Merge pull request #96 from gruntwork-io/yori-upgrade-cmd

Introduce `eks sync-core-components` subcommand

Author: yorinasub17

README.md

@@ -57,6 +57,7 @@ The following commands are available as part of `kubergrunt`:
     * [token](#token)
     * [oidc-thumbprint](#oidc-thumbprint)
     * [deploy](#deploy)
+    * [sync-core-components](#sync-core-components)
 1. [k8s](#k8s)
     * [wait-for-ingress](#wait-for-ingress)
     * [kubectl](#kubectl)
@@ -245,6 +246,25 @@ Currently `kubergrunt` does not implement any checks for these resources to be i
 plan to bake in checks into the deployment command to verify that all services have a disruption budget set, and warn
 the user of any services that do not have a check.
 
+#### sync-core-components
+
+This subcommand will sync the core components of an EKS cluster to match the deployed Kubernetes version by following
+the steps listed [in the official documentation](https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html).
+
+The core components managed by this command are:
+
+- kube-proxy
+- Amazon VPC CNI plug-in
+- CoreDNS
+
+By default, this command will rotate the images without waiting for the Pods to be redeployed. You can use the `--wait`
+option to force the command to wait until all the Pods have been replaced.
+
+Example:
+
+```bash
+kubergrunt eks sync-core-components --eks-cluster-arn EKS_CLUSTER_ARN
+```
 
 ### k8s
 

cmd/eks.go

@@ -56,6 +56,11 @@ var (
 		Value: 15 * time.Second,
 		Usage: "The amount of time to sleep between retries as duration (e.g 10m = 10 minutes) for retry loops during the command. The total amount of time this command will try is based on max-retries and sleep-between-retries. Defaults to 15 seconds.",
 	}
+	waitTimeoutFlag = cli.StringFlag{
+		Name:  "wait-timeout",
+		Value: "10m",
+		Usage: "The amount of time to wait for operations to complete, expressed as a duration (e.g., 10m = 10 minutes). Defaults to 10 minutes.",
+	}
 
 	// Token related flags
 	clusterIDFlag = cli.StringFlag{
@@ -123,6 +128,26 @@ func SetupEksCommand() cli.Command {
 					oidcIssuerUrlFlag,
 				},
 			},
+			cli.Command{
+				Name:  "sync-core-components",
+				Usage: "Update the core Kubernetes applications deployed on to the EKS cluster to match the Kubernetes version.",
+				Description: `Update the core Kubernetes applications deployed on to an EKS cluster to ensure that the versions match with the expected versions deployed for the configured Kubernetes version.
+
+There are three core applications on an EKS cluster:
+    - kube-proxy
+    - coredns
+    - VPC CNI Plugin
+
+Each of these are managed in Kubernetes as DaemonSet, Deployment, and DaemonSet respectively. This command will use kubectl under the hood to patch the manifests to deploy the expected version based on what the current Kubernetes version is of the cluster. As such, this command should be run every time the Kubernetes version is updated on the EKS cluster.
+
+The versions deployed are based on what is listed in the official guide provided by AWS: https://docs.aws.amazon.com/eks/latest/userguide/update-cluster.html`,
+				Action: syncClusterComponents,
+				Flags: []cli.Flag{
+					eksClusterArnFlag,
+					waitFlag,
+					waitTimeoutFlag,
+				},
+			},
 			cli.Command{
 				Name:  "deploy",
 				Usage: "Zero downtime roll out of cluster updates to worker nodes.",
@@ -284,3 +309,14 @@ func rollOutDeployment(cliContext *cli.Context) error {
 		waitSleepBetweenRetries,
 	)
 }
+
+// Command action for `kubergrunt eks sync-core-components`
+func syncClusterComponents(cliContext *cli.Context) error {
+	eksClusterArn, err := entrypoint.StringFlagRequiredE(cliContext, eksClusterArnFlag.Name)
+	if err != nil {
+		return err
+	}
+	shouldWait := cliContext.Bool(waitFlag.Name)
+	waitTimeout := cliContext.String(waitTimeoutFlag.Name)
+	return eks.SyncClusterComponents(eksClusterArn, shouldWait, waitTimeout)
+}

