Skip to content

OPCT-428: add must-gather-clean to artifacts-collector for sensitive data cleaning#88

Open
bshaw7 wants to merge 8 commits into
redhat-openshift-ecosystem:mainfrom
bshaw7:opct-428-artifacts-collector-cleaning
Open

OPCT-428: add must-gather-clean to artifacts-collector for sensitive data cleaning#88
bshaw7 wants to merge 8 commits into
redhat-openshift-ecosystem:mainfrom
bshaw7:opct-428-artifacts-collector-cleaning

Conversation

@bshaw7

@bshaw7 bshaw7 commented Jul 1, 2026

Copy link
Copy Markdown
Collaborator

Summary

  • Embed must-gather-clean v0.0.5 in the artifacts-collector plugin image
  • Run it against must-gather directory (omit Secrets/MachineConfig, redact sha256~ tokens and JWTs) before packing
  • Run it against e2e metadata tar.gz archives (redact sha256~ tokens and JWTs) before final packing
  • Falls back to existing sed-based cleaning if must-gather-clean fails

This prevents leaktk-gcs-filter from removing OPCT CI archives from GCS. The bulk of findings (3070 of 3157) are sha256~ OAuth tokens inside artifacts_e2e-metadata-*.tar.gz from openshift-tests output.

Verified locally: must-gather-clean with regex config reduces sha256~ findings in e2e metadata from 1212 to 0.

Related: redhat-openshift-ecosystem/opct#223 (non-nested scanner improvements, defense in depth)

Test plan

  • Build artifacts-collector image with changes
  • Run must-gather-clean against extracted e2e metadata, confirm sha256~ count drops to 0
  • Run must-gather-clean against extracted must-gather, confirm Secrets/MachineConfig omitted
  • Run leaktk scan against cleaned archive, confirm 0 findings
  • Full OPCT run on a cluster to verify no regressions

/cc @mtulio

🤖 Generated with Claude Code

…data cleaning

Embed must-gather-clean (openshift/must-gather-clean) in the artifacts-collector
plugin image to clean sensitive data at source before packing archives to sonobuoy.

This prevents leaktk-gcs-filter from removing OPCT CI archives from GCS due to
sha256~ OAuth tokens and JWTs in e2e metadata and must-gather files.

Changes:
- Containerfile: add must-gather-clean v0.0.5 binary via build stage
- collector.sh: replace sed-only clean_must_gather() with must-gather-clean,
  add clean_e2e_metadata() to unpack/clean/repack e2e metadata tar.gz files
- mgc-config-mustgather.yaml: regex patterns + omit Secret/MachineConfig resources
- mgc-config-e2e.yaml: regex-only patterns for sha256~ tokens and JWTs

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@openshift-ci openshift-ci Bot requested a review from mtulio July 1, 2026 09:20
@coderabbitai

coderabbitai Bot commented Jul 1, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 6a3695a1-8877-498a-ad02-07ad6ca71641

📥 Commits

Reviewing files that changed from the base of the PR and between 7eae7ff and ff9311f.

📒 Files selected for processing (3)
  • artifacts-collector/collector.sh
  • artifacts-collector/mgc-config-e2e.yaml
  • artifacts-collector/mgc-config-mustgather.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • artifacts-collector/mgc-config-e2e.yaml
  • artifacts-collector/collector.sh

📝 Walkthrough

Summary by CodeRabbit

  • New Features

    • Added sensitive-data cleaning to collected artifacts before packaging.
    • Included new cleanup rules for logs and metadata archives.
    • Added support for filtering out certain machine configuration resources from collection.
  • Bug Fixes

    • Improved handling when cleanup steps fail, so artifact generation can continue where possible.
    • Preserved original outputs if cleaned replacements cannot be safely applied.

Walkthrough

This PR adds must-gather-clean support to the artifacts-collector image and updates collector.sh to sanitize must-gather, metrics, and e2e metadata outputs before final packaging.

