timebertt · September 27, 2021 14:42 · himanshu-kun · Oct 8, 2021
diff --git a/rebootstrap-seed.sh b/rebootstrap-seed.sh
 #!/usr/bin/env bash

 set -o errexit
 set -o nounset
 set -o pipefail

 if [ -z "${SEED_KUBECONFIG:-}" ] ; then
  >&2 echo "Please point the SEED_KUBECONFIG env var to the kubeconfig for the seed you want to fix"
  exit 1
 fi

 if [ -z "${1:-}" ] ; then
  >&2 echo "Please add the seed name of the seed you want to fix as the first argument"
  exit 1
 fi

 NAMESPACE=garden
 SEED_NAME=$1

 echo "> checking if ManagedSeed $SEED_NAME exists"
 if ! kubectl -n $NAMESPACE get managedseed $SEED_NAME >/dev/null ; then
  exit 1
 fi
 echo "yes"

 get_non_ready_seed_conditions() {
  kubectl get seed $SEED_NAME -ojson | jq '.status.conditions[] | select(.status != "True")'
 }

 echo "> checking if Seed $SEED_NAME is ready"
 non_ready_conditions="$(get_non_ready_seed_conditions)"
 if [ -z "$non_ready_conditions" ] ; then
  echo "Seed $SEED_NAME is ready, nothing to do"

  read -p "Do you still want to re-bootstrap the seed [yY/nN]? " -n 1 -r
  echo
  if ! [[ $REPLY =~ ^[Yy]$ ]]; then
    exit 0
  fi
 else
  echo "$non_ready_conditions"
 fi

 echo "> getting parent gardenlet"
 parent_seed="$(kubectl -n $NAMESPACE get shoot $SEED_NAME -ojson | jq -r '.spec.seedName')"
 [ $? = 0 ] || exit 1
 echo "parent gardenlet is $parent_seed"

 echo "> deleting gardenlet-kubeconfig secret from Seed"
 if kubectl --kubeconfig="$SEED_KUBECONFIG" -n garden get secret gardenlet-kubeconfig &>/dev/null ; then
  kubectl --kubeconfig="$SEED_KUBECONFIG" -n garden delete secret gardenlet-kubeconfig
 else
  echo "already gone, continuing"
 fi

 bootstrap_token_id="$(echo -n "$SEED_NAME$NAMESPACE--$SEED_NAME" | sha256sum | head -c6)"
 bootstrap_token_name="bootstrap-token-$bootstrap_token_id"
 bootstrap_token_secret="$(tr -dc a-z0-9 </dev/urandom | head -c 16 || true)"
 bootstrap_token_expiration="$(date -d '+2 hours' --utc "+%Y-%m-%dT%H:%M:%SZ")"

 cleanup () {
  echo "> cleaning up created secret, role, rolebinding"
  kubectl -n kube-system delete secret,role,rolebinding -l developer-on-duty=$USER
 }
 trap cleanup EXIT SIGINT SIGTERM

 echo "> creating new bootstrap token $bootstrap_token_name + role + rolebinding"
 cat <<EOF | kubectl apply -f -
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
  name: gardener.cloud:seed-bootstrap-token-manager:$SEED_NAME
  namespace: kube-system
  labels:
    developer-on-duty: $USER
 rules:
 - apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - $bootstrap_token_name
  verbs:
  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  name: gardener.cloud:seed-bootstrap-token-manager:$SEED_NAME
  namespace: kube-system
  labels:
    developer-on-duty: $USER
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gardener.cloud:seed-bootstrap-token-manager:$SEED_NAME
 subjects:
 - kind: User
  name: gardener.cloud:system:seed:$parent_seed
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  name: $bootstrap_token_name
  namespace: kube-system
  labels:
    developer-on-duty: $USER
 type: bootstrap.kubernetes.io/token
 stringData:
  description: "bootstrap token generated for $SEED_NAME"

  token-id: $bootstrap_token_id
  token-secret: $bootstrap_token_secret

  expiration: $bootstrap_token_expiration

  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
 EOF

 echo "> reconciling ManagedSeed $SEED_NAME"
 kubectl -n $NAMESPACE annotate managedseed $SEED_NAME gardener.cloud/operation=reconcile

 echo "> waiting until Seed $SEED_NAME is ready again"
 for i in seq 1 10 ; do
  non_ready_conditions="$(get_non_ready_seed_conditions)"
  if [ -z "$non_ready_conditions" ] ; then
    echo "Seed $SEED_NAME got ready"
    break
  else
    echo "$non_ready_conditions"
  fi

  sleep 10
 done
	#!/usr/bin/env bash

	set -o errexit
	set -o nounset
	set -o pipefail

	if [ -z "${SEED_KUBECONFIG:-}" ] ; then
	>&2 echo "Please point the SEED_KUBECONFIG env var to the kubeconfig for the seed you want to fix"
	exit 1
	fi

	if [ -z "${1:-}" ] ; then
	>&2 echo "Please add the seed name of the seed you want to fix as the first argument"
	exit 1
	fi

