[release-4.5] Bug 1835090: Collect certificates #70
Hi @martinkunc. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
func() ([]record.Record, []error) { | ||
requests, err := i.certClient.CertificateSigningRequests().List(metav1.ListOptions{}) | ||
if errors.IsNotFound(err) { | ||
return nil, nil |
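Review bot: the visible branch returns `nil, nil` only for `errors.IsNotFound(err)`; make sure every other error from `List` ends up in the returned `[]error` rather than yielding an empty record set that looks like "no CSRs". Separately, `ListOptions{}` lists every CSR in the cluster unbounded; given the record-volume concern raised later in the thread, a `Limit` (paginated listing) would cap the result server-side.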
I know this is used in previous gathering functions, but is the nil
handled properly later?
Fortunately, returning nil in a slice will return an empty slice and won't fail. It looks like even an empty Record won't fail as it's just a structure. I have just verified both.
*certificatesv1b1api.CertificateSigningRequest | ||
} | ||
|
||
func (a CSRAnonymizer) Marshal(_ context.Context) ([]byte, error) { |
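Review bot: `CSRAnonymizer` and its exported `Marshal` method carry no doc comments, which is what golint reports for exported identifiers (a comment starting with the identifier name), and matches the later "golinter will fail" remark; suggest `// Marshal serializes the anonymized CSR to JSON; the context is unused.` and a one-line comment on the type saying what it wraps and why.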
nitpick - all public methods should have proper docstring
these comments are still pending, would be nice to add some docs in the whole file.
"k8s.io/apimachinery/pkg/util/json" | ||
) | ||
|
||
type CSRAnonymizer struct { |
nitpick - all public data types should have proper docstring
} | ||
csr, err := x509.ParseCertificateRequest(block.Bytes) | ||
if err != nil { | ||
return |
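Review bot: the bare `return` after `x509.ParseCertificateRequest` fails drops the error, so a malformed or non-CSR PEM block produces an anonymized record with empty request fields and no trace of why; a CSR that could not be parsed then looks identical to one with no SANs. Return the error to the caller (the gatherer already returns `[]error`) or at least log it together with the CSR name.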
don't we need to log these issues?
In overall it is a very nice work!
pkg/gather/clusterconfig/csr.go (outdated)
c.Spec.Request.PublicKeyAlgorithm = csr.PublicKeyAlgorithm.String() | ||
c.Spec.Request.DNSNames = utils.Map(csr.DNSNames, anonymizeURL) | ||
c.Spec.Request.EmailAddresses = utils.Map(csr.EmailAddresses, anonymizeURL) | ||
ipsl := []string{} |
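Review bot: `anonymizeURL` is applied to `EmailAddresses` as well as `DNSNames`; confirm it masks the local part of an email address and not only host-shaped strings, since email SANs in a CSR are user identifiers and this assignment is the only anonymization step before the record leaves the cluster. Preallocating `ipsl` with `make([]string, 0, len(csr.IPAddresses))`, as suggested above, is a minor point by comparison.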
if we know len(csr.IPAddresses), you can allocate an array, but it's up to you
package utils | ||
|
||
// Map applies each of functions to passed slice | ||
func Map(it []string, fn func(string) string) []string { |
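Review bot: the doc comment "applies each of functions to passed slice" does not match the signature, which applies the single `fn` to every element and returns a new slice; suggest `// Map returns a new slice holding fn applied to each element of in.` The parameter name `it` also reads oddly next to `fn`; `in` or `items` is clearer.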
in the future, we might create a common utils package outside operator
in the future, Go may add map-reduce functions, but there are already libraries like this available.
LGTM, but I think that golinter will fail on current sources ;/
/ok-to-test
/ok-to-test
/retest
/lgtm
/assign iNecas
Great job on adding tests as well. I'm a bit concerned about the possible amounts of the records, so I would suggest filtering out. @smarterclayton any suggestion for somebody close to CSRs to give us some hints on what kinds of CSRs types are useful for troubleshooting?
Well, we don't need the actual certificate, we are just using that to extract the expiration date. If the cert is expired or will expire in a week or so. I'm totally fine if the data extraction will be part of the collection mechanism. So basically we just need info if the cert is approved and the expiration date. If it is still too much data, we can move all logic to the operator and collect just unapproved, expired and those which will expire in 7 (we can discuss this number) days.
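The selection rule described in the comment above, as an added Go example that is not the PR's code: `ShouldCollectCSR` (a hypothetical name, as are `ExpiryWindow` and the `selfSignedPEM` fixture builder) keeps every unapproved CSR and keeps an approved one only if its issued certificate is already expired or expires within 7 days; it assumes the PEM in `status.certificate` is the source of the expiration date, as the comment says.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"math/big"
	"time"
)

// ExpiryWindow is the look-ahead from the thread: 7 days, a number still open to tuning.
const ExpiryWindow = 7 * 24 * time.Hour

// ShouldCollectCSR keeps every unapproved CSR, and an approved one only if its issued
// certificate (status.certificate, PEM) is expired or expires within ExpiryWindow.
func ShouldCollectCSR(approved bool, certPEM []byte, now time.Time) (bool, string, error) {
	if !approved {
		return true, "not approved", nil
	}
	block, _ := pem.Decode(certPEM) // approved but not yet signed: no certificate present
	if block == nil {
		return true, "approved but not yet issued", nil
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return false, "", err // surface the failure rather than silently dropping it
	}
	switch {
	case now.After(cert.NotAfter):
		return true, "expired", nil
	case cert.NotAfter.Sub(now) <= ExpiryWindow:
		return true, "expires within window", nil
	}
	return false, "", nil
}

// selfSignedPEM builds a constructed self-signed certificate expiring at notAfter (test input).
func selfSignedPEM(notAfter time.Time) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: notAfter.Add(-time.Hour), NotAfter: notAfter}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Injecting `now` instead of calling `time.Now()` inside the rule is what keeps a fixture-based test stable as the fixtures age.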
I can either filter all, or just gather certain data from Approved. Do you have any idea about numbers here? One idea was that we might start thinking about maybe different profiles of small and bigger size. Which way would be the best for now?
My main question is, whether we care (have a use-case) for the approved ones, or we are interested into some specific cases?
As far as I know, we don't care about approved ones (at least from the Insights perspective).
Can you describe in more detail why we are collecting this? What scenarios will this enable us to detect (or which bugs are we seeing in the field that this info would return)?
The unapproved or expired certificates were a root issue in some customer cases. Are we missing something?
func IncludeCSR(c *CSRAnonymizedFeatures, opts ...FilterOptFunc) bool { | ||
opt := &FilterOpt{time: time.Now()} | ||
for _, o := range opts { | ||
o(opt) |
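Review bot: defaulting `FilterOpt.time` to `time.Now()` and letting an option override it is the right shape for a deterministic test; make sure the test for `IncludeCSR` actually passes a fixed time through an option rather than relying on the wall clock, otherwise a certificate fixture that sits inside the 7-day window today will start failing once the fixture ages past it.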
these variable names are not good: e, t, o, i, etc. They could be a little more descriptive. In this case it could be optFn.
/retest
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: martinkunc, tisnik. The full list of commands accepted by this bot can be found here. The pull request process is described here.
/retest Please review the full test history for this PR and help us cut down flakes.
@@ -0,0 +1,10 @@ | |||
package utils | |||
|
In general in go we do not create utility packages like this. This is a trivial method and would inline privately in a package. Utility packages cause dependency creep and attract unrelated use cases, which cause coupling.
Please move this to a private method at the package call site.
Thank you for the comment. It makes sense, I will remove this in some further PR.
/retitle [release-4.3] Bug 1835090: Collect certificates
@martinkunc: All pull requests linked via external trackers have merged: . Bugzilla bug 1835090 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/retitle [release-4.5] Bug 1835090: Collect certificates
@martinkunc: Bugzilla bug 1835090 is in an unrecognized state (MODIFIED) and will not be moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/bugzilla refresh
The task should add collection of Certificate features, which could be used to verify their validity in further stages.