deckhouse
diff --git a/‎internal/tools/sigmigrate/README.md‎
Lines changed: 146 additions & 0 deletions b/‎internal/tools/sigmigrate/README.md‎
Lines changed: 146 additions & 0 deletions
diff --git a/‎internal/tools/sigmigrate/cmd/flags.go‎
Lines changed: 60 additions & 0 deletions b/‎internal/tools/sigmigrate/cmd/flags.go‎
Lines changed: 60 additions & 0 deletions
diff --git a/‎internal/tools/sigmigrate/cmd/sigmigrate.go‎
Lines changed: 52 additions & 0 deletions b/‎internal/tools/sigmigrate/cmd/sigmigrate.go‎
Lines changed: 52 additions & 0 deletions
@@ -0,0 +1,146 @@
+# sig-migrate
+
+Subcommand for migrating Kubernetes resources by adding and removing migration annotations.
+
+## Description
+
+The `sig-migrate` command collects all Kubernetes resources (both namespaced and cluster-wide), adds a `d8-migration=<timestamp>` annotation, and then removes annotations with the `d8-migration-` prefix. This is useful for triggering reconciliation in Deckhouse controllers.
+
+## Usage
+
+```shell
+d8 tools sig-migrate [flags]
+```
+
+## Flags
+
+| Flag           | Description                                                                  | Default                                     |
+| -------------- | ---------------------------------------------------------------------------- | ------------------------------------------- |
+| `--retry`      | Retry annotation for objects that failed to be processed in the previous run | `false`                                     |
+| `--as`         | Specify a Kubernetes service account for kubectl operations (impersonation)  | `system:serviceaccount:d8-system:deckhouse` |
+| `--log-level`  | Set the log level (INFO, DEBUG, TRACE)                                       | `DEBUG`                                     |
+| `--kubeconfig` | Path to the kubeconfig file to use for CLI requests                          | `$HOME/.kube/config` or `$KUBECONFIG`        |
+| `--context`    | The name of the kubeconfig context to use                                    | `kubernetes-admin@kubernetes`               |
+
+## Usage Examples
+
+### Basic Usage
+
+Run migration for all resources in the cluster:
+
+```shell
+d8 tools sig-migrate
+```
+
+### With kubeconfig and context
+
+```shell
+d8 tools sig-migrate --kubeconfig ~/.kube/config --context my-cluster
+```
+
+### With a different service account
+
+Use a different service account for operations:
+
+```shell
+d8 tools sig-migrate --as system:serviceaccount:my-namespace:my-serviceaccount
+```
+
+### Retry for failed objects
+
+Retry annotation for objects that failed to be processed in the previous run:
+
+```shell
+d8 tools sig-migrate --retry
+```
+
+### With verbose logging
+
+Enable verbose logging (TRACE level):
+
+```shell
+d8 tools sig-migrate --log-level TRACE
+```
+
+### Combined example
+
+```shell
+d8 tools sig-migrate \
+  --kubeconfig ~/.kube/config \
+  --context production \
+  --as system:serviceaccount:d8-system:deckhouse \
+  --log-level DEBUG
+```
+
+## How It Works
+
+1. **Resource Collection**: The command uses Kubernetes API discovery to automatically discover all available resources (both namespaced and cluster-wide).
+
+2. **Adding Annotation**: For each resource, an annotation `d8-migration=<timestamp>` is added, where `timestamp` is the current time in Unix timestamp format.
+
+3. **Removing Annotations**: After adding the new annotation, all annotations starting with the `d8-migration-` prefix are removed.
+
+4. **Error Handling**: 
+   - If a resource does not support annotations (MethodNotAllowed), it is added to the list of unsupported types and skipped in the future.
+   - If the operation is forbidden for the current service account, the command automatically attempts to use an alternative service account (`system:serviceaccount:d8-multitenancy-manager:multitenancy-manager`).
+   - All failed attempts are recorded in `/tmp/failed_annotations.txt` and `/tmp/failed_errors.txt` files for subsequent retry.
