Merge pull request #86 from martinkunc/collect-configmap

Collecting config maps

Author: openshift-merge-robot

pkg/gather/clusterconfig/clusterconfig.go

@@ -14,6 +14,9 @@ import (
 	configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
 	certificatesv1beta1 "k8s.io/client-go/kubernetes/typed/certificates/v1beta1"
 
+	"encoding/base64"
+	"encoding/pem"
+
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -140,6 +143,23 @@ func (i *Gatherer) Gather(ctx context.Context, recorder record.Interface) error
 
 			return records, nil
 		},
+		func() ([]record.Record, []error) {
+			cms, err := i.coreClient.ConfigMaps("openshift-config").List(metav1.ListOptions{})
+			if err != nil {
+				return nil, []error{err}
+			}
+			records := make([]record.Record, 0, len(cms.Items))
+			for i := range cms.Items {
+				for dk, dv := range cms.Items[i].Data {
+					records = append(records, record.Record{Name: fmt.Sprintf("config/configmaps/%s/%s", cms.Items[i].Name, dk), Item: ConfigMapAnonymizer{v: []byte(dv), encodeBase64: false}})
+				}
+				for dk, dv := range cms.Items[i].BinaryData {
+					records = append(records, record.Record{Name: fmt.Sprintf("config/configmaps/%s/%s", cms.Items[i].Name, dk), Item: ConfigMapAnonymizer{v: dv, encodeBase64: true}})
+				}
+			}
+
+			return records, nil
+		},
 		func() ([]record.Record, []error) {
 			config, err := i.client.ClusterVersions().Get("version", metav1.GetOptions{})
 			if errors.IsNotFound(err) {
@@ -543,3 +563,43 @@ func (i *Gatherer) ClusterVersion() *configv1.ClusterVersion {
 	defer i.lock.Unlock()
 	return i.lastVersion
 }
+
+// ConfigMapAnonymizer implements serialization of configmap
+// and potentially anonymizes if it is a certificate
+type ConfigMapAnonymizer struct {
+	v            []byte
+	encodeBase64 bool
+}
+
+// Marshal implements serialization of Node with anonymization
+func (a ConfigMapAnonymizer) Marshal(_ context.Context) ([]byte, error) {
+	c := []byte(anonymizeConfigMap(a.v))
+	if a.encodeBase64 {
+		buff := make([]byte, base64.StdEncoding.EncodedLen(len(c)))
+		base64.StdEncoding.Encode(buff, []byte(c))
+		c = buff
+	}
+	return c, nil
+}
+
+func anonymizeConfigMap(dv []byte) string {
+	anonymizedPemBlock := `-----BEGIN CERTIFICATE-----
+ANONYMIZED
+-----END CERTIFICATE-----
+`
+	var sb strings.Builder
+	r := dv
+	for {
+		var block *pem.Block
+		block, r = pem.Decode(r)
+		if block == nil {
+			// cannot be extracted
+			return string(dv)
+		}
+		sb.WriteString(anonymizedPemBlock)
+		if len(r) == 0 {
+			break
+		}
+	}
+	return sb.String()
+}

pkg/gather/clusterconfig/clusterconfig_test.go

@@ -0,0 +1,106 @@
+package clusterconfig
+
+import (
+	"context"
+	"encoding/json"
+	"io/ioutil"
+	"os"
+	"testing"
+
+	"github.com/openshift/insights-operator/pkg/record"
+	"github.com/openshift/insights-operator/pkg/utils"
+	v1 "k8s.io/api/core/v1"
+	"k8s.io/klog"
+)
+
+func TestConfigMapAnonymizer(t *testing.T) {
+	klog.SetOutput(utils.NewTestLog(t).Writer())
+
+	var cases = []struct {
+		testName               string
+		configMapName          string
+		expectedAnonymizedJSON string
+	}{
+		{
+			"ConfigMap Non PEM data",
+			"openshift-install",
+			`{
+				"invoker":"codeReadyContainers",
+				"version":"unreleased-master-2205-g2055609f95b19322ee6cfdd0bea73399297c4a3e"
+			}`,
+		},
+		{
+			"ConfigMap PEM is anonymized",
+			"initial-kube-apiserver-server-ca",
+			`{
+				"ca-bundle.crt": "-----BEGIN CERTIFICATE-----\nANONYMIZED\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nANONYMIZED\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nANONYMIZED\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nANONYMIZED\n-----END CERTIFICATE-----\n-----BEGIN CERTIFICATE-----\nANONYMIZED\n-----END CERTIFICATE-----\n"
+			}`,
+		},
+		{
+			"ConfigMap BinaryData non anonymized",
+			"test-binary",
+			`{
+				"ls": "z/rt/gcAAAEDAA=="
+			}`,
+		},
+	}
+
+	for _, tt := range cases {
+		t.Run(tt.testName, func(t *testing.T) {
+			f, err := os.Open("testdata/configmaps.json")
+			mustNotFail(t, err, "error opening test data file. %+v")
+			defer f.Close()
+			bts, err := ioutil.ReadAll(f)
+			mustNotFail(t, err, "error reading test data file. %+v")
+			var cml *v1.ConfigMapList
+			mustNotFail(t, json.Unmarshal([]byte(bts), &cml), "error unmarshalling json %+v")
+			cm := findMap(cml, tt.configMapName)
+			mustNotFail(t, cm != nil, "haven't found a ConfigMap %+v")
+			var res []byte
+			cmdata := map[string]string{}
+			addAnonymized := func(cmdata map[string]string, dn string, encodebase64 bool, d []byte) {
+				m := record.Marshalable(ConfigMapAnonymizer{v: d, encodeBase64: encodebase64})
+
+				res, err = m.Marshal(context.TODO())
+				cmdata[dn] = string(res)
+				mustNotFail(t, err, "serialization failed %+v")
+			}
+			for dn, dv := range cm.Data {
+				addAnonymized(cmdata, dn, false, []byte(dv))
+			}
+			for dn, dv := range cm.BinaryData {
+				addAnonymized(cmdata, dn, true, dv)
+			}
+			var md []byte
+			md, err = json.Marshal(cmdata)
+			mustNotFail(t, err, "marshaling failed %+v")
+			d := map[string]string{}
+			err = json.Unmarshal([]byte(tt.expectedAnonymizedJSON), &d)
+			mustNotFail(t, err, "unmarshaling of expected failed %+v")
+			exp, err := json.Marshal(d)
+			mustNotFail(t, err, "marshaling of expected failed %+v")
+			if string(exp) != string(md) {
+				t.Fatalf("The test %s result is unexpected. Result: \n%s \nExpected \n%s", tt.testName, string(md), string(exp))
+			}
+		})
+	}
+
+}
+
+func mustNotFail(t *testing.T, err interface{}, fmtstr string) {
+	if e, ok := err.(error); ok && e != nil {
+		t.Fatalf(fmtstr, e)
+	}
+	if e, ok := err.(bool); ok && !e {
+		t.Fatalf(fmtstr, e)
+	}
+}
+
+func findMap(cml *v1.ConfigMapList, name string) *v1.ConfigMap {
+	for _, it := range cml.Items {
+		if it.Name == name {
+			return &it
+		}
+	}
+	return nil
+}

pkg/gather/clusterconfig/csr.go

@@ -8,7 +8,6 @@ import (
 	"fmt"
 	"time"
 
-	"github.com/openshift/insights-operator/pkg/utils"
 	"k8s.io/api/certificates/v1beta1"
 	certificatesv1b1api "k8s.io/api/certificates/v1beta1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -130,18 +129,18 @@ func anonymizeCSRRequest(r *certificatesv1b1api.CertificateSigningRequest, c *CS
 
 	c.Spec.Request.SignatureAlgorithm = csr.SignatureAlgorithm.String()
 	c.Spec.Request.PublicKeyAlgorithm = csr.PublicKeyAlgorithm.String()
-	c.Spec.Request.DNSNames = utils.Map(csr.DNSNames, anonymizeURL)
-	c.Spec.Request.EmailAddresses = utils.Map(csr.EmailAddresses, anonymizeURL)
+	c.Spec.Request.DNSNames = Map(csr.DNSNames, anonymizeURL)
+	c.Spec.Request.EmailAddresses = Map(csr.EmailAddresses, anonymizeURL)
 	ipsl := make([]string, len(csr.IPAddresses))
 	for i, ip := range csr.IPAddresses {
 		ipsl[i] = ip.String()
 	}
-	c.Spec.Request.IPAddresses = utils.Map(ipsl, anonymizeURL)
+	c.Spec.Request.IPAddresses = Map(ipsl, anonymizeURL)
 	urlsl := make([]string, len(csr.URIs))
 	for i, u := range csr.URIs {
 		urlsl[i] = u.String()
 	}
-	c.Spec.Request.URIs = utils.Map(urlsl, anonymizeURL)
+	c.Spec.Request.URIs = Map(urlsl, anonymizeURL)
 }
 
 func anonymizePkxName(s pkix.Name) (a pkix.Name) {
@@ -166,7 +165,7 @@ func anonymizePkxName(s pkix.Name) (a pkix.Name) {
 		case *string:
 			*(dst[i].(*string)) = anonymizeString(*s)
 		case *[]string:
-			*(dst[i].(*[]string)) = utils.Map(*s, anonymizeString)
+			*(dst[i].(*[]string)) = Map(*s, anonymizeString)
 		default:
 			panic(fmt.Sprintf("unknown type %T", s))
 		}
@@ -223,6 +222,15 @@ func anonymizeCSR(r *certificatesv1b1api.CertificateSigningRequest) *CSRAnonymiz
 	return c
 }
 
+// Map applies each of functions to passed slice
+func Map(it []string, fn func(string) string) []string {
+	outSlice := []string{}
+	for _, str := range it {
+		outSlice = append(outSlice, fn(str))
+	}
+	return outSlice
+}
+
 type CSRAnonymizedFeatures struct {
 	TypeMeta   metav1.TypeMeta
 	ObjectMeta metav1.ObjectMeta