tobsch-krane 1.0.0

data/lib/krane/deploy_task_config_validator.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+module Krane
+  class DeployTaskConfigValidator < TaskConfigValidator
+    def initialize(protected_namespaces, prune, *arguments)
+      super(*arguments)
+      @protected_namespaces = protected_namespaces
+      @allow_protected_ns = !protected_namespaces.empty?
+      @prune = prune
+      @validations += %i(validate_protected_namespaces)
+    end
+
+    private
+
+    def validate_protected_namespaces
+      if @protected_namespaces.include?(namespace)
+        if @allow_protected_ns && @prune
+          @errors << "Refusing to deploy to protected namespace '#{namespace}' with pruning enabled"
+        elsif @allow_protected_ns
+          logger.warn("You're deploying to protected namespace #{namespace}, which cannot be pruned.")
+          logger.warn("Existing resources can only be removed manually with kubectl. " \
+            "Removing templates from the set deployed will have no effect.")
+          logger.warn("***Please do not deploy to #{namespace} unless you really know what you are doing.***")
+        else
+          @errors << "Refusing to deploy to protected namespace '#{namespace}'"
+        end
+      end
+    end
+  end
+end

data/lib/krane/duration_parser.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+require 'active_support/duration'
+
+module Krane
+  # This class is a less strict extension of ActiveSupport::Duration::ISO8601Parser.
+  # In addition to full ISO8601 durations, it can parse unprefixed ISO8601 time components (e.g. '1H').
+  # It is also case-insensitive.
+  # For example, this class considers the values "1H", "1h" and "PT1H" to be valid and equivalent.
+  class DurationParser
+    class ParsingError < ArgumentError; end
+
+    def initialize(value)
+      @iso8601_str = value.to_s.strip.upcase
+    end
+
+    def parse!
+      ActiveSupport::Duration.parse("PT#{@iso8601_str}") # By default assume it is just a time component
+    rescue ActiveSupport::Duration::ISO8601Parser::ParsingError
+      begin
+        ActiveSupport::Duration.parse(@iso8601_str)
+      rescue ActiveSupport::Duration::ISO8601Parser::ParsingError => e
+        raise ParsingError, e.message
+      end
+    end
+  end
+end

