Krane global deploy

lib/krane/cli/global_deploy_command.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Krane
+  module CLI
+    class GlobalDeployCommand
+      DEFAULT_DEPLOY_TIMEOUT = '300s'
+      OPTIONS = {
+        "filenames" => { type: :string, banner: '/tmp/my-resource.yml', aliases: :f, required: true,
+                         desc: "Path to file or directory that contains the configuration to apply" },
+        "global-timeout" => { type: :string, banner: "duration", default: DEFAULT_DEPLOY_TIMEOUT,
+                              desc: "Max duration to monitor workloads correctly deployed" },
+        "verify-result" => { type: :boolean, default: true,
+                             desc: "Verify workloads correctly deployed" },
+        "selector" => { type: :string, banner: "'label=value'", required: true,
+                        desc: "Select workloads by selector(s)" },
+      }
+
+      def self.from_options(context, options)
+        require 'krane/global_deploy_task'
+        require 'kubernetes-deploy/options_helper'
+        require 'kubernetes-deploy/label_selector'
+
+        selector = KubernetesDeploy::LabelSelector.parse(options[:selector])
+
+        KubernetesDeploy::OptionsHelper.with_processed_template_paths([options[:filenames]],
+          require_explicit_path: true) do |paths|
+          deploy = ::Krane::GlobalDeployTask.new(
+            context: context,
+            current_sha: ENV["REVISION"],
+            template_paths: paths,
+            max_watch_seconds: KubernetesDeploy::DurationParser.new(options["global-timeout"]).parse!.to_i,
+            selector: selector,
+          )
+
+          deploy.run!(
+            verify_result: options["verify-result"],
+            prune: false,
+          )
+        end
+      end
+    end
+  end
+end

lib/krane/cli/krane.rb

@@ -7,6 +7,7 @@
 require 'krane/cli/run_command'
 require 'krane/cli/render_command'
 require 'krane/cli/deploy_command'
+require 'krane/cli/global_deploy_command'
 
 module Krane
   module CLI
@@ -58,6 +59,14 @@ def deploy(namespace, context)
         end
       end
 
+      desc("global-deploy CONTEXT", "Ship global resources to a cluster")
+      expand_options(GlobalDeployCommand::OPTIONS)
+      def global_deploy(context)
+        rescue_and_exit do
+          GlobalDeployCommand.from_options(context, options)
+        end
+      end
+
       def self.exit_on_failure?
         true
       end

lib/krane/global_deploy_task.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+require 'kubernetes-deploy/deploy_task'
+require 'kubernetes-deploy/global_deploy_task_config_validator'
+
+module Krane
+  class GlobalDeployTask < KubernetesDeploy::DeployTask
+    def initialize(**args)
+      super(args.merge(allow_globals: true))
+    end
+
+    def run!(**args)
+      super(args.merge(task_config_validator: KubernetesDeploy::GlobalDeployTaskConfigValidator))
+    end
+  end
+end

lib/kubernetes-deploy/cluster_resource_discovery.rb

@@ -23,7 +23,8 @@ def global_resource_kinds
     private
 
     def fetch_globals
-      raw, _, st = kubectl.run("api-resources", "--namespaced=false", output: "wide", attempts: 5)
+      raw, _, st = kubectl.run("api-resources", "--namespaced=false", output: "wide",
+        attempts: 5, use_namespace: false)
       if st.success?
         rows = raw.split("\n")
         header = rows[0]
@@ -42,7 +43,8 @@ def fetch_globals
     end
 
     def fetch_crds
-      raw_json, _, st = kubectl.run("get", "CustomResourceDefinition", output: "json", attempts: 5)
+      raw_json, _, st = kubectl.run("get", "CustomResourceDefinition", output: "json",
+        attempts: 5, use_namespace: false)
       if st.success?
         JSON.parse(raw_json)["items"]
       else

