Add sops file flag to diagnostics script

[anders-elastisys]

Warning

This is a public repository, ensure not to disclose:

• personal data beyond what is necessary for interacting with this pull request, nor
• business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

• kind/feature
• kind/improvement
• kind/deprecation
• kind/documentation
• kind/clean-up
• kind/bug
• kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

• kind/admin-change
• kind/dev-change
• kind/security
• kind/adr

What does this PR do / why do we need this PR?

Want to simplify the usage of the diagnostics script, the script will now by default import GPG keys from a file $CK8S_CONFIG_PATH/diagnostics_receiver.gpg and use their fingerprints if CK8S_PGP_FP is not already set.

• Follow up of https://github.com/elastisys/ck8s-issue-tracker/issues/258

Information to reviewers

I am planning to update the public docs to reflect this change.

Checklist

• Proper commit message prefix on all commits
• Change checks:
  • The change is transparent
  • The change is disruptive
  • The change requires no migration steps
  • The change requires migration steps
  • The change upgrades CRDs
  • The change updates the config and the schema
• Metrics checks:
  • The metrics are still exposed and present in Grafana after the change
  • The metrics names didn't change (Grafana dashboards and Prometheus alerts are not affected)
  • The metrics names did change (Grafana dashboards and Prometheus alerts were fixed)
• Logs checks:
  • The logs do not show any errors after the change
• Pod Security Policy checks:
  • Any changed pod is covered by Pod Security Admission
  • Any changed pod is covered by Gatekeeper Pod Security Policies
  • The change does not cause any pods to be blocked by Pod Security Admission or Policies
• Network Policy checks:
  • Any changed pod is covered by Network Policies
  • The change does not cause any dropped packets in the NetworkPolicy Dashboard
• Audit checks:
  • The change does not cause any unnecessary Kubernetes audit events
  • The change requires changes to Kubernetes audit policy
• Falco checks:
  • The change does not cause any alerts to be generated by Falco
• Bug checks:
  • The bug fix is covered by regression tests

[cristiklein]

@anders-elastisys I guess you wanted some early feedback on your proposal.

Overall, I think this is a good idea. It would be great if we could bring the script to the point where the on-call person only needs to type:

./bin/ck8s diagnostics sc
./bin/ck8s diagnostics wc

The expression convention over configuration comes to my mind. The on-call person should be provided with "sensible defaults".

[anders-elastisys]

@anders-elastisys I guess you wanted some early feedback on your proposal.

Overall, I think this is a good idea. It would be great if we could bring the script to the point where the on-call person only needs to type:

./bin/ck8s diagnostics sc
./bin/ck8s diagnostics wc

The expression convention over configuration comes to my mind. The on-call person should be provided with "sensible defaults".

Maybe 13414e1 is more in line with what we want? I removed the sops-config file flag and instead added so that by default the script will look for the file ${CK8S_CONFIG_PATH}/diagnostics_receiver.gpg containing GPG keys that are then imported to the operators keys and used by SOPS later in the script. It is still possible to set CK8S_PGP_FP manually, but I removed the support for using .sops.yaml file as I deemed it not necessary for what we want this command to achieve. Let me know what you think.

[cristiklein]

I like the transparency of the error message and that we provide the platform administrator with sane defaults.

[salehsedghpour]

Shouldn't our customer contact sme-support@elastisys.com?

[simonklb]

This is not appropriate for this repository since it is open source. We should not assume that Elastisys is owning the platform.

[anders-elastisys]

The notice was added when the script was first created, see the discussion here. Maybe @cristiklein can chip in regarding this?

[simonklb]

This is not appropriate for this repository since it is open source. We should not assume that Elastisys is owning the platform.