api_server_encryption_provider_cipher rule.yml has bad jsonpath

[prb112]

Description:

• api_server_encryption_provider_cipher rule.yml has bad jsonpath

Rationale:

• The jsonpath returns nothing, with the update, it processes the write results.

Review Hints:

as-is

❯ oc get openshiftapiserver -o=jsonpath='{range.items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'

with fix:

❯ oc get openshiftapiserver -o=jsonpath='{range .items[0]}{.status.conditions[?(@.type=="Encrypted")].status}{"\n"}{end}'
False

@rhmdnd This might be you or @Vincent056 to review.

[openshift-ci]

Hi @prb112. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[github-actions]

Start a new ephemeral environment with changes proposed in this pull request:

Fedora Environment

Oracle Linux 8 Environment

[yuumasato]

@prb112 Hi,

The jsonpath itself is not wrong, but it doesn't show anything meaningful when etcd encryption is not configured.

Soon after encryption is configured it outputs the following:

oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'                                                                                                                                    
EncryptionInProgress
Resource routes.route.openshift.io is not encrypted

And when it is completed:

oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
EncryptionCompleted
All resources encrypted: routes.route.openshift.io

How about adding .status to the original jsonpath?

Suggested change

	$ oc get openshiftapiserver -o=jsonpath='{range .items[0]}{.status.conditions[?(@.type=="Encrypted")].status}{"\n"}{end}'
	$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.status}{"\n"}{.reason}{"\n"}{.message}{"\n"}{end}

[yuumasato]

I made the change on a4c0420

[qlty-cloud-legacy]

Code Climate has analyzed commit a4c0420 and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 58.5%.

View more on Code Climate.

[BhargaviGudi]

/hold for test

[BhargaviGudi]

Verification passed with 4.14.7 + compliance-operator from ComplianceAsCode

$ oc get rules upstream-ocp4-api-server-encryption-provider-cipher -ojsonpath={.instructions}
OpenShift supports encryption of data at rest of etcd datastore, but it is up to the
customer to configure. The asecbc cipher is used. No other ciphers are supported. Keys
are stored on the filesystem of the master and automatically rotated.
Run the following command to review the Encrypted status condition for the OpenShift
API server to verify that its resources were successfully encrypted:

# encrypt the etcd datastore
$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.status}{"\n"}{.reason}{"\n"}{.message}{"\n"}{end}'

The output shows EncryptionCompleted upon successful encryption.
If the output shows EncryptionInProgress this means that encryption is still in
progress. Wait a few minutes and try again.
To display the encryption configured, run the following command:
$ oc get --raw /apis/config.openshift.io/v1/apiservers/cluster | jq [.spec.encryption.type] 
If the output does not list aescbc, the encryption is not configured correctly.
$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.status}{"\n"}{.reason}{"\n"}{.message}{"\n"}{end}'
False


$ oc get --raw /apis/config.openshift.io/v1/apiservers/cluster | jq [.spec.encryption.type] 
[
  null
]

[BhargaviGudi]

/unhold

[BhargaviGudi]

label /qe-approved

[yuumasato]

Thanks @rhmdnd .
I re-run the failing testing-farm test and this time it passed.
Merging.