Deploy releases/k8s-manifests eebb6a2

.github/workflows/k8s-deploy.yml

@@ -28,35 +28,63 @@ jobs:
 
         # initialize empty log of kube operations
         echo -n '' > /tmp/kube.log
+        echo -n '' > /tmp/kube.err
 
     - name: 'Apply manifests: CRD resources'
       run: |
         if [ -d ./_/CustomResourceDefinition ]; then
-          kubectl apply -Rf ./_/CustomResourceDefinition | tee -a /tmp/kube.log
+          # Capture errors and add context
+          dir_errors=$(kubectl apply -Rf ./_/CustomResourceDefinition 2>&1 1>>/tmp/kube.log || true)
+
+          # Filter and append errors with context if meaningful
+          filtered_errors=$(echo "$dir_errors" | \
+                            grep -v "Warning: Use tokens from the TokenRequest API" | \
+                            grep -v "^Error: exit status [0-9]*$" | \
+                            grep -v "^[[:space:]]*$" || true)
+
+          if [ -n "$filtered_errors" ] && echo "$filtered_errors" | grep -q '[^[:space:]]' 2>/dev/null; then
+              echo "=== CRD Resources ===" >> /tmp/kube.err
+              echo "$filtered_errors" >> /tmp/kube.err
+              echo "" >> /tmp/kube.err
+          fi
         fi
 
     - name: 'Apply manifests: non-CRD global resources'
       run: |
         if [ -d ./_ ]; then
-          (
-            find _ \
-              -maxdepth 1 \
-              -mindepth 1 \
-              -type d \
-              -not -name 'CustomResourceDefinition' \
-              -print0 \
-            | sort -z \
-            | xargs -r0 -n 1 kubectl apply -Rf
-          ) | tee -a /tmp/kube.log
+          find _ \
+            -maxdepth 1 \
+            -mindepth 1 \
+            -type d \
+            -not -name 'CustomResourceDefinition' \
+            -print0 \
+          | sort -z \
+          | while IFS= read -r -d '' dir; do
+              # Capture errors and add context per directory
+              dir_errors=$(kubectl apply -Rf "$dir" 2>&1 1>>/tmp/kube.log || true)
+
+              # Filter and append errors with context if meaningful
+              filtered_errors=$(echo "$dir_errors" | \
+                                grep -v "Warning: Use tokens from the TokenRequest API" | \
+                                grep -v "^Error: exit status [0-9]*$" | \
+                                grep -v "^[[:space:]]*$" || true)
+
+              if [ -n "$filtered_errors" ] && echo "$filtered_errors" | grep -q '[^[:space:]]' 2>/dev/null; then
+                  echo "=== Directory: $dir ===" >> /tmp/kube.err
+                  echo "$filtered_errors" >> /tmp/kube.err
+                  echo "" >> /tmp/kube.err
+              fi
+            done
         fi
 
     - name: 'Apply manifests: generated regcred secrets'
       run: |
-
         # apply a copy of regcred secret for every deployed namespace
         while IFS= read -r namespace; do
           namespace="$(basename "${namespace}")"
-          cat <<EOF | kubectl apply -f - | tee -a /tmp/kube.log
+
+          # Capture errors for this namespace's regcred
+          secret_errors=$(cat <<EOF | kubectl apply -f - 2>&1 1>>/tmp/kube.log || true
         apiVersion: v1
         kind: Secret
         metadata:
@@ -66,20 +94,46 @@ jobs:
         data:
           .dockerconfigjson: ${{ secrets.DOCKER_CONFIG_BASE64 }}
         EOF
+        )
+
+          # Filter and append errors with context if meaningful
+          filtered_errors=$(echo "$secret_errors" | \
+                            grep -v "Warning: Use tokens from the TokenRequest API" | \
+                            grep -v "^Error: exit status [0-9]*$" | \
+                            grep -v "^[[:space:]]*$" || true)
+
+          if [ -n "$filtered_errors" ] && echo "$filtered_errors" | grep -q '[^[:space:]]' 2>/dev/null; then
+              echo "=== Regcred Secret: $namespace ===" >> /tmp/kube.err
+              echo "$filtered_errors" >> /tmp/kube.err
+              echo "" >> /tmp/kube.err
+          fi
         done <<< "$(find . -maxdepth 1 -type d -not -name '_' -not -name '.*')"
 