eks/errors.go

@@ -124,3 +124,23 @@ type NoPeerCertificatesError struct {
 func (err NoPeerCertificatesError) Error() string {
 	return fmt.Sprintf("Could not find any peer certificates for URL %s", err.URL)
 }
+
+// UnsupportedEKSVersion is returned when the Kubernetes version of the EKS cluster is not supported.
+type UnsupportedEKSVersion struct {
+	version string
+}
+
+func (err UnsupportedEKSVersion) Error() string {
+	return fmt.Sprintf("%s is not a supported version for kubergrunt eks upgrade. Please contact [email protected] for more info.", err.version)
+}
+
+// CoreComponentUnexpectedConfigurationErr error is returned when the EKS core components are in an unexpected
+// configuration, such as a different number of containers.
+type CoreComponentUnexpectedConfigurationErr struct {
+	component string
+	reason    string
+}
+
+func (err CoreComponentUnexpectedConfigurationErr) Error() string {
+	return fmt.Sprintf("Core component %s is in unexpected configuration: %s", err.component, err.reason)
+}

eks/fixture/aws-k8s-cni.yaml

@@ -0,0 +1,150 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: aws-node
+rules:
+  - apiGroups:
+      - crd.k8s.amazonaws.com
+    resources:
+      - "*"
+    verbs:
+      - "*"
+  - apiGroups: [""]
+    resources:
+      - pods
+      - nodes
+      - namespaces
+    verbs: ["list", "watch", "get"]
+  - apiGroups: ["extensions"]
+    resources:
+      - daemonsets
+    verbs: ["list", "watch"]
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: aws-node
+  namespace: kube-system
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: aws-node
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: aws-node
+subjects:
+  - kind: ServiceAccount
+    name: aws-node
+    namespace: kube-system
+
+---
+kind: DaemonSet
+apiVersion: apps/v1
+metadata:
+  name: aws-node
+  namespace: kube-system
+  labels:
+    k8s-app: aws-node
+spec:
+  updateStrategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: "10%"
+  selector:
+    matchLabels:
+      k8s-app: aws-node
+  template:
+    metadata:
+      labels:
+        k8s-app: aws-node
+    spec:
+      priorityClassName: system-node-critical
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: "beta.kubernetes.io/os"
+                    operator: In
+                    values:
+                      - linux
+                  - key: "beta.kubernetes.io/arch"
+                    operator: In
+                    values:
+                      - amd64
+                  - key: eks.amazonaws.com/compute-type
+                    operator: NotIn
+                    values:
+                      - fargate
+      serviceAccountName: aws-node
+      hostNetwork: true
+      tolerations:
+        - operator: Exists
+      containers:
+        - image: 602401143452.dkr.ecr.ap-northeast-1.amazonaws.com/amazon-k8s-cni:v1.5.7
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 61678
+              name: metrics
+          name: aws-node
+          env:
+            - name: AWS_VPC_K8S_CNI_LOGLEVEL
+              value: DEBUG
+            - name: MY_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          resources:
+            requests:
+              cpu: 10m
+          securityContext:
+            privileged: true
+          volumeMounts:
+            - mountPath: /host/opt/cni/bin
+              name: cni-bin-dir
+            - mountPath: /host/etc/cni/net.d
+              name: cni-net-dir
+            - mountPath: /host/var/log
+              name: log-dir
+            - mountPath: /var/run/docker.sock
+              name: dockersock
+            - mountPath: /var/run/dockershim.sock
+              name: dockershim
+      volumes:
+        - name: cni-bin-dir
+          hostPath:
+            path: /opt/cni/bin
+        - name: cni-net-dir
+          hostPath:
+            path: /etc/cni/net.d
+        - name: log-dir
+          hostPath:
+            path: /var/log
+        - name: dockersock
+          hostPath:
+            path: /var/run/docker.sock
+        - name: dockershim
+          hostPath:
+            path: /var/run/dockershim.sock
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: eniconfigs.crd.k8s.amazonaws.com
+spec:
+  scope: Cluster
+  group: crd.k8s.amazonaws.com
+  versions:
+    - name: v1alpha1
+      served: true
+      storage: true
+  names:
+    plural: eniconfigs
+    singular: eniconfig
+    kind: ENIConfig