Changes

Must-gather-clean Sensitive Data Cleanup

Layer / File(s) Summary
Build and package cleanup tooling
artifacts-collector/Containerfile, artifacts-collector/mgc-config-mustgather.yaml, artifacts-collector/mgc-config-e2e.yaml
Adds a build stage for must-gather-clean, copies the binary into the image, and includes the cleanup config files.
Clean must-gather and metrics outputs
artifacts-collector/collector.sh
Runs must-gather-clean on must-gather output and metrics output, with fallback and directory swap handling around the cleaned artifacts.
Clean e2e archives before packaging
artifacts-collector/collector.sh
Adds e2e archive cleanup and runs it before creating raw-results.tar.gz.

Estimated code review effort: 3 (Moderate) | ~25 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly summarizes adding must-gather-clean for sensitive data cleaning in artifacts-collector.
Description check ✅ Passed The description matches the change set and accurately explains embedding and running must-gather-clean with fallback behavior.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (1)
artifacts-collector/Containerfile (1)

10-14: 🔒 Security & Privacy | 🔵 Trivial | ⚡ Quick win

Verify checksum of downloaded must-gather-clean binary.

The binary is fetched from GitHub releases and piped straight into tar with no integrity check, and without -f/pipefail a failed or tampered download could silently succeed. The upstream project publishes a SHA256_SUM file alongside each release specifically for this purpose.

🔒 Proposed fix to add checksum verification
 FROM quay.io/fedora/fedora-minimal:41 AS mgc
 ARG MGC_VERSION=0.0.5
-RUN curl -sL https://github.com/openshift/must-gather-clean/releases/download/v${MGC_VERSION}/must-gather-clean-linux-amd64.tar.gz \
-    | tar xz -C /usr/local/bin must-gather-clean
+RUN set -euo pipefail && \
+    curl -sSLf -o /tmp/mgc.tar.gz https://github.com/openshift/must-gather-clean/releases/download/v${MGC_VERSION}/must-gather-clean-linux-amd64.tar.gz && \
+    curl -sSLf -o /tmp/mgc.sha256 https://github.com/openshift/must-gather-clean/releases/download/v${MGC_VERSION}/SHA256_SUM && \
+    echo "$(cat /tmp/mgc.sha256 | grep must-gather-clean-linux-amd64.tar.gz) /tmp/mgc.tar.gz" | sha256sum --check --strict - && \
+    tar xz -C /usr/local/bin -f /tmp/mgc.tar.gz must-gather-clean

Please confirm the exact checksum asset filename on the release page before adopting this diff.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@artifacts-collector/Containerfile` around lines 10 - 14, The
must-gather-clean download in the Containerfile is extracted without any
integrity verification. Update the build step around the mgc stage to fetch the
release checksum asset first, verify the downloaded tarball against the upstream
SHA256_SUM file, and only then extract it into /usr/local/bin; also make the
shell fail on download errors so a broken or tampered fetch cannot pass
silently.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@artifacts-collector/collector.sh`:
- Around line 50-64: The clean_e2e_metadata workflow is leaving either a
corrupted archive or an unredacted archive behind. Update clean_e2e_metadata to
repack through a temporary output file instead of overwriting "${archive}" in
place, check the tar czf exit status before replacing the original, and always
clean up temp dirs on failure. Also add a fallback redaction path in the
must-gather-clean failure branch, similar to clean_must_gather, so
artifacts_e2e-metadata archives still get sanitized when must-gather-clean
cannot run.
- Around line 38-48: The directory swap in collector.sh can lose data because rm
-rf on MUST_GATHER_DIR happens before the cleaned mv succeeds. Update the
must-gather cleanup flow so the original MUST_GATHER_DIR is only removed after
mv "${mg_clean_dir}" "${MUST_GATHER_DIR}" completes successfully, and keep the
existing must-gather-clean fallback path intact; use the must-gather-clean, rm,
and mv steps in collector.sh as the place to adjust the order.

