[release-0.3] Improved Scripts and Logs (#131)

* improve scripts, silent logs

* improve scripts, silent logs

* improve scripts, silent logs

Co-authored-by: David Hadas <david.hadas@gmail.com>

Author: knative-prow-robot

cmd/guard-service/main.go

@@ -245,6 +245,12 @@ func main() {
 	// start a mainLoop
 	go l.mainEventLoop(quit)
 
+	if env.GuardServiceAuth {
+		pi.Log.Infof("Token turned on - clients identity is confirmed")
+	} else {
+		pi.Log.Infof("Token turned off - clients identity is not confirmed")
+	}
+
 	if env.GuardServiceTls {
 		pi.Log.Infof("TLS turned on")
 		srv := &http.Server{
@@ -269,6 +275,7 @@ func main() {
 		pi.Log.Infof("TLS turned off")
 		err = http.ListenAndServe(target, mux)
 	}
+
 	pi.Log.Infof("Using target: %s - Failed to start %v", target, err)
 	quit <- "ListenAndServe failed"
 }

config/deploy/guard-service.yaml

@@ -37,7 +37,7 @@ spec:
           - name: GUARD_SERVICE_AUTH
             value: "false"
           - name: GUARD_SERVICE_LOG_LEVEL
-            value: "debug"
+            value: "info"
 ---
 apiVersion: v1
 kind: Service

hack/installUsingOperatorWithTLS.sh

@@ -14,9 +14,6 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-
-# Set the ROOT_CA and token audiences
-
 echo "Copy the certificate to file"
 ROOTCA="$(mktemp)"
 FILENAME=`basename $ROOTCA`
@@ -28,6 +25,7 @@ CERT=`kubectl create cm config-deployment --from-file $ROOTCA -o json --dry-run=
 echo "cleanup"
 rm $ROOTCA
 
+echo "Apply new Knative Operator configuration"
 kubectl apply --filename - <<EOF
 apiVersion: v1
 kind: Namespace

hack/installUsingOperatorWithoutTLS.sh

@@ -1,3 +1,20 @@
+#!/usr/bin/env bash
+
+# Copyright 2022 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+echo "Apply new Knative Operator configuration"
 kubectl apply --filename - <<EOF
 apiVersion: v1
 kind: Namespace

hack/setTLS.sh

@@ -17,31 +17,23 @@
 
 # Set the ROOT_CA and token audiences
 
-echo "Copy the certificate to file"
+echo "Add TLS and Tokens to guard-service"
+kubectl patch deployment guard-service -n knative-serving -p '{"spec":{"template":{"spec":{"containers":[{"name":"guard-service","env":[{"name": "GUARD_SERVICE_TLS", "value": "true"}, {"name": "GUARD_SERVICE_AUTH", "value": "true"}]}]}}}}'
+
+echo "Copy the certificate to a temporary file"
 ROOTCA="$(mktemp)"
 FILENAME=`basename $ROOTCA`
 kubectl get secret -n knative-serving knative-serving-certs -o json| jq -r '.data."ca-cert.pem"' | base64 -d >  $ROOTCA
 
-echo "Create a temporary config-deployment configmap with the certificate"
+echo "Get the certificate in a configmap friendly form"
 CERT=`kubectl create cm config-deployment --from-file $ROOTCA -o json --dry-run=client |jq .data.\"$FILENAME\"`
 
-echo "Get the current config-deployment configmap"
-CURRENT="$(mktemp)"
-kubectl get cm config-deployment -n knative-serving -o json | jq 'del(.data, .binaryData | ."queue-sidecar-token-audiences", ."queue-sidecar-rootca" )' > $CURRENT
-
-echo "Add queue-sidecar-token-audiences"
-AUDIENCES="$(mktemp)"
-jq '.data |= . + { "queue-sidecar-token-audiences": "guard-service"}' $CURRENT > $AUDIENCES
-
-echo "Join the two config-deployment configmaps into one"
-MERGED="$(mktemp)"
-jq  --arg cert "${CERT}" '.data  |= . + { "queue-sidecar-rootca": $cert}' $AUDIENCES > $MERGED
-
-echo "Apply the joined config-deployment configmap"
-kubectl apply -f $MERGED -n knative-serving
+echo "Add TLS and Tokens to config-deployment configmap"
+kubectl patch cm config-deployment -n knative-serving -p '{"data":{"queue-sidecar-token-audiences": "guard-service", "queue-sidecar-rootca": '"$CERT"'}}'
 
