feat: save YAML spec used to generate support bundle/preflight #1713
While testing this I noticed that the output spec gets wrapped oddly.
Input spec:
spec.yaml from output bundle:
The YAML wrapping and structure ordering differences are expected - we're re-using the same method as troubleshoot/pkg/loader/loader.go, lines 111 to 136 in 0113624.
Regarding the missing troubleshoot/pkg/apis/troubleshoot/v1beta2/outcome.go, lines 3 to 13 in 10a34c2
Please let me know if this is fine.
lgtm
I like this clean approach of reusing redactors. It however comes with limitations of missing some cases such as redacting TLS certs & keys, and complex commands in runPod, exec or run collectors.
I tested using this spec and TLS params were not redacted. For this specific case, I think we can add a redactor similar to https://troubleshoot.sh/docs/redact/aws-credentials/ to redact this:

```yaml
---
apiVersion: troubleshoot.sh/v1beta2
kind: SupportBundle
spec:
  collectors:
    - postgres:
        collectorName: pg
        uri: postgresql://user:password@hostname:5432/defaultdb?sslmode=require
        tls:
          cacert: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          clientCert: |
            -----BEGIN CERTIFICATE-----
            ...
            -----END CERTIFICATE-----
          clientKey: |
            -----BEGIN PRIVATE KEY-----
            ...
            -----END PRIVATE KEY-----
```
I'm however not sure if we can find a good enough way to redact user-crafted commands. Perhaps we would just redact entire commands and environment variables.

```yaml
    - http:
        collectorName: healthz
        get:
          url: http://api:3000/healthz
          timeout: 5s
          headers:
            Authorization: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c'
```

The auth token here does not get redacted as well.
This is a gap in the redactors, which would block this change - there's no way we can or should store private keys, and there's no way to supply them to Troubleshoot otherwise.
Let's be very mindful of adding complexity if we can. This task is getting more complex the more we look at it, and we may need to divert and get a design review before adding more code.
As discussed, I've updated the PR to have an extra TLS private key redactor for the final YAML file. Please let me know how it goes.
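The kind of post-processing this thread calls for, as an added example rather than the project's own redactor code: a hypothetical `RedactSpec` that rewrites the saved spec text so PEM private keys, Authorization header values and URI passwords (the three things the review found unredacted) are replaced before the file is written into the bundle. The sample spec is constructed for the example.

```go
package main

import (
	"fmt"
	"regexp"
)

// Added example (not troubleshoot's own redactor code): post-process the
// saved spec.yaml text so that the secrets found unredacted in review do
// not land in the bundle. All names here are hypothetical.
const redacted = "***HIDDEN***"

// Any PEM private key block, including RSA/EC/ENCRYPTED variants; (?s) lets
// the lazy .*? span the base64 lines between the armor markers.
var pemPrivateKeyRe = regexp.MustCompile(
	`(?s)-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----`)

// The value of an Authorization header, quoted or not, on its own YAML line.
var authHeaderRe = regexp.MustCompile(
	`(?mi)^([ \t]*Authorization:[ \t]*)(['"]?)[^'"\r\n]+(['"]?)[ \t]*$`)

// The password part of scheme://user:password@host URIs (postgres uri field).
var uriPasswordRe = regexp.MustCompile(`(://[^:/@\s]+:)[^@\s]+(@)`)

// RedactSpec returns spec with private keys, Authorization header values and
// URI passwords replaced; YAML structure and indentation are left intact.
func RedactSpec(spec string) string {
	out := pemPrivateKeyRe.ReplaceAllString(spec, redacted)
	out = authHeaderRe.ReplaceAllString(out, "${1}${2}"+redacted+"${3}")
	out = uriPasswordRe.ReplaceAllString(out, "${1}"+redacted+"${2}")
	return out
}

// SampleSpec is a constructed fragment shaped like the one posted in review.
const SampleSpec = `spec:
  collectors:
  - postgres:
      uri: postgresql://user:password@hostname:5432/defaultdb?sslmode=require
      tls:
        clientKey: |
          -----BEGIN PRIVATE KEY-----
          MIIEvQIBADANBgkq
          -----END PRIVATE KEY-----
  - http:
      get:
        headers:
          Authorization: 'eyJhbGciOiJIUzI1NiJ9.e30.sig'
`

func main() {
	fmt.Print(RedactSpec(SampleSpec))
}
```

The block scalar under `clientKey` keeps its `|` indicator, so the redacted file still parses as YAML and the collector keys remain visible for troubleshooting.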
LGTM
One more little issue still needed.
Description, Motivation and Context
As of now, it is not possible to know which final YAML spec is used to generate a support bundle.
Knowing the spec used to generate a support bundle will aid with further troubleshooting, to understand the content of a support bundle, e.g. which collectors and analyzers are used, and any render or conditional error.
Demo: https://asciinema.org/a/rTzxKjMRQezLAfNpTLEqJGESZ
Checklist
Does this PR introduce a breaking change?