File: //usr/lib/python2.7/site-packages/sos/plugins/origin.py
# Copyright (C) 2016 Red Hat, Inc., Pep Turro Mauri <pep@redhat.com>
# This file is part of the sos project: https://github.com/sosreport/sos
#
# This copyrighted material is made available to anyone wishing to use,
# modify, copy, or redistribute it subject to the terms and conditions of
# version 2 of the GNU General Public License.
#
# See the LICENSE file in the source distribution for further information.
from sos.plugins import Plugin, RedHatPlugin
import os.path
# This plugin collects static configuration and runtime information
# about OpenShift Origin based environments, like OpenShift Enterprise 3
# Some clarification on naming:
# OpenShift Origin is the upstream project for OpenShift Enterprise,
# OpenShift Container Platflorm, and Atomic Platform.
#
# However, the name "OpenShift Origin" refers to two different code bases:
#  * Origin M5 and later (https://github.com/openshift/origin)
#    which is upstream for OpenShift 3.x and later.
#    This is what this plugin handles
#  * Origin M4 and earlier (https://github.com/openshift/origin-server)
#    which is upstream for OpenShift 1.x and 2.x.
#    This is handled by the plugin in openshift.py
# Note that this plugin should be used in conjunction with other plugins
# in order to capture relevant data: the Kubernetes plugin for the
# masters, the Docker plugin for the nodes, and also generic
# plugins (e.g. for /etc/sysconfig entries, network setup etc)
class OpenShiftOrigin(Plugin):
    """ OpenShift Origin """
    plugin_name = "origin"
    files = None  # file lists assigned after path setup below
    profiles = ('openshift',)
    option_list = [
        ("diag", "run 'oc adm diagnostics' to collect its output",
         'fast', True),
        ("diag-prevent", "set --prevent-modification on 'oc adm diagnostics'",
         'fast', True),
        ("all-namespaces", "collect dc output for all namespaces", "fast",
         False)
    ]
    master_base_dir = "/etc/origin/master"
    node_base_dir = "/etc/origin/node"
    master_cfg = os.path.join(master_base_dir, "master-config.yaml")
    master_env = os.path.join(master_base_dir, "master.env")
    node_cfg_file = "node-config.yaml"
    node_cfg = os.path.join(node_base_dir, node_cfg_file)
    node_kubeconfig = os.path.join(node_base_dir, "node.kubeconfig")
    static_pod_dir = os.path.join(node_base_dir, "pods")
    files = (master_cfg, node_cfg)
    # Master vs. node
    #
    # OpenShift Origin/3.x cluster members can be a master, a node, or both at
    # the same time: in most deployments masters are also nodes in order to get
    # access to the pod network, which some functionality (e.g. the API proxy)
    # requires. Therefore the following methods may all evaluate True on a
    # single instance (at least one must evaluate True if this is an OpenShift
    # installation)
    def is_master(self):
        """Determine if we are on a master"""
        return os.path.exists(self.master_cfg)
    def is_node(self):
        """Determine if we are on a node"""
        return os.path.exists(self.node_cfg)
    def is_static_etcd(self):
        """Determine if we are on a node running etcd"""
        return os.path.exists(os.path.join(self.static_pod_dir, "etcd.yaml"))
    def is_static_pod_compatible(self):
        """Determine if a node is running static pods"""
        return os.path.exists(self.static_pod_dir)
    def setup(self):
        bstrap_node_cfg = os.path.join(self.node_base_dir,
                                       "bootstrap-" + self.node_cfg_file)
        bstrap_kubeconfig = os.path.join(self.node_base_dir,
                                         "bootstrap.kubeconfig")
        node_certs = os.path.join(self.node_base_dir, "certs", "*")
        node_client_ca = os.path.join(self.node_base_dir, "client-ca.crt")
        admin_cfg = os.path.join(self.master_base_dir, "admin.kubeconfig")
        oc_cmd_admin = "%s --config=%s" % ("oc", admin_cfg)
        static_pod_logs_cmd = "master-logs"
