From 6a774d2186a9293c93a2e0c74623873731626895 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Thu, 12 Mar 2020 10:13:48 -0700 Subject: [PATCH] test/extended/cli/mustgather: Separate gather_audit_logs test [1] is removing these from the default gather, because they're mostly useful for internal debugging, less useful in end-user bug reports, and can run to hundreds of megabytes. But we still want to ensure that they work as expected when they are explicitly requested. This commit pulls the audit-log checks out of the test-case for the generic invocation. And it adds a new test case with those checks after an explicit gather_audit_logs request. [1]: https://github.com/openshift/must-gather/pull/143 --- test/extended/cli/mustgather.go | 149 +++++++++++++++++++------------- 1 file changed, 91 insertions(+), 58 deletions(-) diff --git a/test/extended/cli/mustgather.go b/test/extended/cli/mustgather.go index f7df6a3ce3f9..ca35b3f2e874 100644 --- a/test/extended/cli/mustgather.go +++ b/test/extended/cli/mustgather.go 
@@ -29,36 +29,6 @@ var _ = g.Describe("[cli] oc adm must-gather", func() { defer g.GinkgoRecover() oc := util.NewCLI("oc-adm-must-gather", util.KubeConfigPath()).AsAdmin() g.It("runs successfully", func() { - // makes some tokens that should not show in the audit logs - const tokenName = "must-gather-audit-logs-token-plus-some-padding-here-to-make-the-limit" - oauthClient := oauthv1client.NewForConfigOrDie(oc.AdminConfig()) - _, err1 := oauthClient.OAuthAccessTokens().Create(&oauthv1.OAuthAccessToken{ - ObjectMeta: metav1.ObjectMeta{ - Name: tokenName, - }, - ClientName: "openshift-challenging-client", - ExpiresIn: 30, - Scopes: []string{"user:info"}, - RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit", - UserName: "a", - UserUID: "1", - }) - o.Expect(err1).ToNot(o.HaveOccurred()) - _, err2 := oauthClient.OAuthAuthorizeTokens().Create(&oauthv1.OAuthAuthorizeToken{ - ObjectMeta: metav1.ObjectMeta{ - Name: tokenName, - }, - ClientName: "openshift-challenging-client", - ExpiresIn: 30, - Scopes: []string{"user:info"}, - RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit", - UserName: "a", - UserUID: "1", - }) - o.Expect(err2).ToNot(o.HaveOccurred()) - // let audit log writes occurs to disk (best effort, should be enough to make the test fail most of the time) - time.Sleep(10 * time.Second) - tempDir, err := ioutil.TempDir("", "test.oc-adm-must-gather.") o.Expect(err).ToNot(o.HaveOccurred()) defer os.RemoveAll(tempDir) 
@@ -66,19 +36,14 @@ var _ = g.Describe("[cli] oc adm must-gather", func() { pluginOutputDir := getPluginOutputDir(oc, tempDir) - auditDirectories := [][]string{ - {pluginOutputDir, "audit_logs", "kube-apiserver"}, - {pluginOutputDir, "audit_logs", "openshift-apiserver"}, - } - - expectedDirectories := append([][]string{ + expectedDirectories := [][]string{ {pluginOutputDir, "cluster-scoped-resources", "config.openshift.io"}, {pluginOutputDir, "cluster-scoped-resources", "operator.openshift.io"}, {pluginOutputDir, "cluster-scoped-resources", "core"}, {pluginOutputDir, "cluster-scoped-resources", "apiregistration.k8s.io"}, {pluginOutputDir, "namespaces", "openshift"}, {pluginOutputDir, "namespaces", "openshift-kube-apiserver-operator"}, - }, auditDirectories...) + } expectedFiles := [][]string{ {pluginOutputDir, "cluster-scoped-resources", "config.openshift.io", "apiservers.yaml"}, @@ -98,8 +63,6 @@ var _ = g.Describe("[cli] oc adm must-gather", func() { {pluginOutputDir, "cluster-scoped-resources", "config.openshift.io", "schedulers.yaml"}, {pluginOutputDir, "namespaces", "openshift-kube-apiserver", "core", "configmaps.yaml"}, {pluginOutputDir, "namespaces", "openshift-kube-apiserver", "core", "secrets.yaml"}, - {pluginOutputDir, "audit_logs", "kube-apiserver.audit_logs_listing"}, - {pluginOutputDir, "audit_logs", "openshift-apiserver.audit_logs_listing"}, {pluginOutputDir, "host_service_logs", "masters", "crio_service.log"}, {pluginOutputDir, "host_service_logs", "masters", "kubelet_service.log"}, } 
@@ -121,9 +84,85 @@ var _ = g.Describe("[cli] oc adm must-gather", func() { if len(emptyFiles) > 0 { o.Expect(fmt.Errorf("expected files should not be empty: %s", strings.Join(emptyFiles, ","))).NotTo(o.HaveOccurred()) } + }) + + g.It("runs successfully with options", func() { + tempDir, err := ioutil.TempDir("", "test.oc-adm-must-gather.") + o.Expect(err).ToNot(o.HaveOccurred()) + defer os.RemoveAll(tempDir) + args := []string{ + "--dest-dir", tempDir, + "--source-dir", "/artifacts", + "--", + "/bin/bash", "-c", + "ls -l > /artifacts/ls.log", + } + o.Expect(oc.Run("adm", "must-gather").Args(args...).Execute()).To(o.Succeed()) + expectedFilePath := path.Join(getPluginOutputDir(oc, tempDir), "ls.log") + o.Expect(expectedFilePath).To(o.BeAnExistingFile()) + stat, err := os.Stat(expectedFilePath) + o.Expect(err).ToNot(o.HaveOccurred()) + o.Expect(stat.Size()).To(o.BeNumerically(">", 0)) + }) + + g.It("runs successfully for audit logs", func() { + // makes some tokens that should not show in the audit logs + const tokenName = "must-gather-audit-logs-token-plus-some-padding-here-to-make-the-limit" + oauthClient := oauthv1client.NewForConfigOrDie(oc.AdminConfig()) + _, err1 := oauthClient.OAuthAccessTokens().Create(&oauthv1.OAuthAccessToken{ + ObjectMeta: metav1.ObjectMeta{ + Name: tokenName, + }, + ClientName: "openshift-challenging-client", + ExpiresIn: 30, + Scopes: []string{"user:info"}, + RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit", + UserName: "a", + UserUID: "1", + }) + o.Expect(err1).ToNot(o.HaveOccurred()) + _, err2 := oauthClient.OAuthAuthorizeTokens().Create(&oauthv1.OAuthAuthorizeToken{ + ObjectMeta: metav1.ObjectMeta{ + Name: tokenName, + }, + ClientName: "openshift-challenging-client", + ExpiresIn: 30, + Scopes: []string{"user:info"}, + RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit", + UserName: "a", + UserUID: "1", + }) + o.Expect(err2).ToNot(o.HaveOccurred()) + + // let audit log writes occurs to disk (best effort, should be 
enough to make the test fail most of the time) + time.Sleep(10 * time.Second) + + tempDir, err := ioutil.TempDir("", "test.oc-adm-must-gather.") + o.Expect(err).ToNot(o.HaveOccurred()) + defer os.RemoveAll(tempDir) + + args := []string{ + "--dest-dir", tempDir, + "--", + "/usr/bin/gather_audit_logs", + } + + o.Expect(oc.Run("adm", "must-gather").Args(args...).Execute()).To(o.Succeed()) + + pluginOutputDir := getPluginOutputDir(oc, tempDir) + + expectedDirectories := [][]string{ + {pluginOutputDir, "audit_logs", "kube-apiserver"}, + {pluginOutputDir, "audit_logs", "openshift-apiserver"}, + } + + expectedFiles := [][]string{ + {pluginOutputDir, "audit_logs", "kube-apiserver.audit_logs_listing"}, + {pluginOutputDir, "audit_logs", "openshift-apiserver.audit_logs_listing"}, + } // make sure we do not log OAuth tokens - for _, auditDirectory := range auditDirectories { + for _, auditDirectory := range expectedDirectories { eventsChecked := 0 err := filepath.Walk(path.Join(auditDirectory...), func(path string, info os.FileInfo, err error) error { g.By(path) 
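Review bot: The token-leak check in the new `runs successfully for audit logs` case can pass without ever covering the two `Create` calls, because the only thing ordering them before the gather is `time.Sleep(10 * time.Second)` and the assertion that follows is a negative one (the token name must be absent). If the audit events for those requests have not reached disk when `/usr/bin/gather_audit_logs` runs, the scan finds nothing to object to and the test goes green. I would add a positive control: while walking the audit files, record whether at least one event for the create requests on `oauthaccesstokens` and `oauthauthorizetokens` was seen, and `o.Expect` that it was, so a pass means the relevant events were actually inspected. The walk callback continues past the end of this hunk, so it may already do something equivalent; if it does not and the control is not added, the comment above the sleep should at least say `// a pass does not prove the create events were scanned; the sleep is best effort`.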
@@ -163,26 +202,20 @@ var _ = g.Describe("[cli] oc adm must-gather", func() { o.Expect(err).ToNot(o.HaveOccurred()) o.Expect(eventsChecked).To(o.BeNumerically(">", 10000)) } - }) - g.It("runs successfully with options", func() { - tempDir, err := ioutil.TempDir("", "test.oc-adm-must-gather.") - o.Expect(err).ToNot(o.HaveOccurred()) - defer os.RemoveAll(tempDir) - args := []string{ - "--dest-dir", tempDir, - "--source-dir", "/artifacts", - "--", - "/bin/bash", "-c", - "ls -l > /artifacts/ls.log", + emptyFiles := []string{} + for _, expectedFile := range expectedFiles { + expectedFilePath := path.Join(expectedFile...) + o.Expect(expectedFilePath).To(o.BeAnExistingFile()) + stat, err := os.Stat(expectedFilePath) + o.Expect(err).ToNot(o.HaveOccurred()) + if size := stat.Size(); size < 50 { + emptyFiles = append(emptyFiles, expectedFilePath) + } + } + if len(emptyFiles) > 0 { + o.Expect(fmt.Errorf("expected files should not be empty: %s", strings.Join(emptyFiles, ","))).NotTo(o.HaveOccurred()) } - o.Expect(oc.Run("adm", "must-gather").Args(args...).Execute()).To(o.Succeed()) - expectedFilePath := path.Join(getPluginOutputDir(oc, tempDir), "ls.log") - o.Expect(expectedFilePath).To(o.BeAnExistingFile()) - stat, err := os.Stat(expectedFilePath) - o.Expect(err).ToNot(o.HaveOccurred()) - o.Expect(stat.Size()).To(o.BeNumerically(">", 0)) - }) }) func getPluginOutputDir(oc *util.CLI, tempDir string) string {
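Review bot: The size check added at the end of the audit-log case flags any `*.audit_logs_listing` under 50 bytes but reports it as `expected files should not be empty`, so a failure message will not match what was actually tested. The loop also appears to be a copy of the one that closes the first `runs successfully` case (its tail is visible as context in the previous hunk), which leaves two places to keep the threshold and message in sync. I would move it into one helper that takes the minimum size and names it in the failure, and call that from both cases. The audit-log case starts outside this hunk.

```go
// expectFilesAtLeast fails the test if any path is missing or smaller than
// minSize bytes; the failure names the offending files and the threshold.
func expectFilesAtLeast(files [][]string, minSize int64) {
	var tooSmall []string
	for _, parts := range files {
		p := path.Join(parts...)
		o.Expect(p).To(o.BeAnExistingFile())
		stat, err := os.Stat(p)
		o.Expect(err).ToNot(o.HaveOccurred())
		if stat.Size() < minSize {
			tooSmall = append(tooSmall, p)
		}
	}
	o.Expect(tooSmall).To(o.BeEmpty(), "files smaller than %d bytes", minSize)
}

// … unchanged: token scan over expectedDirectories …
expectFilesAtLeast(expectedFiles, 50)
```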