@timebertt
Created September 27, 2021 14:42
Manually rebootstrap seed (workaround for gardener/gardener#4687)
#!/usr/bin/env bash
#
# Manually re-bootstrap the gardenlet of a ManagedSeed (workaround for gardener/gardener#4687).
#
# Usage: SEED_KUBECONFIG=<kubeconfig of the seed> ./<this script> <seed-name>
#
# Plain `kubectl` calls run against the garden cluster via the current context; only the
# deletion of the gardenlet-kubeconfig secret uses SEED_KUBECONFIG and runs against the seed.
set -o errexit
set -o nounset
set -o pipefail

if [ -z "${SEED_KUBECONFIG:-}" ] ; then
  >&2 echo "Please point the SEED_KUBECONFIG env var to the kubeconfig for the seed you want to fix"
  exit 1
fi

if [ -z "${1:-}" ] ; then
  >&2 echo "Please add the seed name of the seed you want to fix as the first argument"
  exit 1
fi

NAMESPACE=garden
SEED_NAME=$1

echo "> checking if ManagedSeed $SEED_NAME exists"
if ! kubectl -n "$NAMESPACE" get managedseed "$SEED_NAME" >/dev/null ; then
  exit 1
fi
echo "yes"

# Prints every Seed condition whose status is not "True"; empty output means the seed is ready.
# `[]?` keeps jq from failing while .status.conditions is still unset.
get_non_ready_seed_conditions() {
  kubectl get seed "$SEED_NAME" -ojson | jq '.status.conditions[]? | select(.status != "True")'
}

echo "> checking if Seed $SEED_NAME is ready"
non_ready_conditions="$(get_non_ready_seed_conditions)"
if [ -z "$non_ready_conditions" ] ; then
  echo "Seed $SEED_NAME is ready, nothing to do"
  read -p "Do you still want to re-bootstrap the seed [yY/nN]? " -n 1 -r
  echo
  if ! [[ $REPLY =~ ^[Yy]$ ]]; then
    exit 0
  fi
else
  echo "$non_ready_conditions"
fi

# The managed seed's Shoot is scheduled onto a parent seed; that parent's gardenlet is the
# identity that gets read access to the new bootstrap token below, so refuse to continue
# if it cannot be determined (otherwise the RoleBinding would name the user "...:seed:null").
echo "> getting parent gardenlet"
parent_seed="$(kubectl -n "$NAMESPACE" get shoot "$SEED_NAME" -ojson | jq -r '.spec.seedName')"
if [ -z "$parent_seed" ] || [ "$parent_seed" = "null" ] ; then
  >&2 echo "Shoot $SEED_NAME has no .spec.seedName, cannot determine the parent gardenlet"
  exit 1
fi
echo "parent gardenlet is $parent_seed"

echo "> deleting gardenlet-kubeconfig secret from Seed"
if kubectl --kubeconfig="$SEED_KUBECONFIG" -n garden get secret gardenlet-kubeconfig &>/dev/null ; then
  kubectl --kubeconfig="$SEED_KUBECONFIG" -n garden delete secret gardenlet-kubeconfig
else
  echo "already gone, continuing"
fi

# The token ID is derived deterministically from the seed name, so the Role below can be
# restricted to exactly this one secret. Requires GNU coreutils (sha256sum, date -d).
bootstrap_token_id="$(echo -n "$SEED_NAME$NAMESPACE--$SEED_NAME" | sha256sum | head -c6)"
bootstrap_token_name="bootstrap-token-$bootstrap_token_id"
# `head` closes the pipe early and `tr` dies with SIGPIPE; `|| true` keeps pipefail from aborting.
bootstrap_token_secret="$(tr -dc a-z0-9 </dev/urandom | head -c 16 || true)"
bootstrap_token_expiration="$(date -d '+2 hours' --utc "+%Y-%m-%dT%H:%M:%SZ")"

# Everything created below carries the developer-on-duty label so the trap can remove it
# again, whether the script finishes, fails or is interrupted.
cleanup () {
  echo "> cleaning up created secret, role, rolebinding"
  kubectl -n kube-system delete secret,role,rolebinding -l "developer-on-duty=$USER"
}
trap cleanup EXIT SIGINT SIGTERM

echo "> creating new bootstrap token $bootstrap_token_name + role + rolebinding"
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: gardener.cloud:seed-bootstrap-token-manager:$SEED_NAME
  namespace: kube-system
  labels:
    developer-on-duty: $USER
rules:
- apiGroups:
  - ""
  resources:
  - secrets
  resourceNames:
  - $bootstrap_token_name
  verbs:
  - get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: gardener.cloud:seed-bootstrap-token-manager:$SEED_NAME
  namespace: kube-system
  labels:
    developer-on-duty: $USER
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: gardener.cloud:seed-bootstrap-token-manager:$SEED_NAME
subjects:
- kind: User
  name: gardener.cloud:system:seed:$parent_seed
---
apiVersion: v1
kind: Secret
metadata:
  name: $bootstrap_token_name
  namespace: kube-system
  labels:
    developer-on-duty: $USER
type: bootstrap.kubernetes.io/token
stringData:
  description: "bootstrap token generated for $SEED_NAME"
  token-id: $bootstrap_token_id
  token-secret: $bootstrap_token_secret
  expiration: $bootstrap_token_expiration
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
EOF

echo "> reconciling ManagedSeed $SEED_NAME"
kubectl -n "$NAMESPACE" annotate managedseed "$SEED_NAME" gardener.cloud/operation=reconcile

# Poll for up to about 100 seconds; the EXIT trap removes the bootstrap token afterwards either way.
echo "> waiting until Seed $SEED_NAME is ready again"
for i in $(seq 1 10) ; do
  non_ready_conditions="$(get_non_ready_seed_conditions)"
  if [ -z "$non_ready_conditions" ] ; then
    echo "Seed $SEED_NAME got ready"
    break
  else
    echo "$non_ready_conditions"
  fi
  sleep 10
done
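The token the script creates only works if it matches the Kubernetes bootstrap-token format (`[a-z0-9]{6}.[a-z0-9]{16}`) that the apiserver's bootstrap token authenticator expects, and the narrowly scoped Role above only works because the token ID, and therefore the secret name, is derived deterministically from the seed name. The following bash script is an added example and not part of the gist: it pulls the derivation and the format checks out into functions so they can be exercised offline, composes the `<id>.<secret>` bearer token the gardenlet would present, and renders the Secret manifest without applying it. It assumes GNU coreutils (`sha256sum`, `date -d`) and a bash shell; the function names and the default seed name `my-seed` are made up for the example.

```bash
#!/usr/bin/env bash
# Added example (not the gist's code): derive, validate and render a Kubernetes
# bootstrap token the way the re-bootstrap script does, without touching a cluster.
# Assumes GNU coreutils (sha256sum, date -d). Function names are made up for the example.
set -o errexit
set -o nounset
set -o pipefail

# Token ID as the script derives it: first 6 hex chars of sha256("<seed><namespace>--<seed>").
# Deterministic, so the parent gardenlet and the Role's resourceNames agree on
# the secret name "bootstrap-token-<id>".
bootstrap_token_id() {
  local seed_name=$1 namespace=${2:-garden}
  printf '%s%s--%s' "$seed_name" "$namespace" "$seed_name" | sha256sum | head -c 6
}

# Token secret: 16 chars of [a-z0-9] from /dev/urandom. `head` closes the pipe early,
# so `tr` dies with SIGPIPE; `|| true` keeps pipefail from turning that into a failure.
bootstrap_token_secret() {
  tr -dc a-z0-9 </dev/urandom | head -c 16 || true
}

# Expiration as RFC 3339 UTC, N seconds from now (default: 2 hours, like the script).
bootstrap_token_expiration() {
  local ttl=${1:-7200}
  date -u -d "@$(( $(date +%s) + ttl ))" '+%Y-%m-%dT%H:%M:%SZ'
}

# Bootstrap token spec: id is [a-z0-9]{6}, secret is [a-z0-9]{16}. Anything else is
# silently rejected by the bootstrap authenticator, so check before applying.
validate_bootstrap_token() {
  local id=$1 secret=$2
  printf '%s' "$id" | grep -Eq '^[a-z0-9]{6}$' \
    || { echo "bad token-id '$id': must be 6 chars of [a-z0-9]" >&2; return 1; }
  printf '%s' "$secret" | grep -Eq '^[a-z0-9]{16}$' \
    || { echo "bad token-secret: must be 16 chars of [a-z0-9]" >&2; return 1; }
}

# The bearer token the gardenlet puts into its bootstrap kubeconfig: "<id>.<secret>".
compose_bootstrap_token() {
  local id=$1 secret=$2
  validate_bootstrap_token "$id" "$secret" 2>/dev/null || return 1
  printf '%s.%s' "$id" "$secret"
}

# Render the Secret the script applies in kube-system, from the pieces above.
render_bootstrap_token_secret() {
  local seed_name=$1 id=$2 secret=$3 expiration=$4
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: bootstrap-token-$id
  namespace: kube-system
type: bootstrap.kubernetes.io/token
stringData:
  description: "bootstrap token generated for $seed_name"
  token-id: $id
  token-secret: $secret
  expiration: $expiration
  usage-bootstrap-authentication: "true"
  usage-bootstrap-signing: "true"
EOF
}

# Demo on a constructed seed name (override with the first argument).
demo_seed=${1:-my-seed}
demo_id=$(bootstrap_token_id "$demo_seed")
demo_secret=$(bootstrap_token_secret)
echo "token for $demo_seed: $(compose_bootstrap_token "$demo_id" "$demo_secret")"
render_bootstrap_token_secret "$demo_seed" "$demo_id" "$demo_secret" "$(bootstrap_token_expiration)"
```

Piping the rendered manifest into `kubectl apply -f -` gives the same Secret the script creates, minus the `developer-on-duty` label the script uses for cleanup; the validation step is the part worth keeping if the token generation is ever changed, since a malformed id or secret does not fail on apply, only at authentication time.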
@himanshu-kun

Hi Tim,
I was trying to understand the script.
From what I understand:
You delete the kubeconfig used by the gardenlet and then create the role, rolebinding and bootstrap token in the garden cluster, and then reconcile the managed seed so that a new kubeconfig for the gardenlet is formed, which the gardenlet can use now.
Is that it, or did I miss something?
