MCO-1685: Add mco-sanitize utility main logic

[pablintino]

• What I did

This change adds the missing pieces of the mco-sanitizer to finish its implementation, including encryption and a brief README.

• How to verify it

1. Create an OCP cluster (the version is not relevant) and create a must-gather of it. Preserve a separated copy of it, as to properly test it we need to run the sanitizer twice.
2. Run the tool: ./mco-sanitize --input /path/to/must-gather-directory. Check if the CRs of the MCO directories are properly sanitized and that are safe to push.
3. Restore the content of the must-gather with the backup.
4. Run the tool: ./mco-sanitize --input /path/to/must-gather-directory --output encrypted.tar.gz. Check that the output file is encrypted.

• Description for the changelog

Implements the main functionality of the mco-sanitizer.

[openshift-ci-robot]

@pablintino: This pull request references MCO-1685 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

• What I did

This change adds the main content of the mco-sanitizer, the utility binary that takes a must-gather directory and removes/sanitizes the content based on some given configuration.
This change is is missing the encryption part and a proper README that will come with a follow up PR.

• How to verify it

UT testing is enough to test this PR.

• Description for the changelog

Implements the main functionality of the mco-sanitizer.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[isabella-janssen]

/lgtm

The changes look fair & I see that the unit tests for the new functionality are passing.

[pablintino]

/verified bypass
The content delivered by this PR is tested by UTs. The entire content will be tested by QE when the entire feature is pushed.

[openshift-ci-robot]

@pablintino: The verified label has been added.

In response to this:

/verified bypass
The content delivered by this PR is tested by UTs. The entire content will be tested by QE when the entire feature is pushed.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pablintino]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 4f14943 and 2 for PR HEAD e348dff in total

[openshift-ci-robot]

@pablintino: This pull request references MCO-1685 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

In response to this:

• What I did

This change adds the missing pieces of the mco-sanitizer to finish its implementation, including encryption and a brief README.

• How to verify it

1. Create an OCP cluster (the version is not relevant) and create a must-gather of it. Preserve a separated copy of it, as to properly test it we need to run the sanitizer twice.
2. Run the tool: ./mco-sanitize --input /path/to/must-gather-directory. Check if the CRs of the MCO directories are properly sanitized and that are safe to push.
3. Restore the content of the must-gather with the backup.
4. Run the tool: ./mco-sanitize --input /path/to/must-gather-directory --output encrypted.tar.gz. Check that the output file is encrypted.

• Description for the changelog

Implements the main functionality of the mco-sanitizer.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pablintino]

/retest-required

[ptalgulk01]

Pre-merge tested

Steps to use the tool

• Pull the PR

$ go build -o mco-sanitize ./devex/cmd/mco-sanitize
$ ./mco-sanitize  --help
Removes MCO sensitive information from a must-gather report

Usage:
  mco-sanitize [flags]

Flags:
  -h, --help                           help for mco-sanitize
      --input string                   Path to the must-gather directory.
      --log-flush-frequency duration   Maximum number of seconds between log flushes (default 5s)
      --output string                  Path to where the tar.gz output should be saved.
  -v, --v Level                        number for the log level verbosity
      --vmodule moduleSpec             comma-separated list of pattern=N settings for file-filtered logging (only works for the default text log format)
      --workers int                    Worker count. Defaults to CPU core count. (default 16)

• Passed the must-gather path

$ ./mco-sanitize --input ~/Downloads/kubeconfig/mco-san
I0929 17:02:32.384842  240444 walker.go:133] file quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-481f13f1ad180f6d58021969d12153a4a19072b6328de279ca4a8da10cbcf0d7/cluster-scoped-resources/machineconfiguration.openshift.io/machineconfigs/97-worker-generated-kubelet.yaml redacted
I0929 17:02:32.384990  240444 walker.go:133] file quay-io-openshift-release-dev-ocp-v4-0-art-dev-sha256-481f13f1ad180f6d58021969d12153a4a19072b6328de279ca4a8da10cbcf0d7/cluster-scoped-resources/machineconfiguration.openshift.io/machineconfigs/01-master-container-runtime.yaml redacted
....