lib/kubernetes-deploy/deploy_task.rb

@@ -122,15 +122,15 @@ def server_version
     # @param protected_namespaces [Array<String>] Array of protected Kubernetes namespaces (defaults
     #   to KubernetesDeploy::DeployTask::PROTECTED_NAMESPACES)
     # @param render_erb [Boolean] Enable ERB rendering
-    def initialize(namespace:, context:, current_sha:, logger: nil, kubectl_instance: nil, bindings: {},
+    def initialize(namespace: nil, context:, current_sha:, logger: nil, kubectl_instance: nil, bindings: {},
       max_watch_seconds: nil, selector: nil, template_paths: [], template_dir: nil, protected_namespaces: nil,
       render_erb: true, allow_globals: false)
       template_dir = File.expand_path(template_dir) if template_dir
       template_paths = (template_paths.map { |path| File.expand_path(path) } << template_dir).compact
 
       @logger = logger || KubernetesDeploy::FormattedLogger.build(namespace, context)
       @template_sets = TemplateSets.from_dirs_and_files(paths: template_paths, logger: @logger)
-      @task_config = KubernetesDeploy::TaskConfig.new(context, namespace, @logger)
+      @task_config = KubernetesDeploy::TaskConfig.new(context, namespace, @logger, allow_globals && namespace.blank?)
       @bindings = bindings
       @namespace = namespace
       @namespace_tags = []
@@ -161,14 +161,17 @@ def run(*args)
     # @param prune [Boolean] Enable deletion of resources that do not appear in the template dir
     #
     # @return [nil]
-    def run!(verify_result: true, allow_protected_ns: false, prune: true)
+    def run!(verify_result: true, allow_protected_ns: false, prune: true,
+      task_config_validator: DeployTaskConfigValidator)
       start = Time.now.utc
       @logger.reset
 
       @logger.phase_heading("Initializing deploy")
-      validate_configuration(allow_protected_ns: allow_protected_ns, prune: prune)
+      validator = validate_configuration(allow_protected_ns: allow_protected_ns, prune: prune,
+        task_config_validator: task_config_validator)
+
       resources = discover_resources
-      validate_resources(resources)
+      validate_resources(resources, validator)
 
       @logger.phase_heading("Checking initial resource statuses")
       check_initial_status(resources)
@@ -280,7 +283,9 @@ def predeploy_priority_resources(resource_list)
     end
     measure_method(:predeploy_priority_resources, 'priority_resources.duration')
 
-    def validate_resources(resources)
+    def validate_resources(resources, validator)
+      validator.validate_resources(resources, @allow_globals)
+
       KubernetesDeploy::Concurrency.split_across_threads(resources) do |r|
         r.validate_definition(kubectl, selector: @selector)
       end
@@ -298,28 +303,9 @@ def validate_resources(resources)
         end
         raise FatalDeploymentError, "Template validation failed"
       end
-      validate_globals(resources)
     end
     measure_method(:validate_resources)
 
-    def validate_globals(resources)
-      return unless (global = resources.select(&:global?).presence)
-      global_names = global.map do |resource|
-        "#{resource.name} (#{resource.type}) in #{File.basename(resource.file_path)}"
-      end
-      global_names = FormattedLogger.indent_four(global_names.join("\n"))
-
-      if @allow_globals
-        msg = "The ability for this task to deploy global resources will be removed in the next version,"\
-              " which will affect the following resources:"
-        msg += "\n#{global_names}"
-        @logger.summary.add_paragraph(ColorizedString.new(msg).yellow)
-      else
-        @logger.summary.add_paragraph(ColorizedString.new("Global resources:\n#{global_names}").yellow)
-        raise FatalDeploymentError, "This command is namespaced and cannot be used to deploy global resources."
-      end
-    end
-
     def check_initial_status(resources)
       cache = ResourceCache.new(@task_config)
       KubernetesDeploy::Concurrency.split_across_threads(resources) { |r| r.sync(cache) }
@@ -375,8 +361,8 @@ def record_warnings(warning:, filename:)
       @logger.summary.add_paragraph(ColorizedString.new(warn_msg).yellow)
     end
 
