Bug fixes
- Extend #886 to not only secrets but anything that doesn't match `failed to sync %s cache` #886. It seems an issue when too many pods are referencing the same secret/configmap kubernetes/kubernetes#74755, so instead of failing fast, it'll now let the resources attempt to succeed.
- Add missing unit test for above feature.
Bug fixes
- Do not fail fast for CreateContainerConfigError when the message includes issues mounting the secret, to let the pods be recreated and possibly succeed #885
Enhancements
- Improve DaemonSet rollout by ignoring `Evicted` Pods #883
Enhancements
- Improve DaemonSet rollout #881
Bug fixes
- Resolve errors for StatefulSet restart with `updateStrategy: OnDelete` #876
- Timeouts during the "predeploy priority resources" phase now raise `DeploymentTimeoutError` instead of `FatalDeploymentError` #874
Enhancements
- Support restart task for stateful sets that use the `OnDelete` strategy #840
- Make `krane render` produce output in a deterministic order #871
Other
- Remove buildkite #869
Enhancements
- Ensure deploy tasks fail without at least one non-empty resource #865
Other
- Remove Ruby 2.6 and K8s < 1.19 from the CI testing matrix. All fixtures have been updated to be compatible with K8s 1.22+.
- isolated_execution_state active_support require for Rails 7+
- Update kubeclient for better Ruby 3.1 compatibility.
- Psych 4 compatibility
- Fix for CVE-2021-41817. See ServicesDB action item here.
- Another Psych 4.0 compatibility fix #844
- Fix compatibility with Psych 4.0 #843
- Fix a bug in RestartTask where a NoMethodError is thrown if any of the target resources do not have annotations #841
- Restart tasks now support restarting StatefulSets and DaemonSets, in addition to Deployments #836
Enhancements
- Add a new option `--selector-as-filter` to command `krane deploy` and `krane global-deploy` #831
Bug Fixes
- Don't gather prunable resources by calling uniq only on `kind`: use `group` as well. Otherwise certain resources may not be added to the prune whitelist if the same kind exists across multiple groups #825
- Fix resource discovery failures when API paths are not located at the root of the API server (this occurs, for example, when using Rancher proxy) #827
Other
- Fix ERB deprecation of positional arguments #828
Other
- Don't package screenshots in the built gem to reduce size #817
Other
- Change `statsd-instrument` dependency constraint to `< 4` #815
Enhancements
- ENV["KRANE_LOG_LINE_LIMIT"] allows the number of container logs printed for failures to be configurable from the 25 line default #803.
Other
- Remove the overly tight timeout on cluster resource discovery, which was causing too many timeouts in high latency environments #813
Enhancements
- Remove the need for a hard coded GVK override list via improvements to cluster discovery #778
Bug Fixes
- Remove resources that are targeted by side-effect-inducing mutating admission webhooks from the serverside dry run batch #798
- Fix bug where the wrong dry-run flag is used for kubectl if client version is below 1.18 AND server version is 1.18+ #793.
Enhancements
- Attempt to batch run server-side apply in validation phase instead of dry-running each resource individually #781.
- Evaluate progress condition only after progress deadline seconds have passed since deploy invocation #765.
Other
- Dropped support for Ruby 2.5 due to EoL. #782.
- Only patch JSON when run as CLI, not as library #779.
- Add version exception for ServiceNetworkEndpointGroup (GKE resource) #768
- Kubernetes 1.14 and lower is no longer officially supported as of this version (#766)
- Add version exception for FrontendConfig (GKE resource) #761
Bug Fixes
- Fix the way environment variables are passed into the EJSON decryption invocation #759
Features
- (experimental) Override deploy method via annotation. This feature is considered alpha and should not be considered stable #753
Enhancements
- Increased the number of attempts on kubectl commands during Initializing deploy phase #749
- Increased attempts on kubectl apply command during deploy #751
- Whitelist context deadline error during kubectl dry run #754
- Allow specifying a kubeconfig per task in the internal API #746
Breaking Changes
- Remove kubernetes deploy annotation prefix #738
Bug Fixes
- Always set a deployment_id, even if the current_sha isn't set #730
- YAML string scalars with scientific/e-notation numeric format not properly quoted. #740
Bug Fixes
- Properly look up constant on Krane namespace. #720
Enhancements
- Allow to configure `image_tag` when using task runner. #719
Bug Fixes
- Retry dry-run validation when no error is returned. #705
- Stop deploys if ClusterResourceDiscovery's kubectl calls fail. #701
Other
- Dropped support for Ruby 2.4 since it will be EoL shortly. #693.
