From 7f595de98009a7778de9a2f25c4a2fb5adb9c877 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Wed, 18 Sep 2024 10:23:07 -0500 Subject: [PATCH 01/19] add a TLS parameter for cacert --- pkg/apis/troubleshoot/v1beta2/collector_shared.go | 9 +++++---- pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go | 7 ++++--- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/pkg/apis/troubleshoot/v1beta2/collector_shared.go b/pkg/apis/troubleshoot/v1beta2/collector_shared.go index 1cc212f52..900f1f7e1 100644 --- a/pkg/apis/troubleshoot/v1beta2/collector_shared.go +++ b/pkg/apis/troubleshoot/v1beta2/collector_shared.go @@ -174,10 +174,11 @@ type Sysctl struct { type HTTP struct { CollectorMeta `json:",inline" yaml:",inline"` - Name string `json:"name,omitempty" yaml:"name,omitempty"` - Get *Get `json:"get,omitempty" yaml:"get,omitempty"` - Post *Post `json:"post,omitempty" yaml:"post,omitempty"` - Put *Put `json:"put,omitempty" yaml:"put,omitempty"` + Name string `json:"name,omitempty" yaml:"name,omitempty"` + Get *Get `json:"get,omitempty" yaml:"get,omitempty"` + Post *Post `json:"post,omitempty" yaml:"post,omitempty"` + Put *Put `json:"put,omitempty" yaml:"put,omitempty"` + TLS *TLSParams `json:"tls,omitempty" yaml:"tls,omitempty"` } type Get struct { diff --git a/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go b/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go index 9d17ee47a..684c06a43 100644 --- a/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go +++ b/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go @@ -66,9 +66,10 @@ type DiskUsage struct { type HostHTTP struct { HostCollectorMeta `json:",inline" yaml:",inline"` - Get *Get `json:"get,omitempty" yaml:"get,omitempty"` - Post *Post `json:"post,omitempty" yaml:"post,omitempty"` - Put *Put `json:"put,omitempty" yaml:"put,omitempty"` + Get *Get `json:"get,omitempty" yaml:"get,omitempty"` + Post *Post `json:"post,omitempty" yaml:"post,omitempty"` + Put *Put `json:"put,omitempty" yaml:"put,omitempty"` + TLS *TLSParams `json:"tls,omitempty" yaml:"tls,omitempty"` } type HostCopy struct { From 7ca3483d113c71b59779615df682bb9b293ebf09 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Wed, 18 Sep 2024 10:23:45 -0500 Subject: [PATCH 02/19] pass a ca cert into http request --- pkg/collect/host_http.go | 6 +++--- pkg/collect/http.go | 33 +++++++++++++++++++++++++-------- 2 files changed, 28 insertions(+), 11 deletions(-) diff --git a/pkg/collect/host_http.go b/pkg/collect/host_http.go index 06e9685d0..2850a9cc3 100644 --- a/pkg/collect/host_http.go +++ b/pkg/collect/host_http.go @@ -32,15 +32,15 @@ func (c *CollectHostHTTP) Collect(progressChan chan<- interface{}) (map[string][ case httpCollector.Get != nil: response, err = doRequest( "GET", httpCollector.Get.URL, httpCollector.Get.Headers, - "", httpCollector.Get.InsecureSkipVerify, httpCollector.Get.Timeout) + "", httpCollector.Get.InsecureSkipVerify, httpCollector.Get.Timeout, httpCollector.TLS.CACert) case httpCollector.Post != nil: response, err = doRequest( "POST", httpCollector.Post.URL, httpCollector.Post.Headers, - httpCollector.Post.Body, httpCollector.Post.InsecureSkipVerify, httpCollector.Post.Timeout) + httpCollector.Post.Body, httpCollector.Post.InsecureSkipVerify, httpCollector.Post.Timeout, httpCollector.TLS.CACert) case httpCollector.Put != nil: response, err = doRequest( "PUT", httpCollector.Put.URL, httpCollector.Put.Headers, - httpCollector.Put.Body, httpCollector.Put.InsecureSkipVerify, httpCollector.Put.Timeout) + httpCollector.Put.Body, httpCollector.Put.InsecureSkipVerify, httpCollector.Put.Timeout, httpCollector.TLS.CACert) default: return nil, errors.New("no supported http request type") } diff --git a/pkg/collect/http.go b/pkg/collect/http.go index 697c30127..4f57a63c7 100644 --- a/pkg/collect/http.go +++ b/pkg/collect/http.go @@ -3,6 +3,7 @@ package collect import ( "bytes" "crypto/tls" + "crypto/x509" "encoding/json" "io" "net/http" @@ -53,15 +54,15 @@ func (c *CollectHTTP) Collect(progressChan chan<- interface{}) (CollectorResult, case c.Collector.Get != nil: response, err = doRequest( "GET", c.Collector.Get.URL, c.Collector.Get.Headers, - "", c.Collector.Get.InsecureSkipVerify, c.Collector.Get.Timeout) + "", c.Collector.Get.InsecureSkipVerify, c.Collector.Get.Timeout, c.Collector.TLS.CACert) case c.Collector.Post != nil: response, err = doRequest( "POST", c.Collector.Post.URL, c.Collector.Post.Headers, - c.Collector.Post.Body, c.Collector.Post.InsecureSkipVerify, c.Collector.Post.Timeout) + c.Collector.Post.Body, c.Collector.Post.InsecureSkipVerify, c.Collector.Post.Timeout, c.Collector.TLS.CACert) case c.Collector.Put != nil: response, err = doRequest( "PUT", c.Collector.Put.URL, c.Collector.Put.Headers, - c.Collector.Put.Body, c.Collector.Put.InsecureSkipVerify, c.Collector.Put.Timeout) + c.Collector.Put.Body, c.Collector.Put.InsecureSkipVerify, c.Collector.Put.Timeout, c.Collector.TLS.CACert) default: return nil, errors.New("no supported http request type") } @@ -82,7 +83,7 @@ func (c *CollectHTTP) Collect(progressChan chan<- interface{}) (CollectorResult, return output, nil } -func doRequest(method, url string, headers map[string]string, body string, insecureSkipVerify bool, timeout string) (*http.Response, error) { +func doRequest(method, url string, headers map[string]string, body string, insecureSkipVerify bool, timeout string, cacert string) (*http.Response, error) { t, err := parseTimeout(timeout) if err != nil { return nil, err @@ -92,11 +93,27 @@ func doRequest(method, url string, headers map[string]string, body string, insec Timeout: t, } - if insecureSkipVerify { + var tlsConfig *tls.Config + + if cacert != "" { + certPool := x509.NewCertPool() + + if !certPool.AppendCertsFromPEM([]byte(cacert)) { + return nil, errors.New("failed to append certificate to cert pool") + } + + tlsConfig = &tls.Config{ + RootCAs: certPool, + } + } else if insecureSkipVerify { + tlsConfig = &tls.Config{ + InsecureSkipVerify: true, + } + } + + if tlsConfig != nil { httpClient.Transport = &http.Transport{ - TLSClientConfig: &tls.Config{ - InsecureSkipVerify: true, - }, + TLSClientConfig: tlsConfig, } } From 941bfc69a9f05e7b94b2414f58493b75e72c4a07 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Wed, 18 Sep 2024 10:23:55 -0500 Subject: [PATCH 03/19] test preflight --- testdata/replicated-app.yaml | 61 ++++++++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 testdata/replicated-app.yaml diff --git a/testdata/replicated-app.yaml b/testdata/replicated-app.yaml new file mode 100644 index 000000000..f68764cf8 --- /dev/null +++ b/testdata/replicated-app.yaml @@ -0,0 +1,61 @@ +apiVersion: troubleshoot.sh/v1beta2 +kind: HostPreflight +metadata: + name: replicated-app +spec: + collectors: + - http: + collectorName: replicated-app + get: + url: https://replicated.app + tls: + cacert: |- + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgGFUX3096w6S0 + XwBU52uLdsqayH5qlrjXu87fxNeQwbX+gOLly5EfvpHQeqIeBFGYBY+UL3RaH7sQ + 72exQDvRlWBSGMlLGLK4TXRAVNJEEDVwVyWwb2jn+vMUOkuoukn7fluXwuxSrcvh + kvDwtNdsy9sATUDNzC/6RTKBb3heA0lDu0xHo93YrJavhY+PXjMnjCRo1C4mCcWE + +pogX2qqcDycSaX5WDpmxfH0CUyqxkr8B1unvMugDlnLbkz8TilCkZCnxm6zjDGD + qV/D9w+n0ci/nWaCEXoWKXrjKdxRH5gdvMUIeBufZ4WILG1Puwlk8lKzEYmcYJQj + hPitghF9AgMBAAECggEAANtAQ4bJcf+KTLfvuSRNTyp+M4LlLI03fyui8kx7OWIG + aY2C89QDZMoTUCBi9lVREj74/FzudFj592ZP2VPCfyAAAI+a1tU5hK3z0WRoSJH/ + BQjbVark1AW5IDWoUbm5+OldaSjuPysIxQhMIVV3XMxBXtvEm0U5J9Zfbq0aSgPl + DgJHrxirW+7D/uayCCMj9zP78RMzgtm3s2M7KFn7d5DNPXX4iR6L2mHJ1en+1+Xm + dE9FuExT3EL8Ltmw7YmxeL+w62VYv4QvEbrcG627XPjoV7UzKUkjgFaAKoz2M6sw + glZBlfWtfAzQLM+IndWIVnbejK8tK2OwJNoMc3lzbwKBgQD3sIFJi0q4/dayY24l + ZMkRLzof8oQ0++1AnH6Nqyke4svag740p1w9e+yzYspXN5lr71awBJHUxWfce8/8 + QPwSv/3UpbECT+zXbeZ8RpHZk2s3Up5twIWPrtK5/NyDsY1tzS6vjxIsJSbYRQVm + re9p6HCOWYcdZeSmbvCC46d+wwKBgQDnnSqQ+BN7c6Nq+uSCT3XqSB/Rc0pwc2Ii + zZ02Wtx2XFTaIKxtaCCBgospOYrygfugdyayprY5bUFYV1YcnaP3aUNWPtDhguVY + azcmyxOdqF0EWkPtjvesNeVQXYC18QVo4OSBbQ/yfIi1jH2YdYK2Rc/45sanT8cC + cR3bRV+qvwKBgGafIaHn7UiiGx8D5THnBQtypsFvyGjvbAgWDrUBkmLykoVxig/k + u2nZ+2MDblQefBllK2R4MDeYpoSKY8ze29Gk7DT7hVAw7y7+oL0iu/EKjCR6vZs5 + Zdz3EOXwJykFGlTA6zPfsibKKcL3Ldqx+/zESkYgP8PlYIu4cTu5uL7jAoGAcbom + kJB/YHrjn0AavDGwQJ2xofLudlDxuw0jSPFMl4G22HR6ti4O6AjltBRhObrBh4V6 + JvbdO01+bJZV3i85t96kBdFKV7EiVEwxBIdq1ls5cU2xVRCCZLkCJHgFH1F9yoXD + LhoTXonvxtV5RkdNK5sUB6+pk7YEjhplAqoJ05kCgYEAri5I5UF5dt9hHVpWAEZU + bspdDwYZtumABnqVk3GaU3er1JfP3IOboUY5crMMMB6m1uX0DGHH6PKVBerF3jWZ + pHocLE5yrVYZlCP4kj6x19qMGdV49Vh/+tPgR5GyRJkgbxEV9lTwB8Eo+4BbobIR + +5uSFuBABnTgvc3ztOfQjy0= + -----END PRIVATE KEY----- + -----BEGIN CERTIFICATE----- + MIIDfTCCAmWgAwIBAgIUStJWsJdkt8D/SmiFUBLkAFqht4owDQYJKoZIhvcNAQEL + BQAwTjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 + MRMwEQYDVQQKDApSZXBsaWNhdGVkMQswCQYDVQQLDAJJVDAeFw0yNDA5MTcxNDQ0 + MzVaFw0yNDA5MjQxNDQ0MzVaME4xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0 + ZTENMAsGA1UEBwwEQ2l0eTETMBEGA1UECgwKUmVwbGljYXRlZDELMAkGA1UECwwC + SVQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDgGFUX3096w6S0XwBU + 52uLdsqayH5qlrjXu87fxNeQwbX+gOLly5EfvpHQeqIeBFGYBY+UL3RaH7sQ72ex + QDvRlWBSGMlLGLK4TXRAVNJEEDVwVyWwb2jn+vMUOkuoukn7fluXwuxSrcvhkvDw + tNdsy9sATUDNzC/6RTKBb3heA0lDu0xHo93YrJavhY+PXjMnjCRo1C4mCcWE+pog + X2qqcDycSaX5WDpmxfH0CUyqxkr8B1unvMugDlnLbkz8TilCkZCnxm6zjDGDqV/D + 9w+n0ci/nWaCEXoWKXrjKdxRH5gdvMUIeBufZ4WILG1Puwlk8lKzEYmcYJQjhPit + ghF9AgMBAAGjUzBRMB0GA1UdDgQWBBQot0LK1Vjf4S16SVwwNB2KFWeGgTAfBgNV + HSMEGDAWgBQot0LK1Vjf4S16SVwwNB2KFWeGgTAPBgNVHRMBAf8EBTADAQH/MA0G + CSqGSIb3DQEBCwUAA4IBAQAMAst1v+nV3P/FLg0rniCJyJHsaTi8W8HipBR6PKT2 + iXA0w8vFP5vSSa3PidFx0wGzIr/QivODBg43gcdatyTqfMDm7RedPjI0mRBbV51o + 6Bs/xCTglr6Ij74LF/rGHibzmF8VuA8d01g6sZ9hggE3ZOc2MGak8r5qd6MVGu2E + KJKk3Z4pjoacAG2pc4r+d9gD0f+t0n4teyhZC22dSk6b3vob4Q8mSoBp3yNCP84W + 4dha7zuPW6YudGzw1unIHssa4iZF3O9liRLtVCrKkTze4KVQujAfoIl3ad/JrsLp + IS1lVuEZUAKJLQeNUwhuNF2+I09OE2tKeODnsIitfAsG + -----END CERTIFICATE----- From 8a3af4d77c5d2e5eb88c153be7b984a006be355f Mon Sep 17 00:00:00 2001 From: ada mancini Date: Wed, 18 Sep 2024 10:26:17 -0500 Subject: [PATCH 04/19] make schemas --- config/crds/troubleshoot.sh_collectors.yaml | 21 ++++++ .../crds/troubleshoot.sh_hostcollectors.yaml | 21 ++++++ .../crds/troubleshoot.sh_hostpreflights.yaml | 21 ++++++ config/crds/troubleshoot.sh_preflights.yaml | 21 ++++++ .../crds/troubleshoot.sh_supportbundles.yaml | 42 ++++++++++++ .../v1beta2/zz_generated.deepcopy.go | 10 +++ schemas/collector-troubleshoot-v1beta2.json | 32 ++++++++++ schemas/preflight-troubleshoot-v1beta2.json | 32 ++++++++++ .../supportbundle-troubleshoot-v1beta2.json | 64 +++++++++++++++++++ 9 files changed, 264 insertions(+) diff --git a/config/crds/troubleshoot.sh_collectors.yaml b/config/crds/troubleshoot.sh_collectors.yaml index 41665245c..f933bf526 100644 --- a/config/crds/troubleshoot.sh_collectors.yaml +++ b/config/crds/troubleshoot.sh_collectors.yaml @@ -460,6 +460,27 @@ spec: required: - url type: object + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object type: object logs: properties: diff --git a/config/crds/troubleshoot.sh_hostcollectors.yaml b/config/crds/troubleshoot.sh_hostcollectors.yaml index 61b6907f1..57dec58b0 100644 --- a/config/crds/troubleshoot.sh_hostcollectors.yaml +++ b/config/crds/troubleshoot.sh_hostcollectors.yaml @@ -1450,6 +1450,27 @@ spec: required: - url type: object + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object type: object httpLoadBalancer: properties: diff --git a/config/crds/troubleshoot.sh_hostpreflights.yaml b/config/crds/troubleshoot.sh_hostpreflights.yaml index f8c06613c..958995af9 100644 --- a/config/crds/troubleshoot.sh_hostpreflights.yaml +++ b/config/crds/troubleshoot.sh_hostpreflights.yaml @@ -1450,6 +1450,27 @@ spec: required: - url type: object + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object type: object httpLoadBalancer: properties: diff --git a/config/crds/troubleshoot.sh_preflights.yaml b/config/crds/troubleshoot.sh_preflights.yaml index d762ce2c6..5dbe47d6e 100644 --- a/config/crds/troubleshoot.sh_preflights.yaml +++ b/config/crds/troubleshoot.sh_preflights.yaml @@ -2189,6 +2189,27 @@ spec: required: - url type: object + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object type: object logs: properties: diff --git a/config/crds/troubleshoot.sh_supportbundles.yaml b/config/crds/troubleshoot.sh_supportbundles.yaml index 220bd1c33..d0d5c1562 100644 --- a/config/crds/troubleshoot.sh_supportbundles.yaml +++ b/config/crds/troubleshoot.sh_supportbundles.yaml @@ -2220,6 +2220,27 @@ spec: required: - url type: object + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object type: object logs: properties: @@ -20028,6 +20049,27 @@ spec: required: - url type: object + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object type: object httpLoadBalancer: properties: diff --git a/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go b/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go index 5b40aca8f..22bfcbdf9 100644 --- a/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go +++ b/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go @@ -1688,6 +1688,11 @@ func (in *HTTP) DeepCopyInto(out *HTTP) { *out = new(Put) (*in).DeepCopyInto(*out) } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSParams) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTP. @@ -2333,6 +2338,11 @@ func (in *HostHTTP) DeepCopyInto(out *HostHTTP) { *out = new(Put) (*in).DeepCopyInto(*out) } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSParams) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostHTTP. diff --git a/schemas/collector-troubleshoot-v1beta2.json b/schemas/collector-troubleshoot-v1beta2.json index a539ae297..fecf0d58e 100644 --- a/schemas/collector-troubleshoot-v1beta2.json +++ b/schemas/collector-troubleshoot-v1beta2.json @@ -635,6 +635,38 @@ "type": "string" } } + }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } } } }, diff --git a/schemas/preflight-troubleshoot-v1beta2.json b/schemas/preflight-troubleshoot-v1beta2.json index 7b4ddd0f7..46db5786b 100644 --- a/schemas/preflight-troubleshoot-v1beta2.json +++ b/schemas/preflight-troubleshoot-v1beta2.json @@ -3299,6 +3299,38 @@ "type": "string" } } + }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } } } }, diff --git a/schemas/supportbundle-troubleshoot-v1beta2.json b/schemas/supportbundle-troubleshoot-v1beta2.json index 884ac10f6..6a5cf2579 100644 --- a/schemas/supportbundle-troubleshoot-v1beta2.json +++ b/schemas/supportbundle-troubleshoot-v1beta2.json @@ -3345,6 +3345,38 @@ "type": "string" } } + }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } } } }, @@ -19196,6 +19228,38 @@ "type": "string" } } + }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } } } }, From 943c78cb1ac96b7387eb54d35c7a94f443cc0cd3 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Thu, 19 Sep 2024 10:26:21 -0500 Subject: [PATCH 05/19] log extra information from http request --- pkg/collect/http.go | 69 +++++++++++++++++++++++++++++++----- testdata/replicated-app.yaml | 51 +------------------------- 2 files changed, 62 insertions(+), 58 deletions(-) diff --git a/pkg/collect/http.go b/pkg/collect/http.go index 4f57a63c7..c8d90385b 100644 --- a/pkg/collect/http.go +++ b/pkg/collect/http.go @@ -5,8 +5,10 @@ import ( "crypto/tls" "crypto/x509" "encoding/json" + "fmt" "io" "net/http" + "net/http/httputil" "path/filepath" "strings" "time" @@ -89,10 +91,7 @@ func doRequest(method, url string, headers map[string]string, body string, insec return nil, err } - httpClient := &http.Client{ - Timeout: t, - } - + var httpClient *http.Client var tlsConfig *tls.Config if cacert != "" { @@ -105,15 +104,39 @@ func doRequest(method, url string, headers map[string]string, body string, insec tlsConfig = &tls.Config{ RootCAs: certPool, } + + fmt.Printf("Using tlsConfig cert: %v", tlsConfig) + + httpClient = &http.Client{ + Timeout: t, + Transport: &LoggingTransport{ + Transport: &http.Transport{ + TLSClientConfig: tlsConfig, + }, + }, + } + } else if insecureSkipVerify { + tlsConfig = &tls.Config{ InsecureSkipVerify: true, } - } - if tlsConfig != nil { - httpClient.Transport = &http.Transport{ - TLSClientConfig: tlsConfig, + httpClient = &http.Client{ + Timeout: t, + Transport: &LoggingTransport{ + Transport: &http.Transport{ + TLSClientConfig: tlsConfig, + }, + }, + } + + } else { + httpClient = &http.Client{ + Timeout: t, + Transport: &LoggingTransport{ + Transport: &http.Transport{}, + }, } } @@ -129,6 +152,36 @@ func doRequest(method, url string, headers map[string]string, body string, insec return httpClient.Do(req) } +type LoggingTransport struct { + Transport http.RoundTripper +} + +func (t *LoggingTransport) RoundTrip(req *http.Request) (*http.Response, error) { + // Log the request + dumpReq, err := httputil.DumpRequestOut(req, true) + if err != nil { + klog.V(2).Infof("Failed to dump request: %v", err) + } else { + klog.V(2).Infof("Request: %s", dumpReq) + } + + resp, err := t.Transport.RoundTrip(req) + + // Log the response + if err != nil { + klog.V(2).Infof("Request failed: %v", err) + } else { + dumpResp, err := httputil.DumpResponse(resp, true) + if err != nil { + klog.V(2).Infof("Failed to dump response: %v", err) + } else { + klog.V(2).Infof("Response: %s", dumpResp) + } + } + + return resp, err +} + func responseToOutput(response *http.Response, err error) ([]byte, error) { output := make(map[string]interface{}) if err != nil { diff --git a/testdata/replicated-app.yaml b/testdata/replicated-app.yaml index f68764cf8..73824061c 100644 --- a/testdata/replicated-app.yaml +++ b/testdata/replicated-app.yaml @@ -1,5 +1,5 @@ apiVersion: troubleshoot.sh/v1beta2 -kind: HostPreflight +kind: SupportBundle metadata: name: replicated-app spec: @@ -10,52 +10,3 @@ spec: url: https://replicated.app tls: cacert: |- - -----BEGIN PRIVATE KEY----- - MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDgGFUX3096w6S0 - XwBU52uLdsqayH5qlrjXu87fxNeQwbX+gOLly5EfvpHQeqIeBFGYBY+UL3RaH7sQ - 72exQDvRlWBSGMlLGLK4TXRAVNJEEDVwVyWwb2jn+vMUOkuoukn7fluXwuxSrcvh - kvDwtNdsy9sATUDNzC/6RTKBb3heA0lDu0xHo93YrJavhY+PXjMnjCRo1C4mCcWE - +pogX2qqcDycSaX5WDpmxfH0CUyqxkr8B1unvMugDlnLbkz8TilCkZCnxm6zjDGD - qV/D9w+n0ci/nWaCEXoWKXrjKdxRH5gdvMUIeBufZ4WILG1Puwlk8lKzEYmcYJQj - hPitghF9AgMBAAECggEAANtAQ4bJcf+KTLfvuSRNTyp+M4LlLI03fyui8kx7OWIG - aY2C89QDZMoTUCBi9lVREj74/FzudFj592ZP2VPCfyAAAI+a1tU5hK3z0WRoSJH/ - BQjbVark1AW5IDWoUbm5+OldaSjuPysIxQhMIVV3XMxBXtvEm0U5J9Zfbq0aSgPl - DgJHrxirW+7D/uayCCMj9zP78RMzgtm3s2M7KFn7d5DNPXX4iR6L2mHJ1en+1+Xm - dE9FuExT3EL8Ltmw7YmxeL+w62VYv4QvEbrcG627XPjoV7UzKUkjgFaAKoz2M6sw - glZBlfWtfAzQLM+IndWIVnbejK8tK2OwJNoMc3lzbwKBgQD3sIFJi0q4/dayY24l - ZMkRLzof8oQ0++1AnH6Nqyke4svag740p1w9e+yzYspXN5lr71awBJHUxWfce8/8 - QPwSv/3UpbECT+zXbeZ8RpHZk2s3Up5twIWPrtK5/NyDsY1tzS6vjxIsJSbYRQVm - re9p6HCOWYcdZeSmbvCC46d+wwKBgQDnnSqQ+BN7c6Nq+uSCT3XqSB/Rc0pwc2Ii - zZ02Wtx2XFTaIKxtaCCBgospOYrygfugdyayprY5bUFYV1YcnaP3aUNWPtDhguVY - azcmyxOdqF0EWkPtjvesNeVQXYC18QVo4OSBbQ/yfIi1jH2YdYK2Rc/45sanT8cC - cR3bRV+qvwKBgGafIaHn7UiiGx8D5THnBQtypsFvyGjvbAgWDrUBkmLykoVxig/k - u2nZ+2MDblQefBllK2R4MDeYpoSKY8ze29Gk7DT7hVAw7y7+oL0iu/EKjCR6vZs5 - Zdz3EOXwJykFGlTA6zPfsibKKcL3Ldqx+/zESkYgP8PlYIu4cTu5uL7jAoGAcbom - kJB/YHrjn0AavDGwQJ2xofLudlDxuw0jSPFMl4G22HR6ti4O6AjltBRhObrBh4V6 - JvbdO01+bJZV3i85t96kBdFKV7EiVEwxBIdq1ls5cU2xVRCCZLkCJHgFH1F9yoXD - LhoTXonvxtV5RkdNK5sUB6+pk7YEjhplAqoJ05kCgYEAri5I5UF5dt9hHVpWAEZU - bspdDwYZtumABnqVk3GaU3er1JfP3IOboUY5crMMMB6m1uX0DGHH6PKVBerF3jWZ - pHocLE5yrVYZlCP4kj6x19qMGdV49Vh/+tPgR5GyRJkgbxEV9lTwB8Eo+4BbobIR - +5uSFuBABnTgvc3ztOfQjy0= - -----END PRIVATE KEY----- - -----BEGIN CERTIFICATE----- - MIIDfTCCAmWgAwIBAgIUStJWsJdkt8D/SmiFUBLkAFqht4owDQYJKoZIhvcNAQEL - BQAwTjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 - MRMwEQYDVQQKDApSZXBsaWNhdGVkMQswCQYDVQQLDAJJVDAeFw0yNDA5MTcxNDQ0 - MzVaFw0yNDA5MjQxNDQ0MzVaME4xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0 - ZTENMAsGA1UEBwwEQ2l0eTETMBEGA1UECgwKUmVwbGljYXRlZDELMAkGA1UECwwC - SVQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDgGFUX3096w6S0XwBU - 52uLdsqayH5qlrjXu87fxNeQwbX+gOLly5EfvpHQeqIeBFGYBY+UL3RaH7sQ72ex - QDvRlWBSGMlLGLK4TXRAVNJEEDVwVyWwb2jn+vMUOkuoukn7fluXwuxSrcvhkvDw - tNdsy9sATUDNzC/6RTKBb3heA0lDu0xHo93YrJavhY+PXjMnjCRo1C4mCcWE+pog - X2qqcDycSaX5WDpmxfH0CUyqxkr8B1unvMugDlnLbkz8TilCkZCnxm6zjDGDqV/D - 9w+n0ci/nWaCEXoWKXrjKdxRH5gdvMUIeBufZ4WILG1Puwlk8lKzEYmcYJQjhPit - ghF9AgMBAAGjUzBRMB0GA1UdDgQWBBQot0LK1Vjf4S16SVwwNB2KFWeGgTAfBgNV - HSMEGDAWgBQot0LK1Vjf4S16SVwwNB2KFWeGgTAPBgNVHRMBAf8EBTADAQH/MA0G - CSqGSIb3DQEBCwUAA4IBAQAMAst1v+nV3P/FLg0rniCJyJHsaTi8W8HipBR6PKT2 - iXA0w8vFP5vSSa3PidFx0wGzIr/QivODBg43gcdatyTqfMDm7RedPjI0mRBbV51o - 6Bs/xCTglr6Ij74LF/rGHibzmF8VuA8d01g6sZ9hggE3ZOc2MGak8r5qd6MVGu2E - KJKk3Z4pjoacAG2pc4r+d9gD0f+t0n4teyhZC22dSk6b3vob4Q8mSoBp3yNCP84W - 4dha7zuPW6YudGzw1unIHssa4iZF3O9liRLtVCrKkTze4KVQujAfoIl3ad/JrsLp - IS1lVuEZUAKJLQeNUwhuNF2+I09OE2tKeODnsIitfAsG - -----END CERTIFICATE----- From 90814fbd4d9dd4efa2f926627b774872ae5d3e7f Mon Sep 17 00:00:00 2001 From: ada mancini Date: Thu, 19 Sep 2024 17:20:57 -0500 Subject: [PATCH 06/19] pass a proxy into the collector spec --- .../troubleshoot/v1beta2/collector_shared.go | 1 + .../v1beta2/hostcollector_shared.go | 1 + pkg/collect/host_http.go | 6 ++--- pkg/collect/http.go | 21 +++++++++++++----- testdata/replicated-app.yaml | 22 +++++++++++++++++++ 5 files changed, 42 insertions(+), 9 deletions(-) diff --git a/pkg/apis/troubleshoot/v1beta2/collector_shared.go b/pkg/apis/troubleshoot/v1beta2/collector_shared.go index 900f1f7e1..96c1b6987 100644 --- a/pkg/apis/troubleshoot/v1beta2/collector_shared.go +++ b/pkg/apis/troubleshoot/v1beta2/collector_shared.go @@ -179,6 +179,7 @@ type HTTP struct { Post *Post `json:"post,omitempty" yaml:"post,omitempty"` Put *Put `json:"put,omitempty" yaml:"put,omitempty"` TLS *TLSParams `json:"tls,omitempty" yaml:"tls,omitempty"` + Proxy string `json:"proxy,omitempty" yaml:"proxy,omitempty"` } type Get struct { diff --git a/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go b/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go index 684c06a43..cc1f11ab8 100644 --- a/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go +++ b/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go @@ -70,6 +70,7 @@ type HostHTTP struct { Post *Post `json:"post,omitempty" yaml:"post,omitempty"` Put *Put `json:"put,omitempty" yaml:"put,omitempty"` TLS *TLSParams `json:"tls,omitempty" yaml:"tls,omitempty"` + Proxy string `json:"proxy,omitempty" yaml:"proxy,omitempty"` } type HostCopy struct { diff --git a/pkg/collect/host_http.go b/pkg/collect/host_http.go index 2850a9cc3..22f64d56b 100644 --- a/pkg/collect/host_http.go +++ b/pkg/collect/host_http.go @@ -32,15 +32,15 @@ func (c *CollectHostHTTP) Collect(progressChan chan<- interface{}) (map[string][ case httpCollector.Get != nil: response, err = doRequest( "GET", httpCollector.Get.URL, httpCollector.Get.Headers, - "", httpCollector.Get.InsecureSkipVerify, httpCollector.Get.Timeout, httpCollector.TLS.CACert) + "", httpCollector.Get.InsecureSkipVerify, httpCollector.Get.Timeout, httpCollector.TLS.CACert, httpCollector.Proxy) case httpCollector.Post != nil: response, err = doRequest( "POST", httpCollector.Post.URL, httpCollector.Post.Headers, - httpCollector.Post.Body, httpCollector.Post.InsecureSkipVerify, httpCollector.Post.Timeout, httpCollector.TLS.CACert) + httpCollector.Post.Body, httpCollector.Post.InsecureSkipVerify, httpCollector.Post.Timeout, httpCollector.TLS.CACert, httpCollector.Proxy) case httpCollector.Put != nil: response, err = doRequest( "PUT", httpCollector.Put.URL, httpCollector.Put.Headers, - httpCollector.Put.Body, httpCollector.Put.InsecureSkipVerify, httpCollector.Put.Timeout, httpCollector.TLS.CACert) + httpCollector.Put.Body, httpCollector.Put.InsecureSkipVerify, httpCollector.Put.Timeout, httpCollector.TLS.CACert, httpCollector.Proxy) default: return nil, errors.New("no supported http request type") } diff --git a/pkg/collect/http.go b/pkg/collect/http.go index c8d90385b..72732d611 100644 --- a/pkg/collect/http.go +++ b/pkg/collect/http.go @@ -9,6 +9,7 @@ import ( "io" "net/http" "net/http/httputil" + neturl "net/url" "path/filepath" "strings" "time" @@ -56,15 +57,15 @@ func (c *CollectHTTP) Collect(progressChan chan<- interface{}) (CollectorResult, case c.Collector.Get != nil: response, err = doRequest( "GET", c.Collector.Get.URL, c.Collector.Get.Headers, - "", c.Collector.Get.InsecureSkipVerify, c.Collector.Get.Timeout, c.Collector.TLS.CACert) + "", c.Collector.Get.InsecureSkipVerify, c.Collector.Get.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) case c.Collector.Post != nil: response, err = doRequest( "POST", c.Collector.Post.URL, c.Collector.Post.Headers, - c.Collector.Post.Body, c.Collector.Post.InsecureSkipVerify, c.Collector.Post.Timeout, c.Collector.TLS.CACert) + c.Collector.Post.Body, c.Collector.Post.InsecureSkipVerify, c.Collector.Post.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) case c.Collector.Put != nil: response, err = doRequest( "PUT", c.Collector.Put.URL, c.Collector.Put.Headers, - c.Collector.Put.Body, c.Collector.Put.InsecureSkipVerify, c.Collector.Put.Timeout, c.Collector.TLS.CACert) + c.Collector.Put.Body, c.Collector.Put.InsecureSkipVerify, c.Collector.Put.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) default: return nil, errors.New("no supported http request type") } @@ -85,7 +86,7 @@ func (c *CollectHTTP) Collect(progressChan chan<- interface{}) (CollectorResult, return output, nil } -func doRequest(method, url string, headers map[string]string, body string, insecureSkipVerify bool, timeout string, cacert string) (*http.Response, error) { +func doRequest(method, url string, headers map[string]string, body string, insecureSkipVerify bool, timeout string, cacert string, proxy string) (*http.Response, error) { t, err := parseTimeout(timeout) if err != nil { return nil, err @@ -102,15 +103,21 @@ func doRequest(method, url string, headers map[string]string, body string, insec } tlsConfig = &tls.Config{ - RootCAs: certPool, + RootCAs: certPool, + InsecureSkipVerify: true, } - fmt.Printf("Using tlsConfig cert: %v", tlsConfig) + fmt.Printf("Using tlsConfig cert: %+v", tlsConfig) + + fn := func(req *http.Request) (*neturl.URL, error) { + return neturl.Parse(proxy) + } httpClient = &http.Client{ Timeout: t, Transport: &LoggingTransport{ Transport: &http.Transport{ + Proxy: fn, TLSClientConfig: tlsConfig, }, }, @@ -167,6 +174,8 @@ func (t *LoggingTransport) RoundTrip(req *http.Request) (*http.Response, error) resp, err := t.Transport.RoundTrip(req) + fmt.Printf("Response: %v", resp) + // Log the response if err != nil { klog.V(2).Infof("Request failed: %v", err) diff --git a/testdata/replicated-app.yaml b/testdata/replicated-app.yaml index 73824061c..bb58b7fd5 100644 --- a/testdata/replicated-app.yaml +++ b/testdata/replicated-app.yaml @@ -10,3 +10,25 @@ spec: url: https://replicated.app tls: cacert: |- + -----BEGIN CERTIFICATE----- + MIIDfTCCAmWgAwIBAgIUZcB/nVtn9Om4jnZ53IFyF9OStTwwDQYJKoZIhvcNAQEL + BQAwTjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 + MRMwEQYDVQQKDApSZXBsaWNhdGVkMQswCQYDVQQLDAJJVDAeFw0yNDA5MTkyMTMz + MzNaFw0yNDA5MjYyMTMzMzNaME4xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0 + ZTENMAsGA1UEBwwEQ2l0eTETMBEGA1UECgwKUmVwbGljYXRlZDELMAkGA1UECwwC + SVQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBytrLuzK/OxhhADS0 + Sz7VbC1+4N2Bz0/jj6VCVAmsd2iSKW1FdPm859dzZyjydSHeZMLHz/F8KoQhMUSD + XrVvagURmuXsNBO30FHEWxWh3xZxUcW21nGHrDOroMWxRlYBUEBd5V/OQHTkKSSp + pTcp4dwPr1ABonFzHvCYeUNTA+HrbO52IdSlHQQfafDqFFRtQgzTskB2lOquIIfM + A17Y59eLp1aVfmtPbEkL+RWOYkgDo8BbitwotqZSNBCulz/iyzh8NRFLSe4jC6tw + mtPwQMYzM47et4MDuuuHZQ38tt+3Z4LJeLmDR75dfHlM47YLGYsInH8wLevIqY09 + Gm/3AgMBAAGjUzBRMB0GA1UdDgQWBBS+iYJGdI4ukoj2V6UGczfX9qqVnjAfBgNV + HSMEGDAWgBS+iYJGdI4ukoj2V6UGczfX9qqVnjAPBgNVHRMBAf8EBTADAQH/MA0G + CSqGSIb3DQEBCwUAA4IBAQCd2TU1Ov/uIfe+/j7KBjLev0DMGvDCC3sD87clfVkl + oh2URXq7q/6h+CGx6ClsY1Gl8rmuA1m7p6TKutRlBMsyd7ohtwwrAoWhep3d3bJW + MTe/OJ41OHnRYSXCTZCmhGun/YuhWvNZCvgBuVyzw9JZvSMLPHzICez5Hspd3/IP + Exs4AubDoTXTqsRe8zNHCP/J7Oq+EU1A2IlIpMefb4Q8096acYdTn87fi5N3MUKA + 5dSaVPMH/afHI/opEMCYeZRqk6bCstCwUY+807YJi4fkREcmUp+Kqp+5ZDGqR/54 + VyUuq6pnw3zD4ijfZfB/16yV8KXuosdrD7ZLJsAQl9oV + -----END CERTIFICATE----- + proxy: https://10.128.0.40:3130 From 00006842d1edc93b176b78e19908d5e55b28d549 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Tue, 24 Sep 2024 14:46:58 -0400 Subject: [PATCH 07/19] hitting a segfault; breakpoint --- pkg/collect/http.go | 22 +++++------ testdata/replicated-app.yaml | 72 ++++++++++++++++++++++++++---------- 2 files changed, 64 insertions(+), 30 deletions(-) diff --git a/pkg/collect/http.go b/pkg/collect/http.go index 72732d611..2c90d6c8f 100644 --- a/pkg/collect/http.go +++ b/pkg/collect/http.go @@ -56,16 +56,13 @@ func (c *CollectHTTP) Collect(progressChan chan<- interface{}) (CollectorResult, switch { case c.Collector.Get != nil: response, err = doRequest( - "GET", c.Collector.Get.URL, c.Collector.Get.Headers, - "", c.Collector.Get.InsecureSkipVerify, c.Collector.Get.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) + "GET", c.Collector.Get.URL, c.Collector.Get.Headers, "", c.Collector.Get.InsecureSkipVerify, c.Collector.Get.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) case c.Collector.Post != nil: response, err = doRequest( - "POST", c.Collector.Post.URL, c.Collector.Post.Headers, - c.Collector.Post.Body, c.Collector.Post.InsecureSkipVerify, c.Collector.Post.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) + "POST", c.Collector.Post.URL, c.Collector.Post.Headers, c.Collector.Post.Body, c.Collector.Post.InsecureSkipVerify, c.Collector.Post.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) case c.Collector.Put != nil: response, err = doRequest( - "PUT", c.Collector.Put.URL, c.Collector.Put.Headers, - c.Collector.Put.Body, c.Collector.Put.InsecureSkipVerify, c.Collector.Put.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) + "PUT", c.Collector.Put.URL, c.Collector.Put.Headers, c.Collector.Put.Body, c.Collector.Put.InsecureSkipVerify, c.Collector.Put.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) default: return nil, errors.New("no supported http request type") } @@ -96,15 +93,18 @@ func doRequest(method, url string, headers map[string]string, body string, insec var tlsConfig *tls.Config if cacert != "" { - certPool := x509.NewCertPool() + certPool, err := x509.SystemCertPool() - if !certPool.AppendCertsFromPEM([]byte(cacert)) { - return nil, errors.New("failed to append certificate to cert pool") + if err != nil { + if !certPool.AppendCertsFromPEM([]byte(cacert)) { + return nil, errors.New("failed to append certificate to cert pool") + } + } else { + return nil, errors.New("failed to get system cert pool") } tlsConfig = &tls.Config{ - RootCAs: certPool, - InsecureSkipVerify: true, + RootCAs: certPool, } fmt.Printf("Using tlsConfig cert: %+v", tlsConfig) diff --git a/testdata/replicated-app.yaml b/testdata/replicated-app.yaml index bb58b7fd5..906ee6239 100644 --- a/testdata/replicated-app.yaml +++ b/testdata/replicated-app.yaml @@ -5,30 +5,64 @@ metadata: spec: collectors: - http: - collectorName: replicated-app + collectorName: https-replicated-proxy get: url: https://replicated.app tls: cacert: |- -----BEGIN CERTIFICATE----- - MIIDfTCCAmWgAwIBAgIUZcB/nVtn9Om4jnZ53IFyF9OStTwwDQYJKoZIhvcNAQEL + MIIDfTCCAmWgAwIBAgIUWXcWMApcJqjf/tKlJVWaV6GzbVUwDQYJKoZIhvcNAQEL BQAwTjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 - MRMwEQYDVQQKDApSZXBsaWNhdGVkMQswCQYDVQQLDAJJVDAeFw0yNDA5MTkyMTMz - MzNaFw0yNDA5MjYyMTMzMzNaME4xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0 + MRMwEQYDVQQKDApSZXBsaWNhdGVkMQswCQYDVQQLDAJJVDAeFw0yNDA5MjQxNzA3 + MzNaFw0yNDEwMDExNzA3MzNaME4xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0 ZTENMAsGA1UEBwwEQ2l0eTETMBEGA1UECgwKUmVwbGljYXRlZDELMAkGA1UECwwC - SVQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDBytrLuzK/OxhhADS0 - Sz7VbC1+4N2Bz0/jj6VCVAmsd2iSKW1FdPm859dzZyjydSHeZMLHz/F8KoQhMUSD - XrVvagURmuXsNBO30FHEWxWh3xZxUcW21nGHrDOroMWxRlYBUEBd5V/OQHTkKSSp - pTcp4dwPr1ABonFzHvCYeUNTA+HrbO52IdSlHQQfafDqFFRtQgzTskB2lOquIIfM - A17Y59eLp1aVfmtPbEkL+RWOYkgDo8BbitwotqZSNBCulz/iyzh8NRFLSe4jC6tw - mtPwQMYzM47et4MDuuuHZQ38tt+3Z4LJeLmDR75dfHlM47YLGYsInH8wLevIqY09 - Gm/3AgMBAAGjUzBRMB0GA1UdDgQWBBS+iYJGdI4ukoj2V6UGczfX9qqVnjAfBgNV - HSMEGDAWgBS+iYJGdI4ukoj2V6UGczfX9qqVnjAPBgNVHRMBAf8EBTADAQH/MA0G - CSqGSIb3DQEBCwUAA4IBAQCd2TU1Ov/uIfe+/j7KBjLev0DMGvDCC3sD87clfVkl - oh2URXq7q/6h+CGx6ClsY1Gl8rmuA1m7p6TKutRlBMsyd7ohtwwrAoWhep3d3bJW - MTe/OJ41OHnRYSXCTZCmhGun/YuhWvNZCvgBuVyzw9JZvSMLPHzICez5Hspd3/IP - Exs4AubDoTXTqsRe8zNHCP/J7Oq+EU1A2IlIpMefb4Q8096acYdTn87fi5N3MUKA - 5dSaVPMH/afHI/opEMCYeZRqk6bCstCwUY+807YJi4fkREcmUp+Kqp+5ZDGqR/54 - VyUuq6pnw3zD4ijfZfB/16yV8KXuosdrD7ZLJsAQl9oV - -----END CERTIFICATE----- + SVQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLeaa5l1O10B6G75nL + e1raPAdrG7xuLx7qUb2eXjThJybZs5RApeuTaOIuwpElmqDUnpY6MY+kOeumbfl1 + 4oltTSy0Pzd8G/u9EIuSX5dH2oNET5ipj0wssJoekIEA6Mg5jAi9+emaFXOfOh++ + +Uqm5WH3MCFCqb+IHaypZjgZSBwn9oS1uCt9mAgKmyQcQiRhqsXEdgqsMsHNmYvQ + dm6+8tr7/LT9qPJmGeu/GMs32UkxtQ0PLLx3SyhRSe7PVvNWWMlDBRF7Vj3gkK9f + vih8rAmUWkg+kZORdVME637RlN6oevorWPq+NL4h+iBqYw4U5EikC8ZOqYhwqKSt + +A7hAgMBAAGjUzBRMB0GA1UdDgQWBBRapyoz7HfKJAHYeinJyeCEvsU4WTAfBgNV + HSMEGDAWgBRapyoz7HfKJAHYeinJyeCEvsU4WTAPBgNVHRMBAf8EBTADAQH/MA0G + CSqGSIb3DQEBCwUAA4IBAQDAuR/Pme0UYPycjf0p0LmI8xJE8RtuEMoumxpukpoG + PYmr8Z1G0AUUkqSGqTx/bED2IgFKj+xt50vpbduQwmrit1BP7IdXbHquToq7Ey10 + lfhMq3RY4kJ86+LYVRFCLBg9RMaK2YfMl0NpaSMXqaWO74gDYVq3oqeSWik3ltGq + 5lhMo5eD2WpqJaw9qqI2Vt48E69yg3ImqJh3NvTILLnDXLNpeQIk/MjJBgbSMAaf + oSs9fZui4oP9mPaatQ1qzRZCiP8NU+03iIDl9j1/tHufejVHFMYeZ5dy0Ipau/6E + UjfXm9Be3Ap5ZvXUSz+6KNpmd6vvOGNNv6nALb6bI33k proxy: https://10.128.0.40:3130 + - http: + collectorName: http-replicated-proxy + get: + url: http://replicated.app + proxy: https://10.128.0.40:3130 + - http: + collectorName: https-replicated-noproxy + get: + url: http://replicated.app + tls: + cacert: |- + -----BEGIN CERTIFICATE----- + MIIDfTCCAmWgAwIBAgIUWXcWMApcJqjf/tKlJVWaV6GzbVUwDQYJKoZIhvcNAQEL + BQAwTjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 + MRMwEQYDVQQKDApSZXBsaWNhdGVkMQswCQYDVQQLDAJJVDAeFw0yNDA5MjQxNzA3 + MzNaFw0yNDEwMDExNzA3MzNaME4xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0 + ZTENMAsGA1UEBwwEQ2l0eTETMBEGA1UECgwKUmVwbGljYXRlZDELMAkGA1UECwwC + SVQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLeaa5l1O10B6G75nL + e1raPAdrG7xuLx7qUb2eXjThJybZs5RApeuTaOIuwpElmqDUnpY6MY+kOeumbfl1 + 4oltTSy0Pzd8G/u9EIuSX5dH2oNET5ipj0wssJoekIEA6Mg5jAi9+emaFXOfOh++ + +Uqm5WH3MCFCqb+IHaypZjgZSBwn9oS1uCt9mAgKmyQcQiRhqsXEdgqsMsHNmYvQ + dm6+8tr7/LT9qPJmGeu/GMs32UkxtQ0PLLx3SyhRSe7PVvNWWMlDBRF7Vj3gkK9f + vih8rAmUWkg+kZORdVME637RlN6oevorWPq+NL4h+iBqYw4U5EikC8ZOqYhwqKSt + +A7hAgMBAAGjUzBRMB0GA1UdDgQWBBRapyoz7HfKJAHYeinJyeCEvsU4WTAfBgNV + HSMEGDAWgBRapyoz7HfKJAHYeinJyeCEvsU4WTAPBgNVHRMBAf8EBTADAQH/MA0G + CSqGSIb3DQEBCwUAA4IBAQDAuR/Pme0UYPycjf0p0LmI8xJE8RtuEMoumxpukpoG + PYmr8Z1G0AUUkqSGqTx/bED2IgFKj+xt50vpbduQwmrit1BP7IdXbHquToq7Ey10 + lfhMq3RY4kJ86+LYVRFCLBg9RMaK2YfMl0NpaSMXqaWO74gDYVq3oqeSWik3ltGq + 5lhMo5eD2WpqJaw9qqI2Vt48E69yg3ImqJh3NvTILLnDXLNpeQIk/MjJBgbSMAaf + oSs9fZui4oP9mPaatQ1qzRZCiP8NU+03iIDl9j1/tHufejVHFMYeZ5dy0Ipau/6E + UjfXm9Be3Ap5ZvXUSz+6KNpmd6vvOGNNv6nALb6bI33k + - http: + collectorName: http-replicated-noproxy + get: + url: http://replicated.app From e8148da37b0658b31fae31fa1200ccff877419d0 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Wed, 25 Sep 2024 14:16:31 -0400 Subject: [PATCH 08/19] accept a dir, file, or a string-literal as CA --- pkg/collect/http.go | 113 ++++++++++++----------- testdata/https-proxy-replicated-app.yaml | 53 +++++++++++ testdata/replicated-app.yaml | 68 -------------- 3 files changed, 111 insertions(+), 123 deletions(-) create mode 100644 testdata/https-proxy-replicated-app.yaml delete mode 100644 testdata/replicated-app.yaml diff --git a/pkg/collect/http.go b/pkg/collect/http.go index 2c90d6c8f..5d69dcc67 100644 --- a/pkg/collect/http.go +++ b/pkg/collect/http.go @@ -5,11 +5,11 @@ import ( "crypto/tls" "crypto/x509" "encoding/json" - "fmt" "io" "net/http" "net/http/httputil" neturl "net/url" + "os" "path/filepath" "strings" "time" @@ -83,68 +83,69 @@ func (c *CollectHTTP) Collect(progressChan chan<- interface{}) (CollectorResult, return output, nil } +func handleFileOrDir(path string) (bool, error) { + f, err := os.Stat(path) + if err != nil { + klog.V(2).Infof("Failed to stat file path: %s\n", err) + return false, err + } + if f.IsDir() { + os.Setenv("SSL_CERT_DIR", path) + klog.V(2).Infof("Using SSL_CERT_DIR: %s\n", path) + } else if f.Mode().IsRegular() { + os.Setenv("SSL_CERT_FILE", path) + klog.V(2).Infof("Using SSL_CERT_FILE: %s\n", path) + } + return true, nil +} + +func isPEMCertificate(s string) bool { + return strings.Contains(s, "BEGIN CERTIFICATE") || strings.Contains(s, "BEGIN RSA PRIVATE KEY") +} + func doRequest(method, url string, headers map[string]string, body string, insecureSkipVerify bool, timeout string, cacert string, proxy string) (*http.Response, error) { + t, err := parseTimeout(timeout) if err != nil { return nil, err } - var httpClient *http.Client - var tlsConfig *tls.Config + tlsConfig := &tls.Config{} + httpTransport := &http.Transport{} if cacert != "" { - certPool, err := x509.SystemCertPool() - - if err != nil { + if isPEMCertificate(cacert) { + klog.V(2).Infof("Using PEM certificate from spec\n") + certPool, err := x509.SystemCertPool() + if err != nil { + return nil, errors.Wrap(err, "failed to get system cert pool") + } if !certPool.AppendCertsFromPEM([]byte(cacert)) { return nil, errors.New("failed to append certificate to cert pool") } - } else { - return nil, errors.New("failed to get system cert pool") + tlsConfig.RootCAs = certPool + } else if _, err := handleFileOrDir(cacert); err != nil { + return nil, errors.Wrap(err, "failed to handle cacert file path") } + } - tlsConfig = &tls.Config{ - RootCAs: certPool, - } + if insecureSkipVerify { + tlsConfig.InsecureSkipVerify = true + } - fmt.Printf("Using tlsConfig cert: %+v", tlsConfig) + httpTransport.TLSClientConfig = tlsConfig - fn := func(req *http.Request) (*neturl.URL, error) { + if proxy != "" { + httpTransport.Proxy = func(req *http.Request) (*neturl.URL, error) { return neturl.Parse(proxy) } + } - httpClient = &http.Client{ - Timeout: t, - Transport: &LoggingTransport{ - Transport: &http.Transport{ - Proxy: fn, - TLSClientConfig: tlsConfig, - }, - }, - } - - } else if insecureSkipVerify { - - tlsConfig = &tls.Config{ - InsecureSkipVerify: true, - } - - httpClient = &http.Client{ - Timeout: t, - Transport: &LoggingTransport{ - Transport: &http.Transport{ - TLSClientConfig: tlsConfig, - }, - }, - } - - } else { - httpClient = &http.Client{ - Timeout: t, - Transport: &LoggingTransport{ - Transport: &http.Transport{}, - }, - } + httpClient := &http.Client{ + Timeout: t, + Transport: &LoggingTransport{ + Transport: httpTransport, + }, } req, err := http.NewRequest(method, url, strings.NewReader(body)) @@ -167,24 +168,22 @@ func (t *LoggingTransport) RoundTrip(req *http.Request) (*http.Response, error) // Log the request dumpReq, err := httputil.DumpRequestOut(req, true) if err != nil { - klog.V(2).Infof("Failed to dump request: %v", err) + klog.V(2).Infof("Failed to dump request: %+v\n", err) } else { - klog.V(2).Infof("Request: %s", dumpReq) + klog.V(2).Infof("Request: %s\n", dumpReq) } resp, err := t.Transport.RoundTrip(req) - fmt.Printf("Response: %v", resp) - // Log the response if err != nil { - klog.V(2).Infof("Request failed: %v", err) + klog.V(2).Infof("Request failed: %+v\n", err) } else { dumpResp, err := httputil.DumpResponse(resp, true) if err != nil { - klog.V(2).Infof("Failed to dump response: %v", err) + klog.V(2).Infof("Failed to dump response: %v+\n", err) } else { - klog.V(2).Infof("Response: %s", dumpResp) + klog.V(2).Infof("Response: %s\n", dumpResp) } } @@ -209,11 +208,15 @@ func responseToOutput(response *http.Response, err error) ([]byte, error) { } var rawJSON json.RawMessage - if err := json.Unmarshal(body, &rawJSON); err != nil { - klog.Infof("failed to unmarshal response body as JSON: %v", err) + if len(body) > 0 { + if err := json.Unmarshal(body, &rawJSON); err != nil { + klog.Infof("failed to unmarshal response body as JSON: %+v", err) + rawJSON = json.RawMessage{} + } + } else { rawJSON = json.RawMessage{} + klog.V(2).Infof("empty response body\n") } - output["response"] = HTTPResponse{ Status: response.StatusCode, Body: string(body), diff --git a/testdata/https-proxy-replicated-app.yaml b/testdata/https-proxy-replicated-app.yaml new file mode 100644 index 000000000..e692ba985 --- /dev/null +++ b/testdata/https-proxy-replicated-app.yaml @@ -0,0 +1,53 @@ +apiVersion: troubleshoot.sh/v1beta2 +kind: SupportBundle +metadata: + name: replicated-app +spec: + collectors: + - http: + collectorName: https-google-proxy + get: + url: https://www.google.com + proxy: https://10.128.0.4:3130 + - http: + collectorName: https-replicated-proxy-cert-dir + get: + url: https://replicated.app + tls: + cacert: /usr/local/share/ca-certificates/replicated.app + proxy: https://10.128.0.4:3130 + - http: + collectorName: https-replicated-proxy-file + get: + url: https://replicated.app + tls: + cacert: /usr/local/share/ca-certificates/replicated.app/replicated.crt + proxy: https://10.128.0.4:3130 + - http: + collectorName: https-replicated-proxy-literal + get: + url: https://replicated.app + tls: + cacert: |- + -----BEGIN CERTIFICATE----- + MIIDajCCAlKgAwIBAgIUZJdSAOMxiY3cKU34KCtpK2ztkhUwDQYJKoZIhvcNAQEL + BQAwTjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 + MRMwEQYDVQQKDApSZXBsaWNhdGVkMQswCQYDVQQLDAJJVDAeFw0yNDA5MjUxNDI0 + NTVaFw0yNDEwMDIxNDI0NTVaME4xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0 + ZTENMAsGA1UEBwwEQ2l0eTETMBEGA1UECgwKUmVwbGljYXRlZDELMAkGA1UECwwC + SVQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFaoJSv18TVLGFq2WC + q6KOmlwfZpBXdgU1CYtg1HDwKUZ4/+WIcoHo+7yp+tt5TRA55r5d9YTlHWvQ+efh + pRbIxmi7aTI9JyV9/jw3lDdVjShiNmdlNEGW7PYAihQkWLErMVcLspiZqmWB2Ar5 + bvkRGoLV8Mf7QdAIEPZzK3RxL9oQSk0F5T+n/TxEOlN3XCJxWvgZUFNslnTNkx9d + ABeMBfoB22gJtcRqJ2Rsp3HrkNzOu4i5xHQtj3f4UdEkxBAUZwME1SK3qFVOfI4i + Gon4jFW0y0NYRuzYTypBuLbGoQ3RcOmpLfOSzhZL/aEE95QXHNH3L6QzVF4kZUin + 7sIRAgMBAAGjQDA+MA8GA1UdEQQIMAaHBAqAAAQwDAYDVR0TBAUwAwEB/zAdBgNV + HQ4EFgQUqJTkHiOkT65YvZelWCn/JziGN5AwDQYJKoZIhvcNAQELBQADggEBADPt + pdL++z00Ix75MVmjxU7QeLorpSeiU1j4z26VgomkuiC6iJrMKrYOGBsn7uMmALO8 + lVHDUCfAHs0Jv1vijkczT6I+fJiRYz0gnXYfMlPTH3Z082wVB5i0/ZZzv2hbO/cH + Z8nmQvX3S+vOH5t9s/af1lxYzRno4Bo5CRzV5yoWHJT0dkAL8Xq16PWl+KUp6hel + pVoo6uhBGcaJK5HY0WczyUY6ecMJ2BEwc0jNyYBKdkLAB3110axgFvtdBweHsEQv + ISeaclwXuzYuVFr0BawyUSjenl0t8ybbKFfNrLyv6FHTNiqRup6SxORr3eLSv4dZ + 6Qg1Og0ne2dGJrebKy0= + -----END CERTIFICATE----- + proxy: https://10.128.0.4:3130 diff --git a/testdata/replicated-app.yaml b/testdata/replicated-app.yaml deleted file mode 100644 index 906ee6239..000000000 --- a/testdata/replicated-app.yaml +++ /dev/null @@ -1,68 +0,0 @@ -apiVersion: troubleshoot.sh/v1beta2 -kind: SupportBundle -metadata: - name: replicated-app -spec: - collectors: - - http: - collectorName: https-replicated-proxy - get: - url: https://replicated.app - tls: - cacert: |- - -----BEGIN CERTIFICATE----- - MIIDfTCCAmWgAwIBAgIUWXcWMApcJqjf/tKlJVWaV6GzbVUwDQYJKoZIhvcNAQEL - BQAwTjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 - MRMwEQYDVQQKDApSZXBsaWNhdGVkMQswCQYDVQQLDAJJVDAeFw0yNDA5MjQxNzA3 - MzNaFw0yNDEwMDExNzA3MzNaME4xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0 - ZTENMAsGA1UEBwwEQ2l0eTETMBEGA1UECgwKUmVwbGljYXRlZDELMAkGA1UECwwC - SVQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLeaa5l1O10B6G75nL - e1raPAdrG7xuLx7qUb2eXjThJybZs5RApeuTaOIuwpElmqDUnpY6MY+kOeumbfl1 - 4oltTSy0Pzd8G/u9EIuSX5dH2oNET5ipj0wssJoekIEA6Mg5jAi9+emaFXOfOh++ - +Uqm5WH3MCFCqb+IHaypZjgZSBwn9oS1uCt9mAgKmyQcQiRhqsXEdgqsMsHNmYvQ - dm6+8tr7/LT9qPJmGeu/GMs32UkxtQ0PLLx3SyhRSe7PVvNWWMlDBRF7Vj3gkK9f - vih8rAmUWkg+kZORdVME637RlN6oevorWPq+NL4h+iBqYw4U5EikC8ZOqYhwqKSt - +A7hAgMBAAGjUzBRMB0GA1UdDgQWBBRapyoz7HfKJAHYeinJyeCEvsU4WTAfBgNV - HSMEGDAWgBRapyoz7HfKJAHYeinJyeCEvsU4WTAPBgNVHRMBAf8EBTADAQH/MA0G - CSqGSIb3DQEBCwUAA4IBAQDAuR/Pme0UYPycjf0p0LmI8xJE8RtuEMoumxpukpoG - PYmr8Z1G0AUUkqSGqTx/bED2IgFKj+xt50vpbduQwmrit1BP7IdXbHquToq7Ey10 - lfhMq3RY4kJ86+LYVRFCLBg9RMaK2YfMl0NpaSMXqaWO74gDYVq3oqeSWik3ltGq - 5lhMo5eD2WpqJaw9qqI2Vt48E69yg3ImqJh3NvTILLnDXLNpeQIk/MjJBgbSMAaf - oSs9fZui4oP9mPaatQ1qzRZCiP8NU+03iIDl9j1/tHufejVHFMYeZ5dy0Ipau/6E - UjfXm9Be3Ap5ZvXUSz+6KNpmd6vvOGNNv6nALb6bI33k - proxy: https://10.128.0.40:3130 - - http: - collectorName: http-replicated-proxy - get: - url: http://replicated.app - proxy: https://10.128.0.40:3130 - - http: - collectorName: https-replicated-noproxy - get: - url: http://replicated.app - tls: - cacert: |- - -----BEGIN CERTIFICATE----- - MIIDfTCCAmWgAwIBAgIUWXcWMApcJqjf/tKlJVWaV6GzbVUwDQYJKoZIhvcNAQEL - BQAwTjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 - MRMwEQYDVQQKDApSZXBsaWNhdGVkMQswCQYDVQQLDAJJVDAeFw0yNDA5MjQxNzA3 - MzNaFw0yNDEwMDExNzA3MzNaME4xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0 - ZTENMAsGA1UEBwwEQ2l0eTETMBEGA1UECgwKUmVwbGljYXRlZDELMAkGA1UECwwC - SVQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLeaa5l1O10B6G75nL - e1raPAdrG7xuLx7qUb2eXjThJybZs5RApeuTaOIuwpElmqDUnpY6MY+kOeumbfl1 - 4oltTSy0Pzd8G/u9EIuSX5dH2oNET5ipj0wssJoekIEA6Mg5jAi9+emaFXOfOh++ - +Uqm5WH3MCFCqb+IHaypZjgZSBwn9oS1uCt9mAgKmyQcQiRhqsXEdgqsMsHNmYvQ - dm6+8tr7/LT9qPJmGeu/GMs32UkxtQ0PLLx3SyhRSe7PVvNWWMlDBRF7Vj3gkK9f - vih8rAmUWkg+kZORdVME637RlN6oevorWPq+NL4h+iBqYw4U5EikC8ZOqYhwqKSt - +A7hAgMBAAGjUzBRMB0GA1UdDgQWBBRapyoz7HfKJAHYeinJyeCEvsU4WTAfBgNV - HSMEGDAWgBRapyoz7HfKJAHYeinJyeCEvsU4WTAPBgNVHRMBAf8EBTADAQH/MA0G - CSqGSIb3DQEBCwUAA4IBAQDAuR/Pme0UYPycjf0p0LmI8xJE8RtuEMoumxpukpoG - PYmr8Z1G0AUUkqSGqTx/bED2IgFKj+xt50vpbduQwmrit1BP7IdXbHquToq7Ey10 - lfhMq3RY4kJ86+LYVRFCLBg9RMaK2YfMl0NpaSMXqaWO74gDYVq3oqeSWik3ltGq - 5lhMo5eD2WpqJaw9qqI2Vt48E69yg3ImqJh3NvTILLnDXLNpeQIk/MjJBgbSMAaf - oSs9fZui4oP9mPaatQ1qzRZCiP8NU+03iIDl9j1/tHufejVHFMYeZ5dy0Ipau/6E - UjfXm9Be3Ap5ZvXUSz+6KNpmd6vvOGNNv6nALb6bI33k - - http: - collectorName: http-replicated-noproxy - get: - url: http://replicated.app From 5258c724f71a630b2f199645412044de882daab7 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Fri, 27 Sep 2024 14:17:55 -0400 Subject: [PATCH 09/19] move tls params into get, put, post methods --- .../troubleshoot/v1beta2/collector_shared.go | 22 +++-- .../v1beta2/zz_generated.deepcopy.go | 20 +++-- .../v1beta2/fake/fake_supportbundle.go | 5 +- pkg/collect/host_http.go | 6 +- pkg/collect/http.go | 28 +++--- testdata/https-proxy-replicated-app.yaml | 90 ++++++++++--------- 6 files changed, 100 insertions(+), 71 deletions(-) diff --git a/pkg/apis/troubleshoot/v1beta2/collector_shared.go b/pkg/apis/troubleshoot/v1beta2/collector_shared.go index 96c1b6987..554f732e4 100644 --- a/pkg/apis/troubleshoot/v1beta2/collector_shared.go +++ b/pkg/apis/troubleshoot/v1beta2/collector_shared.go @@ -174,12 +174,10 @@ type Sysctl struct { type HTTP struct { CollectorMeta `json:",inline" yaml:",inline"` - Name string `json:"name,omitempty" yaml:"name,omitempty"` - Get *Get `json:"get,omitempty" yaml:"get,omitempty"` - Post *Post `json:"post,omitempty" yaml:"post,omitempty"` - Put *Put `json:"put,omitempty" yaml:"put,omitempty"` - TLS *TLSParams `json:"tls,omitempty" yaml:"tls,omitempty"` - Proxy string `json:"proxy,omitempty" yaml:"proxy,omitempty"` + Name string `json:"name,omitempty" yaml:"name,omitempty"` + Get *Get `json:"get,omitempty" yaml:"get,omitempty"` + Post *Post `json:"post,omitempty" yaml:"post,omitempty"` + Put *Put `json:"put,omitempty" yaml:"put,omitempty"` } type Get struct { @@ -188,7 +186,9 @@ type Get struct { Headers map[string]string `json:"headers,omitempty" yaml:"headers,omitempty"` // Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. // Missing value or empty string or means no timeout. - Timeout string `json:"timeout,omitempty" yaml:"timeout,omitempty"` + Timeout string `json:"timeout,omitempty" yaml:"timeout,omitempty"` + TLS *TLSParams `json:"tls,omitempty" yaml:"tls,omitempty"` + Proxy string `json:"proxy,omitempty" yaml:"proxy,omitempty"` } type Post struct { @@ -198,7 +198,9 @@ type Post struct { Body string `json:"body,omitempty" yaml:"body,omitempty"` // Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. // Missing value or empty string or means no timeout. - Timeout string `json:"timeout,omitempty" yaml:"timeout,omitempty"` + Timeout string `json:"timeout,omitempty" yaml:"timeout,omitempty"` + TLS *TLSParams `json:"tls,omitempty" yaml:"tls,omitempty"` + Proxy string `json:"proxy,omitempty" yaml:"proxy,omitempty"` } type Put struct { @@ -208,7 +210,9 @@ type Put struct { Body string `json:"body,omitempty" yaml:"body,omitempty"` // Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. // Missing value or empty string or means no timeout. - Timeout string `json:"timeout,omitempty" yaml:"timeout,omitempty"` + Timeout string `json:"timeout,omitempty" yaml:"timeout,omitempty"` + TLS *TLSParams `json:"tls,omitempty" yaml:"tls,omitempty"` + Proxy string `json:"proxy,omitempty" yaml:"proxy,omitempty"` } type Database struct { diff --git a/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go b/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go index 22bfcbdf9..796c6ae36 100644 --- a/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go +++ b/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go @@ -1609,6 +1609,11 @@ func (in *Get) DeepCopyInto(out *Get) { (*out)[key] = val } } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSParams) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Get. @@ -1688,11 +1693,6 @@ func (in *HTTP) DeepCopyInto(out *HTTP) { *out = new(Put) (*in).DeepCopyInto(*out) } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(TLSParams) - (*in).DeepCopyInto(*out) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTP. @@ -3415,6 +3415,11 @@ func (in *Post) DeepCopyInto(out *Post) { (*out)[key] = val } } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSParams) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Post. @@ -3559,6 +3564,11 @@ func (in *Put) DeepCopyInto(out *Put) { (*out)[key] = val } } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(TLSParams) + (*in).DeepCopyInto(*out) + } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Put. diff --git a/pkg/client/troubleshootclientset/typed/troubleshoot/v1beta2/fake/fake_supportbundle.go b/pkg/client/troubleshootclientset/typed/troubleshoot/v1beta2/fake/fake_supportbundle.go index b28fc4025..11eb15dc0 100644 --- a/pkg/client/troubleshootclientset/typed/troubleshoot/v1beta2/fake/fake_supportbundle.go +++ b/pkg/client/troubleshootclientset/typed/troubleshoot/v1beta2/fake/fake_supportbundle.go @@ -22,7 +22,6 @@ import ( v1beta2 "github.com/replicatedhq/troubleshoot/pkg/apis/troubleshoot/v1beta2" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - labels "k8s.io/apimachinery/pkg/labels" types "k8s.io/apimachinery/pkg/types" watch "k8s.io/apimachinery/pkg/watch" testing "k8s.io/client-go/testing" @@ -57,6 +56,7 @@ func (c *FakeSupportBundles) List(ctx context.Context, opts v1.ListOptions) (res if obj == nil { return nil, err } +<<<<<<< HEAD label, _, _ := testing.ExtractFromListOptions(opts) if label == nil { @@ -69,6 +69,9 @@ func (c *FakeSupportBundles) List(ctx context.Context, opts v1.ListOptions) (res } } return list, err +======= + return obj.(*v1beta2.SupportBundleList), err +>>>>>>> 8dd96e2 (move tls params into get, put, post methods) } // Watch returns a watch.Interface that watches the requested supportBundles. diff --git a/pkg/collect/host_http.go b/pkg/collect/host_http.go index 22f64d56b..6bf2b194c 100644 --- a/pkg/collect/host_http.go +++ b/pkg/collect/host_http.go @@ -32,15 +32,15 @@ func (c *CollectHostHTTP) Collect(progressChan chan<- interface{}) (map[string][ case httpCollector.Get != nil: response, err = doRequest( "GET", httpCollector.Get.URL, httpCollector.Get.Headers, - "", httpCollector.Get.InsecureSkipVerify, httpCollector.Get.Timeout, httpCollector.TLS.CACert, httpCollector.Proxy) + "", httpCollector.Get.InsecureSkipVerify, httpCollector.Get.Timeout, httpCollector.Get.TLS, httpCollector.Get.Proxy) case httpCollector.Post != nil: response, err = doRequest( "POST", httpCollector.Post.URL, httpCollector.Post.Headers, - httpCollector.Post.Body, httpCollector.Post.InsecureSkipVerify, httpCollector.Post.Timeout, httpCollector.TLS.CACert, httpCollector.Proxy) + httpCollector.Post.Body, httpCollector.Post.InsecureSkipVerify, httpCollector.Post.Timeout, httpCollector.Post.TLS, httpCollector.Post.Proxy) case httpCollector.Put != nil: response, err = doRequest( "PUT", httpCollector.Put.URL, httpCollector.Put.Headers, - httpCollector.Put.Body, httpCollector.Put.InsecureSkipVerify, httpCollector.Put.Timeout, httpCollector.TLS.CACert, httpCollector.Proxy) + httpCollector.Put.Body, httpCollector.Put.InsecureSkipVerify, httpCollector.Put.Timeout, httpCollector.Put.TLS, httpCollector.Put.Proxy) default: return nil, errors.New("no supported http request type") } diff --git a/pkg/collect/http.go b/pkg/collect/http.go index 5d69dcc67..28f3a91d5 100644 --- a/pkg/collect/http.go +++ b/pkg/collect/http.go @@ -56,13 +56,13 @@ func (c *CollectHTTP) Collect(progressChan chan<- interface{}) (CollectorResult, switch { case c.Collector.Get != nil: response, err = doRequest( - "GET", c.Collector.Get.URL, c.Collector.Get.Headers, "", c.Collector.Get.InsecureSkipVerify, c.Collector.Get.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) + "GET", c.Collector.Get.URL, c.Collector.Get.Headers, "", c.Collector.Get.InsecureSkipVerify, c.Collector.Get.Timeout, c.Collector.Get.TLS, c.Collector.Get.Proxy) case c.Collector.Post != nil: response, err = doRequest( - "POST", c.Collector.Post.URL, c.Collector.Post.Headers, c.Collector.Post.Body, c.Collector.Post.InsecureSkipVerify, c.Collector.Post.