 echo "cleanup"
-rm $MERGED $AUDIENCES $ROOTCA $CURRENT
+rm  $ROOTCA
 
 echo "Results:"
 kubectl get cm config-deployment -n knative-serving -o json|jq '.data'
+kubectl get deployment guard-service -n knative-serving -o json|jq .spec.template.spec.containers[0].env

hack/unsetTLS.sh

@@ -17,15 +17,12 @@
 
 # Unset the ROOT_CA and token audiences
 
-echo "Get the current config-deployment configmap"
-CURRENT="$(mktemp)"
-kubectl get cm config-deployment -n knative-serving -o json | jq 'del(.data, .binaryData | ."queue-sidecar-token-audiences", ."queue-sidecar-rootca" )' > $CURRENT
+echo "Remove TLS and Tokens from  guard-service"
+kubectl patch deployment guard-service -n knative-serving -p '{"spec":{"template":{"spec":{"containers":[{"name":"guard-service","env":[{"name": "GUARD_SERVICE_TLS", "value": "false"}, {"name": "GUARD_SERVICE_AUTH", "value": "false"}]}]}}}}'
 
-echo "Apply the joined config-deployment configmap"
-kubectl apply -f $CURRENT -n knative-serving
-
-echo "cleanup"
-rm $CURRENT
+echo "Remove TLS and Tokens from config-deployment configmap"
+kubectl patch cm config-deployment -n knative-serving -p '{"data":{"queue-sidecar-token-audiences": "", "queue-sidecar-rootca": ""}}'
 
 echo "Results:"
 kubectl get cm config-deployment -n knative-serving -o json|jq '.data'
+kubectl get deployment guard-service -n knative-serving -o json|jq .spec.template.spec.containers[0].env

pkg/guard-gate/client.go

@@ -71,7 +71,7 @@ func (hc *httpClient) ReadToken(audience string) {
 	b, err := os.ReadFile(path.Join("/var/run/secrets/tokens", audience))
 
 	if err != nil {
-		pi.Log.Infof("Token %s is missing - working without token", audience)
+		pi.Log.Debugf("Token %s is missing - working without token", audience)
 		hc.missingToken = true
 		return
 	}
@@ -112,7 +112,6 @@ func (srv *gateClient) initKubeMgr() {
 
 func (srv *gateClient) initHttpClient(certPool *x509.CertPool) {
 	client := new(httpClient)
-	pi.Log.Infof("initHttpClient using ServerName %s\n", certificates.FakeDnsName)
 	client.client.Transport = &http.Transport{
 		MaxConnsPerHost:     0,
 		MaxIdleConns:        0,
@@ -158,7 +157,7 @@ func (srv *gateClient) reportPile() {
 		query.Add("cm", "true")
 	}
 	req.URL.RawQuery = query.Encode()
-	pi.Log.Infof("Reporting a pile with pileCount %d records to guard-service", srv.pile.Count)
+	pi.Log.Debugf("Reporting a pile with pileCount %d records to guard-service", srv.pile.Count)
 
 	res, postErr := srv.httpClient.Do(req)
 	if postErr != nil {

pkg/guard-gate/gate.go

@@ -54,7 +54,7 @@ type plug struct {
 }
 
 func (p *plug) Shutdown() {
-	pi.Log.Infof("%s: Shutdown", p.name)
+	pi.Log.Debugf("%s: Shutdown", p.name)
 	p.gateState.flushPile()
 }
 
@@ -124,8 +124,7 @@ func (p *plug) guardMainEventLoop(ctx context.Context) {
 		p.reportPileTicker.Stop()
 		p.podMonitorTicker.Stop()
 		p.gateState.flushPile()
-		pi.Log.Infof("Statistics: %s", p.gateState.stat.Log())
-		pi.Log.Infof("%s Done!", plugName)
+		pi.Log.Infof("%s: Done with the following statistics: %s", plugName, p.gateState.stat.Log())
 	}()
 
 	for {
@@ -151,6 +150,7 @@ func (p *plug) guardMainEventLoop(ctx context.Context) {
 func (p *plug) preInit(ctx context.Context, c map[string]string, sid string, ns string, logger pi.Logger) (context.Context, context.CancelFunc) {
 	var ok bool
 	var v string
+	var loadInterval, pileInterval, monitorInterval string
 
 	ctx, cancelFunction := context.WithCancel(ctx)
 