data/lib/krane/ejson_secret_provisioner.rb

@@ -0,0 +1,154 @@
+# frozen_string_literal: true
+require 'json'
+require 'base64'
+require 'open3'
+require 'krane/kubectl'
+
+module Krane
+  class EjsonSecretError < FatalDeploymentError
+    def initialize(msg)
+      super("Generation of Kubernetes secrets from ejson failed: #{msg}")
+    end
+  end
+
+  class EjsonSecretProvisioner
+    EJSON_SECRET_ANNOTATION = "kubernetes-deploy.shopify.io/ejson-secret"
+    EJSON_SECRET_KEY = "kubernetes_secrets"
+    EJSON_SECRETS_FILE = "secrets.ejson"
+    EJSON_KEYS_SECRET = "ejson-keys"
+    delegate :namespace, :context, :logger, to: :@task_config
+
+    def initialize(task_config:, ejson_keys_secret:, ejson_file:, statsd_tags:, selector: nil)
+      @ejson_keys_secret = ejson_keys_secret
+      @ejson_file = ejson_file
+      @statsd_tags = statsd_tags
+      @selector = selector
+      @task_config = task_config
+      @kubectl = Kubectl.new(
+        task_config: @task_config,
+        log_failure_by_default: false,
+        output_is_sensitive_default: true # output may contain ejson secrets
+      )
+    end
+
+    def resources
+      @resources ||= build_secrets
+    end
+
+    private
+
+    def build_secrets
+      unless @ejson_keys_secret
+        raise EjsonSecretError, "Secret #{EJSON_KEYS_SECRET} not provided, cannot decrypt secrets"
+      end
+      return [] unless File.exist?(@ejson_file)
+      with_decrypted_ejson do |decrypted|
+        secrets = decrypted[EJSON_SECRET_KEY]
+        unless secrets.present?
+          logger.warn("#{EJSON_SECRETS_FILE} does not have key #{EJSON_SECRET_KEY}."\
+            "No secrets will be created.")
+          return []
+        end
+
+        secrets.map do |secret_name, secret_spec|
+          validate_secret_spec(secret_name, secret_spec)
+          resource = generate_secret_resource(secret_name, secret_spec["_type"], secret_spec["data"])
+          resource.validate_definition(@kubectl)
+          if resource.validation_failed?
+            raise EjsonSecretError, "Resulting resource Secret/#{secret_name} failed validation"
+          end
+          resource
+        end
+      end
+    end
+
+    def encrypted_ejson
+      @encrypted_ejson ||= load_ejson_from_file
+    end
+
+    def public_key
+      encrypted_ejson["_public_key"]
+    end
+
+    def private_key
+      @private_key ||= fetch_private_key_from_secret
+    end
+
+    def validate_secret_spec(secret_name, spec)
+      errors = []
+      errors << "secret type unspecified" if spec["_type"].blank?
+      errors << "no data provided" if spec["data"].blank?
+
+      unless errors.empty?
+        raise EjsonSecretError, "Ejson incomplete for secret #{secret_name}: #{errors.join(', ')}"
+      end
+    end
+
+    def generate_secret_resource(secret_name, secret_type, data)
+      unless data.is_a?(Hash) && data.values.all? { |v| v.is_a?(String) } # Secret data is map[string]string
+        raise EjsonSecretError, "Data for secret #{secret_name} was invalid. Only key-value pairs are permitted."
+      end
+      encoded_data = data.each_with_object({}) do |(key, value), encoded|
+        # Leading underscores in ejson keys are used to skip encryption of the associated value
+        # To support this ejson feature, we need to exclude these leading underscores from the secret's keys
+        secret_key = key.sub(/\A_/, '')
+        encoded[secret_key] = Base64.strict_encode64(value)
+      end
+
+      labels = { "name" => secret_name }
+      labels.reverse_merge!(@selector.to_h) if @selector
+
+      secret = {
+        'kind' => 'Secret',
+        'apiVersion' => 'v1',
+        'type' => secret_type,
+        'metadata' => {
+          "name" => secret_name,
+          "labels" => labels,
+          "namespace" => namespace,
+          "annotations" => { EJSON_SECRET_ANNOTATION => "true" },
+        },
+        "data" => encoded_data,
+      }
+
+      Krane::Secret.build(
+        namespace: namespace, context: context, logger: logger, definition: secret, statsd_tags: @statsd_tags,
+      )
+    end
+
+    def load_ejson_from_file
+      return {} unless File.exist?(@ejson_file)
+      JSON.parse(File.read(@ejson_file))
+    end
+
+    def with_decrypted_ejson
+      return unless File.exist?(@ejson_file)
+
+      Dir.mktmpdir("ejson_keydir") do |key_dir|
+        File.write(File.join(key_dir, public_key), private_key)
+        decrypted = decrypt_ejson(key_dir)
+        yield decrypted
+      end
+    end
+
+    def decrypt_ejson(key_dir)
+      # ejson seems to dump both errors and output to STDOUT
+      out_err, st = Open3.capture2e("EJSON_KEYDIR=#{key_dir} ejson decrypt #{@ejson_file}")
+      raise EjsonSecretError, out_err unless st.success?
+      JSON.parse(out_err)
+    rescue JSON::ParserError
+      raise EjsonSecretError, "Failed to parse decrypted ejson"
+    end
+
+    def fetch_private_key_from_secret
+      encoded_private_key = @ejson_keys_secret["data"][public_key]
+      unless encoded_private_key
+        raise EjsonSecretError, "Private key for #{public_key} not found in #{EJSON_KEYS_SECRET} secret"
+      end
+
+      Base64.decode64(encoded_private_key)
+    rescue Kubectl::ResourceNotFoundError
+      raise EjsonSecretError, "Secret/#{EJSON_KEYS_SECRET} is required to decrypt EJSON and could not be found"
+    end
+  end
+end

data/lib/krane/errors.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Krane
+  class FatalDeploymentError < StandardError; end
+  class FatalKubeAPIError < FatalDeploymentError; end
+  class KubectlError < StandardError; end
+  class TaskConfigurationError < FatalDeploymentError; end
+
+  class InvalidTemplateError < FatalDeploymentError
+    attr_reader :content
+    attr_accessor :filename
+    def initialize(err, filename: nil, content: nil)
+      @filename = filename
+      @content = content
+      super(err)
+    end
+  end
+
+  class DeploymentTimeoutError < FatalDeploymentError; end
+
+  class EjsonPrunableError < FatalDeploymentError
+    def initialize
+      super("Found #{KubernetesResource::LAST_APPLIED_ANNOTATION} annotation on " \
+          "#{EjsonSecretProvisioner::EJSON_KEYS_SECRET} secret. " \
+          "krane will not continue since it is extremely unlikely that this secret should be pruned.")
+    end
+  end
+end

