8d9162b4157c64b7a78489000ef13fbb1e112feced24a5a9a7f71244a1582e48ea4d18aa8a909703e4

data/Gemfile

@@ -0,0 +1,3 @@
+source 'https://rubygems.org'
+git_source(:github) { |repo| "https://github.com/#{repo}.git" }
+gemspec

data/Gemfile.lock

@@ -0,0 +1,43 @@
+PATH
+  remote: .
+  specs:
+    rops (1.0.1)
+      activesupport (~> 6.1.4)
+      dry-cli (~> 0.7.0)
+      git (~> 1.9.1)
+      hashdiff (~> 1.0.1)
+      net-ssh (~> 6.1.0)
+      ptools (~> 1.4.2)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    activesupport (6.1.4.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (>= 1.6, < 2)
+      minitest (>= 5.1)
+      tzinfo (~> 2.0)
+      zeitwerk (~> 2.3)
+    concurrent-ruby (1.1.9)
+    dry-cli (0.7.0)
+    git (1.9.1)
+      rchardet (~> 1.8)
+    hashdiff (1.0.1)
+    i18n (1.8.10)
+      concurrent-ruby (~> 1.0)
+    minitest (5.14.4)
+    net-ssh (6.1.0)
+    ptools (1.4.2)
+    rchardet (1.8.0)
+    tzinfo (2.0.4)
+      concurrent-ruby (~> 1.0)
+    zeitwerk (2.4.2)
+
+PLATFORMS
+  x86_64-linux
+
+DEPENDENCIES
+  rops!
+
+BUNDLED WITH
+   2.2.25

