Create CAD remediation for UpgradeConfigSyncFailureOver4HrSRE (#430)

* Initial working commit that checks if user is banned and gets pull secret from cluster

* working changes.

* Working code that compares OCM and cluster pull secrets.

* working with test.

* Added step by step in readme to integration test OCM vs Cluster pull-secret.

* added better instruction

* removed accidental new line

* fixed error variable naming

* Added better notes and cleanup uneeded lines.

* fixed spacing for linter

Author: Mhodesty

pkg/investigations/registry.go

@@ -7,6 +7,7 @@ import (
 	"github.com/openshift/configuration-anomaly-detection/pkg/investigations/cpd"
 	"github.com/openshift/configuration-anomaly-detection/pkg/investigations/insightsoperatordown"
 	"github.com/openshift/configuration-anomaly-detection/pkg/investigations/investigation"
+	"github.com/openshift/configuration-anomaly-detection/pkg/investigations/upgradeconfigsyncfailureover4hr"
 )
 
 // availableInvestigations holds all Investigation implementations.
@@ -16,6 +17,7 @@ var availableInvestigations = []investigation.Investigation{
 	&clustermonitoringerrorbudgetburn.Investigation{},
 	&cpd.Investigation{},
 	&insightsoperatordown.Investigation{},
+	&upgradeconfigsyncfailureover4hr.Investigation{},
 }
 
 // GetInvestigation returns the first Investigation that applies to the given alert title.

pkg/investigations/upgradeconfigsyncfailureover4hr/README.md

@@ -0,0 +1,28 @@
+# upgradeconfigsyncfailureover4hr Investigation
+
+Package upgradeconfigsyncfailureover4hr contains functionality for the UpgradeConfigSyncFailureOver4HrSRE investigation
+
+### Integration test for Secret Key check
+In order to integration test the logic for checking the pull-secret in OCM vs the pull-secret on your cluster you'll need to do a few things.
+
+ 1. Set up a cluster and test incident in pagerduty as you would for any CAD investigation test. 
+ 2. Get the pull secret from the cluster and output it to a file.
+
+     `oc get secret pull-secret -ojson -n openshift-config --as backplane-cluster-admin > backup_pull_secret.json`
+ 3. Make a copy of the file you just created for easy backup. We'll be making edits later to the copied file.
+     `cp backup_pull_secret.json broken_pull_secret.json
+ 4. Decrypt the .dockerconfigjson entry. The easiest way to do this is to copy the whole part in quotes to your clipboard, echo it in your terminal, and pipe it through `base64 -d` and save the output in a separate file.
+
+     `echo $copied value | base64 -d`
+ 5. Find the entry for registry.connect.redhat.com and copy the encrypted value for the auth entry. Exclude the quotes again. Repeat the process of de-encrypting this value using `base64 -d`
+
+     `echo $copied_value | base64 -d`
+ 6. Edit this value in a text editor and change the value after the colon. Leave the preceeding value before the colon as it is. 
+ 7. Do the encryption process detailed above backwards. First you'll need to encrypt your new pull-secret.dockerconfigjson.registry.connect.redhat.com.auth value (the one we just changed). Simply echo it on your command line and pipe it into base64. Place the whole value in single quotes to avoid any text parsing issues. 
+
+     `echo $changed_value | base64`
+ 8. Replace that value in the registry.connect.redhat.com.auth value in your decrypted .dockerconfigjson you saved in step 4 then base64 encrypt the whole thing. Take that encrypted value and replace the encrypted .dockerconfigjson value in your broken_pull_secret.json file.
+ 9. Apply the newly broken pull-secret json file to your cluster using oc apply.
+ 
+     `oc apply -f broken_pull_secret.json --as backplane-cluster-admin`
+ 10. Re run your test according to the CAD readme. This should return a warning in the logs `⚠️ Pull secret does not match on cluster and in OCM` and apply the same message to the pagerduty incident.

pkg/investigations/upgradeconfigsyncfailureover4hr/upgradeconfigsyncfailureover4hr.go

@@ -0,0 +1,125 @@
+// Package upgradeconfigsyncfailureover4hr contains functionality for the UpgradeConfigSyncFailureOver4HrSRE investigation
+package upgradeconfigsyncfailureover4hr
+
+import (
+	"context"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"strings"
+
+	v1 "github.com/openshift-online/ocm-sdk-go/accountsmgmt/v1"
+	"github.com/openshift/configuration-anomaly-detection/pkg/investigations/investigation"
+	k8sclient "github.com/openshift/configuration-anomaly-detection/pkg/k8s"
+	"github.com/openshift/configuration-anomaly-detection/pkg/logging"
+	"github.com/openshift/configuration-anomaly-detection/pkg/notewriter"
+	ocm "github.com/openshift/configuration-anomaly-detection/pkg/ocm"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+type Investigation struct{}
+
+const (
+	alertname       = "UpgradeConfigSyncFailureOver4HrSRE"
+	remediationName = "upgradeconfigsyncfailureover4hr"
+)
+
+func (c *Investigation) Run(r *investigation.Resources) (investigation.InvestigationResult, error) {
+	result := investigation.InvestigationResult{}
+	notes := notewriter.New("UpgradeConfigSyncFailureOver4Hr", logging.RawLogger)
+	k8scli, err := k8sclient.New(r.Cluster.ID(), r.OcmClient, remediationName)
+	if err != nil {
+		return result, fmt.Errorf("unable to initialize k8s cli: %w", err)
+	}
+	defer func() {
+		deferErr := k8sclient.Cleanup(r.Cluster.ID(), r.OcmClient, remediationName)
+		if deferErr != nil {
+			logging.Error(deferErr)
+			err = errors.Join(err, deferErr)
+		}
+	}()
+	logging.Infof("Checking if user is Banned.")
+	userBannedStatus, userBannedNotes, err := ocm.CheckIfUserBanned(r.OcmClient, r.Cluster)
+	if err != nil {
+		notes.AppendWarning("encountered an issue when checking if the cluster owner is banned: %s\nPlease investigate.", err)
+		return result, r.PdClient.EscalateIncidentWithNote(notes.String())
+	}
+	if userBannedStatus {
+		notes.AppendWarning(userBannedNotes)
+	} else {
+		notes.AppendSuccess("User is not banned.")
+	}
+	user, err := ocm.GetCreatorFromCluster(r.OcmClient.GetConnection(), r.Cluster)
+	logging.Infof("User ID is: %v", user.ID())
+	clusterSecretToken, note, err := getClusterPullSecret(k8scli)
+	if err != nil {
+		notes.AppendWarning("Failre getting ClusterSecret: %s", err)
+		return result, r.PdClient.EscalateIncidentWithNote(notes.String())
+	}
+	if note != "" {
+		notes.AppendWarning(note)
+	}
+	registryCredential, err := ocm.GetOCMPullSecret(r.OcmClient.GetConnection(), user.ID())
+	if err != nil {
+		notes.AppendWarning("Error getting OCMPullSecret: %s", err)
+		return result, r.PdClient.EscalateIncidentWithNote(notes.String())
+	}
+	if clusterSecretToken == registryCredential {
+		notes.AppendSuccess("Pull Secret matches on cluster and in OCM. Please continue investigation.")
+	} else {
+		notes.AppendWarning("Pull secret does not match on cluster and in OCM.")
+	}
+	return result, r.PdClient.EscalateIncidentWithNote(notes.String())
+}
+
+func getClusterPullSecret(k8scli client.Client) (secretToken string, note string, err error) {
+	secret := &corev1.Secret{}
+	err = k8scli.Get(context.TODO(), types.NamespacedName{
+		Namespace: "openshift-config",
+		Name:      "pull-secret",
+	}, secret)
+	if err != nil {
+		return "", "", err
+	}
+	if secret.Data == nil {
+		return "", "Cluster pull secret Data is empty.", err
+	}
+	secretValue, exists := secret.Data[".dockerconfigjson"]
+	if !exists {
+		return "", "Cluster pull secret does not contain the necessary .dockerconfigjson", err
+	}
+
+	dockerConfigJson, err := v1.UnmarshalAccessToken(secretValue)
+	if err != nil {
+		return "", "", err
+	}
+	_, exists = dockerConfigJson.Auths()["cloud.openshift.com"]
+	if !exists {
+		return "", "cloud.openshift.com value not found in clusterPullSecret. This means there is an issue with the pull secret on the cluster.", err
+	}
+
+	value, err := base64.StdEncoding.DecodeString(dockerConfigJson.Auths()["registry.connect.redhat.com"].Auth())
+	if err != nil {
+		return "", "", err
+	}
+	_, splitValue, _ := strings.Cut(string(value), ":")
+	return splitValue, "", nil
+}
+
+func (c *Investigation) Name() string {
+	return "UpgradeConfigSyncFailureOver4hr"
+}
+
+func (c *Investigation) Description() string {
+	return "Investigates the UpgradeConfigSyncFailureOver4hr alert"
+}
+
+func (c *Investigation) ShouldInvestigateAlert(alert string) bool {
+	return strings.Contains(alert, "UpgradeConfigSyncFailureOver4HrSRE")
+}
+
+func (c *Investigation) IsExperimental() bool {
+	return false
+}

pkg/investigations/upgradeconfigsyncfailureover4hr/upgradeconfigsyncfailureover4hr_test.go

@@ -0,0 +1,65 @@
+package upgradeconfigsyncfailureover4hr
+
+import (
+	"strings"
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+)
+
+func TestGetClusterPullSecret(t *testing.T) {
+	tests := []struct {
+		name         string
+		data         string
+		secretToken  string
+		expectError  bool
+		expectedNote string
+	}{
+		{
+			name:        "happy path",
+			data:        "{\"auths\":{\"950916221866.dkr.ecr.us-east-1.amazonaws.com\":{\"auth\":\"testTokenValue\",\"email\":\"\"},\"cloud.openshift.com\":{\"auth\":\"TestAuthValue\",\"email\":\"[email protected]\"},\"pull.q1w2.quay.rhcloud.com\":{\"auth\":\"TestQuayAuthValue\"},\"quay.io\":{\"auth\":\"TestPersonalAuthValue\",\"email\":\"[email protected]\"},\"registry.ci.openshift.org\":{\"auth\":\"TestRegistry-connect-redhat-com-value\"},\"registry.connect.redhat.com\":{\"auth\":\"dWhjLXBvb2wtdGVzdC1wb29sLXZhbHVlLWhlcmU6Q29ycmVjdFZhbHVlCg==\"},\"registry.redhat.io\":{\"auth\":\"TestPersonalTokenTwo\",\"email\":\"[email protected]\"}}}",
+			secretToken: "CorrectValue\n",
+			expectError: false,
+		},
+		{
+			name:        "Value mismatch",
+			data:        "{\"auths\":{\"950916221866.dkr.ecr.us-east-1.amazonaws.com\":{\"auth\":\"testTokenValue\",\"email\":\"\"},\"cloud.openshift.com\":{\"auth\":\"TestAuthValue\",\"email\":\"[email protected]\"},\"pull.q1w2.quay.rhcloud.com\":{\"auth\":\"TestQuayAuthValue\"},\"quay.io\":{\"auth\":\"TestPersonalAuthValue\",\"email\":\"[email protected]\"},\"registry.ci.openshift.org\":{\"auth\":\"TestRegistry-connect-redhat-com-value\"},\"registry.connect.redhat.com\":{\"auth\":\"dWhjLXBvb2wtdGVzdC1wb29sLXZhbHVlLWhlcmU6Q29ycmVjdFZhbHVlCg==\"},\"registry.redhat.io\":{\"auth\":\"TestPersonalTokenTwo\",\"email\":\"[email protected]\"}}}",
+			secretToken: "IncorrectValue\n",
+			expectError: true,
+		},
+		{
+			name:         "No entry for cloud.openshift.com",
+			data:         "{\"auths\":{\"950916221866.dkr.ecr.us-east-1.amazonaws.com\":{\"auth\":\"testTokenValue\",\"email\":\"\"},\"MissingValue\":{\"auth\":\"TestAuthValue\",\"email\":\"[email protected]\"},\"pull.q1w2.quay.rhcloud.com\":{\"auth\":\"TestQuayAuthValue\"},\"quay.io\":{\"auth\":\"TestPersonalAuthValue\",\"email\":\"[email protected]\"},\"registry.ci.openshift.org\":{\"auth\":\"TestRegistry-connect-redhat-com-value\"},\"registry.connect.redhat.com\":{\"auth\":\"dWhjLXBvb2wtdGVzdC1wb29sLXZhbHVlLWhlcmU6Q29ycmVjdFZhbHVlCg==\"},\"registry.redhat.io\":{\"auth\":\"TestPersonalTokenTwo\",\"email\":\"[email protected]\"}}}",
+			secretToken:  "IncorrectValue\n",
+			expectError:  true,
+			expectedNote: "cloud.openshift.com value not found in clusterPullSecret",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			secretTest := &corev1.Secret{
+				ObjectMeta: v1.ObjectMeta{
+					Name:      "pull-secret",
+					Namespace: "openshift-config",
+				},
+				Type: corev1.DockerConfigJsonKey,
+				Data: map[string][]byte{
+					".dockerconfigjson": []byte(tt.data),
+				},
+			}
+			k8scli := fake.NewClientBuilder().WithObjects(secretTest).Build()
+			result, note, _ := getClusterPullSecret(k8scli)
+			if result != tt.secretToken {
+				if !strings.Contains(note, tt.expectedNote) {
+					t.Errorf("Expected note message: %s. Got %s", tt.expectedNote, note)
+				}
+				if !tt.expectError {
+					t.Errorf("expected token %s to match %s", result, tt.secretToken)
+				}
+			}
+		})
+	}
+}

