elastisys
Add sops file flag to diagnostics script
[!warning] This is a public repository, ensure not to disclose:
- [x] personal data beyond what is necessary for interacting with this pull request, nor
- [x] business confidential information, such as customer names.
What kind of PR is this?
Required: Mark one of the following that is applicable:
- [ ] kind/feature
- [x] kind/improvement
- [ ] kind/deprecation
- [ ] kind/documentation
- [ ] kind/clean-up
- [ ] kind/bug
- [ ] kind/other
Optional: Mark one or more of the following that are applicable:
[!important] Breaking changes should be marked
kind/admin-changeorkind/dev-changedepending on type Critical security fixes should be marked withkind/security
- [ ] kind/admin-change
- [ ] kind/dev-change
- [ ] kind/security
- [ ] kind/adr
What does this PR do / why do we need this PR?
Want to simplify the usage of the diagnostics script, the script will now by default import GPG keys from a file $CK8S_CONFIG_PATH/diagnostics_receiver.gpg and use their fingerprints if CK8S_PGP_FP is not already set.
- Follow up of https://github.com/elastisys/ck8s-issue-tracker/issues/258
Information to reviewers
I am planning to update the public docs to reflect this change.
Checklist
- [x] Proper commit message prefix on all commits
- Change checks:
- [ ] The change is transparent
- [ ] The change is disruptive
- [ ] The change requires no migration steps
- [ ] The change requires migration steps
- [ ] The change upgrades CRDs
- [ ] The change updates the config and the schema
- Metrics checks:
- [ ] The metrics are still exposed and present in Grafana after the change
- [ ] The metrics names didn't change (Grafana dashboards and Prometheus alerts are not affected)
- [ ] The metrics names did change (Grafana dashboards and Prometheus alerts were fixed)
- Logs checks:
- [ ] The logs do not show any errors after the change
- Pod Security Policy checks:
- [ ] Any changed pod is covered by Pod Security Admission
- [ ] Any changed pod is covered by Gatekeeper Pod Security Policies
- [ ] The change does not cause any pods to be blocked by Pod Security Admission or Policies
- Network Policy checks:
- [ ] Any changed pod is covered by Network Policies
- [ ] The change does not cause any dropped packets in the
NetworkPolicy Dashboard
- Audit checks:
- [ ] The change does not cause any unnecessary Kubernetes audit events
- [ ] The change requires changes to Kubernetes audit policy
- Falco checks:
- [ ] The change does not cause any alerts to be generated by Falco
- Bug checks:
- [ ] The bug fix is covered by regression tests
@anders-elastisys I guess you wanted some early feedback on your proposal.
Overall, I think this is a good idea. It would be great if we could bring the script to the point where the on-call person only needs to type:
./bin/ck8s diagnostics sc
./bin/ck8s diagnostics wc
The expression convention over configuration comes to my mind. The on-call person should be provided with "sensible defaults".
@anders-elastisys I guess you wanted some early feedback on your proposal.
Overall, I think this is a good idea. It would be great if we could bring the script to the point where the on-call person only needs to type:
./bin/ck8s diagnostics sc ./bin/ck8s diagnostics wcThe expression convention over configuration comes to my mind. The on-call person should be provided with "sensible defaults".
Maybe https://github.com/elastisys/compliantkubernetes-apps/pull/2250/commits/13414e179fe9f740586312bc50cf4648f1fdf4a1 is more in line with what we want? I removed the sops-config file flag and instead added so that by default the script will look for the file ${CK8S_CONFIG_PATH}/diagnostics_receiver.gpg containing GPG keys that are then imported to the operators keys and used by SOPS later in the script. It is still possible to set CK8S_PGP_FP manually, but I removed the support for using .sops.yaml file as I deemed it not necessary for what we want this command to achieve. Let me know what you think.