data/LICENSE

@@ -0,0 +1,20 @@
+Copyright (c) 2021 Record360, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be included
+in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
+IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
+CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
+TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,156 @@
+# rops 
+
+The Record360 Operations tool - checkout, build, deploy
+
+## Usage
+
+This tool implements the Record360 Best Practices for building and deploying projects.  It interfaces with Git (for source control), Docker/Podman (for container images), and Kubernetes (cluster deployments).
+
+### Installation
+
+Add `rops` to your Gemfile and then run `bundle install`.
+
+```ruby
+# Gemfile
+group :development do
+  gem 'rops', github: 'Record360/rops'
+end
+```
+
+### Configuration
+
+`rops` has several opinionated defaults, which can be overridden by command line options or a configuration file.
+
+#### Project Root Directory
+  By default, the current working directory when `rops` runs.  It can be overridden with the `--root=<DIR>` option.
+
+  The project root directory must contain:
+  * Git repository (`./`)
+  * Dockerfile (`./Dockerfile`)
+  * Kubernetes configuration files (`./platform/`)
+
+  `rops` will search for an optional configuration file in:
+  * `./.rops.yaml`
+  * `./platform/rops.yaml`
+  * `./config/rops.yaml`
+
+#### Docker Container Images
+  By default, a single image named from the the Project root directory and built from `./Dockerfile`.  May be overridden by setting the `images` array in the configuration file, e.g.:
+
+```yaml
+images:
+- name: 'first-image'
+  dockerfile: dockerfiles/first.Dockerfile
+- name: 'second-image'
+  dockerfile: dockerfiles/second.Dockerfile
+```
+
+#### Git Default Branch
+  The Git branch to build, by default `master`.  Overridden with the `default_branch` field in the configuration file.
+
+#### Docker Registry
+  The Docker registry to push container images.  By default, `docker.io/r360`, which is probably not what you want and should be overridden by setting the `registry` field in the configuration file.
+
+#### Kubernetes Context
+  The name of the Kubernetes context to deploy to (as listed in `~/.kube/config`).  Defaults to `staging` and overridden with the `default_context` field in the configuration file.
+
+  There are extra safety features when deploying to the production context, which defaults to `production` and may be overridden with the `production_context` field in the configuration file.
+
+  Kubernetes configuration is organized by Kubernetes context name, under the `./platform` directory.  For example, the Kubernetes configuration for the default contexts (`staging` and `production`) is stored under `./platform/staging` and `./platform/production` respectively.
+
+### Operations
+
+### Status
+
+Arguments: 
+* `context`: Kubernetes context (default `staging`, or the value of `staging_context`)
+
+Displays the statuses of all deployable Kubernetes objects, including image version and number of pods running/desired.  Objects which exist in the Kubernetes configuration directory but don't exist in the cluster are listed as `MISSING`, for example:
+
+```shell
+$ rops status
+Currently running (staging):
+  * MISSING   web-activity-purge (cronjob)
+  * gfc50028b web-archive-media-files (cronjob)
+  * gfc50028b web-company-report (cronjob)
+  * gfc50028b web-subscriptions (cronjob)
+  * gfc50028b web-sync-billing (cronjob)
+  * gfc50028b jobs [1/1] (deployment)
+  * gfc50028b web [1/1] (deployment)
+```
+
+### Build
+
+Arguments: 
+* `branch`: Git branch/commit (default `master`, or the value of `default_branch`)
+
+Builds the Docker image(s), optionally specifying a Git branch name.
+
+The image will be tagged with the shortened Git commit ID prefixed with a `g` (e.g. `g12345678` ).  If a non-default branch name is specified, it will be appended to the image tag (e.g. `g1234abcd-feature`). The build sets the full Git commit ID in the container image as the `GIT_VERSION` environment variable.
+
+The build sets the number of cores to use for building as the `JOBS` environment variable (usually passed to `bundle` or `make`).  By default, it uses one less than the total number of CPU cores, although you can override this by setting the `R360_BUILD_CORES` environment variable.
+
+
+```shell
+$ rops build feature
+Building image web:gfc50028b-feature using 7 cores ...
+...
+STEP 15/16: ARG GIT_VERSION
+--> 69cfcafa4c3
+STEP 16/16: ENV GIT_VERSION=$GIT_VERSION
+COMMIT web:gfc50028b-feature
+--> 8c5ea56990b
+Successfully tagged localhost/web:gfc50028b-feature
+8c5ea56990bfb1329b8180e4826fca7c5fb08d14d2097e9a05e29296c669cc86
+```
+
+### Push
+
+Arguments: 
+* `branch`: Git branch/commit (default `master`, or the value of `default_branch`)
+
+Builds the Docker image, if necessary (as in `rops build` above), then pushes the image to the Docker registry.
+
+```shell
+$ rops push feature
+Local image web:gfc50028b-some-branch already exists
+...
+Writing manifest to image destination
+Storing signatures
+```
+
+### Deploy
+
+Arguments: 
+* `branch`: Git branch/commit (default `master`, or the value of `default_branch`)
+* `context`: Kubernetes context (default `staging`, or the value of `default_context`)
+
+Deploys the Docker image to Kubernetes, building and pushing if necessary (like `rops push`).  Displays the currently running versions (like `rops status`), and any changes to the Kubernetes object configuration, and prompts for confirmation.  `branch` must be specified if deploying to the production context.
+
+The Kubernetes configuration is taken from the Git repository on the same branch/commit as the source code to build.  Only Kubernetes objects that reference one of the built `images` will be deployed to the cluster (e.g. `Pod`, `Deployment`, `CronJob`, `StatefulSet`, etc.).  Other Kubernetes object (e.g. `ConfigMaps`, `Secrets`, `Service`, `Ingress`, etc.) will not be automatically deployed, even if they're in the same YAML file as other objects.  They will need to be applied to the cluster manually.
+
+```shell
+$ rops deploy
+Currently running (staging):
+  * MISSING   web-activity-purge (cronjob)
+  * gfc50028b web-archive-media-files (cronjob)
+  * gfc50028b web-company-report (cronjob)
+  * gfc50028b web-subscriptions (cronjob)
+  * gfc50028b web-sync-billing (cronjob)
+  * gfc50028b jobs [1/1] (deployment)
+  * gfc50028b web [1/1] (deployment)
+
+Configuration changes:
+  web (deployment)
+    - spec.template.spec.containers[0].imagePullPolicy: "Always"
+
+Deploy g12345678 (master) to staging? (y/N): y
+
+deployment.apps/web configured
+deployment.apps/jobs configured
+cronjob.batch/web-archive-media-files configured
+cronjob.batch/web-company-report configured
+cronjob.batch/web-subscriptions configured
+cronjob.batch/web-sync-billing configured
+cronjob.batch/web-activity-purge created
+```