-    def validate_configuration(allow_protected_ns:, prune:)
-      task_config_validator = DeployTaskConfigValidator.new(@protected_namespaces, allow_protected_ns, prune,
+    def validate_configuration(allow_protected_ns:, prune:, task_config_validator:)
+      task_config_validator = task_config_validator.new(@protected_namespaces, allow_protected_ns, prune,
         @task_config, kubectl, kubeclient_builder)
       errors = []
       errors += task_config_validator.errors
@@ -391,6 +377,7 @@ def validate_configuration(allow_protected_ns:, prune:)
       @logger.info("Using resource selector #{@selector}") if @selector
       @namespace_tags |= tags_from_namespace_labels
       @logger.info("All required parameters and files are present")
+      task_config_validator
     end
     measure_method(:validate_configuration)
 
@@ -474,7 +461,8 @@ def apply_all(resources, prune)
         end
 
         output_is_sensitive = resources.any?(&:sensitive_template_content?)
-        out, err, st = kubectl.run(*command, log_failure: false, output_is_sensitive: output_is_sensitive)
+        out, err, st = kubectl.run(*command, log_failure: false, output_is_sensitive: output_is_sensitive,
+        use_namespace: !@task_config.global_mode)
 
         if st.success?
           log_pruning(out) if prune
@@ -555,13 +543,7 @@ def find_bad_files_from_kubectl_output(line)
     end
 
     def namespace_definition
-      @namespace_definition ||= begin
-        definition, _err, st = kubectl.run("get", "namespace", @namespace, use_namespace: false,
-          log_failure: true, raise_if_not_found: true, attempts: 3, output: 'json')
-        st.success? ? JSON.parse(definition, symbolize_names: true) : nil
-      end
-    rescue Kubectl::ResourceNotFoundError
-      nil
+      @task_config.namespace_definition
     end
 
     # make sure to never prune the ejson-keys secret

lib/kubernetes-deploy/deploy_task_config_validator.rb

@@ -9,6 +9,24 @@ def initialize(protected_namespaces, allow_protected_ns, prune, *arguments)
       @validations += %i(validate_protected_namespaces)
     end
 
+    def validate_resources(resources, allow_globals)
+      return unless (global = resources.select(&:global?).presence)
+      global_names = global.map do |resource|
+        "#{resource.name} (#{resource.type}) in #{File.basename(resource.file_path)}"
+      end
+      global_names = FormattedLogger.indent_four(global_names.join("\n"))
+
+      if allow_globals
+        msg = "The ability for this task to deploy global resources will be removed in the next version,"\
+              " which will affect the following resources:"
+        msg += "\n#{global_names}"
+        logger.summary.add_paragraph(ColorizedString.new(msg).yellow)
+      else
+        logger.summary.add_paragraph(ColorizedString.new("Global resources:\n#{global_names}").yellow)
+        raise FatalDeploymentError, "This command is namespaced and cannot be used to deploy global resources."
+      end
+    end
+
     private
 
     def validate_protected_namespaces

lib/kubernetes-deploy/global_deploy_task_config_validator.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+module KubernetesDeploy
+  class GlobalDeployTaskConfigValidator < TaskConfigValidator
+    def initialize(protected_namespaces, allow_protected_ns, prune, *arguments)
+      super(*arguments, skip: [:validate_namespace_exists])
+      @protected_namespaces = protected_namespaces
+      @allow_protected_ns = allow_protected_ns
+      @prune = prune
+    end
+
+    def validate_resources(resources, _)
+      return unless (namespaced = resources.reject(&:global?).presence)
+      namespaced_names = namespaced.map do |resource|
+        "#{resource.name} (#{resource.type}) in #{File.basename(resource.file_path)}"
+      end
+      namespaced_names = KubernetesDeploy::FormattedLogger.indent_four(namespaced_names.join("\n"))
+
+      logger.summary.add_paragraph(ColorizedString.new("Namespaced resources:\n#{namespaced_names}").yellow)
+      raise KubernetesDeploy::FatalDeploymentError, "Deploying namespaced resource is not allowed from this command."
+    end
+  end
+end

lib/kubernetes-deploy/kubernetes_resource.rb

@@ -317,7 +317,7 @@ def debug_message(cause = nil, info_hash = {})
     def fetch_events(kubectl)
       return {} unless exists?
       out, _err, st = kubectl.run("get", "events", "--output=go-template=#{Event.go_template_for(type, name)}",
-        log_failure: false)
+        log_failure: false, use_namespace: !global?)
       return {} unless st.success?
 
