Add SPIRE entries to sysdump
This adds an export of the SPIRE server entries to the sysdump.
This can be used to detect any initial Cilium access entry issues
as well as any sync issues with the operator.

Signed-off-by: Maartje Eyskens <maartje.eyskens@isovalent.com>
meyskens committed Oct 23, 2023

1 parent 75c850c commit e831f26
Showing 2 changed files with 52 additions and 0 deletions.
2 changes: 2 additions & 0 deletions sysdump/constants.go
@@ -33,6 +33,7 @@ const (
hubbleRelayContainerName = defaults.RelayContainerName
hubbleRelayDeploymentName = defaults.RelayDeploymentName
hubbleUIDeploymentName = defaults.HubbleUIDeploymentName
spireServerContainerName = "spire-server"
redacted = "XXXXXX"
)

@@ -51,6 +52,7 @@ const (
ciliumSPIREAgentConfigMapFileName = "cilium-spire-agent-configmap-<ts>.yaml"
ciliumSPIREServerStatefulSetFileName = "cilium-spire-server-statefulset-<ts>.yaml"
ciliumSPIREServerConfigMapFileName = "cilium-spire-server-configmap-<ts>.yaml"
ciliumSPIREServerEntriesFileName = "cilium-spire-server-entries-%s-<ts>.json"
ciliumIngressesFileName = "ciliumingresses-<ts>.yaml"
ciliumEgressNATPoliciesFileName = "ciliumegressnatpolicies-<ts>.yaml"
ciliumEgressGatewayPoliciesFileName = "ciliumegressgatewaypolicies-<ts>.yaml"
50 changes: 50 additions & 0 deletions sysdump/sysdump.go
@@ -1590,6 +1590,23 @@ func (c *Collector) getSPIRETasks() []Task {
return nil
},
},
{
CreatesSubtasks: true,
Description: "Collecting the Cilium SPIRE server identity entries",
Quick: false,
Task: func(ctx context.Context) error {
p, err := c.Client.ListPods(ctx, c.Options.CiliumSPIRENamespace, metav1.ListOptions{
LabelSelector: c.Options.CiliumSPIREServerLabelSelector,
})
if err != nil {
return fmt.Errorf("failed to get identity entries from Cilium SPIRE server pods")
}
if err := c.submitSpireEntriesTasks(FilterPods(p, c.NodeList)); err != nil {
return fmt.Errorf("failed to collect identity entries from Cilium SPIRE server pods")
}
return nil
},
},
}
}

@@ -1908,6 +1925,39 @@ func (c *Collector) submitHubbleFlowsTasks(_ context.Context, pods []*corev1.Pod
return nil
}

func (c *Collector) submitSpireEntriesTasks(pods []*corev1.Pod) error {
for _, p := range pods {
p := p
if err := c.Pool.Submit(fmt.Sprintf("spire-entries-"+p.Name), func(ctx context.Context) error {
p, containerName, cleanupFunc, err := c.ensureExecTarget(ctx, p, spireServerContainerName)
if err != nil {
return fmt.Errorf("failed to pick exec target: %w", err)
}
defer func() {
err := cleanupFunc(ctx)
if err != nil {
c.logWarn("Failed to clean up exec target: %v", err)
}
}()

command := []string{"/opt/spire/bin/spire-server", "entry", "show", "-output", "json"}
o, err := c.Client.ExecInPod(ctx, p.Namespace, p.Name, containerName, command)
if err != nil {
return fmt.Errorf("failed to collect 'spire-server' output for %q in namespace %q: %w", p.Name, p.Namespace, err)
}

if err := c.WriteBytes(fmt.Sprintf(ciliumSPIREServerEntriesFileName, p.Name), o.Bytes()); err != nil {
return fmt.Errorf("failed to write spireserver stdout for %q in namespace %q: %w", p.Name, p.Namespace, err)
}

return nil
}); err != nil {
return fmt.Errorf("failed to submit SPIRE entries task for %q: %w", p.Name, err)
}
}
return nil
}

func extractGopsPID(output string) (string, error) {
entries := strings.Split(output, "\n")
for _, entry := range entries {
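Review bot: Both error returns in the new "Collecting the Cilium SPIRE server identity entries" task discard the underlying error, and the first message describes the wrong operation (that call lists pods, not entries); prefer `return fmt.Errorf("failed to list Cilium SPIRE server pods: %w", err)` and `return fmt.Errorf("failed to collect identity entries from Cilium SPIRE server pods: %w", err)`, matching the `%w` wrapping used inside submitSpireEntriesTasks. In submitSpireEntriesTasks, `fmt.Sprintf("spire-entries-"+p.Name)` passes a non-constant format string built from the pod name, so a `%` in the name would be interpreted as a verb and go vet flags it; `"spire-entries-"+p.Name` is the intended value. The function also has no doc comment; add `// submitSpireEntriesTasks submits one pool task per SPIRE server pod that runs "spire-server entry show -output json" in the server container and writes the JSON output to the sysdump.` The entry list is written verbatim via WriteBytes; if any of its fields are treated as sensitive in this dump, it should go through the same redaction path the file's `redacted` constant is used for.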