        # Note that a system can run both a master and a node.
        # See "Master vs. node" above.
        if self.is_master():
            self.add_copy_spec([
                self.master_cfg,
                self.master_env,
                os.path.join(self.master_base_dir, "*.crt"),
            ])
            if self.is_static_pod_compatible():
                self.add_copy_spec(os.path.join(self.static_pod_dir, "*.yaml"))
                self.add_cmd_output([
                    "%s api api" % static_pod_logs_cmd,
                    "%s controllers controllers" % static_pod_logs_cmd,
                ])
            # TODO: some thoughts about information that might also be useful
            # to collect. However, these are maybe not needed in general
            # and/or present some challenges (scale, sensitive, ...) and need
            # some more thought. For now just leaving this comment here until
            # we decide if it's worth collecting:
            #
            # General project status:
            #   oc status --all-namespaces   (introduced in OSE 3.2)
            #      -> deemed as not worthy in BZ#1394527
            # Metrics deployment configurations
            #   oc get -o json dc -n openshift-infra
            # Logging stack deployment configurations
            #   oc get -o json dc -n logging
            #
            # Note: Information about nodes, events, pods, and services
            # is already collected by the Kubernetes plugin
            subcmds = [
                "describe projects",
                "adm top images",
                "adm top imagestreams"
            ]
            self.add_cmd_output([
                '%s %s' % (oc_cmd_admin, subcmd) for subcmd in subcmds
            ])
            jcmds = [
                "hostsubnet",
                "clusternetwork",
                "netnamespaces"
            ]
            self.add_cmd_output([
                '%s get -o json %s' % (oc_cmd_admin, jcmd) for jcmd in jcmds
            ])
            if self.get_option('all-namespaces'):
                ocn = self.exec_cmd('%s get namespaces' % oc_cmd_admin)
                ns_output = ocn['output'].splitlines()[1:]
                nmsps = [n.split()[0] for n in ns_output if n]
            else:
                nmsps = [
                    'default',
                    'openshift-web-console',
                    'openshift-ansible-service-broker'
                ]
            self.add_cmd_output([
                '%s get -o json dc -n %s' % (oc_cmd_admin, n) for n in nmsps
            ])
            if self.get_option('diag'):
                diag_cmd = "%s adm diagnostics -l 0" % oc_cmd_admin
                if self.get_option('diag-prevent'):
                    diag_cmd += " --prevent-modification=true"
                self.add_cmd_output(diag_cmd)
            self.add_journal(units=["atomic-openshift-master",
                                    "atomic-openshift-master-api",
                                    "atomic-openshift-master-controllers"])
            # get logs from the infrastruture pods running in the default ns
            pods = self.exec_cmd("%s get pod -o name -n default"
                                 % oc_cmd_admin)
            for pod in pods['output'].splitlines():
                self.add_cmd_output("%s logs -n default %s"
                                    % (oc_cmd_admin, pod))
        # Note that a system can run both a master and a node.
        # See "Master vs. node" above.
        if self.is_node():
            self.add_copy_spec([
                self.node_cfg,
                self.node_kubeconfig,
                node_certs,
                node_client_ca,
                bstrap_node_cfg,
                bstrap_kubeconfig,
                os.path.join(self.node_base_dir, "*.crt"),
                os.path.join(self.node_base_dir, "resolv.conf"),
                os.path.join(self.node_base_dir, "node-dnsmasq.conf"),
            ])
            self.add_journal(units="atomic-openshift-node")
        if self.is_static_etcd():
            self.add_cmd_output("%s etcd etcd" % static_pod_logs_cmd)
    def postproc(self):
        # Clear env values from objects that can contain sensitive data
        # Sample JSON content:
        #           {
        #              "name": "MYSQL_PASSWORD",
        #              "value": "mypassword"
        #           },
        # This will mask values when the "name" looks susceptible of
        # values worth obfuscating, i.e. if the name contains strings
        # like "pass", "pwd", "key" or "token".
        env_regexp = r'(?P<var>{\s*"name":\s*[^,]*' \
                     r'(pass|pwd|key|token|cred|secret' \
                     r'|PASS|PWD|KEY|TOKEN|CRED|SECRET)[^,]*,' \
                     r'\s*"value":)[^}]*'
        self.do_cmd_output_sub('oc*json', env_regexp, r'\g<var> "********"')
        # LDAP identity provider
        self.do_file_sub(self.master_cfg,
                         r"(bindPassword:\s*)(.*)",
                         r'\1"********"')
        # github/google/OpenID identity providers
        self.do_file_sub(self.master_cfg,
                         r"(clientSecret:\s*)(.*)",
                         r'\1"********"')
class AtomicOpenShift(OpenShiftOrigin, RedHatPlugin):
    """ OpenShift Enterprise / OpenShift Container Platform
    """
    packages = ('atomic-openshift',)
# vim: set et ts=4 sw=4 :