+
+## Retry Files
+
+The command creates two files to track failed operations:
+
+- `/tmp/failed_annotations.txt` - list of objects in `namespace|name|kind` format that failed to be processed
+- `/tmp/failed_errors.txt` - detailed error information in `namespace|name|kind|error_message` format
+
+### Automatic Failure Detection
+
+At the end of execution, if any objects failed to be annotated, the command will automatically display a warning message with:
+
+- The number of failed objects
+- Paths to both error log files
+- Instructions on how to investigate and retry
+
+Example output when failures occur:
+
+```
+⚠️  Migration completed with 5 failed object(s).
+
+Some objects could not be annotated. Please check the error details:
+  Error log file: /tmp/failed_errors.txt
+  Failed objects list: /tmp/failed_annotations.txt
+
+To investigate the issues:
+  1. Review the error log file to understand why objects failed
+  2. Check permissions and resource availability
+  3. Retry migration for failed objects only using:
+     d8 tools sig-migrate --retry
+```
+
+To retry failed objects, use the `--retry` flag:
+
+```shell
+d8 tools sig-migrate --retry
+```
+
+## Log Levels
+
+- **INFO**: Minimal output, only important messages
+- **DEBUG**: Detailed output with progress information (default)
+- **TRACE**: Maximum verbose output, including all commands and API responses
+
+## Limitations
+
+- Some resource types may not support annotations (e.g., some CRDs). Such types are automatically detected and skipped.
+- The command requires appropriate access rights to annotate resources in the cluster.
+- For large clusters, execution may take a significant amount of time.
+
+## Notes
+
+- The command uses impersonation to perform operations on behalf of the specified service account.
+- All operations are performed sequentially to ensure stability.
+- Execution progress is displayed in real-time with completion percentage.
+
+## See Also
+
+- [d8 tools](https://github.com/deckhouse/deckhouse-cli) - other tools in the tools category
+- [Deckhouse Documentation](https://deckhouse.io/) - Deckhouse Kubernetes Platform documentation
@@ -0,0 +1,60 @@
+/*
+Copyright 2025 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"os"
+
+	"github.com/spf13/pflag"
+)
+
+func addFlags(flags *pflag.FlagSet) {
+	flags.Bool(
+		"retry",
+		false,
+		"Retry annotation for previously failed objects.",
+	)
+
+	flags.String(
+		"as",
+		"system:serviceaccount:d8-system:deckhouse",
+		"Specify a Kubernetes service account for the kubectl operations (impersonation).",
+	)
+
+	flags.String(
+		"log-level",
+		"DEBUG",
+		"Set the log level (INFO, DEBUG, TRACE). Defaults to DEBUG.",
+	)
+
+	defaultKubeconfigPath := os.ExpandEnv("$HOME/.kube/config")
+	if p := os.Getenv("KUBECONFIG"); p != "" {
+		defaultKubeconfigPath = p
+	}
+
+	flags.String(
+		"kubeconfig",
+		defaultKubeconfigPath,
+		"Path to the kubeconfig file to use for CLI requests. (default is $KUBECONFIG when it is set, $HOME/.kube/config otherwise)",
+	)
+
+	flags.String(
+		"context",
+		"kubernetes-admin@kubernetes",
+		"The name of the kubeconfig context to use.",
+	)
+}
@@ -0,0 +1,52 @@
+/*
+Copyright 2025 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cmd
+
+import (
+	"github.com/spf13/cobra"
+	"k8s.io/kubectl/pkg/util/templates"
+
+	"github.com/deckhouse/deckhouse-cli/internal/tools/sigmigrate"
+)
+
+var sigMigrateLong = templates.LongDesc(`
+Migrate Kubernetes resources by adding and removing migration annotations.
+
+This command collects all Kubernetes resources (both namespaced and cluster-wide),
+adds a migration annotation (d8-migration=<timestamp>), and then removes the
+d8-migration- annotation prefix. This is useful for triggering reconciliation
+in Deckhouse controllers.
+
+The command supports:
+- Retrying failed annotations from previous runs
+- Using different service accounts via impersonation
+- Configurable log levels (INFO, DEBUG, TRACE)
+
+© Flant JSC 2025`)
+
+func NewCommand() *cobra.Command {
+	sigMigrateCmd := &cobra.Command{
+		Use:   "sig-migrate",
+		Short: "Migrate Kubernetes resources by adding and removing migration annotations",
+		Long:  sigMigrateLong,
+		RunE:  sigmigrate.SigMigrate,
+	}
+
+	addFlags(sigMigrateCmd.Flags())
+
+	return sigMigrateCmd
+}