	NAMESPACE=garden
	SEED_NAME=$1

	echo "> checking if ManagedSeed $SEED_NAME exists"
	if ! kubectl -n $NAMESPACE get managedseed $SEED_NAME >/dev/null ; then
	exit 1
	fi
	echo "yes"

	get_non_ready_seed_conditions() {
	kubectl get seed $SEED_NAME -ojson \| jq '.status.conditions[] \| select(.status != "True")'
	}

	echo "> checking if Seed $SEED_NAME is ready"
	non_ready_conditions="$(get_non_ready_seed_conditions)"
	if [ -z "$non_ready_conditions" ] ; then
	echo "Seed $SEED_NAME is ready, nothing to do"

	read -p "Do you still want to re-bootstrap the seed [yY/nN]? " -n 1 -r
	echo
	if ! [[ $REPLY =~ ^[Yy]$ ]]; then
	exit 0
	fi
	else
	echo "$non_ready_conditions"
	fi

	echo "> getting parent gardenlet"
	parent_seed="$(kubectl -n $NAMESPACE get shoot $SEED_NAME -ojson \| jq -r '.spec.seedName')"
	[ $? = 0 ] \|\| exit 1
	echo "parent gardenlet is $parent_seed"

	echo "> deleting gardenlet-kubeconfig secret from Seed"
	if kubectl --kubeconfig="$SEED_KUBECONFIG" -n garden get secret gardenlet-kubeconfig &>/dev/null ; then
	kubectl --kubeconfig="$SEED_KUBECONFIG" -n garden delete secret gardenlet-kubeconfig
	else
	echo "already gone, continuing"
	fi

	bootstrap_token_id="$(echo -n "$SEED_NAME$NAMESPACE--$SEED_NAME" \| sha256sum \| head -c6)"
	bootstrap_token_name="bootstrap-token-$bootstrap_token_id"
	bootstrap_token_secret="$(tr -dc a-z0-9 </dev/urandom \| head -c 16 \|\| true)"
	bootstrap_token_expiration="$(date -d '+2 hours' --utc "+%Y-%m-%dT%H:%M:%SZ")"

	cleanup () {
	echo "> cleaning up created secret, role, rolebinding"
	kubectl -n kube-system delete secret,role,rolebinding -l developer-on-duty=$USER
	}
	trap cleanup EXIT SIGINT SIGTERM

	echo "> creating new bootstrap token $bootstrap_token_name + role + rolebinding"
	cat <<EOF \| kubectl apply -f -
	apiVersion: rbac.authorization.k8s.io/v1
	kind: Role
	metadata:
	name: gardener.cloud:seed-bootstrap-token-manager:$SEED_NAME
	namespace: kube-system
	labels:
	developer-on-duty: $USER
	rules:
	- apiGroups:
	- ""
	resources:
	- secrets
	resourceNames:
	- $bootstrap_token_name
	verbs:
	- get
	---
	apiVersion: rbac.authorization.k8s.io/v1
	kind: RoleBinding
	metadata:
	name: gardener.cloud:seed-bootstrap-token-manager:$SEED_NAME
	namespace: kube-system
	labels:
	developer-on-duty: $USER
	roleRef:
	apiGroup: rbac.authorization.k8s.io
	kind: Role
	name: gardener.cloud:seed-bootstrap-token-manager:$SEED_NAME
	subjects:
	- kind: User
	name: gardener.cloud:system:seed:$parent_seed
	---
	apiVersion: v1
	kind: Secret
	metadata:
	name: $bootstrap_token_name
	namespace: kube-system
	labels:
	developer-on-duty: $USER
	type: bootstrap.kubernetes.io/token
	stringData:
	description: "bootstrap token generated for $SEED_NAME"

	token-id: $bootstrap_token_id
	token-secret: $bootstrap_token_secret

	expiration: $bootstrap_token_expiration

	usage-bootstrap-authentication: "true"
	usage-bootstrap-signing: "true"
	EOF

	echo "> reconciling ManagedSeed $SEED_NAME"
	kubectl -n $NAMESPACE annotate managedseed $SEED_NAME gardener.cloud/operation=reconcile

	echo "> waiting until Seed $SEED_NAME is ready again"
	for i in seq 1 10 ; do
	non_ready_conditions="$(get_non_ready_seed_conditions)"
	if [ -z "$non_ready_conditions" ] ; then
	echo "Seed $SEED_NAME got ready"
	break
	else
	echo "$non_ready_conditions"
	fi

	sleep 10
	done