- Ruby 2.7 support: fix deprecation warnings, add testing. #710
Enhancements
- Don't treat `containerCannotRun` termination reason as a fatal deploy failure, since it is usually transient. #694
Bug Fixes
- Help ruby correctly identify kubectl output encoding. #646
- Add an override for Job kind for version `batch/v2alpha1` #696
Other
- `--stdin` flag is deprecated. To read from STDIN, use `-f -` (can be combined with other files/directories) #684.
- Reduces the number of container logs printed for failures from 250 to 25 to reduce noise. #676
- Remove hardcoded cloudsql class. #680
Enhancements
- Detect and handle case when webhook prevents server-dry-run. #663
- Deploy CustomResources after most other resources in the priority deploy phase. #672
Bug Fixes
- Prints the correct argument name in error message. #660
- Fix mistakes in README.md #664, #659, & #668
- Restores the default value of the `--verbose-log-prefix` flag on `krane deploy` to false. #673
Other
- Relax dependency requirements. #657
Bug Fixes
- Fix a bug causing secret generation from ejson to fail when decryption succeeded but a warning was also emitted. #647
Enhancements
- Warm the ResourceCache before running resource.sync to improve sync performance. (#603)
We've renamed the gem and cli to Krane. See our migration guide to help navigate the breaking changes.
Enhancements
Important!
- This is the final release of KubernetesDeploy. Version 1.0.0 will be released under the name `Krane`. We've added a migration guide to help make it easier to migrate. (#607)
Enhancements
- (beta) `krane deploy` will now consider all namespaced resources eligible for pruning and does not respect the `krane.shopify.io/prunable` annotation. This adds 5 additional types: Endpoints, Event, LimitRange, ReplicationController, and Lease. (#616)
- (beta) Added the `--stdin` flag to `krane deploy|global-deploy|render` to read resources from stdin. (#630)
Bug Fixes
- Fix a scoping issue of ClusterResourceDiscovery where it was not visible to kubernetes-run, causing a crash. (#624)
Enhancements
- (alpha) Add a new krane global-deploy task for deploying global resources. Note that global pruning is turned on by default (#602 and #612)
- Add support for deploying resources that use `generateName` (#608)
- ENV["REVISION"] is not transparently passed into krane. Instead, you must now use the `--current-sha` flag to set the `current_sha` ERB binding in your templates. Note that kubernetes-deploy, but not krane, can still use ENV["REVISION"] as a fallback if `--current-sha` is not provided. (#613)
Bug Fixes
- `krane deploy` can accept multiple filenames with `-f` flag (#606)
- Ensure DaemonSet status has converged with pod statuses before reporting rollout success (#617)
Other
- Update references from using `kubernetes-deploy` to `krane` in preparation for 1.0 release (#585)
- Refactor StatsD usage so we can depend on the latest version again. (#594)
Enhancements
- [Breaking change] Added PersistentVolumeClaim to the prune whitelist. (#573)
  - To see what resources may be affected, run `kubectl get pvc -o jsonpath='{ range .items[*] }{.metadata.namespace}{ "\t" }{.metadata.name}{ "\t" }{.metadata.annotations}{ "\n" }{ end }' --all-namespaces | grep "last-applied"`
  - To exclude a resource from kubernetes-deploy (and kubectl apply) management, remove the last-applied annotation `kubectl annotate pvc $PVC_NAME kubectl.kubernetes.io/last-applied-configuration-`.
