From 6dcbbffc3e885da74cb11230126a165312d28d20 Mon Sep 17 00:00:00 2001 From: "W. Trevor King" Date: Thu, 12 Mar 2020 10:13:48 -0700 Subject: [PATCH] test/extended/cli/mustgather: Separate gather_audit_logs test [1] is removing these from the default gather, because they're mostly useful for internal debugging, less useful in end-user bug reports, and can run to hundreds of megabytes. But we still want to ensure that they work as expected when they are explicitly requested. This commit pulls the audit-log checks out of the test-case for the generic invocation. And it adds a new test case with those checks after an explict gather_audit_logs request. The EOF sleep was recommended by Maciej [2,3], although it's not clear to me how the oc call could exit success before the output directory was on disk. The annotation change was generated with: $ hack/verify-generated-bindata.sh [1]: https://github.com/openshift/must-gather/pull/143 [2]: https://github.com/openshift/origin/pull/24680#issuecomment-600199567 [3]: https://github.com/openshift/origin/pull/24680#discussion_r411347667 --- test/extended/cli/mustgather.go | 156 +++++++++++------- .../generated/zz_generated.annotations.go | 1 + 2 files changed, 98 insertions(+), 59 deletions(-) diff --git a/test/extended/cli/mustgather.go b/test/extended/cli/mustgather.go index fa3c01a1b8ad..b719ad32496e 100644 --- a/test/extended/cli/mustgather.go +++ b/test/extended/cli/mustgather.go 
@@ -32,40 +32,6 @@ var _ = g.Describe("[sig-cli] oc adm must-gather", func() { defer g.GinkgoRecover() oc := exutil.NewCLI("oc-adm-must-gather").AsAdmin() g.It("runs successfully", func() { - // makes some tokens that should not show in the audit logs - const tokenName = "must-gather-audit-logs-token-plus-some-padding-here-to-make-the-limit" - oauthClient := oauthv1client.NewForConfigOrDie(oc.AdminConfig()) - _, err1 := oauthClient.OAuthAccessTokens().Create(context.Background(), &oauthv1.OAuthAccessToken{ - ObjectMeta: metav1.ObjectMeta{ - Name: tokenName, - }, - ClientName: "openshift-challenging-client", - ExpiresIn: 30, - Scopes: []string{"user:info"}, - RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit", - UserName: "a", - UserUID: "1", - }, metav1.CreateOptions{}) - o.Expect(err1).ToNot(o.HaveOccurred()) - _, err2 := oauthClient.OAuthAuthorizeTokens().Create(context.Background(), &oauthv1.OAuthAuthorizeToken{ - ObjectMeta: metav1.ObjectMeta{ - Name: tokenName, - }, - ClientName: "openshift-challenging-client", - ExpiresIn: 30, - Scopes: []string{"user:info"}, - RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit", - UserName: "a", - UserUID: "1", - }, metav1.CreateOptions{}) - o.Expect(err2).ToNot(o.HaveOccurred()) - // let audit log writes occurs to disk (best effort, should be enough to make the test fail most of the time) - time.Sleep(10 * time.Second) - - // wait for the default service account to be avaiable - err := exutil.WaitForServiceAccount(oc.KubeClient().CoreV1().ServiceAccounts(oc.Namespace()), "default") - o.Expect(err).ToNot(o.HaveOccurred()) - tempDir, err := ioutil.TempDir("", "test.oc-adm-must-gather.") o.Expect(err).ToNot(o.HaveOccurred()) defer os.RemoveAll(tempDir) 
@@ -73,19 +39,14 @@ var _ = g.Describe("[sig-cli] oc adm must-gather", func() { pluginOutputDir := getPluginOutputDir(oc, tempDir) - auditDirectories := [][]string{ - {pluginOutputDir, "audit_logs", "kube-apiserver"}, - {pluginOutputDir, "audit_logs", "openshift-apiserver"}, - } - - expectedDirectories := append([][]string{ + expectedDirectories := [][]string{ {pluginOutputDir, "cluster-scoped-resources", "config.openshift.io"}, {pluginOutputDir, "cluster-scoped-resources", "operator.openshift.io"}, {pluginOutputDir, "cluster-scoped-resources", "core"}, {pluginOutputDir, "cluster-scoped-resources", "apiregistration.k8s.io"}, {pluginOutputDir, "namespaces", "openshift"}, {pluginOutputDir, "namespaces", "openshift-kube-apiserver-operator"}, - }, auditDirectories...) + } expectedFiles := [][]string{ {pluginOutputDir, "cluster-scoped-resources", "config.openshift.io", "apiservers.yaml"}, 
@@ -135,9 +96,91 @@ var _ = g.Describe("[sig-cli] oc adm must-gather", func() { if len(emptyFiles) > 0 { o.Expect(fmt.Errorf("expected files should not be empty: %s", strings.Join(emptyFiles, ","))).NotTo(o.HaveOccurred()) } + }) + + g.It("runs successfully with options", func() { + tempDir, err := ioutil.TempDir("", "test.oc-adm-must-gather.") + o.Expect(err).ToNot(o.HaveOccurred()) + defer os.RemoveAll(tempDir) + args := []string{ + "--dest-dir", tempDir, + "--source-dir", "/artifacts", + "--", + "/bin/bash", "-c", + "ls -l > /artifacts/ls.log", + } + o.Expect(oc.Run("adm", "must-gather").Args(args...).Execute()).To(o.Succeed()) + expectedFilePath := path.Join(getPluginOutputDir(oc, tempDir), "ls.log") + o.Expect(expectedFilePath).To(o.BeAnExistingFile()) + stat, err := os.Stat(expectedFilePath) + o.Expect(err).ToNot(o.HaveOccurred()) + o.Expect(stat.Size()).To(o.BeNumerically(">", 0)) + }) + + g.It("runs successfully for audit logs", func() { + // makes some tokens that should not show in the audit logs + const tokenName = "must-gather-audit-logs-token-plus-some-padding-here-to-make-the-limit" + oauthClient := oauthv1client.NewForConfigOrDie(oc.AdminConfig()) + _, err1 := oauthClient.OAuthAccessTokens().Create(context.Background(), &oauthv1.OAuthAccessToken{ + ObjectMeta: metav1.ObjectMeta{ + Name: tokenName, + }, + ClientName: "openshift-challenging-client", + ExpiresIn: 30, + Scopes: []string{"user:info"}, + RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit", + UserName: "a", + UserUID: "1", + }, metav1.CreateOptions{}) + o.Expect(err1).ToNot(o.HaveOccurred()) + _, err2 := oauthClient.OAuthAuthorizeTokens().Create(context.Background(), &oauthv1.OAuthAuthorizeToken{ + ObjectMeta: metav1.ObjectMeta{ + Name: tokenName, + }, + ClientName: "openshift-challenging-client", + ExpiresIn: 30, + Scopes: []string{"user:info"}, + RedirectURI: "https://127.0.0.1:12000/oauth/token/implicit", + UserName: "a", + UserUID: "1", + }, metav1.CreateOptions{}) + 
o.Expect(err2).ToNot(o.HaveOccurred()) + + // let audit log writes occurs to disk (best effort, should be enough to make the test fail most of the time) + time.Sleep(10 * time.Second) + + // wait for the default service account to be avaiable + err := exutil.WaitForServiceAccount(oc.KubeClient().CoreV1().ServiceAccounts(oc.Namespace()), "default") + o.Expect(err).ToNot(o.HaveOccurred()) + + tempDir, err := ioutil.TempDir("", "test.oc-adm-must-gather.") + o.Expect(err).ToNot(o.HaveOccurred()) + defer os.RemoveAll(tempDir) + + args := []string{ + "--dest-dir", tempDir, + "--", + "/usr/bin/gather_audit_logs", + } + + o.Expect(oc.Run("adm", "must-gather").Args(args...).Execute()).To(o.Succeed()) + // wait for the contents to show up in the plugin output directory, avoiding EOF errors + time.Sleep(10 * time.Second) + + pluginOutputDir := getPluginOutputDir(oc, tempDir) + + expectedDirectories := [][]string{ + {pluginOutputDir, "audit_logs", "kube-apiserver"}, + {pluginOutputDir, "audit_logs", "openshift-apiserver"}, + } + + expectedFiles := [][]string{ + {pluginOutputDir, "audit_logs", "kube-apiserver.audit_logs_listing"}, + {pluginOutputDir, "audit_logs", "openshift-apiserver.audit_logs_listing"}, + } // make sure we do not log OAuth tokens - for _, auditDirectory := range auditDirectories { + for _, auditDirectory := range expectedDirectories { eventsChecked := 0 err := filepath.Walk(path.Join(auditDirectory...), func(path string, info os.FileInfo, err error) error { g.By(path) 
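Review bot: The token-leak scan in "runs successfully for audit logs" has no positive control: the pre-gather `time.Sleep(10 * time.Second)` is, by its own comment, only best effort, so if the audit events for the two token creates have not reached disk when `/usr/bin/gather_audit_logs` copies the logs, the scan passes without the token ever having had a chance to appear. The `eventsChecked > 10000` guard visible later in the test counts events in general, not these requests. Because must-gather output is typically shared outside the cluster, consider also asserting that the walk saw at least one event for the OAuth token create requests (for example a counter incremented when the event's request URI refers to `oauthaccesstokens`), so that a pass shows the relevant events were actually inspected. The walk body lies outside this hunk, so this may already be covered there. The fixed post-gather sleep could likewise become an `o.Eventually(...)` poll on the `audit_logs` directory rather than a blind 10-second wait.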
@@ -182,25 +225,20 @@ var _ = g.Describe("[sig-cli] oc adm must-gather", func() { o.Expect(eventsChecked).To(o.BeNumerically(">", 10000)) } } - }) - g.It("runs successfully with options", func() { - tempDir, err := ioutil.TempDir("", "test.oc-adm-must-gather.") - o.Expect(err).ToNot(o.HaveOccurred()) - defer os.RemoveAll(tempDir) - args := []string{ - "--dest-dir", tempDir, - "--source-dir", "/artifacts", - "--", - "/bin/bash", "-c", - "ls -l > /artifacts/ls.log", + emptyFiles := []string{} + for _, expectedFile := range expectedFiles { + expectedFilePath := path.Join(expectedFile...) + o.Expect(expectedFilePath).To(o.BeAnExistingFile()) + stat, err := os.Stat(expectedFilePath) + o.Expect(err).ToNot(o.HaveOccurred()) + if size := stat.Size(); size < 50 { + emptyFiles = append(emptyFiles, expectedFilePath) + } + } + if len(emptyFiles) > 0 { + o.Expect(fmt.Errorf("expected files should not be empty: %s", strings.Join(emptyFiles, ","))).NotTo(o.HaveOccurred()) } - o.Expect(oc.Run("adm", "must-gather").Args(args...).Execute()).To(o.Succeed()) - expectedFilePath := path.Join(getPluginOutputDir(oc, tempDir), "ls.log") - o.Expect(expectedFilePath).To(o.BeAnExistingFile()) - stat, err := os.Stat(expectedFilePath) - o.Expect(err).ToNot(o.HaveOccurred()) - o.Expect(stat.Size()).To(o.BeNumerically(">", 0)) }) }) diff --git a/test/extended/util/annotate/generated/zz_generated.annotations.go b/test/extended/util/annotate/generated/zz_generated.annotations.go index 17421a3a1d64..531be4f7bb78 100644 --- a/test/extended/util/annotate/generated/zz_generated.annotations.go +++ b/test/extended/util/annotate/generated/zz_generated.annotations.go 
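Review bot: The added size check flags files smaller than 50 bytes but reports them as "should not be empty", and it builds a `fmt.Errorf` only to pass it to `HaveOccurred`. Asserting on the slice directly and naming the threshold gives a clearer failure: `o.Expect(emptyFiles).To(o.BeEmpty(), "expected files are smaller than 50 bytes")`, with `var emptyFiles []string` instead of the empty literal. The same block already closes the generic "runs successfully" test (visible as context in the previous hunk), so a small helper taking `expectedFiles` would keep the two copies from drifting apart.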
@@ -689,6 +689,7 @@ var annotations = map[string]string{ "[Top Level] [sig-cli] Kubectl client Simple pod should support port-forward": "should support port-forward [Suite:openshift/conformance/parallel] [Suite:k8s]", "[Top Level] [sig-cli] Kubectl client Update Demo should create and stop a replication controller [Conformance]": "should create and stop a replication controller [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]", "[Top Level] [sig-cli] Kubectl client Update Demo should scale a replication controller [Conformance]": "should scale a replication controller [Conformance] [Suite:openshift/conformance/parallel/minimal] [Suite:k8s]", + "[Top Level] [sig-cli] oc adm must-gather runs successfully for audit logs": "runs successfully for audit logs [Suite:openshift/conformance/parallel]", "[Top Level] [sig-cli] oc adm must-gather runs successfully with options": "runs successfully with options [Suite:openshift/conformance/parallel]", "[Top Level] [sig-cli] oc adm must-gather runs successfully": "runs successfully [Suite:openshift/conformance/parallel]", "[Top Level] [sig-cli] oc adm oc adm node-logs --boot=0": "oc adm node-logs --boot=0 [Suite:openshift/conformance/parallel]",