gather rendered assets as part of install-gather #1646
e9cf296 to e15ef23 (Compare)
/lgtm
cc wking abhinavdahiya
/retest
@@ -25,6 +25,10 @@ do | |||
sudo podman inspect "${container}" >& "${ARTIFACTS}/bootstrap/pods/${container}.inspect" | |||
done | |||
|
|||
echo "Gathering rendered assets..." | |||
mkdir -p "${ARTIFACTS}/rendered-assets" | |||
cp -r /etc/kubernetes/ "${ARTIFACTS}/rendered-assets" |
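Review bot: the `cp -r /etc/kubernetes/ "${ARTIFACTS}/rendered-assets"` line copies the whole tree with no filtering, so whatever credential material sits under it (the thread below names the admin kubeconfig and the rendered secret manifests) is gathered by default. Suggest eliding known-sensitive files right after the copy and before the artifacts are tarred, for example `find "${ARTIFACTS}/rendered-assets" -type f \( -name '*secret*' -o -name 'kubeconfig' \) -delete`, and keeping a comment next to it that lists the patterns dropped so a reviewer can check an archive against that list.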
This feels like it might gather secrets that we don't want gathered by default. Do you have a list handy of what this is pulling in?
@sferich888 Do we filter sensitive information before or after we gather? If before, any advice for @vrutkovs? This is beyond my bash abilities
In vsphere CI we filter out sensitive info in teardown container. If all filenames with sensitive data are known they should be removed from /tmp/artifacts before tar cx
> In vsphere CI we filter out sensitive info in teardown container. If all filenames with sensitive data are known they should be removed from /tmp/artifacts before tar cx
I thought so, but let's see what eric says.
I think the cloud creds are the only thing the installer asks for that are not generated.
So..... only scrub that?
/hold to sort out secret eliding and whether the storage location works on failed renders
@wking I spoke with Eric. The only truly confidential information we have are the cloud creds and image pull secrets. What files are they in, so I can delete them? The rest of the certs are created for each install.
This is what goes up:

$ jq -r '.storage.files[].path' /tmp/we/bootstrap.ign | grep 'secret\|docker'
/root/.docker/config.json
/opt/openshift/manifests/kube-system-secret-etcd-client-ca-deprecated.yaml
/opt/openshift/manifests/kube-system-secret-etcd-client.yaml
/opt/openshift/manifests/kube-system-secret-etcd-signer-client.yaml
/opt/openshift/manifests/kube-system-secret-etcd-signer.yaml
/opt/openshift/manifests/machine-config-server-tls-secret.yaml
/opt/openshift/manifests/openshift-config-secret-etcd-metric-client.yaml
/opt/openshift/manifests/openshift-config-secret-pull-secret.yaml
/opt/openshift/openshift/99_cloud-creds-secret.yaml
/opt/openshift/openshift/99_kubeadmin-password-secret.yaml
/opt/openshift/openshift/99_role-cloud-creds-secret-reader.yaml
/opt/openshift/openshift/99_openshift-cluster-api_master-user-data-secret.yaml
/opt/openshift/openshift/99_openshift-cluster-api_worker-user-data-secret.yaml

On the bootstrap machine we copy some thing around, e.g. moving the admin kubeconfig under
are we generally happy with removing the kubeconfig and then
Drop /root/.docker/config.json as well, but given the list @wking provided, searching the way you are should be ok. Why don't we review an archive of what this collects currently to confirm that this is ok? Who/Where can I get one of these? CI?
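The eliding step the thread is converging on (drop the files whose names are known to carry secrets from the artifacts tree, then tar what is left), as an added example that is not the installer's gather script or anything from this PR. The name patterns (`secret`, `.docker/config.json`, `kubeconfig`) are assumptions taken from the paths listed above, and the sample tree is constructed here for the demonstration; the `*secret*` pattern is deliberately over-inclusive, so it also drops the `99_role-cloud-creds-secret-reader.yaml` Role, which is harmless for a gather.

```shell
#!/bin/sh
# Added example (not the installer's own code): elide secret-bearing files from a
# gathered artifacts tree by filename pattern, then archive the remainder.

# Remove every regular file under <artifacts-dir> whose path matches one of the
# known-sensitive patterns (assumed from the paths discussed in this PR), and
# print each removed path so the gather keeps a record of what was dropped.
# Usage: elide_secrets <artifacts-dir>
elide_secrets() {
  root="$1"
  find "$root" -type f \
    \( -path '*secret*' -o -path '*/.docker/config.json' -o -path '*kubeconfig*' \) \
    -print -delete
}

# Build a constructed artifacts tree that mirrors a handful of the paths from the
# jq output above, plus two non-sensitive manifests that must survive.
make_sample_tree() {
  root="$1"
  mkdir -p "$root/rendered-assets/opt/openshift/manifests" \
           "$root/rendered-assets/opt/openshift/openshift" \
           "$root/rendered-assets/root/.docker" \
           "$root/rendered-assets/etc/kubernetes"
  echo 'data: pull-secret' > "$root/rendered-assets/opt/openshift/manifests/openshift-config-secret-pull-secret.yaml"
  echo 'data: creds'       > "$root/rendered-assets/opt/openshift/openshift/99_cloud-creds-secret.yaml"
  echo '{"auths":{}}'      > "$root/rendered-assets/root/.docker/config.json"
  echo 'clusters: []'      > "$root/rendered-assets/etc/kubernetes/kubeconfig"
  echo 'kind: ConfigMap'   > "$root/rendered-assets/opt/openshift/manifests/cluster-config.yaml"
  echo 'kind: Network'     > "$root/rendered-assets/opt/openshift/manifests/cluster-network-01-crd.yaml"
}

# Gather step: scrub first, record what was removed, then tar the tree.
# Usage: gather_and_scrub <artifacts-dir> <output-tarball>   (tarball outside the dir)
gather_and_scrub() {
  root="$1"
  out="$2"
  elide_secrets "$root" > "$root/elided-files.txt"
  tar -C "$root" -czf "$out" .
}

# Stand-alone run: build the sample tree, scrub and archive it, list the result.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_sample_tree "$tmp/artifacts"
  gather_and_scrub "$tmp/artifacts" "$tmp/artifacts.tgz"
  echo "elided:"; cat "$tmp/artifacts/elided-files.txt"
  echo "archived:"; tar -tzf "$tmp/artifacts.tgz"
  rm -rf "$tmp"
fi
```

Running the script with `--demo` prints the four elided paths and then the archive listing, which no longer contains them. The `elided-files.txt` record answers the "what did this pull in" question from the review without re-gathering: a reviewer can diff it against the expected pattern list before the archive is shared.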
e15ef23 to f4ffb5e (Compare)
now with secret eliding
f4ffb5e to 13ea52b (Compare)
/hold cancel
/test e2e-openstack
/test e2e-openstack
/test e2e-aws-upgrade
/approve
@wking also had some comments, will let him lgtm
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, deads2k, vrutkovs, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
/retest Please review the full test history for this PR and help us cut down flakes.
I've got a broken pull openshift/machine-config-operator#626, but in general, any future asset rendering error requires the rendered assets to make a determination of the failure. This gathers those.
@sdodson
/assign @vrutkovs