- Deploying global resources directly from `KubernetesDeploy::DeployTask` is disabled by default. You can use `allow_globals: true` to enable the old behavior. This will be disabled in the Krane version of the task, and a separate purpose-built task will be provided. #567
- Deployments to daemonsets now better tolerate autoscaling: nodes that appear mid-deploy aren't required for convergence. #580
Enhancements
- The KubernetesDeploy::RenderTask now supports a template_paths argument. (#555)
- We no longer hide errors from apply if all sensitive resources have passed server-dry-run validation. (#570)
Bug Fixes
- Handle improper duration values more elegantly with better messaging
Other
- We now require Ruby 2.4.x since Ruby 2.3 is past EoL.
- Lock statsd-instrument to 2.3.X due to breaking changes in 2.5.0
Enhancements
- Officially support Kubernetes 1.15 (#546)
- Make sure that we only declare a Service of type LoadBalancer as deployed after its IP address is published. #547
- Add more validations to `RunnerTask`. #554
- Validate secrets with `--server-dry-run` on supported clusters. #553
Bug Fixes
- Fix a bug in rendering where we failed to add a yaml doc separator (`---`) to an implicit document if there are multiple documents in the file. (#551)
Other
- Kubernetes 1.10 is no longer officially supported as of this version (#546)
- We've added a new Krane cli. This code is in alpha. We are providing no warranty at this time and reserve the right to make major breaking changes including removing it entirely at any time. (#256)
- Deprecate `kubernetes-deploy.shopify.io` annotations in favour of `krane.shopify.io` (#539)
Enhancements
- (alpha) Introduce a new `-f` flag for `kubernetes-deploy`. Allows passing in of multiple directories and/or filenames. Currently only usable by `kubernetes-deploy`, not `kubernetes-render`. #514
- Initial implementation of shared task validation objects. #533
- Restructure `require`s so that requiring a given task actually gives you the dependencies you need, and doesn't give what you don't need. #487
- [Breaking change] Added ServiceAccount, PodTemplate, ReplicaSet, Role, and RoleBinding to the prune whitelist.
  - To see what resources may be affected, run `kubectl get $RESOURCE -o jsonpath='{ range .items[*] }{.metadata.namespace}{ "\t" }{.metadata.name}{ "\t" }{.metadata.annotations}{ "\n" }{ end }' --all-namespaces | grep "last-applied"`
  - To exclude a resource from kubernetes-deploy (and kubectl apply) management, remove the last-applied annotation `kubectl annotate $RESOURCE $SECRET_NAME kubectl.kubernetes.io/last-applied-configuration-`.
Bug Fixes
- StatefulSets with 0 replicas explicitly specified don't fail deploy. #540
- Search all workloads if a Pod selector doesn't match any workloads when deploying a Service. #541
Other
- `EjsonSecretProvisioner#new` signature has changed. `EjsonSecretProvisioner` objects no longer have access to `kubectl`. Rather, the `ejson-keys` secret used for decryption is now passed in via the calling task. Note that we only consider the `new` and `run(!)` methods of tasks (render, deploy, etc) to have inviolable APIs, so we do not consider this change breaking. #514
Other
- Bump `googleauth` dependency. (#512)
Bug Fixes
- Re-enable support for YAML aliases when using YAML.safe_load #510
Bug Fixes
- Support 'volumeBindingMode: WaitForFirstConsumer' condition in StorageClass. #479
- Fix: Undefined method "merge" on LabelSelector. #488
Enhancements
- Officially support Kubernetes 1.14. #461
- Allow customising which custom resources are deployed in the pre-deploy phase. #505
Other
- Removes special treatment of GCP authentication by upgrading to `kubeclient` 4.3. #465
Bug fixes
- Adds several additional safeguards against the content of Secret resources being logged. #474
Enhancements
- Improves scalability by removing a check that caused recoverable registry problems to fail deploys. #477
Other
- Relaxes our dependency on the OJ gem. #471
Bug fixes
- Fixes a bug introduced in 0.26.0 where listing multiple files in the $KUBECONFIG environment variable would throw an error (#468)
- Fixes a bug introduced in 0.26.2 where kubernetes-render started adding YAML headers to empty render results (#467)
Enhancements
- kubernetes-render outputs results of rendering yml.erb files without passing them through a yaml parser. (#454)
Bug fixes
- Remove use of deprecated feature preventing use with Kubernetes 1.14 (#460)
Bug fixes
- Fixes a bug where `config/deploy/$ENVIRONMENT` would be used unconditionally if the `ENVIRONMENT` environment variable is set, ignoring any `--template-dir` argument passed.
