a >hC@sFddlmZddlZddlZddlmZmZmZGdddeeZdS)) translateN)Plugin RedHatPlugin PluginOptc @seZdZdZdZdZdZdZdZdZ dZ e d d e d d e d d e dd e dddde dddde dddde dde dd e dde dd e dde dd gZ d d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd S)4 OpenshiftaThis is the plugin for OCP 4.x collections. While this product is still built ontop of kubernetes, there is enough difference in the collection requirements and approach to warrant a separate plugin as opposed to further extending the kubernetes plugin (or the OCP 3.x extensions included in the Red Hat version of the kube plugin). This plugin may collect OCP API information when the `with-api` option is enabled. This option is disabled by default. When enabled, this plugin will collect cluster information and inspect the default namespaces/projects that are created during deployment - i.e. the namespaces of the cluster projects matching openshift.* and kube.*. At the time of this plugin's creation that number of default projects is already north of 50; hence this plugin is expected to take a long time in both the setup() and collect() phases. End-user projects may also be collected from when those projects are included in the `add-namespaces` or `only-namespaces` options. It is expected to need to perform an `oc login` command in order for this plugin to be able to correctly capture information, as system root is not considered cluster root on the cluster nodes in order to access the API. Users will need to either: 1) Accept the use of a well-known stock kubeconfig file provided via a static pod resource for the kube-apiserver 2) Provide the bearer token via the `-k openshift.token` option 3) Provide the bearer token via the `SOSOCPTOKEN` environment variable 4) Otherwise ensure that the root user can successfully run `oc` and get proper output prior to running this plugin It is highly suggested that option #1 be used first, as this uses well known configurations and requires the least information from the user. If using a token, it is recommended to use option #3 as this will prevent the token from being recorded in output saved to the archive. Option #2 may be used if this is considered an acceptable risk. It is not recommended to rely on option #4, though it will provide the functionality needed. z Openshift Container Platform 4.x openshifti)r)zopenshift-hyperkubezopenshift-kubeletzg/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfigzoc get tokenNz admin token to allow API queries)defaultZval_typedesc kubeconfigz+Path to a locally available kubeconfig filehostzhttps://localhost:6443z0host address to use for oc login, including port)r r with-apiFzcollect output from the OCP APIpodlogsTzcollect logs from each podpodlogs-filterz1only collect logs from pods matching this patternonly-namespacesz2colon-delimited list of namespaces to collect fromadd-namespaceszHcolon-delimited list of namespaces to add to the default collection listcCs|dddkS)z(Check to see if we can run `oc` commandsz oc whoamistatusr)exec_cmdselfr@/usr/lib/python3.9/site-packages/sos/report/plugins/openshift.py_check_oc_functionYszOpenshift._check_oc_functioncCs||dS)z?Check if the localhost.kubeconfig exists with system:admin userr )Z path_exists get_optionrrrr_check_localhost_kubeconfig]sz%Openshift._check_localhost_kubeconfigcCs|r dS|ddur(|d|j|r|d|di|d}|ddkrf|rfdS|d|dd |d d S|d pt d d}|r|d|dd|d}|ddkr|rdS|dd S|dd S)zuSee if we're logged in to the API service, and if not attempt to do so using provided plugin options Tr NZ KUBECONFIGz8oc login -u system:admin --insecure-skip-tls-verify=Truerrz&The login command failed with status: z and error: outputFrZ SOSOCPTOKENz oc login r z --token=z --insecure-skip-tls-verify=TruezIAttempt to login to OCP API failed, will not run or collect `oc` commandszUNot logged in to OCP API, and no login token provided. Will not collect `oc` commands) rrZ set_optionmaster_localhost_kubeconfigrZset_default_cmd_environmentr _log_warnosgetenv)rZoc_resrrrr_check_oc_logged_inasH     zOpenshift._check_oc_logged_incCsT|drt|ddSddg}|drP|ddD]}||q@|S)zCombine a set of regexes for collection with any namespaces passed to sos via the -k openshift.add-namespaces option. Note that this does allow for end users to specify namespace regexes of their own. r:z openshift.*zkube.