@@ -176,21 +176,22 @@ func (p *plug) preInit(ctx context.Context, c map[string]string, sid string, ns
 		if v, ok = c["monitor-pod"]; ok && !strings.EqualFold(v, "true") {
 			monitorPod = false
 		}
-		p.guardianLoadTicker = utils.NewTicker(utils.MinimumInterval)
-		p.reportPileTicker = utils.NewTicker(utils.MinimumInterval)
-		p.podMonitorTicker = utils.NewTicker(utils.MinimumInterval)
-		p.guardianLoadTicker.Parse(c["guardian-load-interval"], guardianLoadIntervalDefault)
-		p.reportPileTicker.Parse(c["report-pile-interval"], reportPileIntervalDefault)
-		p.podMonitorTicker.Parse(c["pod-monitor-interval"], podMonitorIntervalDefault)
-
-		pi.Log.Debugf("guard-gate configuration: sid=%s, ns=%s, useCm=%t, guardUrl=%s, p.monitorPod=%t, guardian-load-interval %v, report-pile-interval %v, pod-monitor-interval %v",
-			sid, ns, useCm, guardServiceUrl, monitorPod, c["guardian-load-interval"], c["report-pile-interval"], c["pod-monitor-interval"])
-	} else {
-		p.guardianLoadTicker.Parse("", guardianLoadIntervalDefault)
-		p.reportPileTicker.Parse("", reportPileIntervalDefault)
-		p.podMonitorTicker.Parse("", podMonitorIntervalDefault)
+		loadInterval = c["guardian-load-interval"]
+		pileInterval = c["report-pile-interval"]
+		monitorInterval = c["pod-monitor-interval"]
 	}
 
+	p.guardianLoadTicker = utils.NewTicker(utils.MinimumInterval)
+	p.reportPileTicker = utils.NewTicker(utils.MinimumInterval)
+	p.podMonitorTicker = utils.NewTicker(utils.MinimumInterval)
+
+	p.guardianLoadTicker.Parse(loadInterval, guardianLoadIntervalDefault)
+	p.reportPileTicker.Parse(pileInterval, reportPileIntervalDefault)
+	p.podMonitorTicker.Parse(monitorInterval, podMonitorIntervalDefault)
+
+	pi.Log.Debugf("guard-gate configuration: sid=%s, ns=%s, useCm=%t, guardUrl=%s, p.monitorPod=%t, guardian-load-interval %v, report-pile-interval %v, pod-monitor-interval %v",
+		sid, ns, useCm, guardServiceUrl, monitorPod, loadInterval, pileInterval, monitorInterval)
+
 	// serviceName should never be "ns.{namespace}" as this is a reserved name
 	if strings.HasPrefix(sid, "ns.") {
 		// mandatory
@@ -199,7 +200,6 @@ func (p *plug) preInit(ctx context.Context, c map[string]string, sid string, ns
 
 	p.gateState = new(gateState)
 	p.gateState.init(cancelFunction, monitorPod, guardServiceUrl, sid, ns, useCm)
-	pi.Log.Infof("guardServiceUrl %s", guardServiceUrl)
 	return ctx, cancelFunction
 }
 

pkg/guard-gate/state.go

@@ -56,7 +56,7 @@ func (gs *gateState) init(cancelFunc context.CancelFunc, monitorPod bool, guardS
 
 	if rootCA := os.Getenv("ROOT_CA"); rootCA != "" {
 		if ok := gs.certPool.AppendCertsFromPEM([]byte(rootCA)); ok {
-			pi.Log.Infof("TLS: Success adding ROOT_CA")
+			pi.Log.Debugf("TLS: Success adding ROOT_CA")
 		} else {
 			pi.Log.Infof("TLS: Failed to AppendCertsFromPEM from ROOT_CA")
 		}

pkg/guard-kubemgr/watcher.go

@@ -126,7 +126,7 @@ func (k *KubeMgr) WatchOnce(ns string, cmFlag bool, set func(ns string, sid stri
 				gdata := []byte(cm.Data["Guardian"])
 				jsonErr := json.Unmarshal(gdata, g)
 				if jsonErr != nil {
-					pi.Log.Infof("wsgate getConfig: unmarshel error %v\n", jsonErr)
+					pi.Log.Infof("wsgate getConfig sid=%s, ns=%s: unmarshel error %v\n", sid, ns, jsonErr)
 					set(ns, sid, cmFlag, nil)
 					continue
 				}