       event_collector = Hash.new { |hash, key| hash[key] = [] }
@@ -500,7 +500,7 @@ def validate_spec_with_kubectl(kubectl)
     def validate_with_dry_run_option(kubectl, dry_run_option)
       command = ["apply", "-f", file_path, dry_run_option, "--output=name"]
       kubectl.run(*command, log_failure: false, output_is_sensitive: sensitive_template_content?,
-                               retry_whitelist: [:client_timeout], attempts: 3)
+                               retry_whitelist: [:client_timeout], attempts: 3, use_namespace: !global?)
     end
 
     def labels

lib/kubernetes-deploy/resource_cache.rb

@@ -4,7 +4,7 @@
 
 module KubernetesDeploy
   class ResourceCache
-    delegate :namespace, :context, :logger, to: :@task_config
+    delegate :namespace, :context, :logger, :global_mode, to: :@task_config
 
     def initialize(task_config)
       @task_config = task_config
@@ -53,7 +53,7 @@ def fetch_by_kind(kind)
       resource_class = KubernetesResource.class_for_kind(kind)
       output_is_sensitive = resource_class.nil? ? false : resource_class::SENSITIVE_TEMPLATE_CONTENT
       raw_json, _, st = @kubectl.run("get", kind, "--chunk-size=0", attempts: 5, output: "json",
-         output_is_sensitive: output_is_sensitive)
+         output_is_sensitive: output_is_sensitive, use_namespace: !global_mode)
       raise KubectlError unless st.success?
 
       instances = {}

lib/kubernetes-deploy/task_config.rb

@@ -1,12 +1,14 @@
 # frozen_string_literal: true
 module KubernetesDeploy
   class TaskConfig
-    attr_reader :context, :namespace
+    attr_reader :context, :namespace, :global_mode
+    attr_accessor :namespace_definition
 
-    def initialize(context, namespace, logger = nil)
+    def initialize(context, namespace, logger = nil, global_mode = false)
       @context = context
       @namespace = namespace
       @logger = logger
+      @global_mode = global_mode
     end
 
     def logger

lib/kubernetes-deploy/task_config_validator.rb

@@ -11,12 +11,12 @@ class TaskConfigValidator
 
     delegate :context, :namespace, :logger, to: :@task_config
 
-    def initialize(task_config, kubectl, kubeclient_builder, only: nil)
+    def initialize(task_config, kubectl, kubeclient_builder, only: nil, skip: [])
       @task_config = task_config
       @kubectl = kubectl
       @kubeclient_builder = kubeclient_builder
       @errors = nil
-      @validations = only || DEFAULT_VALIDATIONS
+      @validations = (only || DEFAULT_VALIDATIONS) - skip
     end
 
     def valid?
@@ -70,10 +70,12 @@ def validate_namespace_exists
         return @errors << "Namespace can not be blank"
       end
 
-      _, err, st = @kubectl.run("get", "namespace", "-o", "name", namespace,
-        use_namespace: false, log_failure: false)
+      definition, err, st = @kubectl.run("get", "namespace", namespace,
+        use_namespace: false, log_failure: false, attempts: 3, output: 'json')
 
-      unless st.success?
+      if st.success?
+        @task_config.namespace_definition = JSON.parse(definition, symbolize_names: true)
+      else
         @errors << if err.match("Error from server [(]NotFound[)]: namespace")
           "Could not find Namespace: #{namespace} in Context: #{context}"
         else