     - name: 'Apply manifests: namespaced resources'
       run: |
-        (
-          find . \
-            -maxdepth 1 \
-            -type d \
-            -not -name '_' \
-            -not -name '.*' \
-            -print0 \
-          | sort -z \
-          | xargs -r0 -n 1 kubectl apply -Rf
-        ) | tee -a /tmp/kube.log
+        find . \
+          -maxdepth 1 \
+          -type d \
+          -not -name '_' \
+          -not -name '.*' \
+          -print0 \
+        | sort -z \
+        | while IFS= read -r -d '' dir; do
+            # Capture errors and add context per directory
+            dir_errors=$(kubectl apply -Rf "$dir" 2>&1 1>>/tmp/kube.log || true)
+
+            # Filter and append errors with context if meaningful
+            filtered_errors=$(echo "$dir_errors" | \
+                              grep -v "Warning: Use tokens from the TokenRequest API" | \
+                              grep -v "^Error: exit status [0-9]*$" | \
+                              grep -v "^[[:space:]]*$" || true)
+
+            if [ -n "$filtered_errors" ] && echo "$filtered_errors" | grep -q '[^[:space:]]' 2>/dev/null; then
+                echo "=== Directory: $dir ===" >> /tmp/kube.err
+                echo "$filtered_errors" >> /tmp/kube.err
+                echo "" >> /tmp/kube.err
+            fi
+          done
 
     - name: 'Apply manifests: deleted resources'
       run: |
@@ -90,10 +144,27 @@ jobs:
           kind="${kind_name%%/*}"
           name="${kind_name##*/}"
 
+          # Capture errors for this deletion
           if [ "${namespace}" == "_" ]; then
-            kubectl delete $kind $name | tee -a /tmp/kube.log
+            delete_errors=$(kubectl delete $kind $name 2>&1 1>>/tmp/kube.log || true)
           else
-            kubectl -n $namespace delete $kind $name | tee -a /tmp/kube.log
+            delete_errors=$(kubectl -n $namespace delete $kind $name 2>&1 1>>/tmp/kube.log || true)
+          fi
+
+          # Filter and append errors with context if meaningful
+          filtered_errors=$(echo "$delete_errors" | \
+                            grep -v "Warning: Use tokens from the TokenRequest API" | \
+                            grep -v "^Error: exit status [0-9]*$" | \
+                            grep -v "^[[:space:]]*$" || true)
+
+          if [ -n "$filtered_errors" ] && echo "$filtered_errors" | grep -q '[^[:space:]]' 2>/dev/null; then
+              if [ "${namespace}" == "_" ]; then
+                  echo "=== Deleting: $kind/$name ===" >> /tmp/kube.err
+              else
+                  echo "=== Deleting: $namespace/$kind/$name ===" >> /tmp/kube.err
+              fi
+              echo "$filtered_errors" >> /tmp/kube.err
+              echo "" >> /tmp/kube.err
           fi
         done
 
@@ -113,6 +184,17 @@ jobs:
         EOF
         )"
 
+        # Conditionally append error output if it has meaningful content
+        if [ -s /tmp/kube.err ]; then
+            comment_body="${comment_body}
+
+        ## Errors/Warnings
+
+        \`\`\`
+        $(cat /tmp/kube.err)
+        \`\`\`"
+        fi
+
 
         ## get most recent merged PR
         echo

.github/workflows/k8s-prepare.yml

@@ -33,15 +33,34 @@ jobs:
 
     - name: Generate diff
       run: |
-        (
-          find . \
-            -maxdepth 1 \
-            -type d \
-            -not -name '.*' \
-            -print0 \
-          | sort -z \
-          | xargs -r0 -n 1 kubectl diff -Rf || true
-        ) > /tmp/kube.diff
+        # Initialize output files
+        echo -n '' > /tmp/kube.diff
+        echo -n '' > /tmp/kube.err
+
+        # Process each directory
+        find . \
+          -maxdepth 1 \
+          -type d \
+          -not -name '.*' \
+          -print0 \
+        | sort -z \
+        | while IFS= read -r -d '' dir; do
+            # Run kubectl diff: stdout to file, capture stderr in variable
+            dir_errors=$(kubectl diff -Rf "$dir" 2>&1 1>>/tmp/kube.diff || true)
+
+            # Filter out known warnings, exit status messages, and blank lines
+            filtered_errors=$(echo "$dir_errors" | \
+                              grep -v "Warning: Use tokens from the TokenRequest API" | \
+                              grep -v "^Error: exit status [0-9]*$" | \
+                              grep -v "^[[:space:]]*$" || true)
+
+            # If there are meaningful errors, append with prefix
+            if [ -n "$filtered_errors" ] && echo "$filtered_errors" | grep -q '[^[:space:]]' 2>/dev/null; then
+                echo "=== Directory: $dir ===" >> /tmp/kube.err
+                echo "$filtered_errors" >> /tmp/kube.err
+                echo "" >> /tmp/kube.err
+            fi
+          done
 
     - name: Create/update pull request
       env:
@@ -63,6 +82,17 @@ jobs:
         EOF
         )"
 
+        # Conditionally append error output if it has meaningful content
+        if [ -s /tmp/kube.err ]; then
+            pr_body="${pr_body}
+
+        ## Errors/Warnings
+
+        \`\`\`
+        $(cat /tmp/kube.err)
+        \`\`\`"
+        fi
+
 
         ## generate initial commit for base if needed
         if ! git ls-remote --exit-code --heads origin "${BRANCH_DEPLOY}"; then