*r)rlistsplitappend)rZcollect_regexesZnsprrr_setup_namespace_regexess   z"Openshift._setup_namespace_regexescs(dd|tfdd|DS)aReduce the namespace listing returned to just the ones we want to collect from. By default, as requested by OCP support personnel, this must include all 'openshift' prefixed namespaces :param nsps list: Namespace names from oc output cSs |D]}t||rdSqdS)zMatch a particular namespace for inclusion (or not) in the collection phases :param namespace str: The name of a namespace TF)rematch) namespaceregexesregexrrr_match_namespaces z:Openshift._reduce_namespace_list.._match_namespacecsh|]}|r|qSrr.0nr,r*rr z3Openshift._reduce_namespace_list..)r&r#)rnspsrr0r_reduce_namespace_lists z Openshift._reduce_namespace_listcCs|d|d|ddg|d|dr@|}nd}|r|dg}|gd|| |j d }|d d krd d |d ddD}| |}|D]}| |qdS)aThe setup() phase of this plugin will iterate through all default projects (namespaces), and/or those specified via the `add-namespaces` and `only-namespaces` plugin options. Both of these options accept shell-style regexes. Cluster-wide information, that is information that is not tied to a specific namespace, will be saved in the top-level plugin directory. Each namespace will have it's own subdir within the `namespaces` subdir to aide in organization. From there, each namespace subdir will have a subsequent subdir for each type of API resource the plugin collects. In contrast with the `kubernetes` plugin, this plugin will collect logs from all pods within each namespace, as well as the previous pod's logs, by default. The `-k openshift.podlogs-filter` option can be used to greatly reduce the amount of collected information. Zkubeletz/etc/kubernetes/*.crtz/etc/kubernetes/*.key/etc/kubernetes/*r FzNote that the Openshift Container Platform plugin can be expected in most configurations to take 5+ minutes in both the setup and collection phases)zoc cluster-infoz oc get -A pvz oc get -A csrz oc statusz oc versionz namespacesrrcSsg|]}|dqSrr$r-rrr sz#Openshift.setup..rN)Z add_journalZadd_service_statusZadd_forbidden_pathZ add_copy_specrr!radd_cmd_outputcollect_cluster_resourcescollect_cmd_outputoc_cmd splitlinesr4collect_from_namespace)rZ can_run_ocZoc_nspsZ_nm_resr3r)rrrsetups2        zOpenshift.setupcCsgd}|D]~}d|}d|g}|j|jd|||d}|ddkr |dd d D]&}|jd |d|d|d qbq d S) zFCollect cluster-level (non-namespaced) resources from the API )ZclusternetworksZclusteroperatorsZclusterversionsZcomponentstatusesZconfigsZcontainerruntimeconfigsZcontrollerconfigsZdnsesZ hostsubnetsZinfrastructuresZmachineconfigpoolsZmachineconfigsZ netnamespacesZnetworksZnodesZproxiesZstorageclasseszcluster_resources/ocp_ subdirtagsrrrr9Nz oc describe rD)r<r=r>r:r$)rZglobal_resourcesresource_subdirZ_tagZ_resZ _res_namerrrr; s   z#Openshift.collect_cluster_resourcesc Cs gd}d|}|jd||d|D]}|d|}d|d|d||g}|jd|d |}|j|||d }|d d kr*|d dd} | D]2} | d } |j|d | d|| ddq|dkr*| r*|dr*dd| D} ||| q*dS)zRun through the collection routines for an individual namespace. This collection should include all requested resources that exist within that namesapce :param namespace str: The name of the namespace )Z buildconfigsZbuildsZcatalogsourceconfigsZcatalogsourcesZclusterserviceversionsZ configmapsZ daemonsetsZdeploymentconfigsZ deploymentsZeventsZhorizontalpodautoscalersZ imagestreamsZingresscontrollersZ ingressesZ installplansZ limitrangesZmachinesZ machinesetsZ mcoconfigsznet-attach-defZoperatorgroupsZoperatorsourcespodsZpvcZresourcequotasZroutessecretsZservicesZ statefulsetsZ subscriptions namespaces/zoc describe namespace rF/rA_z --namespace=rBrCrrrr9Nz -o yamlz.yaml)rDZsuggest_filenamerIrcSsg|]}|dqSr6r7)r.prrrr8{r2z4Openshift.collect_from_namespace..)r:r=r<r>r$rcollect_podlogs) rr)Z resourcesrDresrHZ_tagsZ_get_cmdZ_res_outZ _instancesZ _instanceZ_instance_namepod_listrrrr?-s: #    z Openshift.collect_from_namespacecCspd|d}|dr&t|d}nd}|D]<}|rDt||sDq.d|d|}|j||dg|dq.dS) zFor any namespace that has active pods in it, collect the current and previous pod's logs :param pod_list list: A list of pod names rKz /pods/podlogsrNzoc logs --namespace=rBz -prF)rrr'r(r:)rr)rQZ_log_dirr+ZpodZ_log_cmdrrrrO~s  zOpenshift.collect_podlogscCs`|d|dgd}dd|d}|d|d|d|dd }|d |d dS) Nzoc r5)z.*.crtzclient-certificate-datazclient-key-datazcertificate-authority-dataz.*.keyrz.*token.*.valuez(\s*(|z):)(.*)z \1 *******rJz((?P(.*\\n)?Source:\s(.*),)((.*?))\nz oc describez\g *******\n)Zdo_cmd_private_subZdo_file_private_subjoinZdo_path_regex_subZdo_cmd_output_sub)r_fieldsr+rrrpostprocs   zOpenshift.postproc)__name__ __module__ __qualname____doc__Z short_descZ plugin_nameZplugin_timeoutZprofilesZpackagesrr=rstrZ option_listrrr!r&r4r@r;r?rOrUrrrrrsT( 7F#Qr) fnmatchrrr'Zsos.report.pluginsrrrrrrrr s