data/lib/krane/formatted_logger.rb

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+require 'logger'
+require 'colorized_string'
+require 'krane/deferred_summary_logging'
+
+module Krane
+  class FormattedLogger < Logger
+    include DeferredSummaryLogging
+
+    def self.indent_four(str)
+      "    " + str.to_s.gsub("\n", "\n    ")
+    end
+
+    def self.build(namespace = nil, context = nil, stream = $stderr, verbose_prefix: false)
+      l = new(stream)
+      l.level = level_from_env
+
+      middle = if verbose_prefix
+        if namespace.blank?
+          raise ArgumentError, 'Must pass a namespace if logging verbosely'
+        end
+        if context.blank?
+          raise ArgumentError, 'Must pass a context if logging verbosely'
+        end
+
+        "[#{context}][#{namespace}]"
+      end
+
+      l.formatter = proc do |severity, datetime, _progname, msg|
+        colorized_line = ColorizedString.new("[#{severity}][#{datetime}]#{middle}\t#{msg}\n")
+
+        case severity
+        when "FATAL"
+          ColorizedString.new("[#{severity}][#{datetime}]#{middle}\t").red + "#{msg}\n"
+        when "ERROR"
+          colorized_line.red
+        when "WARN"
+          colorized_line.yellow
+        else
+          colorized_line
+        end
+      end
+      l
+    end
+
+    def self.level_from_env
+      return ::Logger::DEBUG if ENV["DEBUG"]
+
+      if ENV["LEVEL"]
+        ::Logger.const_get(ENV["LEVEL"].upcase)
+      else
+        ::Logger::INFO
+      end
+    end
+    private_class_method :level_from_env
+  end
+end