Enhancements
- Add support for NetworkPolicies (#422)
- Setting the REVISION environment variable is now optional (#429)
- Defaults KUBECONFIG to `~/.kube/config` (#429)
- Uses `TASK_ID` environment variable as the `deployment_id` when rendering resource templates for better Shipit integration. (#430)
- Arguments to `--bindings` will now be deep merged. (#419)
- `kubernetes-deploy` and `kubernetes-render` now support reading templates from STDIN. (#415)
- Support for specifying a `--selector`, a label that all deployed resources are expected to have, and by which prunable resources will be filtered. This permits sharing a namespace with resources managed by third-parties, including other kubernetes-deploy deployments. (#439)
- Lists of resources printed during deployments will now be sorted alphabetically. (#441)
- Bare / unmanaged pods run as pre-deployment tasks will now stream logs if there is only one of them. (#436)
Features
- [Breaking change] Support for deploying Secrets from templates (#424). Non-ejson secrets are now fully supported and therefore subject to pruning like any other resource. As a result:
  - If you previously manually `kubectl apply`'d secrets that are not passed to kubernetes-deploy, your first deploy using this version is going to delete them.
  - If you previously passed secrets manifests to kubernetes-deploy and they are no longer in the set you pass to the first deploy using this version, it will delete them.
  - To identify potentially affected secrets in your cluster, run: `kubectl get secrets -o jsonpath='{ range .items[*] }{.metadata.namespace}{ "\t" }{.metadata.name}{ "\t" }{.metadata.annotations}{ "\n" }{ end }' --context=$YOUR_CONTEXT_HERE --all-namespaces | grep -v "kubernetes-deploy.shopify.io/ejson-secret" | grep "last-applied" | cut -f 1,2`. To exclude a secret from kubernetes-deploy (and kubectl apply) management, remove the last-applied annotation `kubectl annotate secret $SECRET_NAME kubectl.kubernetes.io/last-applied-configuration-`.
  - The secret `ejson-keys` will never be pruned by kubernetes-deploy. Instead, it will fail the deploy at the validation stage (unless `--no-prune` is set). (#447)
This version contains an error for handling the `--template-dir` argument. If the `ENVIRONMENT` environment variable is set, the template directory will be forcefully set to `config/deploy/$ENVIRONMENT`. This has been fixed in version 0.26.1
Features
- Support timeout overrides on deployments (#414)
Bug fixes
- Attempting to deploy from a directory that only contains `secrets.ejson` will no longer fail deploy (#416)
- Remove the risk of sending decrypted EJSON secrets to output (#431)
Other
- Update kubeclient gem to 4.2.2. Note this replaces the `KubeclientBuilder::GoogleFriendlyConfig` class with `KubeclientBuilder::KubeConfig` (#418). This resolves #396 and should allow us to support more authentication methods (e.g. `exec` for EKS).
- Invalid context when using `kubernetes-run` gives more descriptive error (#423)
- When resources are not found, instead of being `Unknown`, they are now labelled as `Not Found` (#427)
Features
- Add support for specifying pass/fail conditions of Custom Resources (#376).
