OCPBUGS-47485: Only list CLO output urls when they exist

Open yuumasato opened this issue 9 months ago • 6 comments

Description:

  • This changes the jq filter to grab only the maps that have a url key.

Rationale:

  • When the output had more than one map, it would try to list the url of all of them.
  • Fixes: https://issues.redhat.com/browse/OCPBUGS-47485

yuumasato avatar Mar 06 '25 17:03 yuumasato

Code Climate has analyzed commit ebfe7184 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 62.1% (0.0% change).

View more on Code Climate.

qlty-cloud-legacy[bot] avatar Mar 06 '25 17:03 qlty-cloud-legacy[bot]

/retest

yuumasato avatar Mar 06 '25 20:03 yuumasato

/test

rhmdnd avatar Mar 13 '25 21:03 rhmdnd

@rhmdnd: The /test command needs one or more targets. The following commands are available to trigger required jobs:

/test 4.12-e2e-aws-ocp4-cis
/test 4.12-e2e-aws-ocp4-cis-node
/test 4.12-e2e-aws-ocp4-e8
/test 4.12-e2e-aws-ocp4-high
/test 4.12-e2e-aws-ocp4-high-node
/test 4.12-e2e-aws-ocp4-moderate
/test 4.12-e2e-aws-ocp4-moderate-node
/test 4.12-e2e-aws-ocp4-pci-dss
/test 4.12-e2e-aws-ocp4-pci-dss-4-0
/test 4.12-e2e-aws-ocp4-pci-dss-node
/test 4.12-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.12-e2e-aws-ocp4-stig
/test 4.12-e2e-aws-ocp4-stig-node
/test 4.12-e2e-aws-rhcos4-e8
/test 4.12-e2e-aws-rhcos4-high
/test 4.12-e2e-aws-rhcos4-moderate
/test 4.12-e2e-aws-rhcos4-stig
/test 4.12-images
/test 4.13-e2e-aws-ocp4-bsi
/test 4.13-e2e-aws-ocp4-bsi-node
/test 4.13-e2e-aws-ocp4-cis
/test 4.13-e2e-aws-ocp4-cis-node
/test 4.13-e2e-aws-ocp4-e8
/test 4.13-e2e-aws-ocp4-high
/test 4.13-e2e-aws-ocp4-high-node
/test 4.13-e2e-aws-ocp4-moderate
/test 4.13-e2e-aws-ocp4-moderate-node
/test 4.13-e2e-aws-ocp4-pci-dss
/test 4.13-e2e-aws-ocp4-pci-dss-4-0
/test 4.13-e2e-aws-ocp4-pci-dss-node
/test 4.13-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.13-e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig-node
/test 4.13-e2e-aws-rhcos4-bsi
/test 4.13-e2e-aws-rhcos4-e8
/test 4.13-e2e-aws-rhcos4-high
/test 4.13-e2e-aws-rhcos4-moderate
/test 4.13-e2e-aws-rhcos4-stig
/test 4.13-images
/test 4.14-e2e-aws-ocp4-bsi
/test 4.14-e2e-aws-ocp4-bsi-node
/test 4.14-e2e-aws-ocp4-pci-dss-4-0
/test 4.14-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.14-e2e-aws-rhcos4-bsi
/test 4.14-images
/test 4.15-e2e-aws-ocp4-bsi
/test 4.15-e2e-aws-ocp4-bsi-node
/test 4.15-e2e-aws-ocp4-cis
/test 4.15-e2e-aws-ocp4-cis-node
/test 4.15-e2e-aws-ocp4-e8
/test 4.15-e2e-aws-ocp4-high
/test 4.15-e2e-aws-ocp4-high-node
/test 4.15-e2e-aws-ocp4-moderate
/test 4.15-e2e-aws-ocp4-moderate-node
/test 4.15-e2e-aws-ocp4-pci-dss
/test 4.15-e2e-aws-ocp4-pci-dss-4-0
/test 4.15-e2e-aws-ocp4-pci-dss-node
/test 4.15-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.15-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig-node
/test 4.15-e2e-aws-rhcos4-bsi
/test 4.15-e2e-aws-rhcos4-e8
/test 4.15-e2e-aws-rhcos4-high
/test 4.15-e2e-aws-rhcos4-moderate
/test 4.15-e2e-aws-rhcos4-stig
/test 4.15-e2e-rosa-ocp4-cis-node
/test 4.15-e2e-rosa-ocp4-pci-dss-node
/test 4.15-images
/test 4.16-e2e-aws-ocp4-bsi
/test 4.16-e2e-aws-ocp4-bsi-node
/test 4.16-e2e-aws-ocp4-cis
/test 4.16-e2e-aws-ocp4-cis-node
/test 4.16-e2e-aws-ocp4-e8
/test 4.16-e2e-aws-ocp4-high
/test 4.16-e2e-aws-ocp4-high-node
/test 4.16-e2e-aws-ocp4-moderate
/test 4.16-e2e-aws-ocp4-moderate-node
/test 4.16-e2e-aws-ocp4-pci-dss
/test 4.16-e2e-aws-ocp4-pci-dss-4-0
/test 4.16-e2e-aws-ocp4-pci-dss-node
/test 4.16-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.16-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig-node
/test 4.16-e2e-aws-rhcos4-bsi
/test 4.16-e2e-aws-rhcos4-e8
/test 4.16-e2e-aws-rhcos4-high
/test 4.16-e2e-aws-rhcos4-moderate
/test 4.16-e2e-aws-rhcos4-stig
/test 4.16-images
/test 4.17-e2e-aws-ocp4-bsi
/test 4.17-e2e-aws-ocp4-bsi-node
/test 4.17-e2e-aws-ocp4-cis
/test 4.17-e2e-aws-ocp4-cis-node
/test 4.17-e2e-aws-ocp4-e8
/test 4.17-e2e-aws-ocp4-high
/test 4.17-e2e-aws-ocp4-high-node
/test 4.17-e2e-aws-ocp4-moderate
/test 4.17-e2e-aws-ocp4-moderate-node
/test 4.17-e2e-aws-ocp4-pci-dss
/test 4.17-e2e-aws-ocp4-pci-dss-4-0
/test 4.17-e2e-aws-ocp4-pci-dss-node
/test 4.17-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.17-e2e-aws-ocp4-stig
/test 4.17-e2e-aws-ocp4-stig-node
/test 4.17-e2e-aws-rhcos4-bsi
/test 4.17-e2e-aws-rhcos4-e8
/test 4.17-e2e-aws-rhcos4-high
/test 4.17-e2e-aws-rhcos4-moderate
/test 4.17-e2e-aws-rhcos4-stig
/test 4.17-images
/test 4.18-e2e-aws-ocp4-bsi
/test 4.18-e2e-aws-ocp4-bsi-node
/test 4.18-e2e-aws-ocp4-cis
/test 4.18-e2e-aws-ocp4-cis-node
/test 4.18-e2e-aws-ocp4-e8
/test 4.18-e2e-aws-ocp4-high
/test 4.18-e2e-aws-ocp4-high-node
/test 4.18-e2e-aws-ocp4-moderate
/test 4.18-e2e-aws-ocp4-moderate-node
/test 4.18-e2e-aws-ocp4-pci-dss
/test 4.18-e2e-aws-ocp4-pci-dss-4-0
/test 4.18-e2e-aws-ocp4-pci-dss-node
/test 4.18-e2e-aws-ocp4-pci-dss-node-4-0
/test 4.18-e2e-aws-ocp4-stig
/test 4.18-e2e-aws-ocp4-stig-node
/test 4.18-e2e-aws-rhcos4-bsi
/test 4.18-e2e-aws-rhcos4-e8
/test 4.18-e2e-aws-rhcos4-high
/test 4.18-e2e-aws-rhcos4-moderate
/test 4.18-e2e-aws-rhcos4-stig
/test 4.18-images
/test e2e-aws-ocp4-bsi
/test e2e-aws-ocp4-bsi-node
/test e2e-aws-ocp4-cis
/test e2e-aws-ocp4-cis-node
/test e2e-aws-ocp4-e8
/test e2e-aws-ocp4-high
/test e2e-aws-ocp4-high-node
/test e2e-aws-ocp4-moderate
/test e2e-aws-ocp4-moderate-node
/test e2e-aws-ocp4-pci-dss
/test e2e-aws-ocp4-pci-dss-4-0
/test e2e-aws-ocp4-pci-dss-node
/test e2e-aws-ocp4-pci-dss-node-4-0
/test e2e-aws-ocp4-stig
/test e2e-aws-ocp4-stig-node
/test e2e-aws-rhcos4-bsi
/test e2e-aws-rhcos4-e8
/test e2e-aws-rhcos4-high
/test e2e-aws-rhcos4-moderate
/test e2e-aws-rhcos4-stig
/test images

Use /test all to run the following jobs that were automatically triggered:

pull-ci-ComplianceAsCode-content-master-4.12-images
pull-ci-ComplianceAsCode-content-master-4.13-images
pull-ci-ComplianceAsCode-content-master-4.14-images
pull-ci-ComplianceAsCode-content-master-4.15-images
pull-ci-ComplianceAsCode-content-master-4.16-images
pull-ci-ComplianceAsCode-content-master-4.17-images
pull-ci-ComplianceAsCode-content-master-4.18-images
pull-ci-ComplianceAsCode-content-master-images

In response to this:

/test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

openshift-ci[bot] avatar Mar 13 '25 21:03 openshift-ci[bot]

/test 4.12-e2e-aws-ocp4-stig
/test 4.13-e2e-aws-ocp4-stig
/test 4.15-e2e-aws-ocp4-stig
/test 4.16-e2e-aws-ocp4-stig
/test 4.17-e2e-aws-ocp4-stig

rhmdnd avatar Mar 13 '25 21:03 rhmdnd

The rule is working as expected. However, the command in the instruction doesn't work:

% oc get -n openshift-logging clusterlogforwarders -o json | jq 'try [.items[].spec.outputs[][]|objects|selece(.url != null).url] catch []'
jq: error: selece/1 is not defined at <top-level>, line 1:
try [.items[].spec.outputs[][]|objects|selece(.url != null).url] catch []                                       
jq: 1 compile error

More details below:

1. Install logging 6.3 and enable logging forwarding with tls:
% oc get csv -n openshift-logging
NAME                     DISPLAY                     VERSION   REPLACES                 PHASE
cluster-logging.v6.3.0   Red Hat OpenShift Logging   6.3.0     cluster-logging.v6.2.0   Succeeded
$ oc get -n openshift-logging clusterlogforwarders -o=jsonpath='{.items[*].spec.outputs}' | jq -r
[
  {
    "name": "external-syslog",
    "syslog": {
      "facility": "local0",
      "rfc": "RFC5424",
      "severity": "informational",
      "url": "tls://rsyslog.e2e-test-vector-syslog-xpc9h.svc:6514"
    },
    "tls": {
      "ca": {
        "key": "ca-bundle.crt",
        "secretName": "rsyslog-tls"
      }
    },
    "type": "syslog"
  }
]
% oc get ccr | grep audit-log-forwarding                                                                                                   
upstream-ocp4-stig-audit-log-forwarding-enabled                                         PASS     medium
upstream-ocp4-stig-audit-log-forwarding-uses-tls                                        PASS     medium
% oc get rule upstream-ocp4-audit-log-forwarding-uses-tls  -o=jsonpath={.instructions}                                                     
Run the following command:
$ oc get -n openshift-logging clusterlogforwarders -o json | jq 'try [.items[].spec.outputs[][]|objects|selece(.url != null).url] catch []'
The output should return a list of URL entries with https:// or tls:// transport.
Is it the case that Logs are not forwarded outside the cluster using TLS?%      
% oc get -n openshift-logging clusterlogforwarders -o json | jq 'try [.items[].spec.outputs[][]|objects|selece(.url != null).url] catch []'
jq: error: selece/1 is not defined at <top-level>, line 1:
try [.items[].spec.outputs[][]|objects|selece(.url != null).url] catch []                                       
jq: 1 compile error      

xiaojiey avatar Mar 17 '25 05:03 xiaojiey

@xiaojiey was the issue the typo? ('selece' to 'select') Or was there something else?

yuumasato avatar Aug 27 '25 11:08 yuumasato

@xiaojiey was the issue the typo? ('selece' to 'select') Or was there something else?

@yuumasato I don't clearly remember the details. Can you fix the typo so I can trigger a retest tomorrow? Thanks.

xiaojiey avatar Aug 27 '25 12:08 xiaojiey

@xiaojiey Sure, typo fixed.

yuumasato avatar Aug 27 '25 12:08 yuumasato

Verification passed. The rule works and the instructions also work.

% oc get ccr | grep audit-log-forwarding
upstream-ocp4-moderate-audit-log-forwarding-enabled                              PASS     medium
upstream-ocp4-moderate-audit-log-forwarding-uses-tls                             PASS     medium
% oc get ccr upstream-ocp4-moderate-audit-log-forwarding-uses-tls -o=jsonpath={.instructions}
Run the following command:
$ oc get -n openshift-logging clusterlogforwarders -o json | jq 'try [.items[].spec.outputs[][]|objects|select(.url != null).url] catch []'
The output should return a list of URL entries with https:// or tls:// transport.
Is it the case that Logs are not forwarded outside the cluster using TLS?%                            
% oc get -n openshift-logging clusterlogforwarders -o json | jq 'try [.items[].spec.outputs[][]|objects|select(.url != null).url] catch []'
[
  "tls://rsyslog.e2e-test-vector-syslog-j6vcp.svc:6514"
]

xiaojiey avatar Aug 28 '25 11:08 xiaojiey
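
An added example, not part of the pull request or of the ComplianceAsCode project: the corrected jq filter from the thread above, followed step by step in Python over a constructed ClusterLogForwarder list, together with the https:// or tls:// scheme check that the rule instructions leave to the reader. `SAMPLE`, `output_urls`, `non_tls_urls`, the `require_url` switch and the host names are assumptions made for illustration.

```python
# Added example: constructed data, not output from a real cluster.
TLS_SCHEMES = ("https://", "tls://")

# Constructed ClusterLogForwarder list, shaped like the outputs shown in this thread.
SAMPLE = {
    "items": [
        {"spec": {"outputs": [
            {
                "name": "external-syslog",
                "type": "syslog",
                "syslog": {"rfc": "RFC5424", "url": "tls://rsyslog.example.svc:6514"},
                "tls": {"ca": {"key": "ca-bundle.crt", "secretName": "rsyslog-tls"}},
            },
            {
                "name": "plain-syslog",
                "type": "syslog",
                "syslog": {"rfc": "RFC5424", "url": "tcp://rsyslog.example.svc:514"},
            },
        ]}},
    ]
}


def output_urls(clf_list, require_url=True):
    """Follow the jq filter step by step; any traversal error yields [] (the catch)."""
    try:
        urls = []
        for item in clf_list["items"]:                 # .items[]
            for output in item["spec"]["outputs"]:     # .spec.outputs[]
                for value in output.values():          # [] over each output map
                    if not isinstance(value, dict):    # objects
                        continue
                    url = value.get("url")
                    if url is None and require_url:    # select(.url != null)
                        continue
                    urls.append(url)
        return urls
    except (KeyError, TypeError, AttributeError):
        return []


def non_tls_urls(urls):
    """Return the entries that do not use https:// or tls:// transport."""
    return [u for u in urls if not (isinstance(u, str) and u.startswith(TLS_SCHEMES))]


if __name__ == "__main__":
    print(output_urls(SAMPLE))                     # only maps that carry a url key
    print(output_urls(SAMPLE, require_url=False))  # the tls map contributes a null entry
    print(non_tls_urls(output_urls(SAMPLE)))       # entries an auditor should flag
```

With `require_url=False` the `tls` map, which has no `url` key, contributes a null entry, which is the multi-map case the pull request description refers to.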