data/lib/krane/global_deploy_task.rb

@@ -0,0 +1,210 @@
+# frozen_string_literal: true
+require 'tempfile'
+
+require 'krane/common'
+require 'krane/concurrency'
+require 'krane/resource_cache'
+require 'krane/kubectl'
+require 'krane/kubeclient_builder'
+require 'krane/cluster_resource_discovery'
+require 'krane/template_sets'
+require 'krane/resource_deployer'
+require 'krane/kubernetes_resource'
+require 'krane/global_deploy_task_config_validator'
+require 'krane/concerns/template_reporting'
+
+%w(
+  custom_resource
+  custom_resource_definition
+).each do |subresource|
+  require "krane/kubernetes_resource/#{subresource}"
+end
+
+module Krane
+  # Ship global resources to a context
+  class GlobalDeployTask
+    extend Krane::StatsD::MeasureMethods
+    include TemplateReporting
+    delegate :context, :logger, :global_kinds, to: :@task_config
+
+    # Initializes the deploy task
+    #
+    # @param context [String] Kubernetes context (*required*)
+    # @param global_timeout [Integer] Timeout in seconds
+    # @param selector [Hash] Selector(s) parsed by Krane::LabelSelector (*required*)
+    # @param filenames [Array<String>] An array of filenames and/or directories containing templates (*required*)
+    def initialize(context:, global_timeout: nil, selector: nil, filenames: [], logger: nil)
+      template_paths = filenames.map { |path| File.expand_path(path) }
+
+      @task_config = TaskConfig.new(context, nil, logger)
+      @template_sets = TemplateSets.from_dirs_and_files(paths: template_paths,
+        logger: @task_config.logger, render_erb: false)
+      @global_timeout = global_timeout
+      @selector = selector
+    end
+
+    # Runs the task, returning a boolean representing success or failure
+    #
+    # @return [Boolean]
+    def run(*args)
+      run!(*args)
+      true
+    rescue FatalDeploymentError
+      false
+    end
+
+    # Runs the task, raising exceptions in case of issues
+    #
+    # @param verify_result [Boolean] Wait for completion and verify success
+    # @param prune [Boolean] Enable deletion of resources that match the provided
+    #  selector and do not appear in the template dir
+    #
+    # @return [nil]
+    def run!(verify_result: true, prune: true)
+      start = Time.now.utc
+      logger.reset
+
+      logger.phase_heading("Initializing deploy")
+      validate_configuration
+      resources = discover_resources
+      validate_resources(resources)
+
+      logger.phase_heading("Checking initial resource statuses")
+      check_initial_status(resources)
+
+      logger.phase_heading("Deploying all resources")
+      deploy!(resources, verify_result, prune)
+
+      StatsD.client.event("Deployment succeeded",
+        "Successfully deployed all resources to #{context}",
+        alert_type: "success", tags: statsd_tags + %w(status:success))
+      StatsD.client.distribution('all_resources.duration', StatsD.duration(start),
+        tags: statsd_tags << "status:success")
+      logger.print_summary(:success)
+    rescue Krane::DeploymentTimeoutError
+      logger.print_summary(:timed_out)
+      StatsD.client.event("Deployment timed out",
+        "One or more resources failed to deploy to #{context} in time",
+        alert_type: "error", tags: statsd_tags + %w(status:timeout))
+      StatsD.client.distribution('all_resources.duration', StatsD.duration(start),
+        tags: statsd_tags << "status:timeout")
+      raise
+    rescue Krane::FatalDeploymentError => error
+      logger.summary.add_action(error.message) if error.message != error.class.to_s
+      logger.print_summary(:failure)
+      StatsD.client.event("Deployment failed",
+        "One or more resources failed to deploy to #{context}",
+        alert_type: "error", tags: statsd_tags + %w(status:failed))
+      StatsD.client.distribution('all_resources.duration', StatsD.duration(start),
+        tags: statsd_tags << "status:failed")
+      raise
+    end
+
+    private
+
+    def deploy!(resources, verify_result, prune)
+      resource_deployer = ResourceDeployer.new(task_config: @task_config,
+        prune_whitelist: prune_whitelist, global_timeout: @global_timeout,
+        selector: @selector, statsd_tags: statsd_tags)
+      resource_deployer.deploy!(resources, verify_result, prune)
+    end
+
+    def validate_configuration
+      task_config_validator = GlobalDeployTaskConfigValidator.new(@task_config,
+        kubectl, kubeclient_builder)
+      errors = []
+      errors += task_config_validator.errors
+      errors += @template_sets.validate
+      errors << "Selector is required" unless @selector.to_h.present?
+      unless errors.empty?
+        add_para_from_list(logger: logger, action: "Configuration invalid", enum: errors)
+        raise TaskConfigurationError
+      end
+
+      logger.info("Using resource selector #{@selector}")
+      logger.info("All required parameters and files are present")
+    end
+    measure_method(:validate_configuration)
+
+    def validate_resources(resources)
+      validate_globals(resources)
+
+      Concurrency.split_across_threads(resources) do |r|
+        r.validate_definition(@kubectl, selector: @selector)
+      end
+
+      resources.select(&:has_warnings?).each do |resource|
+        record_warnings(logger: logger, warning: resource.validation_warning_msg,
+          filename: File.basename(resource.file_path))
+      end
+
+      failed_resources = resources.select(&:validation_failed?)
+      if failed_resources.present?
+        failed_resources.each do |r|
+          content = File.read(r.file_path) if File.file?(r.file_path) && !r.sensitive_template_content?
+          record_invalid_template(logger: logger, err: r.validation_error_msg,
+            filename: File.basename(r.file_path), content: content)
+        end
+        raise FatalDeploymentError, "Template validation failed"
+      end
+    end
+    measure_method(:validate_resources)
+
+    def validate_globals(resources)
+      return unless (namespaced = resources.reject(&:global?).presence)
+      namespaced_names = namespaced.map do |resource|
+        "#{resource.name} (#{resource.type}) in #{File.basename(resource.file_path)}"
+      end
+      namespaced_names = FormattedLogger.indent_four(namespaced_names.join("\n"))
+
+      logger.summary.add_paragraph(ColorizedString.new("Namespaced resources:\n#{namespaced_names}").yellow)
+      raise FatalDeploymentError, "This command cannot deploy namespaced resources. Use DeployTask instead."
+    end
+
+    def discover_resources
+      logger.info("Discovering resources:")
+      resources = []
+      crds_by_kind = cluster_resource_discoverer.crds.map { |crd| [crd.name, crd] }.to_h
+      @template_sets.with_resource_definitions do |r_def|
+        crd = crds_by_kind[r_def["kind"]]&.first
+        r = KubernetesResource.build(context: context, logger: logger, definition: r_def,
+          crd: crd, global_names: global_kinds, statsd_tags: statsd_tags)
+        resources << r
+        logger.info("  - #{r.id}")
+      end
+
+      resources.sort
+    rescue InvalidTemplateError => e
+      record_invalid_template(logger: logger, err: e.message, filename: e.filename, content: e.content)
+      raise FatalDeploymentError, "Failed to parse template"
+    end
+    measure_method(:discover_resources)
+
+    def cluster_resource_discoverer
+      @cluster_resource_discoverer ||= ClusterResourceDiscovery.new(task_config: @task_config)
+    end
+
+    def statsd_tags
+      %W(context:#{context})
+    end
+
+    def kubectl
+      @kubectl ||= Kubectl.new(task_config: @task_config, log_failure_by_default: true)
+    end
+
+    def kubeclient_builder
+      @kubeclient_builder ||= KubeclientBuilder.new
+    end
+
+    def prune_whitelist
+      cluster_resource_discoverer.prunable_resources(namespaced: false)
+    end
+
+    def check_initial_status(resources)
+      cache = ResourceCache.new(@task_config)
+      Concurrency.split_across_threads(resources) { |r| r.sync(cache) }
+      resources.each { |r| logger.info(r.pretty_status) }
+    end
+    measure_method(:check_initial_status, "initial_status.duration")
+  end
+end