---

Nitpick comments:
In `@artifacts-collector/Containerfile`:
- Around line 10-14: The must-gather-clean download in the Containerfile is
extracted without any integrity verification. Update the build step around the
mgc stage to fetch the release checksum asset first, verify the downloaded
tarball against the upstream SHA256_SUM file, and only then extract it into
/usr/local/bin; also make the shell fail on download errors so a broken or
tampered fetch cannot pass silently.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 7003bdea-dcc3-4e11-9f82-4f2da3d392d3

📥 Commits

Reviewing files that changed from the base of the PR and between 6fe7b74 and 6b6bc8a.

📒 Files selected for processing (4)
  • artifacts-collector/Containerfile
  • artifacts-collector/collector.sh
  • artifacts-collector/mgc-config-e2e.yaml
  • artifacts-collector/mgc-config-mustgather.yaml

Comment thread artifacts-collector/collector.sh
Comment thread artifacts-collector/collector.sh
bshaw7 and others added 3 commits July 1, 2026 15:22
- Containerfile: add SHA256 checksum verification for must-gather-clean download
- collector.sh: safe directory swap in clean_must_gather (mv before rm)
- collector.sh: write to temp file in clean_e2e_metadata, replace only on success

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
fedora-minimal:41 does not include tar by default, causing the
must-gather-clean download stage to fail during image build.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…tterns

Integration test showed 9 remaining findings after initial configs:
- 5 in controllerconfigs (JWTs and registry pull secret)
- 2 in e2e metadata (Authorization: Basic headers)
- 1 in imageregistry config (httpSecret)
- 1 in oauthclients (secret field)

Fixed by adding:
- ControllerConfig omit rule in mustgather config
- Authorization header regex in both configs
- Generic secret/httpSecret regex in mustgather config

Verified locally: 9 remaining findings reduced to 0.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@artifacts-collector/mgc-config-e2e.yaml`:
- Around line 9-11: Update the Authorization redaction regex in the FileContents
rule to be case-insensitive so lowercase and mixed-case authorization headers
are also matched; apply the same change to the corresponding regex entry in the
mustgather config. Keep the existing token-matching portion intact and add the
case-insensitive flag directly in the pattern so the redaction covers common log
and curl output variants.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: f7a0c25f-7dcd-4871-9559-794fb2109b81

📥 Commits

Reviewing files that changed from the base of the PR and between fd03262 and 824db01.

📒 Files selected for processing (2)
  • artifacts-collector/mgc-config-e2e.yaml
  • artifacts-collector/mgc-config-mustgather.yaml
✅ Files skipped from review due to trivial changes (1)
  • artifacts-collector/mgc-config-mustgather.yaml

Comment thread artifacts-collector/mgc-config-e2e.yaml Outdated
@bshaw7

bshaw7 commented Jul 2, 2026

Copy link
Copy Markdown
Collaborator Author

Local tests shows leaktk findings are 0 while scanning reports

[root@localhost ~]# oc get pods -n opct -l sonobuoy-plugin=99-openshift-artifacts-collector -o jsonpath='{.items[*].spec.containers[*].image}'; echo
quay.io/rhn-support-bshaw/plugin-artifacts-collector:opct-428 quay.io/opct/sonobuoy:v0.57.3
[root@localhost ~]# oc get clusterversion
NAME      VERSION   AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.22.3    True        False         98m     Cluster version is 4.22.3
[root@localhost ~]# 
[root@localhost test]# time /root/opct/build/opct-linux-amd64 retrieve
INFO[2026-07-02T06:26:34Z] Collecting results...                        
INFO[2026-07-02T06:26:35Z] Downloading archive from aggregator server... 
INFO[2026-07-02T06:27:02Z] Downloaded 224.3 MB in 27s                   
INFO[2026-07-02T06:27:02Z] Scanning archive for sensitive data...       
INFO[2026-07-02T06:27:42Z] Results saved to /root/test/opct_202607012041_ea0d0485-6949-485f-b138-01fd9836f4ba.tar.gz 
INFO[2026-07-02T06:27:42Z] Run 'opct report -s ./report <archive>.tar.gz' to review the validation results. 