data/bin/rops

@@ -0,0 +1,243 @@
+#!/usr/bin/env ruby
+$: << __dir__+'/../lib'
+
+require 'bundler/setup'
+require 'dry/cli'
+require 'active_support'
+require 'active_support/core_ext'
+require 'active_support/concern'
+require 'hashdiff'
+
+require 'core_ext'
+require 'deployer'
+
+module Record360
+  module Operations
+    extend Dry::CLI::Registry
+
+    module Common
+      extend ActiveSupport::Concern
+      included do
+        attr_reader :deployer, :context
+        delegate [:branch, :image_tag, :images, :production_context] => :deployer
+
+        option :root, desc: "Root directory", default: Dir.pwd
+      end
+
+      def initialize(deployer = nil)
+        @deployer = deployer
+        super()
+      end
+
+      def call(root: nil, branch: nil, context: nil, **)
+        @root = root  if root
+        @deployer ||= Deployer.new(@root)
+        deployer.branch = branch  if branch
+        @context = context || deployer.default_context
+      end
+
+    protected
+
+      def print_statuses(context, spec_statuses = nil)
+        spec_statuses ||= deployer.specs_running(context)
+        return  if spec_statuses.blank?
+
+        puts "Currently running (#{context}):"
+        spec_statuses.each do |spec, status|
+          msg = String.new("  * ")
+          msg << (status&.dig(:version) || "MISSING  ")
+          msg << " #{spec.dig('metadata', 'name')}"
+          if (replicas = status&.dig(:status, :replicas))
+            msg << " [#{status[:status][:availableReplicas] || 0}/#{replicas}]"
+          end
+          msg << " (#{spec['kind'].downcase})"
+          puts msg
+        end
+      end
+
+      def print_spec_diffs(diffs)
+        puts "Configuration changes:"
+        diffs.each do |spec, diff|
+          puts "  #{spec.dig('metadata', 'name')} (#{spec['kind'].downcase})"
+          diff.each do |op, key, old_val, new_val|
+            msg = String.new("    ")
+            if op.in? %w(- +)
+              msg += "#{op} #{key}: #{old_val.to_json}"
+            elsif op
+              msg += "  #{key}: #{old_val.to_json} -> #{new_val.to_json}"
+            else
+              msg += "  #{spec.to_json}"
+            end
+            puts msg
+          end
+        end
+      end
+
+      def spec_diffs(spec_statuses)
+        spec_statuses.map do |new_spec, status|
+          if status
+            # remove runtime info from old spec
+            old_spec = status[:spec].deep_dup
+            old_spec.deep_each do |key, val, obj|
+              if (key == 'metadata') && val.is_a?(Hash)
+                val.except! *%w(annotations creationTimestamp resourceVersion selfLink uid generation managedFields)
+                obj.delete(key)  if val.blank?
+              end
+            end
+            diff = filter_diff( Hashdiff.diff(old_spec, new_spec, use_lcs: false) ).presence
+          else
+            diff = [ [] ]
+          end
+          [ new_spec, diff ]
+        end.to_h.compact
+      end
+
+      FILTER_DIFF = {
+        'metadata.namespace' => 'default',
+        'spec.suspend' => false,
+        'spec.progressDeadlineSeconds' => 600,
+        /spec\.template\.spec\.dnsPolicy$/ => 'ClusterFirst',
+        /spec\.template\.spec\.schedulerName$/ => 'default-scheduler',
+        /spec\.template\.spec\.securityContext$/ => {},
+        /spec\.template\.spec\.terminationGracePeriodSeconds$/ => 30,
+        /spec\.template\.spec\.restartPolicy$/ => 'Always',
+        /spec\.template\.spec\.containers\[\d+\]\.imagePullPolicy$/ => 'IfNotPresent',
+        /spec\.template\.spec\.containers\[\d+\]\.terminationMessagePath$/ => '/dev/termination-log',
+        /spec\.template\.spec\.containers\[\d+\]\.terminationMessagePolicy$/ => 'File',
+        /spec\.template\.spec\.containers\[\d+\]\.readinessProbe\.httpGet\.scheme$/ => 'HTTP',
+        /spec\.template\.spec\.containers\[\d+\]\.readinessProbe\.timeoutSeconds$/ => 1,
+        /spec\.template\.spec\.containers\[\d+\]\.readinessProbe\.successThreshold$/ => 1,
+        /spec\.template\.spec\.containers\[\d+\]\.readinessProbe\.failureThreshold$/ => 3,
+        /spec\.template\.spec\.containers\[\d+\]\.resources$/ => {},
+        /spec\.template\.spec\.containers\[\d+\]\.env\[\d+\]\.valueFrom\.fieldRef\.apiVersion$/ => 'v1',
