*: audit operator actions to hostPath volume

[hasbro17]

Partially addresses #1205

The operator will now audit the following actions for a self-hosted cluster to a hostPath volume:

• Create an etcd pod
• Delete an etcd pod
• A spec update to the cluster

To enable the auditing a hostPath volume must be mounted to the mountPath /var/tmp/ as shown below. The hostPath itself can be anything but should ideally be /var/tmp so that the operator can write to the volume even when running as the user nobody with limited write permissions.

spec:
  containers:
  - name: etcd-operator
     image: quay.io/coreos/etcd-operator:v0.4.2
        command:
        - /usr/local/bin/etcd-operator
        - --debug-logfile-path=/var/tmp/etcd-operator/debug/debug.log
    volumeMounts:
    - mountPath: /var/tmp/etcd-operator/debug
      name: debug-volume
  volumes:
  - name: debug-volume
    hostPath:
      path: /var/tmp/

The debug log file path can be specified by passing the flag debug-logfile-path to the operator.
The path specified by the flag and the mountPath should be the same.

[hongchaodeng]

Any examples what the audit log looks like?

[hongchaodeng]

There is a OperatorRoot

[xiang90]

this will always be mounted. so we need a flag to enable audit logging now.

[xiang90]

actually "audit logging" might be a bad name. probably debug logging is more suitable.

[hasbro17]

@xiang90 Actually the OperatorRoot filepath is not mounted/created before the debug logger is setup.
The OperatorRoot path is created after that by the backup manager during the cluster setup by the backup manager while creating the credentials and config files from the aws secret.
https://github.com/coreos/etcd-operator/blob/master/pkg/cluster/backupstorage/s3.go#L35-L39

Although I agree an explicit flag to enable debugging is better than silently detecting the presence of the mountPath.

My only concern now is that when you mount a hostPath to /var/tmp/etcd-operator/ for debugging, and if you set up S3 backup, the credentials and config files will be written to the hostPath as well now. Even though they are deleted later when the cluster is destroyed successfully, just wondering if this is alright.

[xiang90]

it is OK to put them under the same operator root dir. but we do not want our debug logging to be deleted by any accident.

[hasbro17]

Oh yeah the debug logging won't be deleted. Just the aws credential and config files setup by the backup manager. Alright then, I guess we're good to share the OperatorRoot for debugging.

[xiang90]

that is fine.

[hasbro17]

These logs were generated from a non-self hosted cluster creating the audit logs during testing. It was easier to perform more actions on a non-self hosted cluster to generate the audit.

I'm generating more detailed logs for a self-hosted cluster via bootkube at the moment. Will post them here once I'm done.

[hongchaodeng]

We should make this behavior explicit outside:

if selfhosted != nil {
  c.AuditLogger = NewAuditLogger()
}

[hongchaodeng]

We should provide an AuditLogger object instead of coupling it as Cluster methods.

[xiang90]

use path.join

[xiang90]

PodSpecToPrettyJSON

[hasbro17]

@xiang90 @hongchaodeng Made the changes requested. The debug logger is now a separate object that appends to a log file for the cluster.
To turn on the debug logging the following need to be true:

• The cluster must be self hosted
• A volume must be mounted at the path /var/tmp/etcd-operator/debug
• The etcd-operator flag debug must be set to true

The pod spec is not printed for pods added/deleted because that makes the output too verbose.
An update in the cluster spec is logged since that helps make sense of the other actions(pod creation/deletion) that the etcd-operator logs. However that can be removed if not neeeded.

Logs for a 4 master node self hosted cluster. The following actions were performed:

• Resize the cluster from 1->4 pods after its creation
• Delete one pod manually
• Resize the cluster from 4->3 pods
  The messages prepended with ########## were added by me to indicate certain events like the operator restarting.

[xiang90]

The pod spec is not printed for pods added/deleted because that makes the output too verbose.

i think it is still worth to add even though it can be verbose.

[xiang90]

enable-debug-file (also you can make this arg to take a actual file path. default can be /var/tmp/etcd-operator/debug.log)

operator probably should not know about hostpath thing. it just writes logs to somewhere.

[xiang90]

well, actually enable-selfhosted-debug-log is better.

[xiang90]

we can remove this. operator does not have to know anything about the host path mount.

it just logs to what is configured by the deployment when selfhosted-debug-log is enabled.

[xiang90]

call createDirAll instead here.

[hasbro17]

More verbose logs which print pod spec for every pod created.

The operator will now write the debug logs to a default path /var/tmp/etcd-operator/debug/debug.log or to a custom path specified by the user via the flag debug-logfile-path

[xiang90]

lgtm after addressing the flag merge issue discussed offline. thanks!

[hasbro17]

@hongchaodeng please take a final look. I've tested it manually on a self hosted cluster.
The debug logging will now be enabled if:

• Cluster is self-hosted
• And the flag debug-logfile-path is set

[xiang90]

mention that it is only for self hosted cluster?

[hongchaodeng]

lgtm

[xiang90]

can you enable/disable the logger during the initialization? then we do not need to check this everywhere.

[hongchaodeng]

Or just make it a function?
Like isDebugLoggerEnabled() ?

[hongchaodeng]

Why is this public?