real	1m10.076s
user	0m40.508s
sys	0m2.850s
[root@localhost test]# 


[root@localhost test]# leaktk scan -c ~/.config/leaktk/config.toml --kind Files /Users/bshaw/splat/OPCT/OPCT-428/opct_202607012041_ea0d0485-6949-485f-b138-01fd9836f4ba.tar.gz  |python3 -c "import sys,json; data=json.load(sys.stdin); print(f'Findings:{len(data.get(\"results\",[]))}')"
[INFO] queueing scan: id="D0YUvjO7uSU" queue_size=1
[INFO] starting scan: id="D0YUvjO7uSU"
[INFO] queueing response: id="D0YUvjO7uSU" queue_size=1
Findings:0
[root@localhost test]# 

Now findings shows 0 in local testing

@mtulio mtulio left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Couple nits related to the verbosity as well the MGM plugin.

Comment thread artifacts-collector/collector.sh
Comment thread artifacts-collector/collector.sh Outdated
Comment thread artifacts-collector/Containerfile
@mtulio

mtulio commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

/hold

@mtulio mtulio added the kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. label Jul 2, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 2, 2026
- Add -v4 flag to must-gather-clean calls, redirect output to dedicated
  log files (artifacts_log-mgc-*.log) to avoid mixing with pod stdout
- Add must-gather-clean step for must-gather-monitoring (metrics) archive
  before packing, consistent with must-gather cleaning
Comment thread artifacts-collector/collector.sh Outdated
Keep errors visible for debugging instead of redirecting to /dev/null.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

♻️ Duplicate comments (1)
artifacts-collector/collector.sh (1)

62-64: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Keep a fallback for e2e archive redaction.

If must-gather-clean fails here, the original artifacts_e2e-metadata-*.tar.gz remains unredacted and packaging continues, which reintroduces the token findings this PR targets. Add a fallback redaction path or fail the archive collection explicitly.

Suggested fallback shape
         must-gather-clean -c /plugin/mgc-config-e2e.yaml \
             -i "${tmpdir}" -o "${cleandir}" \
-            -v4 >>./artifacts_log-mgc-e2e-metadata.log 2>&1 || { rm -rf "${tmpdir}" "${cleandir}"; continue; }
+            -v4 >>./artifacts_log-mgc-e2e-metadata.log 2>&1 || {
+            os_log_info "[executor][PluginID#${PLUGIN_ID}] must-gather-clean failed for ${archive##*/}; applying fallback redaction"
+            find "${tmpdir}" -type f -exec sed -i \
+                -e 's/sha256~[A-Za-z0-9_-]\+/sha256~<sensitive>/g' \
+                -e 's/eyJ[A-Za-z0-9_-]\{10,\}\.eyJ[A-Za-z0-9_-]\{10,\}\.[A-Za-z0-9_-]\+/JWT-REDACTED/g' {} +
+            cleandir="${tmpdir}"
+        }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@artifacts-collector/collector.sh` around lines 62 - 64, The e2e metadata
redaction step in collector.sh currently falls back by cleaning up temp dirs and
continuing, which leaves the original artifacts_e2e-metadata-*.tar.gz unredacted
and allows packaging to proceed. Update the must-gather-clean handling in the
archive collection flow to either run an alternate redaction path when the clean
step fails or stop the collection explicitly, so the final artifacts are never
packaged without redaction. Keep the fix localized around the must-gather-clean
invocation and the surrounding archive packaging logic.

Source: Path instructions

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@artifacts-collector/collector.sh`:
- Around line 194-201: The metrics cleanup flow in collector.sh can still
archive the original must-gather-metrics content when must-gather-clean fails
because the current && block is simply skipped. Update the must-gather-metrics
handling around must-gather-clean, metrics_src_dir, and metrics_clean_dir to add
an explicit failure path that either applies fallback redaction or skips/fails
metrics packaging entirely, and ensure the pack step only uses sanitized
content.
- Around line 198-200: The metrics directory swap in collector.sh is not
failure-safe: if the second mv from metrics_clean_dir to metrics_src_dir fails,
the original stays renamed as *-orig and later packaging can break. Update the
swap logic around the metrics_src_dir and metrics_clean_dir moves to check each
mv result and restore the original directory from the *-orig backup before
continuing or exiting, so the original metrics directory is always preserved on
failure.

