gardenctl's People

Contributors

andreasburger, andrei-panov, dansible, docktofuture, emoinlanyu, gardener-robot-ci-1, gardener-robot-ci-2, gardener-robot-ci-3, ialidzhikov, jfortin-sap, jguipi, jia-jerry, kristian-zh, magoli1, msohn, neo-liang-sap, nottheevilone, petersutter, plkokanov, poelzi, raphael-vogel, raphaelvogel, rolandwilfer, stoyanr, tedteng, timebertt, vasu1124, vlerenc, vpnachev, zanetworker

gardenctl's Issues

gardenctl show prometheus provides wrong ingress credentials

Describe the bug
gardenctl show prometheus uses the wrong credentials for authenticating with the prometheus' ingress resource

To Reproduce
Steps to reproduce the behavior:

  1. gardenctl target shoot shoot-name
  2. gardenctl show prometheus
  3. uses the basic auth credentials from the shoot's kubeconfig rather than the ingress credentials required to login to prometheus

Expected behavior
Expected gardenctl to show the prometheus' ingress credentials and automatically log into the prometheus UI

Gardenctl Version (please complete the following information):

Additional context
The prometheus' ingress credentials together with the ones for grafana and alertmanager are now available in the following secret in the shoot's controlplane: monitoring-ingress-credentials. So gardenctl show prometheus should retrieve them from there.

Design Proposal for uniform Garden Cluster access

The garden cluster setup has changed over time and is most likely set up in one of the following three ways shown in the proposal. To unify access over gardenctl it is proposed to store the credentials for the garden cluster in separate secrets (as shown in SampleSecret) in the garden namespace of the virtual cluster. The secret should be annotated with a garden specific key to be able to be parsed by gardenctl. It can then be accessed in a uniform way, which is illustrated as the black arrows.

[Image: gardensetupforcli-1]

Sample Secret:

apiVersion: v1
kind: Secret
metadata:
  name: garden-secret
  namespace: garden
  labels:
      runtime: garden
  annotations:
    clusterName: garden-dev
type: Opaque
data:
  kubeconfig: b64(kubeconfig-to-cluster)

Aliyun CLI support

gardenctl has support for the different infrastructure CLIs, all but the latest addition, aliyun. Could this be added as well, please (it's so handy, when necessary)?

cc: @jia-jerry, Minchao Wang, and Emoin Lanyu

gardenctl does not support K8s v1.11.2

Describe the bug
gardenctl does not support K8s v1.11.2

To Reproduce
$ ./gardenctl ls gardens
gardenClusters:

  • name: cloud-garden-01

$ ./gardenctl ls shoots
Kubernetes cluster has version v1.11.2 which is not supported

$ ./gardenctl ls seeds
Kubernetes cluster has version v1.11.2 which is not supported

Attitude of gratitude (AoG)
Thank you in advance for your help

Project hard to target

gardenctl target doesn't find best fit:

$ gardenctl ls shoots
projects:
- project: garden-core
  shoots:
  - vl-canary
  - vl-dev
  - vl-live
  - vl-staging
...
- project: garden-xyz
...

$ gardenctl target core
Shoot core not found

More problematic, it doesn't accept the actual project name (annotation at the namespace)

$ gardenctl target project core
No match for core

One has to write the full namespace name:

$ gardenctl target garden-core

$ gardenctl get target
target:
- kind: garden
  name: dev
- kind: project
  name: garden-core

It would be great, if the matcher would have found the "right" target right away, but certainly gardenctl should find the project by annotation (or without the garden- prefix, which would be less clean). See:

$ k get ns garden-core  -o yaml
apiVersion: v1
kind: Namespace
metadata:
  annotations:
    project.garden.sapcloud.io/description: Core project exclusively used by the core
      team
    project.garden.sapcloud.io/owner: [email protected]
    project.garden.sapcloud.io/purpose: Core project exclusively used by the core
      team to host its shoot clusters.
  labels:
    garden.sapcloud.io/role: project
    project.garden.sapcloud.io/name: core
  name: garden-core
spec:
  finalizers:
  - kubernetes
status:
  phase: Active

gardenctl kubectl not working on targeted cluster

When trying to use gardenctl kubectl I ended up in the gromit cluster, which is a pretty dangerous thing to happen:

$ gardenctl get target
target:
- kind: garden
  name: prod
- kind: project
  name: garden-sap-et
- kind: shoot
  name: poc1

$ gardenctl kubectl get nodes
NAME                     STATUS    ROLES     AGE       VERSION
gromit-garden-master-0   Ready     master    139d      v1.7.6+coreos.0
gromit-garden-master-1   Ready     master    139d      v1.7.6+coreos.0
gromit-garden-master-2   Ready     master    139d      v1.7.6+coreos.0
gromit-garden-worker-0   Ready     node      139d      v1.7.3+coreos.0
gromit-garden-worker-1   Ready     node      139d      v1.7.3+coreos.0

Add landscape information

Add a cmd to expose landscape information via a garden cluster.

  • total number of shoots per garden cluster
  • number of shoots per iaas in a garden cluster

Expose further landscape information (obligatory):

  • number of nodes
  • number of cpus etc.

gardenctl should not rely on installed jq

Describe the bug
gardenctl ssh does not work when jq is not installed.

To Reproduce
Steps to reproduce the behavior:

  1. Which target was set 'gardenctl get target'
  2. Which command was entered [e.g. 'gardenctl show vpn-seed']
$ gardenctl ssh <ip>
Downloaded id_rsa key
exit status 127
  3. What was the output of the command

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.

Gardenctl Version (please complete the following information):

$ gardenctl version
gardenctl:
	version     : 0.9.0
	build date  : 2019-03-22
	go version  : go1.12
	go compiler : gc
	platform    : darwin/amd64

Additional context
gardenctl should not rely on jq to be installed but should perform the logic with https://godoc.org/gopkg.in/yaml.v2 .

/cc @ialidzhikov

Binary distribution of gardenctl

Is it possible to make versioned releases of gardenctl and have a binary distribution? After the recent shoot namespace adaptation everyone in my team had to manually compile the binary, we've been thinking about compiling it for 3 main platforms (macos, linux and windows) and making it available internally.

It would be more beneficial for everyone if that's done on upstream.

`garden target project`: expected syntax

The namespaces in the Garden clusters which are used as projects have the following labels:

metadata:
  name: garden-my-project
  labels:
    garden.sapcloud.io/role: project
    project.garden.sapcloud.io/name: my-project

The gardenctl target project command expects to enter the name of the namespace, not the name of the project (gardenctl target project garden-my-project instead of gardenctl target project my-project).

Can we change that?

gardenctl download logs need to put the project name into the folder structure

Describe the bug
Logs are combined from different clusters if they have the same name in different projects

To Reproduce
see our dev environment, cluster seed-az

Expected behavior
each directory should only contain logs for one single cluster

Screenshots
n/a

Gardenctl Version (please complete the following information):

Additional context

gardenctl logs operator

Using gardenctl logs operator shows less than kubectl logs <operator-pod-name>

Expected behaviour: same output independent of used command

Adapt gardenctl register and unregister to use

Adapt gardenctl register and unregister cmd to add or remove user from clusterrolebinding list.
(Changed from garden-administrators clusterrolebinding to garden.sapcloud.io:system:administrators clusterrolebinding which is exposed via the virtual apiserver)

IaaS secrets are not retrieved from the garden cluster

Story:

The control plane of a shoot cluster named 'test' was deleted in the seed cluster.

So I wanted to check what resources are left in the IaaS account,
For this I executed:

$ gardenctl target shoot test
....
$ gardenctl gcloud compute instances list
  error: secrets "gardener-sa" not found

The IaaS secret for the 'test' shoot cluster still exists in the garden cluster, but it looks like gardenctl tries to get it from the seed cluster, where it is deleted.

gardenctl should have a way to print its version

Describe the bug
gardenctl should have a way to print its version

To Reproduce
Steps to reproduce the behavior:
gardenctl does not show any possible way to display its version.

Expected behavior
As gardenctl user I would like to know which version I'm using by just issuing a gardenctl command.

Example:
gardenctl version (This is how version display is implemented on kubectl and helm)

Gardenctl Version (please complete the following information):

Additional context

Static code analysis

Gardener informs its stakeholders in its CNCF CII Badge, that static code checks are applied by using Checkmarx. This repository has findings, which have to be assessed by the component owner(s). As required all prio high findings have already been immediately assessed. Please find the timeline until when to assess the remaining prio medium findings in the Wiki (restricted access). At the time being you can ignore the prio low findings. Please find background information and a link to the Checkmarx project for your repository in the Wiki (restricted access). In the Wiki (restricted access) you will as well find information how to get a Checkmarx user which is required to be able to do your assessment in the Checkmarx Web UI.

Adapt Target function

Adapt target function to match projects which do not contain a "garden-" prefix.

Missing seed information when listing shoots of a project

According to #3, this should be the (ticked, i.e. already implemented way?) to get to the seed information of the shoots within a project (it should group them by seeds, but still groups them by project):

$ gardenctl get target
target:
- kind: garden
  name: dev
- kind: project
  name: garden-core

$ gardenctl ls shoots
projects:
- project: garden-core
  shoots:
  - vl-canary
  - vl-dev
  - vl-live
  - vl-staging
...

Cluster Autoscaler Support

I just noticed that gardenctl does not directly support the cluster autoscaler control plane component (e.g. to dig up logs). Could this be added, please?

Lint Checks, More Unit/Integration Tests (and Code Coverage)

Once it gets decided how to continue from here (plugin and gex discussion -> therefore this issue is icebox'ed ), let's include into the changes also an increased focus on:

  • Lint checks
  • More unit tests (and code coverage) as current code coverage is at 3,8 % at the time of this writing
  • Integration tests (if possible)

Wrong response when dropping a project target

When dropping a project, the response is surprising/wrong ("A seed is targeted", even though it never was and the resulting target is only a Garden cluster):

$ gardenctl get target
target:
- kind: garden
  name: dev
- kind: project
  name: garden-core

$ gardenctl drop project
A seed is targeted

$ gardenctl get target
target:
- kind: garden
  name: dev

Show Kibana dashboard

Extend the gardenctl show cmd to open a kibana dashboard for the targeted cluster when called with kibana argument.

Gardenctl can't operate on garden clusters deployed on 1.11

Describe the bug
Gardenctl doesn't work on gardens deployed on 1.11 kubernetes clusters.

To Reproduce
Steps to reproduce the behavior:

  1. Upgrade a garden kubernetes cluster to 1.11.
  2. gardenctl ls seeds
  3. gardenctl reports Kubernetes cluster has version v1.11.1 which is not supported

Expected behavior
gardenctl to operate on garden cluster.

Screenshots

$ gardenctl ls seeds
Kubernetes cluster has version v1.11.1 which is not supported

Gardenctl Version (please complete the following information):

Support for kubectl plugin?

As of k8s 1.8 kubectl supports plugins.

As an end-user I would like to do:

$ kubectl --context=some-context --namespace=some-ns garden show prometheus
# or simply
$ kubectl garden show prometheus
# with gardencli using the current context I use and namespace.

This will allow for quick debugging without the need to switch context, namespaces, etc. every single time.

Show fails

After I have targeted a garden->project->shoot, the show command only works for the Gardener itself, but not for the control plane components in the seed or the vpn-shoot or dashboard:

For orientation:

$ g get target
target:
- kind: garden
  name: dev
- kind: project
  name: garden-core
- kind: shoot
  name: d040949-os

OK:

$ g show operator
NAME                                  READY     STATUS    RESTARTS   AGE       IP               NODE
gardener-apiserver-6fff75758c-tf44k   1/1       Running   0          6d        10.241.133.219   garden-dev-worker-3

NAME                                           READY     STATUS    RESTARTS   AGE       IP              NODE
gardener-controller-manager-6549dc4b99-qqspw   1/1       Running   0          2d        10.241.131.16   garden-dev-worker-1

$ g show ui
NAME                                  READY     STATUS    RESTARTS   AGE       IP               NODE
gardener-dashboard-77d88dcb58-dklwx   1/1       Running   0          8d        10.241.130.243   garden-dev-worker-0

URL-1: https://dashboard.ingress.garden.dev.k8s.ondemand.com

URL-2: https://dashboard.garden.dev.k8s.ondemand.com

Not OK:

$ g show api
Error from server (NotFound): namespaces "shoot-core-d040949-os" not found

$ g show vpn-seed
Error from server (NotFound): namespaces "shoot-core-d040949-os" not found

$ g show vpn-shoot
Get https://api.d040949-os.core.shoot.dev.k8s-hana.ondemand.com/api/v1/namespaces/kube-system/pods: http2: server sent GOAWAY and closed the connection; LastStreamID=1, ErrCode=NO_ERROR, debug=""

$ g show dashboard
Get https://api.d040949-os.core.shoot.dev.k8s-hana.ondemand.com/api/v1/namespaces/kube-system/pods: net/http: TLS handshake timeout

Also, I was expecting to access the shoot with gardenctl kubectl ... after I have targeted it, but I only see the Garden cluster resources.

register / unregister: unclear error message

When trying to register / unregister I see the error message
No email specified and no github url configured in garden config

It is not clear from the error message what the config should look like.

Static Code Analysis

Gardener informs its stakeholders in its CNCF CII Badge, that static code checks are applied by using Checkmarx. This repository has findings, which have to be assessed by the component owner(s). As required all prio high findings have already been immediately assessed. Please find the timeline until when to assess the remaining prio medium findings in the Wiki (restricted access). At the time being you can ignore the prio low findings. Please find background information and a link to the Checkmarx project for your repository in the Wiki (restricted access). In the Wiki (restricted access) you will as well find information how to get a Checkmarx user which is required to be able to do your assessment in the Checkmarx Web UI.

Faster way to target Shoots

Is there a faster way to target a Shoot cluster other than

$ gardenctl target project <NAME>
$ gardenctl target shoot <NAME>

?

If not, can we have a faster way to do so?

Thanks.

Missing support for kubernetes v1.9

Currently, gardenctl supports only k8s cluster version 1.6, 1.7 and 1.8.

When I execute gardenctl ls issues against k8s cluster version 1.9, I got an error:

$  gardenctl get target
target:
- kind: garden
  name: live
$  gardenctl ls issues
Kubernetes cluster has version 1.9 which is not supported

Garden CLI Improvements

Thank you for providing gardenctl. Here is what I found out using it and how we can make it even better:

  • In general think about making all output (but the help) structured and think about allowing for format options like -o json and -o yaml (like kubectl) and then we can again introduce a table/prose mode again, but we should have a technical output mode before that (e.g. yaml in the beginning, see examples below)

  • Targeting projects missing completely, but that's more important for the operator than seeds (which can be automatically handled by gardenctl as that's the scope our users work in)

  • It would be convenient to support a form of gardenctl target where users don't have to explicitly name the kind (gardenctl should "guess" the kind project, seed, or shoot if unambiguously possible, otherwise it should show the conflict and ask the user to name the kind explicitly):

    • We could introduce garden clusters into the configuration, e.g. .garden/config:
      gardenClusters:
      - name: dev
        kubeConfig: ~/clusters/garden-dev/kubeconfig.yaml
      - name: prod
        kubeConfig: ~/clusters/garden-prod/kubeconfig.yaml
    • If nothing is in target, the argument may be a seed, project, or shoot (seed and project won't conflict in most cases, project and shoot could conflict sometimes), so gardenctl should take the argument and compare it against all seeds, all projects, and all shoots
    • If a project or seed is in target, the argument is always a shoot, so it's unambiguous anyway
    • Note 1: General expected behaviour in all cases:
      • If none matches, issue an error
      • If one matches, take it
      • If more than one matches, issue an error, output the matches, and ask the user for disambiguation
    • Note 2: As an extension of the above, plan to add the following as next step:
      • Allow for a * wildcard, e.g. foo* would match with foot or foo-bar, but not with my-foot (*foo* would match that as well)
      • Employ algorithms like https://en.wikipedia.org/wiki/Levenshtein_distance to measure the differences and pick the one with the shortest difference, but only up to a certain (ideally configurable in some file like e.g. .garden/config) limit
  • Introduce a command like gardenctl get [(garden|project|seed|shoot) <name>] that shows the seed, project, or shoot resource (in yaml, similar to kubectl ... -o yaml) as that's often already sufficient for an operator (if argument is omitted, show currently targeted resource):

    • Garden: Garden KUBECONFIG
    • Seed: Seed secret (soon actual seed CRD with kubernetes/garden-operator#259)
    • Project: Project namespace
    • Shoot: Shoot CRD
  • Consider renaming gardenctl get (gardens|projects|seeds|shoots|issues) into gardenctl ls (projects|seeds|shoots|issues), because that would feel more natural and wouldn't clash with get (ok, kubectl also uses get for both use cases, but that always feels wrong and commands such as aws or docker and the like all have an ls command)

  • When a garden, seed or shoot is targeted, show the location of the cached kubeconfig (for seeds and shoots), so that the user can immediately export it (e.g. even automatically within a bash alias/function, i.e. in a structured way), if he intends to work with that cluster from now on (instead of gardenctl kubeconfig -- ... which is more verbose and lacks command line completion)

  • Do not duplicate kubeconfigs in .garden/cache/tmp, but instead maintain the target as reference in e.g. in a file like .garden/target that contains the following (which would make it possible for users to embed that in their PS1 variable/command prompt):

    • If only the garden cluster is in target, the file contains:

      target:
      - kind: garden
        name: dev
    • If a project is in target, the file contains:

      target:
      - kind: garden
        name: dev
      - kind: project
        name: foo-bar
    • If a seed is in target, the file contains:

      target:
      - kind: garden
        name: dev
      - kind: seed
        name: seed-aws-eu1
    • If a shoot is in target and the user reached it via a project, the file contains:

      target:
      - kind: garden
        name: dev
      - kind: project
        name: foo-bar
      - kind: shoot
        name: cl-54321
    • If a shoot is in target and the user reached it via a seed, the file contains:

      target:
      - kind: garden
        name: dev
      - kind: seed
        name: seed-aws-eu1
      - kind: shoot
        name: cl-54321
    • If the user runs gardenctl drop without a kind, the last entry from the target "stack" is "popped" until the target "stack" is empty (in which case gardenctl should issue an error)

    • If the user runs gardenctl drop project or gardenctl drop seed while targeting a shoot, both project/seed and the shoot are "popped" from the target "stack"

    • Instead, gardenctl drop is expecting some "target" right now (the concrete resource maybe, but why?) and the sub command help (like for many other sub commands) is completely missing and instead I get some "Cobra" hint:

      > g drop
      Command must be in the format: drop [target]
      
      > g drop shoot
      Command must be in the format: drop [target]
      
      > g drop --help
      A longer description that spans multiple lines and likely contains examples
      and usage of using your command. For example:
      
      Cobra is a CLI library for Go that empowers applications.
      This application is a tool to generate the needed files
      to quickly create a Cobra application.
      
      Usage:
        gardenctl drop [flags]
      
      Global Flags:
            --cache int       activate 1 / deactivate 0 caching (default 1)
            --config string   config file (default is $HOME/.gardenctl.yaml)

      Expected is the behaviour from above and proper sub command help for all sub commands.

  • Do not show the seed cluster namespace when listing shoots (e.g. shoot-garden-mitsubishi-clust4vora), but depending on the target:

    • If neither seed nor project is in target and someone runs gardenctl ls shoots (group rather by project than seed):
    projects:
    - project: foo-bar
      shoots:
      - cl-12345
    - project: john-doe
      shoots:
      - cl-54321
    - project: some-thing
      shoots:
      - cl-thing
    • If a project is in target and someone runs gardenctl ls shoots:
    seeds:
    - seed: seed-aws-eu1
      shoots:
      - cl-12345
      - cl-54321
    - seed: seed-aws-na1
      shoots:
      - cl-thing
    • If a seed is in target and someone runs gardenctl ls shoots:
    projects:
    - project: foo-bar
      shoots:
      - cl-12345
    - project: john-doe
      shoots:
      - cl-54321
  • Do not hide IaaS CLI stdout/err, e.g. when launching the command wrongly, I don't know what went wrong:

    > g aws s3 nonsense
    panic: Please make sure to use a valid aws command
    
    goroutine 1 [running]:
    [callstack...]

    Expected:

    > aws s3 nonsense
    usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
    To see help text, you can run:
    
      aws help
      aws <command> help
      aws <command> <subcommand> help
    aws: error: argument subcommand: Invalid choice, valid choices are:
    
    ls                                       | website
    cp                                       | mv
    rm                                       | sync
    mb                                       | rb
    presign
    
  • The same also happens with kubectl:

    > g kubectl get nodes
    panic: exit status 1
    
    goroutine 1 [running]:
    [callstack...]

    Expected was the error message of kubectl.

  • Generally, in case of expected (user) errors (like above or below), do not write a call stack (write a callstack only when something unanticipated happens, e.g. the program reaches its outermost catch block):

> $ g download tf shoot-garden-core-itpa-436 infra
panic: configmaps "itpa-436.infra.tf-config" not found <-- that is helpful

goroutine 1 [running]:                                 <-- that is not helpful
[callstack...]
  • Remove gardenctl get all as that's implicit if the user hasn't targeted any project or seed before anyhow with gardenctl get shoots
  • Remove gardenctl target direct as that's not part of the spec #2 and confusing, because the word direct is used to target shoots, but the word has no relation to that kind
  • Instead, add the following optional options to garden target: --garden|-g, --project|-p or --seed|-s (never allow both, project and seed, at the same time)
  • Make gardenctl get issues more helpful (and faster if possible? why is it so slow?):
    • Do not show the namespace, but the project as this is the main hierarchical level and show it first
    • Show the shoot cluster resource status (without uid and gardenOperator and possibly later also other black-listed fields not helpful for this command)
    issues:
    - project: foo-bar
      seed: seed-aws-eu1
      shoot: cl-54321
      status:
        lastError: "Failed to create Shoot cluster (Errors occurred during parallel execution:
          '(CloudBotanist).DeployInfrastructure' returned 'Terraform execution job could
          not be completed. The following issues have been found in the logs:\n\n-> Pod
          'paj7wlu4tu.infra.tf-job-79984' reported:\n* aws_vpc.vpc: 1 error(s) occurred:\n*
          aws_vpc.vpc: Error creating VPC: VpcLimitExceeded: The maximum number of VPCs
          has been reached.\n\tstatus code: 400, request id: <omitted>')"
        lastOperation:
          description: "Failed to create Shoot cluster (Errors occurred during parallel
            execution: '(CloudBotanist).DeployInfrastructure' returned 'Terraform execution
            job could not be completed. The following issues have been found in the logs:\n\n->
            Pod 'paj7wlu4tu.infra.tf-job-79984' reported:\n* aws_vpc.vpc: 1 error(s) occurred:\n*
            aws_vpc.vpc: Error creating VPC: VpcLimitExceeded: The maximum number of VPCs
            has been reached.\n\tstatus code: 400, request id: <omitted>')"
          lastUpdateTime: 2017-12-05T10:01:15Z
          progress: 36
          state: Failed
          type: Create
  • g download tf NAME infra wasn't doing anything for me, it just ended
  • Remove the need to name the cluster in above command
  • g show vpn-seed isn't showing all control plane pods that contain a vpn (sidecar) container (e.g. Prometheus needs the vpn (sidecar) container as well)
  • g show (ui|dashboard) isn't showing the pod information on the command line like g show (prometheus|grafana|alertmanager) does (all show sub commands should do that)
  • g show ui was opening the (singular) landing page, instead of opening the corresponding gardener UI by looking into the garden cluster (and then e.g. the ingress gardener-ingress resource)
  • g (show|logs) tf (infra|dns|ingress) not yet implemented (watch out, a.) there may be many terraform pods, pick the latest/running and b.) terraform pods may already be gone, when the operation completed)
  • g logs operator wasn't doing anything for me (when a shoot was in target), it just ended
  • g logs operator should show the operator logs filtered by the currently targeted shoot (I targeted the shoot cluster that appeared last in the full log)
  • g logs dashboard wasn't doing anything for me, it just ended
  • g logs addon-manager wasn't doing anything for me, it just ended
  • g logs (prometheus|grafana|alertmanager) failed with an exception right away
  • What is the help entry save [config] supposed to do/mean (not in spec #2)?
  • Remove help entry (and logic behind that if implemented) for --config string config file (default is $HOME/.gardenctl.yaml) (not in spec #2) and use a default such as $HOME/.garden/config or allow for an environment variable such as GARDENCONFIG that points to said file; mention that in the help
  • Remove help entry (and logic behind that if implemented) for --cache int activate 1 / deactivate 0 caching (default 1) (not in spec #2) and always cache unless user runs gardenctl with the --no-cache option; mention said option --no-cache in the help
  • Introduce the following short forms for gardenctl kubectl (can be, but doesn't necessarily have to be mentioned in the help if it would make it unreadable):
    • gardenctl k substitutes gardenctl kubectl
    • gardenctl ks substitutes gardenctl kubectl --namespace=kube-system
    • gardenctl ka substitutes gardenctl kubectl --all-namespaces=true
  • Remove the welcome line in the help, especially since it says Gardenctl, which is incorrect (not the name of the command, which is case-sensitive)
  • Rearrange the help as it uses alphabetical order which is hard to read and makes it difficult for the user to get the gist of what gardenctl is actually doing:
Usage:
  gardenctl <command>

Available Commands:
  ls          (gardens|projects|seeds|shoots|issues)   list all resource instances, e.g. list of shoots
  target      (garden|project|seed|shoot) <name>      set scope for next operations
  drop        [(garden|project|seed|shoot)]           drop scope for next operations (default: last target)
  get         [(garden|project|seed|shoot) <name>]    get single resource instance, e.g. CRD of a shoot (default: current target)

  download    tf (infra|dns|ingress)                  download terraform configuration/state for local execution for the targeted shoot
  show        (operator|ui|                           show details about endpoint/service and open in Chrome if applicable
               tf (infra|dns|ingress)|                (tf sub commands require targeted shoot)
               api|scheduler|controller-manager|etcd-operator|etcd-main|etcd-events|
               addon-manager|vpn-seed|vpn-shoot|auto-node-repair|
               dashboard|prometheus|grafana|alertmanager)
  logs        (operator|ui|                           show and optionally follow logs of given component
               tf (infra|dns|ingress)|                (tf sub commands require targeted shoot)
               api|scheduler|controller-manager|etcd-operator|etcd-main|etcd-events|
               addon-manager|vpn-seed|vpn-shoot|auto-node-repair|
               dashboard|prometheus|grafana|alertmanager)

  kubectl     <args>
  aws         <args>
  az          <args>
  gcloud      <args>
  openstack   <args>

Available Options:
      --no-cache        do not cache KUBECONFIG files
  -h, --help            help for gardenctl

Use "gardenctl <command> --help" for more information about a given specific command.
Configuration and KUBECONFIG file cache located $GARDENCTL_HOME or ~/.garden (default).
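
The target-matching rules proposed in the issue above (none/one/many matches, `*` wildcard, Levenshtein distance up to a limit), as an added example that is not gardenctl's own code. `Candidate`, `Resolve`, `maxDist` and the sample resource list are hypothetical names constructed for illustration; the point is that an ambiguous or far-off argument is rejected rather than guessed, so a command never runs against an unintended cluster.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// Candidate is a targetable resource (hypothetical type for this example).
type Candidate struct {
	Kind string // "project", "seed" or "shoot"
	Name string
}

var (
	ErrNoMatch   = errors.New("no match")
	ErrAmbiguous = errors.New("ambiguous target")
)

func min3(a, b, c int) int {
	if b < a {
		a = b
	}
	if c < a {
		a = c
	}
	return a
}

// levenshtein returns the edit distance between a and b (two-row DP).
func levenshtein(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	prev, cur := make([]int, len(rb)+1), make([]int, len(rb)+1)
	for j := range prev {
		prev[j] = j
	}
	for i := 1; i <= len(ra); i++ {
		cur[0] = i
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			cur[j] = min3(prev[j]+1, cur[j-1]+1, prev[j-1]+cost)
		}
		prev, cur = cur, prev
	}
	return prev[len(rb)]
}

// Resolve picks a target for arg. Exact names (or a '*' pattern) are tried
// first; only if nothing matches does it fall back to the closest name within
// maxDist edits. More than one match is an error that lists the matches.
func Resolve(arg string, all []Candidate, maxDist int) (Candidate, []Candidate, error) {
	var matches []Candidate
	wildcard := strings.Contains(arg, "*")
	for _, c := range all {
		ok := c.Name == arg
		if wildcard {
			var err error
			if ok, err = path.Match(arg, c.Name); err != nil {
				return Candidate{}, nil, fmt.Errorf("bad pattern %q: %w", arg, err)
			}
		}
		if ok {
			matches = append(matches, c)
		}
	}
	if len(matches) == 0 && !wildcard {
		best := maxDist + 1 // anything at or above this is too far away
		for _, c := range all {
			d := levenshtein(arg, c.Name)
			switch {
			case d < best:
				best, matches = d, []Candidate{c}
			case d == best && d <= maxDist:
				matches = append(matches, c) // tie: stays ambiguous
			}
		}
	}
	switch len(matches) {
	case 0:
		return Candidate{}, nil, fmt.Errorf("%w for %q", ErrNoMatch, arg)
	case 1:
		return matches[0], matches, nil
	default:
		return Candidate{}, matches, fmt.Errorf("%w: %q matches %d resources, name the kind explicitly",
			ErrAmbiguous, arg, len(matches))
	}
}

// sampleCandidates is constructed data reusing names that appear in the issues.
func sampleCandidates() []Candidate {
	return []Candidate{
		{Kind: "project", Name: "garden-core"}, {Kind: "project", Name: "foo-bar"},
		{Kind: "seed", Name: "seed-aws-eu1"}, {Kind: "shoot", Name: "foo-bar"},
		{Kind: "shoot", Name: "vl-canary"}, {Kind: "shoot", Name: "vl-dev"},
		{Kind: "shoot", Name: "vl-live"}, {Kind: "shoot", Name: "vl-staging"},
	}
}

func main() {
	for _, arg := range []string{"vl-dev", "vl-de", "vl-*", "foo-bar", "core"} {
		c, matches, err := Resolve(arg, sampleCandidates(), 2)
		if err != nil {
			fmt.Printf("%-8s -> error: %v %v\n", arg, err, matches)
			continue
		}
		fmt.Printf("%-8s -> %s/%s\n", arg, c.Kind, c.Name)
	}
}
```

With a limit of 2 edits, `core` is still rejected against `garden-core`; matching a project by its `project.garden.sapcloud.io/name` label, as other issues on this page request, would need that label value added as a second candidate name.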

Index out of bounds if config is empty

This is a minor issue that I noticed when I first installed gardenctl on my Mac. After building the tool, I typed
gardenctl
and got the following error message

panic: runtime error: index out of range

goroutine 1 [running]:
github.com/gardener/gardenctl/cmd.getGardenClusterKubeConfigFromConfig()
	/Users/d047401/go/src/github.com/gardener/gardenctl/cmd/miscellaneous.go:47 +0x359
github.com/gardener/gardenctl/cmd.Execute()
	/Users/d047401/go/src/github.com/gardener/gardenctl/cmd/root.go:62 +0x508
main.main()
	/Users/d047401/go/src/github.com/gardener/gardenctl/gardenctl.go:20 +0x20

The reason for the error is that I was lacking a cluster entry in the gardenctl config file.
However, I would expect some nicer output, something like "You need to add a cluster config to your configuration before you can use the tool" rather than an out of bounds exception.

Panic when showing the api server, but no shoot in target (user errors should not end in panics)

$ gardenctl get target
target:
- kind: garden
  name: dev
- kind: seed
  name: seed-openstack-dev

$ gardenctl show api
panic: runtime error: index out of range

goroutine 1 [running]:
github.com/gardener/gardenctl/cmd.showPod(0x1d3328f, 0xe, 0x1d2be90, 0x4)
	/Users/d043832/go/src/github.com/gardener/gardenctl/cmd/show.go:153 +0x61d
github.com/gardener/gardenctl/cmd.showAPIServer()
	/Users/d043832/go/src/github.com/gardener/gardenctl/cmd/show.go:173 +0x4b
github.com/gardener/gardenctl/cmd.glob..func14(0x2497f60, 0xc42031b6f0, 0x1, 0x1)
	/Users/d043832/go/src/github.com/gardener/gardenctl/cmd/show.go:48 +0x39c
github.com/gardener/gardenctl/vendor/github.com/spf13/cobra.(*Command).execute(0x2497f60, 0xc42031b680, 0x1, 0x1, 0x2497f60, 0xc42031b680)
	/Users/d043832/go/src/github.com/gardener/gardenctl/vendor/github.com/spf13/cobra/command.go:603 +0x22b
github.com/gardener/gardenctl/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0x24965e0, 0x0, 0x0, 0x100000000000000)
	/Users/d043832/go/src/github.com/gardener/gardenctl/vendor/github.com/spf13/cobra/command.go:689 +0x339
github.com/gardener/gardenctl/vendor/github.com/spf13/cobra.(*Command).Execute(0x24965e0, 0xc, 0x0)
	/Users/d043832/go/src/github.com/gardener/gardenctl/vendor/github.com/spf13/cobra/command.go:648 +0x2b
github.com/gardener/gardenctl/cmd.Execute()
	/Users/d043832/go/src/github.com/gardener/gardenctl/cmd/root.go:60 +0x4f8
main.main()
	/Users/d043832/go/src/github.com/gardener/gardenctl/gardenctl.go:20 +0x20
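Both "index out of range" reports above (the empty cluster list in the config, and a target stack without a shoot) ask for a readable error in place of a panic. The guard below is an added example, not gardenctl's code; the types and the names `firstKubeConfig` and `requireKind` are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Target is one level of the target stack printed by "gardenctl get target".
type Target struct{ Kind, Name string }

// Cluster is a simplified, hypothetical model of one config file entry.
type Cluster struct{ Name, KubeConfig string }

var errNoCluster = errors.New("no garden cluster configured: add a cluster entry to the gardenctl config file")

// firstKubeConfig returns the kubeconfig path of the first configured
// garden cluster, or a readable error when the list is empty.
func firstKubeConfig(clusters []Cluster) (string, error) {
	if len(clusters) == 0 {
		return "", errNoCluster
	}
	if clusters[0].KubeConfig == "" {
		return "", fmt.Errorf("cluster %q has no kubeConfig path", clusters[0].Name)
	}
	return clusters[0].KubeConfig, nil
}

// requireKind searches the target stack for the wanted kind instead of
// indexing a fixed position that may not exist.
func requireKind(stack []Target, kind string) (Target, error) {
	for _, t := range stack {
		if t.Kind == kind {
			return t, nil
		}
	}
	return Target{}, fmt.Errorf("no %s targeted: run \"gardenctl target %s <name>\" first", kind, kind)
}

func main() {
	// Constructed sample: the garden + seed stack from the second report.
	stack := []Target{{Kind: "garden", Name: "dev"}, {Kind: "seed", Name: "seed-openstack-dev"}}
	if _, err := requireKind(stack, "shoot"); err != nil {
		fmt.Println("Error:", err)
	}
	if _, err := firstKubeConfig(nil); err != nil {
		fmt.Println("Error:", err)
	}
}
```

Returning an error also keeps the goroutine dump, with its local build paths and user IDs, out of what the user sees and pastes into a ticket.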

Support for Worker Node SSH

How about adding direct support in gardenctl to ssh into worker nodes? The ops guide (in the works, kb/ssh-to-aws-shoot-node.md) anyways describes a way that is no longer supported as Gardener doesn't create the bastion ASGs anymore for AWS (cc @plkokanov). GCP on the other hand, requires opening up firewall rules (ideally, gardenctl closes them afterwards again).

E.g. on AWS we could now automate (based on input from @rfranzke):

  • gardenctl aws ec2 run-instances -- --iam-instance-profile Name=shoot-<project>-<cluster>-bastions --image-id ami-d0dcef3b --count 1 --instance-type t2.nano --key-name shoot-<project>-<cluster>-ssh-publickey --security-group-ids <securitygroup> --subnet-id <subnet> --associate-public-ip-address and then ssh -i <(kubectl -n garden--<project> get secret <cluster>.ssh-keypair -o jsonpath={.data.id_rsa} | base64 -d) core@<bastion-public-ip>

P.S.: There is only a bug template, but I believe it's also OK to open feature requests, right? :-)

Add download function for VPN log files

Feature

Add download function for VPN log files to ease the debugging of VPN problems on the different infrastructures.

Implementation Proposal:

  • Download VPN logs file of all kube-apiserver on the seed side
  • Download VPN log file of prometheus on the seed side
  • Download VPN log file of the shoot

Fix "trial-secretbinding" not found

Update to read Secret from SecretBinding Reference for Shoot Cluster instead of Secret directly.
Changed requirements due to trial clusters.

gardenctl {shell,ssh} does not appear to work when OS is JeOS

Describe the bug
gardenctl shell and gardenctl ssh don't work when the operating system on the nodes is JeOS.

To Reproduce

$ gardenctl version
gardenctl:
	version     : 0.10.0
	build date  : 2019-05-02
	go version  : go1.12.4
	go compiler : gc
	platform    : darwin/amd64
$ gardenctl shell
ip-10-250-2-103.eu-central-1.compute.internal
$ gardenctl shell ip-10-250-2-103.eu-central-1.compute.internal
Error: node "ip-10-250-2-103.eu-central-1.compute.internal" not found
$ gardenctl ssh
Node ips:
- 10.250.2.103
$ gardenctl ssh 10.250.2.103
Downloaded id_rsa key
Creating bastion host
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: argument --image-id: expected one argument
$

cluster is dev - core - dm-jeos3

Expected behavior
It should work

Screenshots
n/a

Gardenctl Version (please complete the following information):

see above

Additional context

Brew Formula

Can we please brew gardenctl, so that Mac users can more easily install this tool? Or is that not worth the effort (single binary anyway) as we would have to maintain a tap, too?

No help if config is missing

When not having a config, gardenctl is not helping the user, even gardenctl -h is not reachable, either:

$ gardenctl
open /Users/d043832/.garden/config: no such file or directory
$ gardenctl --help
open /Users/d043832/.garden/config: no such file or directory

Expected is to get to the help independent of the configuration file, ideally explaining what to do (without reading the README.md, that is not available locally if the user has not cloned the repo).

Read kubeconfig and ssh key secret from garden cluster

Read the kubeconfig and ssh secrets from garden cluster instead of seed cluster.
The secrets are synced in the garden cluster and can be accessed under <shoot-name>.<kubeconfig|ssh>

  • read the kubeconfig from the garden cluster, done by #107
  • read the ssh keys from the garden cluster

"gardenctl target shoot" throws segmentation error

Moved from gardener/gardener#220 (@praveendhac)

Created new shoot cluster successfully. Saw segmentation error while setting target to Shoot cluster
gardenctl target shoot pd-shoot1-azure

Crash Trace
`panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x28 pc=0x11ef756]

goroutine 1 [running]:
github.com/gardener/gardenctl/vendor/github.com/sirupsen/logrus.(*Logger).level(...)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/vendor/github.com/sirupsen/logrus/logger.go:312
github.com/gardener/gardenctl/vendor/github.com/sirupsen/logrus.(*Logger).Debugf(0x0, 0x1cf383d, 0x64, 0xc42051bc30, 0x1, 0x1)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/vendor/github.com/sirupsen/logrus/logger.go:116 +0x26
github.com/gardener/gardenctl/vendor/github.com/gardener/gardener/pkg/client/kubernetes.newKubernetesClient(0xc4200f0000, 0xc420106b40, 0x1da60c0, 0xc4200caaf0, 0x50, 0xc4200f0000, 0x0, 0x0)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/vendor/github.com/gardener/gardener/pkg/client/kubernetes/client.go:139 +0x354
github.com/gardener/gardenctl/vendor/github.com/gardener/gardener/pkg/client/kubernetes.newClientSet(0xc4200f0000, 0x1da60c0, 0xc4200caaf0, 0x0, 0xc4200f0000, 0xc4200d4d20, 0xc4206a40c0)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/vendor/github.com/gardener/gardener/pkg/client/kubernetes/client.go:88 +0x7f
github.com/gardener/gardenctl/vendor/github.com/gardener/gardener/pkg/client/kubernetes.NewClientFromFile(0xc4202b2f20, 0x1e, 0xc4200d4d20, 0x0, 0x0, 0x0)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/vendor/github.com/gardener/gardener/pkg/client/kubernetes/client.go:45 +0x17d
github.com/gardener/gardenctl/cmd.getSeedForProject(0xc42040e120, 0xf, 0xc4206a40c0, 0x1012009)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/cmd/target.go:626 +0xa7
github.com/gardener/gardenctl/cmd.getKubeConfigOfClusterType(0x1cad619, 0x4, 0x19, 0xc4202b21e0)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/cmd/target.go:656 +0x105
github.com/gardener/gardenctl/cmd.clientToTarget(0x1cad619, 0x4, 0x1cae294, 0x7, 0x0)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/cmd/miscellaneous.go:77 +0x56d
github.com/gardener/gardenctl/cmd.targetShoot(0xc420260b70, 0xf)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/cmd/target.go:595 +0x1992
github.com/gardener/gardenctl/cmd.glob..func17(0x2451180, 0xc42019dee0, 0x2, 0x2)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/cmd/target.go:121 +0x13ed
github.com/gardener/gardenctl/vendor/github.com/spf13/cobra.(*Command).execute(0x2451180, 0xc42019de20, 0x2, 0x2, 0x2451180, 0xc42019de20)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/vendor/github.com/spf13/cobra/command.go:702 +0x2c6
github.com/gardener/gardenctl/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0x244f1a0, 0x0, 0x0, 0x100000000000028)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/vendor/github.com/spf13/cobra/command.go:783 +0x2e4
github.com/gardener/gardenctl/vendor/github.com/spf13/cobra.(*Command).Execute(0x244f1a0, 0x20, 0xc42003fdc0)
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/vendor/github.com/spf13/cobra/command.go:736 +0x2b
github.com/gardener/gardenctl/cmd.Execute()
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/cmd/root.go:64 +0x56b
main.main()
/Users/pdarshanam/go/src/github.com/gardener/gardenctl/gardenctl.go:20 +0x20 `

Project list
`$ gardenctl ls projects
projects:
- project: garden-dev
  shoots:
  - pd-shoot1-azure`

The command sometimes throws secret not found error
$ gardenctl target shoot pd-shoot1-azure
secrets "kubecfg" not found

Could not reproduce the crash consistently.

Adapt to new Gardener status labels

Since gardener/gardener#552, Gardener reports a Shoot's healthiness additionally via the shoot.garden.sapcloud.io/status label. The old (shoot.garden.sapcloud.io/unhealthy) label is still there but is deprecated and will be removed in the future. gardenctl should adapt and use the new status label with its current three distinct values healthy, unhealthy and progressing (maybe in accordance with how the dashboard does it?).

Order of ls resources surprising

gardenctl ls shows:

Command must be in the format: ls [issues|projects|gardens|seeds|shoots]

Maybe this order is more logical:

Command must be in the format: ls [gardens|projects|seeds|shoots|issues]

No Auth Provider found for name "azure"

Describe the bug
Gardenctl doesn't work with AAD+RBAC enabled AKS cluster with regular user credentials (user has the cluster-admin ClusterRole assigned).

$ gardenctl ls shoots
No Auth Provider found for name "azure"

To Reproduce
Steps to reproduce the behavior:

  1. install an AAD enabled AKS cluster to use as garden cluster: https://docs.microsoft.com/en-us/azure/aks/aad-integration
  2. Get admin token:
az aks get-credentials -g myAKSCluster -n myAKSCluster --admin -f ~/.kube/myAKSCluster.config
  3. Define cluster-admin role to your own AAD user:
env KUBECONFIG=~/.kube/myAKSCluster.config kubectl create clusterrolebinding my-user-is-cluster-admin --user [email protected] --clusterrole cluster-admin
  4. Get kubeconfig for your user:
az aks get-credentials -g myAKSCluster -n myAKSCluster -f ~/.kube/myAKSCluster.config
  5. Configure gardenctl to use my user's kubeconfig:
$ cat <<EOF >> ~/.garden/config 
- name: myAKSCluster
  kubeConfig: ~/.kube/myAKSCluster.config
EOF
  6. Test your user can issue kubectl commands on your cluster:
$ env KUBECONFIG=~/.kube/myAKSCluster.config kubectl get svc
To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code DRP2MRQYZ to authenticate.
NAME         TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
kubernetes   ClusterIP   10.0.0.1     <none>        443/TCP   2d
  7. Test if gardenctl can reach the garden cluster:
$ gardenctl ls gardens
gardenClusters:
- name: msa-dev
$ gardenctl target garden msa-dev
KUBECONFIG=/Users/user/.kube/myAKSCluster.config
$ gardenctl ls seeds
No Auth Provider found for name "azure"

Expected behavior
gardenctl ls seeds should ask me to login to Azure AAD domain.

Gardenctl Version (please complete the following information):

commit b21b4bde14663faee381697cb1d93a8b53a3e81a
Author: Sebastian Stauch <[email protected]>
Date:   Fri Jun 8 12:29:35 2018 +0200

Adapt to CloudProfile change

With gardener/gardener#930 the AMI is no longer part of the CloudProfile resource.
gardenctl was relying on it during gardenctl ssh to determine the --image-id of the bastion vm.

https://github.com/gardener/gardenctl/blob/6031b4adf8992802e309e11cf044a14b22b8f982/cmd/ssh.go#L85-L94

$ gardenctl ssh <ip>
Downloaded id_rsa key
Creating bastion host
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:

  aws help
  aws <command> help
  aws <command> <subcommand> help
aws: error: argument --image-id: expected one argument
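The `--image-id: expected one argument` output in this report and in the JeOS report above is consistent with the AMI lookup returning nothing, so the flag reaches the aws CLI without a value. The following is an added example, not gardenctl's code: `BastionParams` and `bastionArgs` are hypothetical names, the flags are those of the run-instances call quoted earlier on this page, and each value is validated before the argument vector is built.

```go
package main

import (
	"fmt"
	"strings"
)

// BastionParams holds the values the run-instances call needs.
// The struct and its field names are hypothetical, not gardenctl's types.
type BastionParams struct {
	InstanceProfile, ImageID, KeyName, SecurityGroupID, SubnetID string
}

// bastionArgs returns the argument vector for "aws ec2 run-instances".
// Every value is checked first, so an empty AMI lookup is reported by name
// instead of reaching the CLI as "--image-id" followed by the next flag.
func bastionArgs(p BastionParams) ([]string, error) {
	required := []struct{ flag, value string }{
		{"--iam-instance-profile", p.InstanceProfile},
		{"--image-id", p.ImageID},
		{"--key-name", p.KeyName},
		{"--security-group-ids", p.SecurityGroupID},
		{"--subnet-id", p.SubnetID},
	}
	args := []string{"ec2", "run-instances", "--count", "1", "--instance-type", "t2.nano"}
	for _, r := range required {
		v := strings.TrimSpace(r.value)
		if v == "" {
			return nil, fmt.Errorf("cannot create bastion: no value for %s", r.flag)
		}
		// A value that looks like a flag or contains whitespace would be
		// misread by the CLI, so it is rejected as well.
		if strings.HasPrefix(v, "-") || strings.ContainsAny(v, " \t\n") {
			return nil, fmt.Errorf("cannot create bastion: invalid value %q for %s", v, r.flag)
		}
		args = append(args, r.flag, v)
	}
	return append(args, "--associate-public-ip-address"), nil
}

func main() {
	// Constructed sample values; the empty ImageID mimics the failed AMI lookup.
	p := BastionParams{InstanceProfile: "Name=shoot-demo-c1-bastions", KeyName: "shoot-demo-c1-ssh-publickey",
		SecurityGroupID: "sg-00000000", SubnetID: "subnet-00000000"}
	_, err := bastionArgs(p)
	fmt.Println("Error:", err)
}
```

Passing the returned slice to `exec.Command("aws", args...)` keeps a shell from re-splitting the values.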

No Auth Provider found for name "gcp"

Describe the bug
I'd like to be able to connect to gardener cluster installed on GKE. Right now it's not possible because of such error when I do gardenctl ls projects:

No Auth Provider found for name "gcp"

To Reproduce
Steps to reproduce the behavior:

  • install gardener on GKE
  • get kubeconfig for GKE cluster, set proper ~/.garden/config etc
  • run gardenctl ls projects

Expected behavior
I will see list of projects

Screenshots
If applicable, add screenshots to help explain your problem.

Gardenctl Version (please complete the following information):

  • 0.5.0

Additional context
Add any other context about the problem here.