- Add support for custom timeouts for Custom Resources (#376)
Enhancements
- Officially support Kubernetes 1.13 (#409)
Bug fixes
- Fixed bug that caused `NameError: wrong constant name` if custom resources had kind with a lowercase first letter. (#413)
Other
- Kubernetes 1.9 is no longer officially supported as of this version
Features
- New command: `kubernetes-render` is a tool for rendering ERB templates to raw Kubernetes YAML. It's useful for seeing what `kubernetes-deploy` does before actually invoking `kubectl` on the rendered YAML. It's also useful for outputting YAML that can be passed to other tools, for validation or introspection purposes. (#375)
- [Breaking change] This release completes the conversion of `kubernetes-deploy` StatsD metrics to `distribution`s, which was done for `kubernetes-restart` and `kubernetes-run` in v0.22.0.
- Several new distribution metrics are available to give insight into the timing of each step of the deploy process: `KubernetesDeploy.validate_configuration.duration`, `KubernetesDeploy.discover_resources.duration`, `KubernetesDeploy.validate_resources.duration`, `KubernetesDeploy.initial_status.duration`, `KubernetesDeploy.create_ejson_secrets.duration`, `KubernetesDeploy.apply_all.duration`, `KubernetesDeploy.sync.duration`
- [Breaking change] `KubernetesDeploy.resource.duration` no longer includes `sha` or `resource` tags. (#392)
Enhancements
- Roles are now predeployed before RoleBindings (#380)
- Several performance enhancements for deploys to namespaces with hundreds of resources.
- KubernetesDeploy no longer modifies the global StatsD configuration when used as a gem (#384)
Bug fixes
- Handle out-of-order arrival of entries from different streams when processing logs (#401)
Features
- [Breaking change] `kubernetes-restart` now produces StatsD `distribution` instead of `metric`. Dashboards that used these metrics will need to be updated. (#374)
- `kubernetes-run` now produces StatsD `distribution` to aid in tracking usage (#374)
Enhancements
- Predeploy RoleBinding before unmanaged pods (#354)
Bug Fixes
- Fixed bug in `kubernetes-restart` that caused "Pod spec does not contain a template container called 'task-runner'" error message to not be printed (#371)
Other
- Kubernetes 1.8 is no longer officially supported as of this version
Enhancements
- Improved failure detection for job resources. (#355)
- Unmanaged pods are now immediately identified as failed if they are evicted, preempted or deleted out of band. This is especially important to `kubernetes-run`. (#353)
Other
- Relaxed our `googleauth` dependency. (#333)
Features
- [Breaking change] `kubernetes-run` now streams container logs and waits for the pod to succeed or fail by default. You can disable this using `--skip-wait`, or you can use `--max-watch-seconds=seconds` to set a time limit on the watch. (#337)
Other
- Kubernetes 1.7 is no longer officially supported as of this version
Enhancements
- All resources marked as prunable will now be added to the prune whitelist (#326)
- Improve deploy status detection by ensuring we examine the correct generation (#325)
Enhancements
- Add Job resource class (#295)
- Add CustomResourceDefinition resource class (#306)
- Officially support Kubernetes 1.10 (#308)
- SyncMediator will only batch fetch resources when there is a sufficiently large set of resources being tracked (#316)
- Allow CRs to be pruned based on `kubernetes-deploy.shopify.io/prunable` annotation on the custom resource definitions (312)
- Add HorizontalPodAutoscaler resource class (#305)
Bug Fixes
- Prevent crash when STATSD_IMPLEMENTATION isn't set. (#3242)
Enhancements
- Don't consider pod preempting a failure (#317)
Enhancements
- Evictions are recoverable so prevent them from triggering fast failure detection (#293).
- Use YAML.safe_load over YAML.load_file (#295).
Bug Fixes
- Default rollout strategy is compatible with the required-rollout annotation (#289).
Enhancements
- Emit Datadog events when deploys succeed, time out or fail (#292).
Bug Fixes
- Display a nice error instead of crashing when a YAML document is missing 'Kind' (#280)
- Prevent DaemonSet from succeeding before rollout finishes (#288)
Enhancements
- Merge multiple `--bindings` arguments, to allow a composite bindings map (multiple arguments or files)
Features
- Automatically add all Kubernetes namespace labels to StatsD tags (#278)
Bug Fixes
- Prevent calling sleep with a negative value (#273)
- Prevent no-op redeploys of bad code from hanging forever (#262)
Enhancements
- Improve output for rendering errors (#253)
Features
- Added `--max-watch-seconds=seconds` to kubernetes-restart and kubernetes-deploy. When set, a timeout error is raised if it takes longer than seconds for any resource to deploy.