---

Duplicate comments:
In `@artifacts-collector/collector.sh`:
- Around line 62-64: The e2e metadata redaction step in collector.sh currently
falls back by cleaning up temp dirs and continuing, which leaves the original
artifacts_e2e-metadata-*.tar.gz unredacted and allows packaging to proceed.
Update the must-gather-clean handling in the archive collection flow to either
run an alternate redaction path when the clean step fails or stop the collection
explicitly, so the final artifacts are never packaged without redaction. Keep
the fix localized around the must-gather-clean invocation and the surrounding
archive packaging logic.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 340dd2e8-3868-4c2e-9135-139bfeae04a0

📥 Commits

Reviewing files that changed from the base of the PR and between 824db01 and 7eae7ff.

📒 Files selected for processing (1)
  • artifacts-collector/collector.sh

Comment thread artifacts-collector/collector.sh Outdated
Comment thread artifacts-collector/collector.sh Outdated
…e regex

- Skip metrics packing if must-gather-clean fails (don't pack uncleaned)
- Restore original metrics directory if swap fails
- Add (?i) to Authorization header regex for case-insensitive matching

@mtulio mtulio left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

Feel free to drop hold label.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 3, 2026
@openshift-ci

openshift-ci Bot commented Jul 3, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mtulio

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 3, 2026
@mtulio mtulio removed lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 3, 2026
@mtulio

mtulio commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Removing approval labels as we are discussing on slack how we can keep secret manifests obfuscated, not removing it

…cation

Must-gather already obfuscates secret values (e.g., 'token: MTAwOSBieXRlcyBsb25n'
which decodes to '1009 bytes long'). The omit rule was removing files that are
already safe. Removing it to preserve secrets.yaml for audit with obfuscated values.

leaktk-gcs-filter in CI does not flag these obfuscated values (confirmed by
must-gather.tar being available in regular CI artifacts). Will evaluate in
OPCT CI after merge.
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 5, 2026
@bshaw7

bshaw7 commented Jul 5, 2026

Copy link
Copy Markdown
Collaborator Author

Integration test results (4.22.3 IPI, latest PR #88 image + PR #223 binary):

Collector image verified:

$ oc get pods -n opct -l sonobuoy-plugin=99-openshift-artifacts-collector -o jsonpath='{.items[*].spec.containers[*].image}'; echo 

quay.io/rhn-support-bshaw/plugin-artifacts-collector:opct-428

Retrieve timing:

  $ time /root/opct/build/opct-linux-amd64 retrieve
  Downloaded 178.3 MB in 23s
  Scanning archive for sensitive data...
  Results saved to opct_202607050902_3403eecc-fcf9-4622-8709-59ecd3cbec5e.tar.gz
  
  real    1m12s
  user    0m48s
  sys     0m2s

leaktk scan:

$ leaktk scan -c ~/.config/leaktk/config.toml --kind Files opct_202607050902_3403eecc-fcf9-4622-8709-59ecd3cbec5e.tar.gz
 Findings: 30
 By pattern: Generic Secret: 30

All in must-gather secrets.yaml files (obfuscated values e.g. "token: MTAwOSBieXRlcyBsb25n" = "1009 bytes long")

All 30 findings are must-gather's built-in obfuscation — not real secrets. leaktk-gcs-filter in CI does not remove must-gather with these values (confirmed by must-gather.tar being available in regular CI artifacts).

MGC log file sizes:

  $ tar tzvf opct_202607050902_3403eecc-fcf9-4622-8709-59ecd3cbec5e.tar.gz | grep artifacts_log-mgc
  artifacts_log-mgc-e2e-metadata.log          57KB
  artifacts_log-mgc-must-gather-metrics.log   22KB
  artifacts_log-mgc-must-gather.log          5.9MB
  Total ~6MB added to 178MB archive (~3%)   

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants