add must-gather command

[sanchezl]

Launch a pod to gather debugging information 

This command will launch a pod in a temporary namespace on your cluster that gathers debugging
information, using a copy of the active client config context, and then downloads the gathered
information.

Usage:
  oc adm must-gather [flags]

Examples:
  # gather default information using the default image and command, writing into ./must-gather.local.<rand>
  oc adm must-gather
  
  # gather default information with a specific local folder to copy to
  oc adm must-gather --dest-dir=/local/directory
  
  # gather default information using a specific image, command, and pod-dir
  oc adm must-gather --image=my/image:tag --source-dir=/pod/directory -- myspecial-command.sh

Options:
      --dest-dir='': Set a specific directory on the local machine to write gathered data to.
      --image='': Set a specific to use - by default the image will be looked up for OpenShift's must-gather
      --node-name='': Set a specific node to use - by default a random master will be used

Picking up from #22405

• Create a temporary namespace
• Create a cluster role binding for the default service account for the temporary namespace.
• Create a pod that runs the 'gather' command in that image.
• Wait for completion of that command.
• Look up the image to use for gathering information
• Copy the gathered data locally
• Delete the temporary namespace.
• Delete the cluster role binding.

https://jira.coreos.com/browse/MSTR-351

[deads2k]

@sanchezl add a phase-in plan for the description please.

[soltysh]

Left you some initial comments....

[soltysh]

We try not to embed the name in the examples, use %[1]s instead and then
Example: fmt.Sprintf(mustGatherExample, fullName)

[deads2k]

We try not to embed the name in the examples, use %[1]s instead and then
Example: fmt.Sprintf(mustGatherExample, fullName)

@soltysh I don't think we're gaining much with that, do you? Clayton came to a similar conclusion.

[soltysh]

I know tools that are consuming us, and just trying to be good citizen and allow that consumption. Also I'm slowly accepting the fact that both kubectl and oc are primitives that folks use to build their opinionated flows on top (see https://www.youtube.com/watch?v=ytu3aUCwlSg for example how AirBnB is wrapping kubectl just for that). But that's not a strong requirement, yet it doesn't cost us that much to have it done this way.

[soltysh]

You should not need this, since you're part of oc this is implicit.

[sanchezl]

No longer applicable.

[soltysh]

Nit: o is the preferred var name for option structs, this applies to entire file.

[sanchezl]

Done

[soltysh]

kcmdutil.CheckErr(o.Complete(f, cmd, args))
kcmdutil.CheckErr(o.Run())

is preferred.

[sanchezl]

Done

[soltysh]

Set a specific image to use, by default the OpenShift's must-gather image will be used.

[sanchezl]

Done

[soltysh]

Something smells here. You should have only one MustGatherOptions struct and work from there through Complete -> Validate (if needed) -> Run. That is the required flow for all commands.

[sanchezl]

Done

[soltysh]

ns is not being used

[sanchezl]

It's used now.

[deads2k]

Picking up from #22405

• Create a temporary namespace
• Create a secret an upload the local kubeconfig content into it
• Look up the image to use for gathering information
• Create a pod that runs the 'gather' command in that image
• Wait for completion of that command
• Copy the gathered data locally

Let's get this into a Jira story. Add deleting the namespace. Mark the command hidden and deprecated and see about starting to phase this in with @soltysh and reasonable tests on subsets.

Redorder the pod creation and the image lookup. Use a floating tag on quay to start this. Describe a way to recognize from the client that the command has finished.

[deads2k]

• Create a secret an upload the local kubeconfig content into it

If we didn't do this, could we use a cluster-reader + secret/metrics/debug/health reader assigned to a service account with an audience.

@enj

[soltysh]

Let's get this into a Jira story. Add deleting the namespace. Mark the command hidden and deprecated and see about starting to phase this in with @soltysh and reasonable tests on subsets.

Hidden 👍, but why deprecated, better experimental. Let's make it clear it's a moving target.

[deads2k]

but why deprecated, better experimenta

sure

[sferich888]

Updated openshift/must-gather#65 as it will be needed in tandem with this command.

[deads2k]

quay.io/openshift/origin-must-gather:latest I'd think

[sanchezl]

Done

[deads2k]

let's not do this and grant an aggregator cluster-role to the service account in this namespace

[deads2k]

Simplest possible thing to start. Grant it cluster-admin to land

[sanchezl]

Went with cluster-admin for now. Opened #22430 as a reminder to fix in the future.

[deads2k]

let's stop doin this

[sanchezl]

Done

[deads2k]

delete

[sanchezl]

Done

[deads2k]

ha, this is clever. Was this me or you?

[sanchezl]

Me. It's gone now.

[deads2k]

@sanchezl take out of WIP, add a test-cmd test for it test/cmd/admin.sh I'd think.

[smarterclayton]

What happens when launching pods won't work. How do I must-gather then?

[sferich888]

must-gather can be run as a CLI plug-in (or standalone binary) too. The benefit of an image is that it let's us ship the binary as part of a release (connect but independent), with oc we don't have the same mechanism (thus why a plug-in was not considered).

In short this is a short comming of this implementation (by using an image and the oc shim to call start the image and exfiltrate data), however if your cluster is in that bad of shape your going to likely need host level access to debug issues that are likely not cluster related.

[sanchezl]

/test verify

[soltysh]

A few more fresh comments + some old ones are still not addressed.

[soltysh]

This is still not addressed.

[soltysh]

Set the default in NewMustGatherOptions, this way the default will be nicely presented in the command's help.

[sanchezl]

This isn't the real default, see #22528.

[deads2k]

verify failure is real again because you're relying on a new package. Whitelist all of k8s.io/apimachinery to save trouble

[sanchezl]

/retest

[sferich888]

/retest

[soltysh]

The switch from pending to running in most cases should be fast, but why wait for pending and then check its status after wait, and not just wait for running in wait.PollImmediate ?

[sanchezl]

It might go from Pending to Failed (or even Success or Completed). With a RestartPolicy: Never, I would be waiting for a transition that might never happen if I look for Running specifically. This way we fail ASAP, instead of timing out the wait.PollIntermediate call.

[soltysh]

Right but the transition from Pending to Running might not be as fast as this check and you will fail then, b/c pod is still in pending. Maybe you should have a more explicit checks in place then.

[soltysh]

My bad, I misread the condition in wait.PollImmediate, it's 👍

[soltysh]

Don't log the error here, if you care, log it at higher debug levels, it's not an error per se.

[sanchezl]

removed in PR #22561

[deads2k]

I see that fake test. Start an e2e one

/lgtm
/retest

[deads2k]

I see that fake test. Start an e2e one

/lgtm
/retest

This is how bad I want this in a beta.

[openshift-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, sanchezl

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/oc/OWNERS [deads2k]
• test/cmd/OWNERS [deads2k]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[deads2k]

ci-operator failure

/retest

[deads2k]

/test all

[sanchezl]

/test e2e-aws

[sanchezl]

/retest

[openshift-bot]

/retest

Please review the full test history for this PR and help us cut down flakes.

[openshift-ci-robot]

@sanchezl: The following test failed, say /retest to rerun them all:

Test name	Commit	Details	Rerun command
ci/prow/e2e-aws	5089636	link	/test e2e-aws

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.