gather rendered assets as part of install-gather #1646
Conversation
openshift-ci-robot
added
the
size/XS
deads2k
force-pushed
the
gather-01-rendered
branch
2 times, most recently
from
e9cf296
to
e15ef23
Compare
|
/retest |
| @@ -25,6 +25,10 @@ do | |||
| sudo podman inspect "${container}" >& "${ARTIFACTS}/bootstrap/pods/${container}.inspect" | |||
| done | |||
|
|
|||
| echo "Gathering rendered assets..." | |||
| mkdir -p "${ARTIFACTS}/rendered-assets" | |||
| cp -r /etc/kubernetes/ "${ARTIFACTS}/rendered-assets" | |||
There was a problem hiding this comment.
This feels like it might gather secrets that we don't want gathered by default. Do you have a list handy of what this is pulling in?
There was a problem hiding this comment.
This feels like it might gather secrets that we don't want gathered by default. Do you have a list handy of what this is pulling in?
@sferich888 Do we filter sensitive information before or after we gather? If before, any advice for @vrutkovs? This is beyond my bash abilities
There was a problem hiding this comment.
In vsphere CI we filter out sensitive info in teardown container. If all filenames with sensitive data is known it should be removed from /tmp/artifacts before tar cx
There was a problem hiding this comment.
In vsphere CI we filter out sensitive info in
teardowncontainer. If all filenames with sensitive data is known it should be removed from/tmp/artifactsbeforetar cx
I thought so, but let's see what eric says.
There was a problem hiding this comment.
I think the cloud creds are the only thing the installer asks for that are not generated.
So..... only scrub that?
|
/hold to sort out secret eliding and whether the storage location works on failed renders |
openshift-ci-robot
added
the
do-not-merge/hold
|
@wking I spoke with Eric. The only truly confidential information we have are the cloud creds and image pull secrets. What files are they in so I can delete them. The rest of the certs are created for each install. |
This is what goes up: $ jq -r '.storage.files[].path' /tmp/we/bootstrap.ign | grep 'secret\|docker'
/root/.docker/config.json
/opt/openshift/manifests/kube-system-secret-etcd-client-ca-deprecated.yaml
/opt/openshift/manifests/kube-system-secret-etcd-client.yaml
/opt/openshift/manifests/kube-system-secret-etcd-signer-client.yaml
/opt/openshift/manifests/kube-system-secret-etcd-signer.yaml
/opt/openshift/manifests/machine-config-server-tls-secret.yaml
/opt/openshift/manifests/openshift-config-secret-etcd-metric-client.yaml
/opt/openshift/manifests/openshift-config-secret-pull-secret.yaml
/opt/openshift/openshift/99_cloud-creds-secret.yaml
/opt/openshift/openshift/99_kubeadmin-password-secret.yaml
/opt/openshift/openshift/99_role-cloud-creds-secret-reader.yaml
/opt/openshift/openshift/99_openshift-cluster-api_master-user-data-secret.yaml
/opt/openshift/openshift/99_openshift-cluster-api_worker-user-data-secret.yamlOn the bootstrap machine we copy some thing around, e.g. moving the admin kubeconfig under |
|
are we generally happy with removing the kubeconfig and then |
|
Drop /root/.docker/config.json as well, but given the list @wking provided, searching the way you are should be ok. Why don't we review an archive of what this collects currently to confirm that this is ok? Who/Where can I get one of these? CI? |
deads2k
force-pushed
the
gather-01-rendered
branch
from
e15ef23
to
f4ffb5e
Compare
|
now with secret eliding |
openshift-ci-robot
added
size/S
deads2k
force-pushed
the
gather-01-rendered
branch
from
f4ffb5e
to
13ea52b
Compare
|
/hold cancel |
openshift-ci-robot
removed
the
do-not-merge/hold
|
/test e2e-openstack |
|
/test e2e-openstack |
|
/test e2e-aws-upgrade |
|
/approve |
openshift-ci-robot
added
the
approved
|
@wking also had some comments, will let him lgtm |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: abhinavdahiya, deads2k, vrutkovs, wking The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/retest Please review the full test history for this PR and help us cut down flakes. |
I've got a broken pull openshift/machine-config-operator#626, but in general, any future asset rendering error requires the rendered assets to make a determination of the failure. This gathers those.
@sdodson
/assign @vrutkovs