+        /spec\.template\.spec\.containers\[\d+\]\.ports\[\d+\]\.protocol$/ => 'TCP',
+        /spec\.template\.spec\.volumes\[\d+\]\.secret\.defaultMode/ => 420,
+      }.freeze
+
+      def filter_diff(diff)
+        diff.reject do |op, path, old_val, new_val|
+          case op
+            when '-'
+              FILTER_DIFF.any? do |key, default|
+                ((key.is_a?(String) && (key == path)) || (key.is_a?(Regexp) && key.match(path))) && (default == old_val)
+              end
+
+            when '~'
+              if path.match(/spec\.template\.spec\.containers\[\d+\]\.image$/)
+                true
+
+              elsif path.match(/spec\.template\.spec\.containers\[\d+\]\.resources\.requests\.cpu$/)
+                # normalize miliCPUs to fractional CPUs, filter if equal
+                old_val.end_with?('m') && ((old_val.delete_suffix('m').to_f / 1000.0) == new_val)
+
+              elsif path.match(/spec\.template\.spec\.containers\[\d+\]\.resources\.requests\.memory$/)
+                # normalize Mi to fractional Gi, filter if equal
+                old_val.end_with?('Mi') && ("#{(old_val.delete_suffix('Mi').to_f / 1024.0)}Gi" == new_val)
+              end
+          end
+        end
+      end
+    end
+
+    class CurrentStatus < Dry::CLI::Command
+      desc "Display status of all running specs"
+      argument :context, desc: "Kubernetes context"
+      include Common
+
+      def call(**)
+        super
+        print_statuses(context)
+      end
+    end
+
+    class BuildImage < Dry::CLI::Command
+      desc "Build the docker image" #" (COMMIT=#{DEFAULT_COMMIT})"
+      argument :branch, desc: "Branch (or commit) to build" #, default: DEFAULT_COMMIT
+      include Common
+
+      def call(**)
+        super
+        images.each do |image|
+          if image.local_exists?
+            puts "Local image #{image.local_image} already exists"
+          else
+            puts "Building image #{image.local_image} using #{Image.build_cores} cores ..."
+            image.build! or exit(-1)
+          end
+        end
+      end
+    end
+
+    class PushImage < Dry::CLI::Command
+      desc "Build and push the docker image to the repository"
+      argument :branch, desc: "Branch (or commit) to build"
+      include Common
+
+      def call(**)
+        super
+        images.each do |image|
+          if image.remote_exists?
+            puts "Remote image #{image.remote_image} already exists"
+            next
+          end
+
+          unless image.local_exists?
+            puts "Building image #{image.local_image} using #{Image.build_cores} cores ..."
+            image.build! or exit(-1)
+          end
+          image.push! or exit(-1)
+        end
+      end
+    end
+
+    class DeployImage < Dry::CLI::Command
+      desc "Deploy the docker image to the cluster"
+      argument :branch,  desc: "Branch (or commit) to build"
+      argument :context, desc: "Kubernetes context"
+      include Common
+
+      def call(**)
+        super
+        if context == production_context
+          if branch.blank?
+            puts "Must specify commit for production deployment"
+            exit(-1)
+          end
+          images.each do |image|
+            unless image.remote_exists?
+              puts "Remote image #{image.remote_image} doesn't exists.  Run `push` first"
+              exit(-1)
+            end
+          end
+        else
+          PushImage.new(deployer).call(context: context)
+        end
+
+        spec_statuses = deployer.specs_running(context)  or exit(-1)
+        print_statuses(context, spec_statuses)
+        puts
+
+        if (diffs = spec_diffs(spec_statuses)).present?
+          print_spec_diffs(diffs)
+          puts
+        end
+
+        if $stdout.tty?
+          print "Deploy #{branch} (#{image_tag}) to #{context}? (y/N): "
+          exit(-1)  unless $stdin.gets&.chomp == 'y'
+        else
+          puts "Deploying #{branch} (#{image_tag}) to #{context}"
+        end
+
+        deployer.deploy!(context)
+      end
+    end
+
+    register 'status', CurrentStatus
+    register 'build',  BuildImage
+    register 'push',   PushImage
+    register 'deploy', DeployImage
+  end
+end
+
+Dry::CLI.new(Record360::Operations).call