pkg/ocm/ocm.go

@@ -310,6 +310,20 @@ func (c *SdkClient) IsAccessProtected(cluster *cmv1.Cluster) (bool, error) {
 	return enabled, nil
 }
 
+func CheckIfUserBanned(ocmClient Client, cluster *cmv1.Cluster) (bool, string, error) {
+	user, err := GetCreatorFromCluster(ocmClient.GetConnection(), cluster)
+	if err != nil {
+		return false, "encountered an issue when checking if the cluster owner is banned. Please investigate.", err
+	}
+
+	if user.Banned() {
+		noteMessage := fmt.Sprintf("User is banned %s. Ban description %s.\n Please open a proactive case, so that MCS can resolve the ban or organize a ownership transfer.", user.BanCode(), user.BanDescription())
+		logging.Warnf(noteMessage)
+		return true, noteMessage, nil
+	}
+	return false, "User is not banned.", nil
+}
+
 func GetCreatorFromCluster(ocmConn *sdk.Connection, cluster *cmv1.Cluster) (*amv1.Account, error) {
 	logging.Debugf("Getting subscription from cluster: %s", cluster.ID())
 	cmv1Subscription, ok := cluster.GetSubscription()
@@ -336,3 +350,21 @@ func GetCreatorFromCluster(ocmConn *sdk.Connection, cluster *cmv1.Cluster) (*amv
 	}
 	return creator, nil
 }
+
+func GetOCMPullSecret(ocmConn *sdk.Connection, userID string) (string, error) {
+	searchString := fmt.Sprintf("account_id = '%s'", userID)
+	var registryCredentialToken string
+	registryCredentials, err := ocmConn.AccountsMgmt().V1().RegistryCredentials().List().Search(searchString).Send()
+	if err != nil {
+		return "", err
+	}
+	for _, tempToken := range registryCredentials.Items().Items() {
+		if tempToken.Registry().ID() == "Redhat_registry.redhat.io" {
+			registryCredentialToken = tempToken.Token()
+		}
+	}
+	if registryCredentialToken == "" {
+		return "", errors.New("failed to parse pull secret from OCM")
+	}
+	return registryCredentialToken, nil
+}