_/ClusterIssuer/letsencrypt-prod.yaml

@@ -7,7 +7,7 @@ spec:
     email: [email protected]
     privateKeySecretRef:
       name: letsencrypt-prod
-    server: 'https://acme-v02.api.letsencrypt.org/directory'
+    server: https://acme-v02.api.letsencrypt.org/directory
     solvers:
       - http01:
           ingress:

_/ClusterIssuer/letsencrypt-staging.yaml

@@ -7,7 +7,7 @@ spec:
     email: [email protected]
     privateKeySecretRef:
       name: letsencrypt-staging
-    server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
     solvers:
       - http01:
           ingress:

_/ClusterRole/cert-manager-controller-approve:cert-manager-io.yaml

@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/version: v1.10.1
     helm.sh/chart: cert-manager-v1.10.1
-  name: 'cert-manager-controller-approve:cert-manager-io'
+  name: cert-manager-controller-approve:cert-manager-io
 rules:
   - apiGroups:
       - cert-manager.io

_/ClusterRole/cert-manager-webhook:subjectaccessreviews.yaml

@@ -9,7 +9,7 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/version: v1.10.1
     helm.sh/chart: cert-manager-v1.10.1
-  name: 'cert-manager-webhook:subjectaccessreviews'
+  name: cert-manager-webhook:subjectaccessreviews
 rules:
   - apiGroups:
       - authorization.k8s.io

_/ClusterRole/ingress-nginx-admission.yaml

@@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
   annotations:
-    helm.sh/hook: 'pre-install,pre-upgrade,post-install,post-upgrade'
-    helm.sh/hook-delete-policy: 'before-hook-creation,hook-succeeded'
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx

_/ClusterRole/system:aggregated-metrics-reader.yaml

@@ -6,7 +6,7 @@ metadata:
     rbac.authorization.k8s.io/aggregate-to-admin: 'true'
     rbac.authorization.k8s.io/aggregate-to-edit: 'true'
     rbac.authorization.k8s.io/aggregate-to-view: 'true'
-  name: 'system:aggregated-metrics-reader'
+  name: system:aggregated-metrics-reader
 rules:
   - apiGroups:
       - metrics.k8s.io

_/ClusterRole/system:metrics-server.yaml

@@ -3,7 +3,7 @@ kind: ClusterRole
 metadata:
   labels:
     k8s-app: metrics-server
-  name: 'system:metrics-server'
+  name: system:metrics-server
 rules:
   - apiGroups:
       - ''

_/ClusterRoleBinding/cert-manager-controller-approve:cert-manager-io.yaml

@@ -9,11 +9,11 @@ metadata:
     app.kubernetes.io/name: cert-manager
     app.kubernetes.io/version: v1.10.1
     helm.sh/chart: cert-manager-v1.10.1
-  name: 'cert-manager-controller-approve:cert-manager-io'
+  name: cert-manager-controller-approve:cert-manager-io
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: 'cert-manager-controller-approve:cert-manager-io'
+  name: cert-manager-controller-approve:cert-manager-io
 subjects:
   - kind: ServiceAccount
     name: cert-manager

_/ClusterRoleBinding/cert-manager-webhook:subjectaccessreviews.yaml

@@ -9,11 +9,11 @@ metadata:
     app.kubernetes.io/name: webhook
     app.kubernetes.io/version: v1.10.1
     helm.sh/chart: cert-manager-v1.10.1
-  name: 'cert-manager-webhook:subjectaccessreviews'
+  name: cert-manager-webhook:subjectaccessreviews
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: 'cert-manager-webhook:subjectaccessreviews'
+  name: cert-manager-webhook:subjectaccessreviews
 subjects:
   - apiGroup: ''
     kind: ServiceAccount

_/ClusterRoleBinding/ingress-nginx-admission.yaml

@@ -2,8 +2,8 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   annotations:
-    helm.sh/hook: 'pre-install,pre-upgrade,post-install,post-upgrade'
-    helm.sh/hook-delete-policy: 'before-hook-creation,hook-succeeded'
+    helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade
+    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
   labels:
     app.kubernetes.io/component: admission-webhook
     app.kubernetes.io/instance: ingress-nginx

_/ClusterRoleBinding/metrics-server:system:auth-delegator.yaml

@@ -3,11 +3,11 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     k8s-app: metrics-server
-  name: 'metrics-server:system:auth-delegator'
+  name: metrics-server:system:auth-delegator
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: 'system:auth-delegator'
+  name: system:auth-delegator
 subjects:
   - kind: ServiceAccount
     name: metrics-server

_/ClusterRoleBinding/system:metrics-server.yaml

@@ -3,11 +3,11 @@ kind: ClusterRoleBinding
 metadata:
   labels:
     k8s-app: metrics-server
-  name: 'system:metrics-server'
+  name: system:metrics-server
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: 'system:metrics-server'
+  name: system:metrics-server
 subjects:
   - kind: ServiceAccount
     name: metrics-server