- Adds YAML and JSON file reference support to the kubernetes-deploy `--bindings` argument (#269)
Enhancements
- Prune resource quotas (#264)
Bug Fixes
- Update gemspec to reflect need for ActiveSupport >= 5.0 (#270)
Enhancements
- Change the way the resource watcher fetches resources to make it more efficient for large deploys. Deploys with hundreds of resources are expected to see a measurable performance improvement from this change. (#251)
Features
- kubernetes-restart and kubernetes-deploy use exit code 70 when a deploy fails due to one or more resources failing to deploy in time. (#244)
Bug Fixes
- Handle deploying thousands of resources at a time; previously kubernetes-deploy would fail with `Argument list too long - kubectl (Errno::E2BIG)`. (#257)
Enhancements
- Add the `--cascade` flag when we force replace a resource. (#250)
Important: This release changes the officially supported Kubernetes versions to v1.7 through v1.9. Other versions may continue to work, but we are no longer running our test suite against them.
Features
- Support partials to reduce duplication in yaml files (#207)
Bug Fixes
- Handle podless daemon sets properly (#242)
Enhancements
- Print warnings if kubernetes server version is not supported (#237).
- Make it possible to disable fetching logs and/or events on deployment failure via env var (#239).
- The `kubernetes-deploy.shopify.io/required-rollout` annotation now takes a percent (e.g. 90%) (#240).
Enhancements
- Fetch debug events and logs for failed resources in parallel (#238)
Bug Fixes
- None
Enhancements
- Support for cronjob resource (#206).
- Make it possible to override the tool's hard timeout for one specific resource via the `kubernetes-deploy.shopify.io/timeout-override` annotation (#232).
- Make it possible to modify how many replicas need to be updated and available before a deployment is considered successful via the `kubernetes-deploy.shopify.io/required-rollout` annotation (#208).
Bug Fixes
- Make deployments whose pods crash because of CreateContainerConfigError fail fast in 1.8+ too (they would previously time out).
- Fix crashes when deploying ExternalName services or services without selectors (#211)
- Predeploy ServiceAccount resources (#221)
Enhancements
- Make it possible to pass bindings (via the --bindings flag) for which the value contains commas or is a JSON encoded hash (#219)
- Support KUBECONFIG referencing multiple files (#222)
Bug Fixes
- Fix incorrect timeouts occasionally observed on deployments using progressDeadlineSeconds in Kubernetes <1.7.7
Enhancements
- Renamed `KubernetesDeploy::Runner` (which powers `exe/kubernetes-deploy`) to `KubernetesDeploy::DeployTask`. This increases consistency between our primary class names and avoids confusion with `KubernetesDeploy::RunnerTask` (which powers `exe/kubernetes-run`).
- Improved output related to timeouts. For deployments, both failure and timeout output now mentions the referenced replica set.
- Small improvements to the reliability of the success polling.
- EjsonSecretProvisioner no longer logs kubectl command output (which may contain secret data) when debug-level logging is enabled.
Features
- Added support for StatefulSets for kubernetes 1.7+ using RollingUpdate
Bug Fixes
- Explicitly require the minimum rest-client version required by kubeclient (#202)
Enhancements
Bug Fixes
- Fix an issue deploying Shopify's internal custom resources.
Bug Fixes
- Stop appending newlines to the base64-encoded values of secrets created from ejson. These extra newlines were preventing the ejson->k8s secret feature from working with v1.8 (Shopify#196).
Enhancement
- Log reason if deploy times out due to `progressDeadlineSeconds` being exceeded
Bug Fixes
- Retry discovering namespace and kubernetes context
- Expose real error during namespace discovery
Bug Fixes
- Force deployment to use its own hard timeout instead of relying on the replica set