It commonly happens when a devops developer want to remotely/non-interactively rolling an update to a kubernetes deployment, for example after a success build.

And this post will explain how. This post assumes that the client machine has aws credential and awscli binary installed.

  • If you want to install awscli locally. Refer to this post.
  • If you want to inline the aws credential without placing it in $HOME/.aws. Inline it in each command via environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY.

Next, I will introduce how to rolling an update in remote kubernetes cluster.

With kubectl installed

aws eks --region "${EKS_AWS_REGION}" update-kubeconfig --name "${EKS_CLUSTER_NAME}"
kubectl rollout restart -n ${namespace} deployment ${deployment}

Without kubectl

eks_token="$(aws eks get-token --cluster-name "${EKS_CLUSTER_NAME}" | \
  jq .status.token -c | tr -d '"')"

eks_endpoint="$(aws eks describe-cluster \
  --name "${EKS_CLUSTER_NAME}" \
  --query cluster.endpoint \
  --region "${EKS_AWS_REGION}" | tr -d '"')"

curl -XPATCH \
  --cacert <(aws eks describe-cluster \
    --name "${EKS_CLUSTER_NAME}" \
    --query cluster.certificateAuthority.data \
    --region "${EKS_AWS_REGION}" | tr -d '"' | base64 -d) \
  -H "Content-Type: application/strategic-merge-patch+json" \
  "${eks_endpoint}/apis/extensions/v1beta1/namespaces/${EKS_NAMESPACE}/deployments/${EKS_DEPLOYMENT}" \
  -H "Authorization: Bearer ${eks_token}" \
  --data "{\"spec\":{\"template\":{\"metadata\":{\"annotations\":{\"kubectl.kubernetes.io/restartedAt\":\"$(TZ=Asia/Tokyo date +%YY-%m-%dT%H:%M:%S+09:00)\"}}}}}"
  • (optional) If you change the timezone in the last command (TZ=Asia/Tokyo), you should also change the timezone offset (+09:00) together to have correct timestamp in the cluster.
  • Where does the curl come from?
    The underneath curl command can be inspected from any kubectl command with --v=9. link