data/lib/core_ext.rb

@@ -0,0 +1,210 @@
+require 'tempfile'
+
+module CoreExtensions
+
+# STRING ##########################################################################################
+
+module String
+  # https://en.wikipedia.org/wiki/Whitespace_character#Unicode
+  SPACE_CHAR_CLASS = '\p{Space}\u180e\u200b\u200c\u200d\u2060\ufeff'.freeze
+  LSTRIP_SPACE_REGEX = %r{\A[#{SPACE_CHAR_CLASS}]+}.freeze
+  RSTRIP_SPACE_REGEX = %r{[#{SPACE_CHAR_CLASS}]+\z}.freeze
+
+  def lstrip
+    (encoding == Encoding::UTF_8) ? sub(LSTRIP_SPACE_REGEX, '') : super
+  end
+
+  def rstrip
+    (encoding == Encoding::UTF_8) ? sub(RSTRIP_SPACE_REGEX, '') : super
+  end
+
+  def strip
+    if encoding == Encoding::UTF_8
+      dup.tap do |str|
+        str.sub!(LSTRIP_SPACE_REGEX, '')
+        str.sub!(RSTRIP_SPACE_REGEX, '')
+      end
+    else
+      super
+    end
+  end
+
+  def possessive
+    str = self + "'"
+    str += 's' unless %r{(s|se|z|ze|ce|x|xe)$}i.match(self)
+    str
+  end
+
+  def force_utf8
+    if (encoding == Encoding::UTF_8) && valid_encoding?
+      self
+    else
+      encode('utf-8', invalid: :replace, undef: :replace)
+    end
+  end
+
+  def to_hex
+    self.b.unpack('H*').first
+  end
+end
+
+# ARRAY ###########################################################################################
+
+module Array
+  def except!(*vals)
+    vals.each { |v|  delete(v) }
+    self
+  end
+
+  def except(*vals)
+    dup.except!(*vals)
+  end
+
+  def group_index_by(&blk)
+    index = {}
+    group_by(&blk).each do |name, group|
+      if group.length == 1
+        index[group[0]] = name
+        next
+      end
+
+      idx_digits = Math.log10(group.length).floor + 1
+      group.each.with_index do |obj, idx|
+        index[obj] = [ name, "%0#{idx_digits}d" % (idx+1) ]
+      end
+    end
+    index
+  end
+
+  def deep_reject(&blk)
+    dup.deep_reject!(&blk)
+  end
+
+  def deep_reject!(&blk)
+    idx = 0
+    while idx < length do
+      val = self[idx]
+      val.deep_reject!(&blk)  if val.respond_to?(:deep_reject!)
+      if blk.call(idx, val)
+        delete_at(idx)
+      else
+        idx += 1
+      end
+    end
+    self
+  end
+
+  def deep_each(&blk)
+    idx = 0
+    while idx < length do
+      val = self[idx]
+      if blk.arity == 3
+        blk.call(idx, val, self)
+        val = self[idx]
+      else
+        blk.call(idx, val)
+      end
+      val.deep_each(&blk)  if val.respond_to?(:deep_each)
+      idx += 1
+    end
+    self
+  end
+
+  def force_utf8
+    map { |el|  el.respond_to?(:force_utf8) ? el.force_utf8 : el }
+  end
+end
+
+# HASH ############################################################################################
+
+module Hash
+  def deep_reject(&blk)
+    dup.deep_reject!(&blk)
+  end
+
+  def deep_reject!(&blk)
+    each do |key, val|
+      val.deep_reject!(&blk)  if val.respond_to?(:deep_reject!)
+      delete(key)  if blk.call(key, val)
+    end
+    self
+  end
+
+  def deep_each(&blk)
+    keys.each do |key|
+      val = self[key]
+      if blk.arity == 3
+        blk.call(key, val, self)
+        val = self[key]
+      else
+        blk.call(key, val)
+      end
+      val.deep_each(&blk)  if val.respond_to?(:deep_each)
+    end
+    self
+  end
+
+  def deep_map(&blk)
+    keys.each do |key|
+      val = self[key]
+      (blk.arity == 3) ? blk.call(key, val, self) : blk.call(key, val)
+      val.deep_each(&blk)  if val.respond_to?(:deep_each)
+    end
+    self
+  end
+
+  def force_utf8
+    map do |key, val|
+      [
+        key.respond_to?(:force_utf8) ? key.force_utf8 : key,
+        val.respond_to?(:force_utf8) ? val.force_utf8 : val,
+      ]
+    end.to_h
+  end
+
+  def safe_dig(*path)
+    dig(*path)
+  rescue TypeError => ex
+    return nil  if ex.message.include?('does not have #dig method')
+    raise
+  end
+end
+
+# BOOLEAN #########################################################################################
+
+module String
+  def to_bool(default = nil)
+    return true  if %w(true  1 yes on  t).include?(self.downcase.strip)
+    return false if %w(false 0  no off f).include?(self.downcase.strip)
+    default
+  end
+end
+  module Numeric
+  def to_bool(_default = nil) !zero? end
+end
+  module NilClass
+  def to_bool(default = nil)  default  end
+end
+  module TrueClass
+  def to_bool(_default = nil)  self  end
+end
+  module FalseClass
+  def to_bool(_default = nil)  self  end
+end
+
+# TEMPFILE ########################################################################################
+
+require 'active_support/number_helper/number_to_human_size_converter'
+module Tempfile
+  def inspect
+    "#{path} (#{ActiveSupport::NumberHelper.number_to_human_size(size)})"
+  end
+end
+
+end
+
+###################################################################################################
+
+CoreExtensions.constants.each do |mod|
+  Kernel.const_get(mod).prepend(CoreExtensions.const_get(mod))
+end

data/lib/deployer.rb

@@ -0,0 +1,189 @@
+require 'yaml'
+require 'open3'
+require 'ptools'
+require 'git_ext'
+require 'image'
+
+class Deployer
+  CONFIG_LOCATIONS = %w(.rops.yaml platform/rops.yaml config/rops.yaml).freeze
+  CONFIG_DEFAULTS = {
+    'repository' => nil,
+    'default_branch' => 'master',
+    'registry' => 'docker.io/r360',
+    'default_context' => 'staging',
+    'production_context' => 'production',
+    'images' => []
+  }.freeze
+
+  attr_reader :root, :repository, :registry, :ssh_host, :images
+  attr_reader :default_branch, :default_context, :production_context
+  attr_reader :branch, :commit, :image_tag
+
+  def self.docker
+    @docker_path ||= File.which('docker') || File.which('podman')
+  end
+
+  def self.podman?
+    docker.include?('podman')
+  end
+
+  def initialize(root = nil)
+    @images = []
+    @specs = {}
+
+    @root = root || Dir.pwd
+    load_config
+    self.branch = default_branch
+  end
+
+  def branch=(branch)
+    return  unless branch
+    @branch = branch.dup
+    @branch.delete_prefix!('g')  if @branch.match(/^g\h{8}$/)
+    @commit = git.object(@branch).sha
+
+    short_id = @commit[0, 8]
+    @image_tag = "g#{short_id}"
+    if branch.present? && (branch != default_branch) && !branch.start_with?(short_id)
+      @image_tag += "-#{branch}"
+    end
+    images.each do |image|
+      image.commit = commit
+      image.tag = image_tag
+    end
+  end
+
+  def specs_running(context = nil)
+    context ||= default_context
+    context = context.to_s
+    specs = deploy_specs(context)
+
+    cmd = String.new "--output=json"
+    if (namespace = specs.first.dig('metadata', 'namespace'))
+      cmd += " --namespace #{namespace}"
+    end
+    cmd += " get"
+    specs.each do |spec|
+      cmd += " #{spec['kind'].downcase}/#{spec.dig('metadata', 'name')}"
+    end
+
+    statuses, stderr, success = kubectl(context, cmd)
+    unless success || stderr.match(/not found/)
+      puts stderr  if stderr.present?
+      return nil
+    end
+
+    spec_status = specs.map { |spec|  [ spec, nil ] }.to_h
+    statuses = JSON.parse(statuses)
+    statuses = statuses['items']  if statuses.key?('items')
+    Array.wrap(statuses).each do |item|
+      containers = Array(item.dig('spec', 'template', 'spec', 'containers')) +
+                   Array(item.dig('spec', 'jobTemplate', 'spec', 'template', 'spec', 'containers'))
+      version = containers.first['image'].split(':').last               # FIXME: support multiple containers
+      status = item.delete('status').with_indifferent_access
+
+      spec = specs.detect do |s|
+        (item['kind'] == s['kind']) &&
+        (item.dig('metadata', 'name') == s.dig('metadata', 'name')) &&
+        (item.dig('metadata', 'namespace') == (s.dig('metadata', 'namespace') || 'default'))
+      end
+      spec_status[spec] = { spec: item, version: version, status: status }
+    end
+    spec_status
+  end
+
+  def deploy!(context)
+    context ||= default_context
+    context = context.to_s
+    specs = deploy_specs(context).presence  or raise "No kubernetes specs to deploy"
+    stdout, stderr, _success = kubectl(context, 'apply -f -', YAML.dump_stream(*specs))
+    puts stdout  if stdout.present?
+    puts stderr  if stderr.present?
+  end
+
+  def deploy_specs(context = nil)
+    dspecs = []
+    specs(context).deep_dup.each do |spec|
+      containers =
+        Array(spec.dig('spec', 'template', 'spec', 'containers')) +                       # deployments/statefulsets
+        Array(spec.dig('spec', 'jobTemplate', 'spec', 'template', 'spec', 'containers'))  # cronjobs
+
+      containers.each do |container|
+        image = images.detect { |image|  image.remote_repo == container['image'] }
+        if image
+          container['image'] = image.remote_image
+          dspecs << spec  unless dspecs.include?(spec)
+        elsif !container['image'].include?(':')
+          raise "Unknown image #{container['image']}"
+        end
+      end
+    end
+    dspecs
+  end
+
+  def specs(context = nil)
+    context ||= default_context
+    context = context.to_s
+    @specs[context] ||= begin
+      paths = git.ls_tree(commit, "platform/#{context}/")['blob'].keys
+      raise "No specs found for context #{context}"  unless paths.present?
+      paths.map { |path| YAML.load_stream( git.show(commit, path) ) }.flatten.compact
+    end
+  end
+
+  def kubectl(context, cmd, data = nil)
+    cmd = "kubectl --context #{context} #{cmd}"
+
+    if ssh_host.blank?
+      stdout, stderr, cmd_status = Open3.capture3(cmd)
+      [ stdout, stderr, cmd_status.success? ]
+    else
+      require 'net/ssh'
+      exit_code = -1
+      stdout = String.new
+      stderr = String.new
+
+      ssh = Net::SSH.start(ssh_host)
+      ssh.open_channel do |channel|
+        channel.exec(cmd) do |_ch, success|
+          success or raise "FAILED: couldn't execute command on #{ssh_host}: #{cmd.inspect}"
+          channel.on_data { |_ch, in_data|  stdout << in_data }
+          channel.on_extended_data { |_ch, _type, in_data|  stderr << in_data }
+          channel.on_request('exit-status') { |_ch, in_data|  exit_code = in_data.read_long }
+          channel.send_data(data)  if data
+          channel.eof!
+        end
+      end
+      ssh.loop
+      [ stdout, stderr, exit_code.zero? ]
+    end
+  end
+
+private
+
+  def git
+    @git ||= Git.open(repository, log: nil)
+  end
+
+  def load_config
+    conf_path = find_config(root)
+    conf = conf_path ? YAML.load_file(conf_path) : {}
+    conf = conf.reverse_merge(CONFIG_DEFAULTS)
+
+    @repository, @registry, @default_branch, @default_context, @production_context, @ssh_host, images =
+      conf.values_at('repository', 'registry', 'default_branch', 'default_context', 'production_context', 'ssh', 'images').map(&:presence)
+    @repository ||= root
+
+    images ||= [{ 'name' => File.basename(File.absolute_path(repository)) }]
+    @images = images.map do |image|
+      name = image['name']
+      dockerfile = image['dockerfile'].presence || 'Dockerfile'
+      Image.new(name: name, repository: repository, dockerfile: dockerfile, registry: registry, commit: nil, tag: nil)
+    end
+  end
+
+  def find_config(dir_or_path)
+    return dir_or_path  unless File.directory?(dir_or_path)
+    CONFIG_LOCATIONS.map { |location|  File.join(dir_or_path, location) }.detect { |path|  File.exist?(path) }
+  end
+end

