apiVersion: troubleshoot.sh/v1beta2 kind: SupportBundle metadata: name: circleci-server spec: collectors: - clusterInfo: {} - clusterResources: {} - logs: selector: - layer=application name: application - logs: selector: - layer=data name: data - logs: selector: - layer=execution name: nomad - exec: name: nomad-status selector: - app=nomad-server - layer=execution command: ["/bin/sh"] args: ["-c","nomad node status && echo && nomad server members && echo && nomad status"] timeout: 10s - exec: name: rabbitmq-list-queues selector: - app.kubernetes.io/name=rabbitmq command: ["/bin/sh"] args: ["-c","rabbitmqctl list_queues"] timeout: 10s - exec: name: pvc-postgres selector: - app.kubernetes.io/name=postgresql command: ["/bin/sh"] args: ["-c","df -h /bitnami/postgresql"] timeout: 10s - exec: name: pvc-mongodb selector: - app.kubernetes.io/name=mongodb command: ["/bin/sh"] args: ["-c","df -h /bitnami/mongodb"] timeout: 10s - exec: name: pvc-vault selector: - app=vault command: ["/bin/sh"] args: ["-c","df -h /vault/file"] timeout: 10s - exec: name: pvc-redis selector: - app=redis command: ["/bin/sh"] args: ["-c","df -h /data"] timeout: 10s - exec: name: pvc-rabbitmq selector: - app.kubernetes.io/name=rabbitmq command: ["/bin/sh"] args: ["-c","df -h /bitnami/rabbitmq/mnesia"] timeout: 10s redactors: - name: Redact Object storage credentials fileSelector: files: - cluster-resources/pods/*.json - cluster-resources/deployments/*.json removals: regex: - selector: __ACCESS_KEY redactor: '("value": ")(?P.*)(")' - selector: __SECRET_KEY redactor: '("value": ")(?P.*)(")' - name: Redact ring session encryption key fileSelector: files: - cluster-resources/pods/*.json - cluster-resources/deployments/*.json removals: regex: - selector: CIRCLE_SECRETS__SESSION_COOKIE_KEY redactor: '("value": ")(?P.*)(")' - name: Redact Github OAuth credentials fileSelector: files: - cluster-resources/pods/*.json - cluster-resources/deployments/*.json removals: regex: - selector: CLIENT_ID redactor: '("value": ")(?P.*)(")' - selector: CLIENT_SECRET redactor: '("value": ")(?P.*)(")' - name: Redact soketi secret fileSelector: files: - cluster-resources/pods/*.json - cluster-resources/deployments/*.json removals: regex: - selector: PUSHER__SECRET redactor: '("value": ")(?P.*)(")' - selector: DEFAULT_APP_SECRET redactor: '("value": ")(?P.*)(")' - name: keyczar encryption and signing keys fileSelector: files: - cluster-resources/pods/*.json - cluster-resources/deployments/*.json removals: regex: - selector: KEYSET__ redactor: '("value": ")(?P.*)(")' # Removes passwords from URI's of the form ://:@: - name: Redact passwords from URIs fileSelector: files: - cluster-resources/pods/*.json - cluster-resources/deployments/*.json removals: regex: - redactor: '(?P"value": ")(?P[^:]*)(://)(?P[^:]*)(:)(?P[^@]*)@(?P[^(:|/)]*)(?P.*)(")' # JDBC URI's put the password in the query string of the URI instead of the # user information section of the URI. This removes password= # structured parts - name: Redact passwords from JDBC URIs fileSelector: files: - cluster-resources/pods/*.json - cluster-resources/deployments/*.json removals: regex: - redactor: '(?Ppassword=)(?P.*)' # An annotation on deployments holds the previously applied configuration. It contains much # of the environment variable section from the deployment but JSON escaped which can make the # default redactions fail. We redact the entire annotation here to avoid leakage. - name: last applied configuration annotation removals: regex: - redactor: '("kubectl\.kubernetes\.io/last-applied-configuration": ")(?P.+)(")' analyzers: []