WITH REDACTED

$ omc get mc 98-master-generated-kubelet -o yaml
spec:
 ...
    storage:
      files:
      - contents:
          _REDACTED: This field has been redacted
          length: 6502

WITHOUT REDACTED

$ omc get mc 98-master-generated-kubelet -o yaml
spec:
 ...
    storage:
      files:
      - contents:
          compression: ""
          source: data:text/plain;charset=utf-8;base64,YXBpVmVyc2lvbjoga3ViZWxldC5jb25maWcuazhzLm

• To get the encrypted tar file and to decrypt the tar file

$ gpg --full-generate-key # generate your gpg-key
$  gpg --armour --export ,email.id> public-key.asc
$ export MCO_MUST_GATHER_SANITIZER_KEY="$(base64 -w 0 < public-key.asc )"
$  echo $MCO_MUST_GATHER_SANITIZER_KEY   
$ ./mco-sanitize --input mco-san --output encrypted.tar.gz
$ gpg --decrypt encrypted.tar.gz > decrypted.tar.gz    
$ tar -xvf  decrypted.tar.gz

/qe-approved

[isabella-janssen]

/lgtm

Thanks for adding a readme!

[pablintino]

/verified bypass
Tested by QE at #5303 (comment)

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD adb087c and 1 for PR HEAD 018d259 in total

[yuqi-zhang]

ah, looks like we have a conflict. Can override the failing tests once that's been resolved.

[pablintino]

@yuqi-zhang how inconvenient :(. Fixed

[isabella-janssen]

/lgtm

Tagged was removed with a rebase, so I'm adding it back.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: isabella-janssen, pablintino

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [isabella-janssen,pablintino]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[isabella-janssen]

/retest-required

[isabella-janssen]

@pablintino I think your verified label was stripped in the rebase.

[pablintino]

/verified by QE at #5303 (comment)

[openshift-ci-robot]

@pablintino: This PR has been marked as verified by QE at https://github.com/openshift/machine-config-operator/pull/5303#issuecomment-3352336245.

In response to this:

/verified by QE at #5303 (comment)

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[pablintino]

/retest-required

[openshift-ci-robot]

/retest-required

Remaining retests: 0 against base HEAD 1c25a90 and 2 for PR HEAD 2e453ab in total

[pablintino]

/retest-required

[pablintino]

/retest

[pablintino]

/override ci/prow/e2e-aws-ovn-upgrade
/override ci/prow/e2e-aws-ovn

[openshift-ci]

@pablintino: Overrode contexts on behalf of pablintino: ci/prow/e2e-aws-ovn, ci/prow/e2e-aws-ovn-upgrade

In response to this:

/override ci/prow/e2e-aws-ovn-upgrade
/override ci/prow/e2e-aws-ovn

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[djoshy]

/override ci/prow/e2e-aws-ovn-upgrade
/override ci/prow/e2e-aws-ovn

overriding again as another PR merged, causing reruns

[openshift-ci]

@djoshy: Overrode contexts on behalf of djoshy: ci/prow/e2e-aws-ovn, ci/prow/e2e-aws-ovn-upgrade

In response to this:

/override ci/prow/e2e-aws-ovn-upgrade
/override ci/prow/e2e-aws-ovn

overriding again as another PR merged, causing reruns

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci]

@pablintino: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-mco-disruptive	2e453ab	link	false	/test e2e-aws-mco-disruptive
ci/prow/e2e-gcp-op-ocl	2e453ab	link	false	/test e2e-gcp-op-ocl
ci/prow/e2e-azure-ovn-upgrade-out-of-change	2e453ab	link	false	/test e2e-azure-ovn-upgrade-out-of-change
ci/prow/bootstrap-unit	2e453ab	link	false	/test bootstrap-unit
ci/prow/e2e-aws-ovn-upgrade-out-of-change	2e453ab	link	false	/test e2e-aws-ovn-upgrade-out-of-change
ci/prow/e2e-gcp-mco-disruptive	2e453ab	link	false	/test e2e-gcp-mco-disruptive

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.