data/lib/git_ext.rb

@@ -0,0 +1,23 @@
+require 'git'
+
+module Git
+  class Base
+    def ls_tree(*args)
+      self.lib.ls_tree(*args)
+    end
+  end
+
+  class Lib
+    # monkey-patched to add 'files' argument
+    def ls_tree(sha, files = nil)
+      data = {'blob' => {}, 'tree' => {}}
+      command_lines('ls-tree', [sha, files].compact).each do |line|
+        (info, filenm) = line.split("\t")
+        (mode, type, sha) = info.split
+        data[type][filenm] = {:mode => mode, :sha => sha}
+      end
+      data
+    end
+  end
+end
+

data/lib/image.rb

@@ -0,0 +1,77 @@
+class Image
+  def self.build_cores
+    @build_cores ||= ENV.fetch('R360_BUILD_CORES', [ 1, Concurrent::Utility::ProcessorCounter.new.processor_count - 1 ].max).to_i
+  end
+
+  attr_reader :name, :repository, :dockerfile, :commit, :tag, :registry
+  attr_writer :commit
+
+  def initialize(name:, repository:, dockerfile:, commit:, tag:, registry:)
+    @name = name.downcase
+    @repository = repository
+    @dockerfile = dockerfile
+    @commit = commit
+    @tag = tag
+    @registry = registry
+  end
+
+  def tag=(tag)
+    @tag = tag
+    @remote_exists = nil
+  end
+
+  def build!
+    return  if local_exists?
+
+    Dir.mktmpdir("#{name}-build") do |dir|
+      system("git -C #{repository} archive #{commit} | tar -x -C #{dir}") and
+      system("#{Deployer.docker} build -f #{dockerfile} -t #{local_image} --build-arg JOBS=#{Image.build_cores} --build-arg GIT_VERSION=#{commit} #{dir}")
+    end
+  end
+
+  def push!
+    return  if remote_exists?
+
+    if Deployer.podman?
+      system("#{Deployer.docker} push #{local_image} #{remote_image}")
+    else
+      system("#{Deployer.docker} tag  #{local_image} #{remote_image}") and
+      system("#{Deployer.docker} push #{remote_image}") and
+      system("#{Deployer.docker} rmi  #{remote_image}")
+    end
+  end
+
+  def local_repo
+    name
+  end
+
+  def remote_repo
+    "#{registry}/#{name}"
+  end
+
+  def local_image
+    "#{local_repo}:#{tag}"
+  end
+
+  def local_exists?
+    system("#{Deployer.docker} image exists #{local_image}")
+  end
+
+  def remote_image
+    "#{remote_repo}:#{tag}"
+  end
+
+  def remote_exists?
+    if @remote_exists.nil?
+      # this fails to parse the manifest of some images (built with Podman?), and gives warnings on others
+      _stdout, stderr, status = Open3.capture3("DOCKER_CLI_EXPERIMENTAL=enabled #{Deployer.docker} manifest inspect #{remote_image}")
+      if status.success? || stderr.include?('error parsing manifest blob')
+        @remote_exists = true
+      else
+        puts stderr  if stderr.present? && !stderr.include?('manifest unknown')
+        @remote_exists = false
+      end
+    end
+    @remote_exists
+  end
+end

metadata

@@ -0,0 +1,137 @@
+--- !ruby/object:Gem::Specification
+name: rops
+version: !ruby/object:Gem::Version
+  version: 1.0.1
+platform: ruby
+authors:
+- Steve Sloan
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2021-09-27 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: dry-cli
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.7.0
+- !ruby/object:Gem::Dependency
+  name: activesupport
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.1.4
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.1.4
+- !ruby/object:Gem::Dependency
+  name: git
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.9.1
+- !ruby/object:Gem::Dependency
+  name: ptools
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.4.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.4.2
+- !ruby/object:Gem::Dependency
+  name: hashdiff
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 1.0.1
+- !ruby/object:Gem::Dependency
+  name: net-ssh
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.1.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 6.1.0
+description: A tool to checkout, build, and deploy projects using Git, Docker, and
+  Kubernetes
+email: steve@record360.com
+executables:
+- rops
+extensions: []
+extra_rdoc_files: []
+files:
+- Gemfile
+- Gemfile.lock
+- LICENSE
+- README.md
+- bin/rops
+- lib/core_ext.rb
+- lib/deployer.rb
+- lib/git_ext.rb
+- lib/image.rb
+homepage: https://github.com/Record360/rops
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key:
+specification_version: 4
+summary: Record360 Operations tool
+test_files: []