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) + "POST", c.Collector.Post.URL, c.Collector.Post.Headers, c.Collector.Post.Body, c.Collector.Post.InsecureSkipVerify, c.Collector.Post.Timeout, c.Collector.Post.TLS, c.Collector.Post.Proxy) case c.Collector.Put != nil: response, err = doRequest( - "PUT", c.Collector.Put.URL, c.Collector.Put.Headers, c.Collector.Put.Body, c.Collector.Put.InsecureSkipVerify, c.Collector.Put.Timeout, c.Collector.TLS.CACert, c.Collector.Proxy) + "PUT", c.Collector.Put.URL, c.Collector.Put.Headers, c.Collector.Put.Body, c.Collector.Put.InsecureSkipVerify, c.Collector.Put.Timeout, c.Collector.Put.TLS, c.Collector.Put.Proxy) default: return nil, errors.New("no supported http request type") } @@ -103,7 +103,7 @@ func isPEMCertificate(s string) bool { return strings.Contains(s, "BEGIN CERTIFICATE") || strings.Contains(s, "BEGIN RSA PRIVATE KEY") } -func doRequest(method, url string, headers map[string]string, body string, insecureSkipVerify bool, timeout string, cacert string, proxy string) (*http.Response, error) { +func doRequest(method, url string, headers map[string]string, body string, insecureSkipVerify bool, timeout string, tlsParams *troubleshootv1beta2.TLSParams, proxy string) (*http.Response, error) { t, err := parseTimeout(timeout) if err != nil { @@ -113,18 +113,18 @@ func doRequest(method, url string, headers map[string]string, body string, insec tlsConfig := &tls.Config{} httpTransport := &http.Transport{} - if cacert != "" { - if isPEMCertificate(cacert) { + if tlsParams != nil && tlsParams.CACert != "" { + if isPEMCertificate(tlsParams.CACert) { klog.V(2).Infof("Using PEM certificate from spec\n") certPool, err := x509.SystemCertPool() if err != nil { return nil, errors.Wrap(err, "failed to get system cert pool") } - if !certPool.AppendCertsFromPEM([]byte(cacert)) { + if !certPool.AppendCertsFromPEM([]byte(tlsParams.CACert)) { return nil, errors.New("failed to append certificate to cert pool") } tlsConfig.RootCAs = certPool - } else if _, err := handleFileOrDir(cacert); err != nil { + } else if _, err := handleFileOrDir(tlsParams.CACert); err != nil { return nil, errors.Wrap(err, "failed to handle cacert file path") } } @@ -135,9 +135,15 @@ func doRequest(method, url string, headers map[string]string, body string, insec httpTransport.TLSClientConfig = tlsConfig - if proxy != "" { - httpTransport.Proxy = func(req *http.Request) (*neturl.URL, error) { - return neturl.Parse(proxy) + if proxy != "" || os.Getenv("HTTPS_PROXY") != "" { + if proxy != "" { + klog.V(2).Infof("Using proxy from spec: %s\n", proxy) + httpTransport.Proxy = func(req *http.Request) (*neturl.URL, error) { + return neturl.Parse(proxy) + } + } else { + klog.V(2).Infof("Using proxy from environment: %s\n", os.Getenv("HTTPS_PROXY")) + httpTransport.Proxy = http.ProxyFromEnvironment } } diff --git a/testdata/https-proxy-replicated-app.yaml b/testdata/https-proxy-replicated-app.yaml index e692ba985..e7e524386 100644 --- a/testdata/https-proxy-replicated-app.yaml +++ b/testdata/https-proxy-replicated-app.yaml @@ -1,53 +1,59 @@ apiVersion: troubleshoot.sh/v1beta2 -kind: SupportBundle +kind: HostPreflight metadata: - name: replicated-app + name: mitm-proxy spec: collectors: - http: - collectorName: https-google-proxy - get: - url: https://www.google.com - proxy: https://10.128.0.4:3130 - - http: - collectorName: https-replicated-proxy-cert-dir + collectorName: https-proxy get: url: https://replicated.app - tls: - cacert: /usr/local/share/ca-certificates/replicated.app - proxy: https://10.128.0.4:3130 + tls: + cacert: &ca |- + -----BEGIN CERTIFICATE----- + MIIDajCCAlKgAwIBAgIUFlUns1qeD6ss4cdXz52287KtPQswDQYJKoZIhvcNAQEL + BQAwTjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 + MRMwEQYDVQQKDApSZXBsaWNhdGVkMQswCQYDVQQLDAJJVDAeFw0yNDA5MjcxNTU5 + MDJaFw0yNDEwMDQxNTU5MDJaME4xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0 + ZTENMAsGA1UEBwwEQ2l0eTETMBEGA1UECgwKUmVwbGljYXRlZDELMAkGA1UECwwC + SVQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDLe7PlgdPiApQzZzkY + 0dN/NDBib72Y5TAEhNguPVDY1Rj4PLiKjUXvHbVsRLpP8DrKJAeK/kJqeR4xr1O5 + dQenCoTZTHX24TLFx0D1SKfdUtpxzKta8jd+O5TwaY/tLsi9YcJ6mz8n7+giJH1r + ZH5Isa9JkZ3fb2+VoX054I/C88MfsvdZahL7/RHLvolRiLeV7X86Zx2EJ3hUFWoZ + kYeIggbt2BeikeDlHQDBmxzpIaP1IMl3LHOjZhj7TiNuSYtDiE8OQIV34c9IZ1yi + lcUjrwKQCfzaE9lZK5UbS3KRD1XFSrSP4tWVsUmesYeFD+nc5/wku/J+PXDM1QAu + B8q9AgMBAAGjQDA+MA8GA1UdEQQIMAaHBAoKHskwDAYDVR0TBAUwAwEB/zAdBgNV + HQ4EFgQUuwXZYrzbdQVGCS5O0sdlCJo761cwDQYJKoZIhvcNAQELBQADggEBAH3G + 9C6sJ+uR9ZAOnFyCQEdBVaw02NMOY0ajc8gMrmgl9btx1rLnS8r+zLf9Jev0YxiG + Pq6HbkceQNa6Rl6l6JH4O0sV0KUXe5r7kPPYv9pMsy+JZYH9H1ppUr0a13s4vrgA + 4YbFE3TispC6WXFng4w85ODc9nmXGDvjPX6mzZxcsxooDX5+PPAo+WueKutOZMvT + yvB2hUgb4hy6CT6OvJJFb9Lh1Hl5aE/9FKgF3u/Tq2U3SSzMHMZiWzUVfAO0J1Ev + jcr8Mb5t3iQwH3t2eT07K2fouPa70vbOfj1kSiexUoUllHgoOXUeOpGv4Aykly7m + C/XdeJyP1tnZ3j2ozPo= + -----END CERTIFICATE----- + proxy: &proxy https://10.10.30.201:3130 - http: - collectorName: https-replicated-proxy-file + collectorName: https-proxy-failed get: url: https://replicated.app - tls: - cacert: /usr/local/share/ca-certificates/replicated.app/replicated.crt - proxy: https://10.128.0.4:3130 + proxy: *proxy + + analyzers: - http: - collectorName: https-replicated-proxy-literal - get: - url: https://replicated.app - tls: - cacert: |- - -----BEGIN CERTIFICATE----- - MIIDajCCAlKgAwIBAgIUZJdSAOMxiY3cKU34KCtpK2ztkhUwDQYJKoZIhvcNAQEL - BQAwTjELMAkGA1UEBhMCVVMxDjAMBgNVBAgMBVN0YXRlMQ0wCwYDVQQHDARDaXR5 - MRMwEQYDVQQKDApSZXBsaWNhdGVkMQswCQYDVQQLDAJJVDAeFw0yNDA5MjUxNDI0 - NTVaFw0yNDEwMDIxNDI0NTVaME4xCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVTdGF0 - ZTENMAsGA1UEBwwEQ2l0eTETMBEGA1UECgwKUmVwbGljYXRlZDELMAkGA1UECwwC - SVQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDFaoJSv18TVLGFq2WC - q6KOmlwfZpBXdgU1CYtg1HDwKUZ4/+WIcoHo+7yp+tt5TRA55r5d9YTlHWvQ+efh - pRbIxmi7aTI9JyV9/jw3lDdVjShiNmdlNEGW7PYAihQkWLErMVcLspiZqmWB2Ar5 - bvkRGoLV8Mf7QdAIEPZzK3RxL9oQSk0F5T+n/TxEOlN3XCJxWvgZUFNslnTNkx9d - ABeMBfoB22gJtcRqJ2Rsp3HrkNzOu4i5xHQtj3f4UdEkxBAUZwME1SK3qFVOfI4i - Gon4jFW0y0NYRuzYTypBuLbGoQ3RcOmpLfOSzhZL/aEE95QXHNH3L6QzVF4kZUin - 7sIRAgMBAAGjQDA+MA8GA1UdEQQIMAaHBAqAAAQwDAYDVR0TBAUwAwEB/zAdBgNV - HQ4EFgQUqJTkHiOkT65YvZelWCn/JziGN5AwDQYJKoZIhvcNAQELBQADggEBADPt - pdL++z00Ix75MVmjxU7QeLorpSeiU1j4z26VgomkuiC6iJrMKrYOGBsn7uMmALO8 - lVHDUCfAHs0Jv1vijkczT6I+fJiRYz0gnXYfMlPTH3Z082wVB5i0/ZZzv2hbO/cH - Z8nmQvX3S+vOH5t9s/af1lxYzRno4Bo5CRzV5yoWHJT0dkAL8Xq16PWl+KUp6hel - pVoo6uhBGcaJK5HY0WczyUY6ecMJ2BEwc0jNyYBKdkLAB3110axgFvtdBweHsEQv - ISeaclwXuzYuVFr0BawyUSjenl0t8ybbKFfNrLyv6FHTNiqRup6SxORr3eLSv4dZ - 6Qg1Og0ne2dGJrebKy0= - -----END CERTIFICATE----- - proxy: https://10.128.0.4:3130 + checkName: https-proxy + collectorName: https-proxy + outcomes: + - pass: + when: "statusCode == 200" + message: checking https://replicated.app passed + - fail: + message: checking https://replicated.app failed + - http: + checkName: https-proxy-failed + collectorName: https-proxy-failed + outcomes: + - pass: + when: "statusCode == 200" + message: checking https://replicated.app passed + - fail: + message: checking https://replicated.app failed From 75c5263281535ca63563a5aa0c1cf2597df92f3d Mon Sep 17 00:00:00 2001 From: ada mancini Date: Fri, 27 Sep 2024 14:44:48 -0400 Subject: [PATCH 10/19] test for cert untrusted response --- pkg/collect/http_test.go | 38 ++++++++++++++++++++++++++++++++++++-- 1 file changed, 36 insertions(+), 2 deletions(-) diff --git a/pkg/collect/http_test.go b/pkg/collect/http_test.go index b558765a0..46fd216e5 100644 --- a/pkg/collect/http_test.go +++ b/pkg/collect/http_test.go @@ -83,6 +83,13 @@ func TestCollectHTTP_Collect(t *testing.T) { res.WriteHeader(http.StatusInternalServerError) res.Write([]byte("{\"error\": { \"message\": \"context deadline exceeded\"}}")) }) + mux.HandleFunc("/certificate-mismatch", func(res http.ResponseWriter, req *http.Request) { + time.Sleep(1 * time.Millisecond) + fmt.Println("Sleeping for 2 seconds on /error call") + res.Header().Set("Content-Type", "application/json; charset=utf-8") + res.WriteHeader(http.StatusInternalServerError) + res.Write([]byte("{\"error\": { \"message\": \"Request failed: proxyconnect tcp: tls: failed to verify certificate: x509: \"10.0.0.254\" certificate is not trusted\"}}")) + }) sample_get_response := &ResponseData{ Response: Response{ @@ -125,9 +132,15 @@ func TestCollectHTTP_Collect(t *testing.T) { Message: "context deadline exceeded", }, } - sample_error_bytes, _ := sample_error_response.ToJSONbytes() + sample_certificate_untrusted := &ErrorResponse{ + Error: HTTPError{ + Message: "Request failed: proxyconnect tcp: tls: failed to verify certificate: x509: \"10.0.0.254\" certificate is not trusted", + }, + } + sample_certificate_untrusted_bytes, _ := sample_certificate_untrusted.ToJSONbytes() + tests := []CollectorTest{ { // check valid file path when CollectorName is not supplied @@ -250,7 +263,25 @@ func TestCollectHTTP_Collect(t *testing.T) { checkTimeout: true, wantErr: false, }, - // TODO: add TLS cert case + { + name: "TLS: certificate is not trusted", + Collector: &troubleshootv1beta2.HTTP{ + CollectorMeta: troubleshootv1beta2.CollectorMeta{ + CollectorName: "", + }, + Get: &troubleshootv1beta2.Get{ + Timeout: "300ms", + }, + }, + args: args{ + progressChan: nil, + }, + want: CollectorResult{ + "result.json": sample_certificate_untrusted_bytes, + }, + checkTimeout: true, + wantErr: true, + }, } for _, tt := range tests { var ts *httptest.Server @@ -273,6 +304,9 @@ func TestCollectHTTP_Collect(t *testing.T) { c.Collector.Get.URL = fmt.Sprintf("%s%s", url, "/error") response_data := sample_error_response response_data.testCollectHTTP(t, &tt, c) + c.Collector.Get.URL = fmt.Sprintf("%s%s", url, "/certificate-mismatch") + response_data = sample_certificate_untrusted + response_data.testCollectHTTP(t, &tt, c) } else { c.Collector.Get.URL = fmt.Sprintf("%s%s", url, "/get") response_data := sample_get_response From 3f05d5ee95843e044138210783c5ab511816ab4e Mon Sep 17 00:00:00 2001 From: ada mancini Date: Fri, 27 Sep 2024 15:13:13 -0400 Subject: [PATCH 11/19] make generate --- pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go | 8 +++----- pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go | 5 ----- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go b/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go index cc1f11ab8..9d17ee47a 100644 --- a/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go +++ b/pkg/apis/troubleshoot/v1beta2/hostcollector_shared.go @@ -66,11 +66,9 @@ type DiskUsage struct { type HostHTTP struct { HostCollectorMeta `json:",inline" yaml:",inline"` - Get *Get `json:"get,omitempty" yaml:"get,omitempty"` - Post *Post `json:"post,omitempty" yaml:"post,omitempty"` - Put *Put `json:"put,omitempty" yaml:"put,omitempty"` - TLS *TLSParams `json:"tls,omitempty" yaml:"tls,omitempty"` - Proxy string `json:"proxy,omitempty" yaml:"proxy,omitempty"` + Get *Get `json:"get,omitempty" yaml:"get,omitempty"` + Post *Post `json:"post,omitempty" yaml:"post,omitempty"` + Put *Put `json:"put,omitempty" yaml:"put,omitempty"` } type HostCopy struct { diff --git a/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go b/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go index 796c6ae36..e7a5c090c 100644 --- a/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go +++ b/pkg/apis/troubleshoot/v1beta2/zz_generated.deepcopy.go @@ -2338,11 +2338,6 @@ func (in *HostHTTP) DeepCopyInto(out *HostHTTP) { *out = new(Put) (*in).DeepCopyInto(*out) } - if in.TLS != nil { - in, out := &in.TLS, &out.TLS - *out = new(TLSParams) - (*in).DeepCopyInto(*out) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostHTTP. From b1395e02b328c6c653e994fe86966858089544bd Mon Sep 17 00:00:00 2001 From: ada mancini Date: Thu, 10 Oct 2024 09:14:18 -0400 Subject: [PATCH 12/19] make schemas --- .../typed/troubleshoot/v1beta2/fake/fake_supportbundle.go | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/pkg/client/troubleshootclientset/typed/troubleshoot/v1beta2/fake/fake_supportbundle.go b/pkg/client/troubleshootclientset/typed/troubleshoot/v1beta2/fake/fake_supportbundle.go index 11eb15dc0..b28fc4025 100644 --- a/pkg/client/troubleshootclientset/typed/troubleshoot/v1beta2/fake/fake_supportbundle.go +++ b/pkg/client/troubleshootclientset/typed/troubleshoot/v1beta2/fake/fake_supportbundle.go @@ -22,6 +22,7 @@ import ( v1beta2 "github.com/replicatedhq/troubleshoot/pkg/apis/troubleshoot/v1beta2" v1 "k8s.io/apimachinery/pkg/apis/meta/v1" + labels "k8s.io/apimachinery/pkg/labels" types "k8s.io/apimachinery/pkg/types" watch "k8s.io/apimachinery/pkg/watch" testing "k8s.io/client-go/testing" @@ -56,7 +57,6 @@ func (c *FakeSupportBundles) List(ctx context.Context, opts v1.ListOptions) (res if obj == nil { return nil, err } -<<<<<<< HEAD label, _, _ := testing.ExtractFromListOptions(opts) if label == nil { @@ -69,9 +69,6 @@ func (c *FakeSupportBundles) List(ctx context.Context, opts v1.ListOptions) (res } } return list, err -======= - return obj.(*v1beta2.SupportBundleList), err ->>>>>>> 8dd96e2 (move tls params into get, put, post methods) } // Watch returns a watch.Interface that watches the requested supportBundles. From 754a731fadd652e0304a14e18bab8f63b7051a78 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Thu, 10 Oct 2024 15:28:23 -0400 Subject: [PATCH 13/19] more test cases --- testdata/https-proxy-replicated-app.yaml | 43 ++++++++++++++++-------- 1 file changed, 29 insertions(+), 14 deletions(-) diff --git a/testdata/https-proxy-replicated-app.yaml b/testdata/https-proxy-replicated-app.yaml index e7e524386..675c1001c 100644 --- a/testdata/https-proxy-replicated-app.yaml +++ b/testdata/https-proxy-replicated-app.yaml @@ -5,9 +5,9 @@ metadata: spec: collectors: - http: - collectorName: https-proxy + collectorName: &https https get: - url: https://replicated.app + url: &url https://replicated.app tls: cacert: &ca |- -----BEGIN CERTIFICATE----- @@ -31,29 +31,44 @@ spec: jcr8Mb5t3iQwH3t2eT07K2fouPa70vbOfj1kSiexUoUllHgoOXUeOpGv4Aykly7m C/XdeJyP1tnZ3j2ozPo= -----END CERTIFICATE----- + - http: + collectorName: &https-proxy https-proxy + get: + url: *url + tls: + cacert: *ca proxy: &proxy https://10.10.30.201:3130 - http: - collectorName: https-proxy-failed + collectorName: &https-proxy-nocert https-proxy-nocert get: - url: https://replicated.app + url: *url proxy: *proxy analyzers: - http: - checkName: https-proxy - collectorName: https-proxy + checkName: *https-proxy + collectorName: *https-proxy + outcomes: + - pass: + when: &200 "statusCode == 200" + message: &passed checking https://replicated.app passed + - fail: + message: &failed checking https://replicated.app failed + - http: + checkName: *https-proxy-nocert + collectorName: *https-proxy-nocert outcomes: - pass: - when: "statusCode == 200" - message: checking https://replicated.app passed + when: *200 + message: *passed - fail: - message: checking https://replicated.app failed + message: *failed - http: - checkName: https-proxy-failed - collectorName: https-proxy-failed + checkName: *https + collectorName: *https outcomes: - pass: - when: "statusCode == 200" - message: checking https://replicated.app passed + when: *200 + message: *passed - fail: - message: checking https://replicated.app failed + message: *failed From 24b5ccce02f2f1ccaf0c7620eae41d5f36d2287b Mon Sep 17 00:00:00 2001 From: ada mancini Date: Thu, 10 Oct 2024 15:33:28 -0400 Subject: [PATCH 14/19] make schemas --- config/crds/troubleshoot.sh_collectors.yaml | 90 +++++-- .../crds/troubleshoot.sh_hostcollectors.yaml | 90 +++++-- .../crds/troubleshoot.sh_hostpreflights.yaml | 159 +++++++++-- config/crds/troubleshoot.sh_preflights.yaml | 159 +++++++++-- .../troubleshoot.sh_remotecollectors.yaml | 69 +++++ .../crds/troubleshoot.sh_supportbundles.yaml | 180 ++++++++++--- schemas/collector-troubleshoot-v1beta2.json | 125 +++++++-- schemas/preflight-troubleshoot-v1beta2.json | 230 ++++++++++++++-- .../supportbundle-troubleshoot-v1beta2.json | 250 ++++++++++++++---- 9 files changed, 1122 insertions(+), 230 deletions(-) diff --git a/config/crds/troubleshoot.sh_collectors.yaml b/config/crds/troubleshoot.sh_collectors.yaml index f933bf526..dfca59085 100644 --- a/config/crds/troubleshoot.sh_collectors.yaml +++ b/config/crds/troubleshoot.sh_collectors.yaml @@ -408,11 +408,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -430,11 +453,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -450,36 +496,38 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string - url: - type: string - required: - - url - type: object - tls: - properties: - cacert: - type: string - clientCert: - type: string - clientKey: - type: string - secret: + tls: properties: - name: + cacert: type: string - namespace: + clientCert: type: string - required: - - name - - namespace + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean type: object - skipVerify: - type: boolean + url: + type: string + required: + - url type: object type: object logs: diff --git a/config/crds/troubleshoot.sh_hostcollectors.yaml b/config/crds/troubleshoot.sh_hostcollectors.yaml index 57dec58b0..14414a0b3 100644 --- a/config/crds/troubleshoot.sh_hostcollectors.yaml +++ b/config/crds/troubleshoot.sh_hostcollectors.yaml @@ -1400,11 +1400,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -1420,11 +1443,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -1440,36 +1486,38 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string - url: - type: string - required: - - url - type: object - tls: - properties: - cacert: - type: string - clientCert: - type: string - clientKey: - type: string - secret: + tls: properties: - name: + cacert: + type: string + clientCert: type: string - namespace: + clientKey: type: string - required: - - name - - namespace + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean type: object - skipVerify: - type: boolean + url: + type: string + required: + - url type: object type: object httpLoadBalancer: diff --git a/config/crds/troubleshoot.sh_hostpreflights.yaml b/config/crds/troubleshoot.sh_hostpreflights.yaml index 958995af9..1b1bf828b 100644 --- a/config/crds/troubleshoot.sh_hostpreflights.yaml +++ b/config/crds/troubleshoot.sh_hostpreflights.yaml @@ -1400,11 +1400,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -1420,11 +1443,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -1440,36 +1486,38 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string - url: - type: string - required: - - url - type: object - tls: - properties: - cacert: - type: string - clientCert: - type: string - clientKey: - type: string - secret: + tls: properties: - name: + cacert: + type: string + clientCert: type: string - namespace: + clientKey: type: string - required: - - name - - namespace + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean type: object - skipVerify: - type: boolean + url: + type: string + required: + - url type: object type: object httpLoadBalancer: @@ -1909,11 +1957,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -1929,11 +2000,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -1949,11 +2043,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: diff --git a/config/crds/troubleshoot.sh_preflights.yaml b/config/crds/troubleshoot.sh_preflights.yaml index 5dbe47d6e..27eef2914 100644 --- a/config/crds/troubleshoot.sh_preflights.yaml +++ b/config/crds/troubleshoot.sh_preflights.yaml @@ -2137,11 +2137,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -2159,11 +2182,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -2179,36 +2225,38 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string - url: - type: string - required: - - url - type: object - tls: - properties: - cacert: - type: string - clientCert: - type: string - clientKey: - type: string - secret: + tls: properties: - name: + cacert: type: string - namespace: + clientCert: type: string - required: - - name - - namespace + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean type: object - skipVerify: - type: boolean + url: + type: string + required: + - url type: object type: object logs: @@ -18758,11 +18806,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -18778,11 +18849,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -18798,11 +18892,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: diff --git a/config/crds/troubleshoot.sh_remotecollectors.yaml b/config/crds/troubleshoot.sh_remotecollectors.yaml index e408a2c18..c4b8765cc 100644 --- a/config/crds/troubleshoot.sh_remotecollectors.yaml +++ b/config/crds/troubleshoot.sh_remotecollectors.yaml @@ -221,11 +221,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -241,11 +264,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -261,11 +307,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: diff --git a/config/crds/troubleshoot.sh_supportbundles.yaml b/config/crds/troubleshoot.sh_supportbundles.yaml index d0d5c1562..2c8c5c2ed 100644 --- a/config/crds/troubleshoot.sh_supportbundles.yaml +++ b/config/crds/troubleshoot.sh_supportbundles.yaml @@ -2168,11 +2168,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -2190,11 +2213,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -2210,36 +2256,38 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string - url: - type: string - required: - - url - type: object - tls: - properties: - cacert: - type: string - clientCert: - type: string - clientKey: - type: string - secret: + tls: properties: - name: + cacert: type: string - namespace: + clientCert: type: string - required: - - name - - namespace + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean type: object - skipVerify: - type: boolean + url: + type: string + required: + - url type: object type: object logs: @@ -19999,11 +20047,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -20019,11 +20090,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -20039,36 +20133,38 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string - url: - type: string - required: - - url - type: object - tls: - properties: - cacert: - type: string - clientCert: - type: string - clientKey: - type: string - secret: + tls: properties: - name: + cacert: type: string - namespace: + clientCert: type: string - required: - - name - - namespace + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean type: object - skipVerify: - type: boolean + url: + type: string + required: + - url type: object type: object httpLoadBalancer: diff --git a/schemas/collector-troubleshoot-v1beta2.json b/schemas/collector-troubleshoot-v1beta2.json index fecf0d58e..f924cfa6e 100644 --- a/schemas/collector-troubleshoot-v1beta2.json +++ b/schemas/collector-troubleshoot-v1beta2.json @@ -570,10 +570,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -600,10 +635,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -627,44 +697,47 @@ "insecureSkipVerify": { "type": "boolean" }, - "timeout": { - "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", + "proxy": { "type": "string" }, - "url": { - "type": "string" - } - } - }, - "tls": { - "type": "object", - "properties": { - "cacert": { - "type": "string" - }, - "clientCert": { - "type": "string" - }, - "clientKey": { + "timeout": { + "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, - "secret": { + "tls": { "type": "object", - "required": [ - "name", - "namespace" - ], "properties": { - "name": { + "cacert": { "type": "string" }, - "namespace": { + "clientCert": { + "type": "string" + }, + "clientKey": { "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" } } }, - "skipVerify": { - "type": "boolean" + "url": { + "type": "string" } } } diff --git a/schemas/preflight-troubleshoot-v1beta2.json b/schemas/preflight-troubleshoot-v1beta2.json index 46db5786b..02e7687e8 100644 --- a/schemas/preflight-troubleshoot-v1beta2.json +++ b/schemas/preflight-troubleshoot-v1beta2.json @@ -3234,10 +3234,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -3264,10 +3299,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -3291,44 +3361,47 @@ "insecureSkipVerify": { "type": "boolean" }, - "timeout": { - "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", + "proxy": { "type": "string" }, - "url": { - "type": "string" - } - } - }, - "tls": { - "type": "object", - "properties": { - "cacert": { - "type": "string" - }, - "clientCert": { - "type": "string" - }, - "clientKey": { + "timeout": { + "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, - "secret": { + "tls": { "type": "object", - "required": [ - "name", - "namespace" - ], "properties": { - "name": { + "cacert": { "type": "string" }, - "namespace": { + "clientCert": { "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" } } }, - "skipVerify": { - "type": "boolean" + "url": { + "type": "string" } } } @@ -17247,10 +17320,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -17274,10 +17382,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -17301,10 +17444,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } diff --git a/schemas/supportbundle-troubleshoot-v1beta2.json b/schemas/supportbundle-troubleshoot-v1beta2.json index 6a5cf2579..2c1ac4ff7 100644 --- a/schemas/supportbundle-troubleshoot-v1beta2.json +++ b/schemas/supportbundle-troubleshoot-v1beta2.json @@ -3280,10 +3280,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -3310,10 +3345,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -3337,44 +3407,47 @@ "insecureSkipVerify": { "type": "boolean" }, - "timeout": { - "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", + "proxy": { "type": "string" }, - "url": { - "type": "string" - } - } - }, - "tls": { - "type": "object", - "properties": { - "cacert": { - "type": "string" - }, - "clientCert": { - "type": "string" - }, - "clientKey": { + "timeout": { + "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, - "secret": { + "tls": { "type": "object", - "required": [ - "name", - "namespace" - ], "properties": { - "name": { + "cacert": { "type": "string" }, - "namespace": { + "clientCert": { + "type": "string" + }, + "clientKey": { "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" } } }, - "skipVerify": { - "type": "boolean" + "url": { + "type": "string" } } } @@ -19166,10 +19239,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -19193,10 +19301,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -19220,44 +19363,47 @@ "insecureSkipVerify": { "type": "boolean" }, - "timeout": { - "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", + "proxy": { "type": "string" }, - "url": { - "type": "string" - } - } - }, - "tls": { - "type": "object", - "properties": { - "cacert": { - "type": "string" - }, - "clientCert": { - "type": "string" - }, - "clientKey": { + "timeout": { + "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, - "secret": { + "tls": { "type": "object", - "required": [ - "name", - "namespace" - ], "properties": { - "name": { + "cacert": { "type": "string" }, - "namespace": { + "clientCert": { + "type": "string" + }, + "clientKey": { "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" } } }, - "skipVerify": { - "type": "boolean" + "url": { + "type": "string" } } } From 51cd3a2351d28ea00344f79eef06821949cb84b6 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Mon, 21 Oct 2024 10:30:15 -0400 Subject: [PATCH 15/19] dont include system certs --- pkg/collect/http.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/collect/http.go b/pkg/collect/http.go index 28f3a91d5..e5f24e05b 100644 --- a/pkg/collect/http.go +++ b/pkg/collect/http.go @@ -116,7 +116,7 @@ func doRequest(method, url string, headers map[string]string, body string, insec if tlsParams != nil && tlsParams.CACert != "" { if isPEMCertificate(tlsParams.CACert) { klog.V(2).Infof("Using PEM certificate from spec\n") - certPool, err := x509.SystemCertPool() + certPool := x509.NewCertPool() if err != nil { return nil, errors.Wrap(err, "failed to get system cert pool") } From bdb32cc579259c981237b3ebd90d21f8391f1cb8 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Wed, 23 Oct 2024 16:53:21 -0400 Subject: [PATCH 16/19] make generate && make schemas --- config/crds/troubleshoot.sh_collectors.yaml | 69 +++++++++++++ go.mod | 2 +- schemas/collector-troubleshoot-v1beta2.json | 105 ++++++++++++++++++++ 3 files changed, 175 insertions(+), 1 deletion(-) diff --git a/config/crds/troubleshoot.sh_collectors.yaml b/config/crds/troubleshoot.sh_collectors.yaml index 8921605dc..ed5222823 100644 --- a/config/crds/troubleshoot.sh_collectors.yaml +++ b/config/crds/troubleshoot.sh_collectors.yaml @@ -17123,11 +17123,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -17143,11 +17166,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: @@ -17163,11 +17209,34 @@ spec: type: object insecureSkipVerify: type: boolean + proxy: + type: string timeout: description: |- Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m. Missing value or empty string or means no timeout. type: string + tls: + properties: + cacert: + type: string + clientCert: + type: string + clientKey: + type: string + secret: + properties: + name: + type: string + namespace: + type: string + required: + - name + - namespace + type: object + skipVerify: + type: boolean + type: object url: type: string required: diff --git a/go.mod b/go.mod index c504a25cf..409f7ff63 100644 --- a/go.mod +++ b/go.mod @@ -41,7 +41,6 @@ require ( github.com/vmware-tanzu/velero v1.14.1 go.opentelemetry.io/otel v1.31.0 go.opentelemetry.io/otel/sdk v1.31.0 - go.opentelemetry.io/otel/trace v1.31.0 golang.org/x/exp v0.0.0-20240613232115-7f521ea00fb8 golang.org/x/mod v0.21.0 golang.org/x/sync v0.8.0 @@ -124,6 +123,7 @@ require ( go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.53.0 // indirect go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.53.0 // indirect go.opentelemetry.io/otel/metric v1.31.0 // indirect + go.opentelemetry.io/otel/trace v1.31.0 // indirect go.uber.org/multierr v1.11.0 // indirect golang.org/x/tools v0.22.0 // indirect google.golang.org/genproto/googleapis/api v0.0.0-20240528184218-531527333157 // indirect diff --git a/schemas/collector-troubleshoot-v1beta2.json b/schemas/collector-troubleshoot-v1beta2.json index 536fbb4c6..d54ff65a6 100644 --- a/schemas/collector-troubleshoot-v1beta2.json +++ b/schemas/collector-troubleshoot-v1beta2.json @@ -14727,10 +14727,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -14754,10 +14789,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } @@ -14781,10 +14851,45 @@ "insecureSkipVerify": { "type": "boolean" }, + "proxy": { + "type": "string" + }, "timeout": { "description": "Timeout is the time to wait for a server's response. Its a duration e.g 15s, 2h30m.\nMissing value or empty string or means no timeout.", "type": "string" }, + "tls": { + "type": "object", + "properties": { + "cacert": { + "type": "string" + }, + "clientCert": { + "type": "string" + }, + "clientKey": { + "type": "string" + }, + "secret": { + "type": "object", + "required": [ + "name", + "namespace" + ], + "properties": { + "name": { + "type": "string" + }, + "namespace": { + "type": "string" + } + } + }, + "skipVerify": { + "type": "boolean" + } + } + }, "url": { "type": "string" } From e545bc2e8bb250c45b5ab6c3768dbfc55e333916 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Wed, 23 Oct 2024 17:01:52 -0400 Subject: [PATCH 17/19] resolve gosec G402 warning --- pkg/collect/http.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/collect/http.go b/pkg/collect/http.go index e5f24e05b..2c066aa8a 100644 --- a/pkg/collect/http.go +++ b/pkg/collect/http.go @@ -110,7 +110,7 @@ func doRequest(method, url string, headers map[string]string, body string, insec return nil, err } - tlsConfig := &tls.Config{} + tlsConfig := &tls.Config{MinVersion: tls.VersionTLS12} httpTransport := &http.Transport{} if tlsParams != nil && tlsParams.CACert != "" { From a8b44c80ee568ab92e7c3468cf9f60a751c82443 Mon Sep 17 00:00:00 2001 From: ada mancini Date: Wed, 23 Oct 2024 17:02:56 -0400 Subject: [PATCH 18/19] remove old check for system certs --- pkg/collect/http.go | 3 --- 1 file changed, 3 deletions(-) diff --git a/pkg/collect/http.go b/pkg/collect/http.go index 2c066aa8a..05fcd93a4 100644 --- a/pkg/collect/http.go +++ b/pkg/collect/http.go @@ -117,9 +117,6 @@ func doRequest(method, url string, headers map[string]string, body string, insec if isPEMCertificate(tlsParams.CACert) { klog.V(2).Infof("Using PEM certificate from spec\n") certPool := x509.NewCertPool() - if err != nil { - return nil, errors.Wrap(err, "failed to get system cert pool") - } if !certPool.AppendCertsFromPEM([]byte(tlsParams.CACert)) { return nil, errors.New("failed to append certificate to cert pool") } From f6abfc6f349a12582d8210bc87f311b4aa82c7ae Mon Sep 17 00:00:00 2001 From: ada mancini Date: Wed, 23 Oct 2024 17:06:59 -0400 Subject: [PATCH 19/19] ignore errcheck "return value not checked" linter errors --- .golangci.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.golangci.yaml b/.golangci.yaml index a80b6564c..9dcd6b279 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -11,3 +11,5 @@ linters: - gofmt - gosec - govet + disable: + - errcheck