Skip to content

NETOBSERV-2858: export readable OpenSSL TLS plaintext to JSONL#540

Open
jpinsonneau wants to merge 1 commit into
netobserv:mainfrom
jpinsonneau:NETOBSERV-2858
Open

NETOBSERV-2858: export readable OpenSSL TLS plaintext to JSONL#540
jpinsonneau wants to merge 1 commit into
netobserv:mainfrom
jpinsonneau:NETOBSERV-2858

Conversation

@jpinsonneau

@jpinsonneau jpinsonneau commented Jul 6, 2026

Copy link
Copy Markdown
Member

Description

  • Add --enable_openssl (and related TLS plaintext options) to packets capture, wiring agent env vars via packet-capture.yml.
  • Export decrypted payloads to output/plaintext/<timestamp>.jsonl with a human-readable PlaintextDisplay field (HTTP body / request line / JSON text extraction, OpenSSL metadata prefix stripping).
  • Add openssl-test-pod and http-test-pod examples plus TLS coverage notes in docs/tls-decryption-coverage.md.

JSONL export only — TUI wire buffer and live plaintext columns are deferred to NETOBSERV-2859.

Test plan

  • make build
  • go test ./cmd
  • NETOBSERV_AGENT_IMAGE=<2857-image> ./build/oc-netobserv packets --port=8443 --peer_ip=<pod> --enable_openssl --privileged --background
  • Confirm JSONL rows contain PlaintextDisplay with readable HTTP (not raw TLS/binary)

Dependencies

netobserv/netobserv-ebpf-agent#1006

Checklist

  • Does the changes in PR need specific configuration or environment set up for testing?
    • if so please describe it in PR description.
  • I have added thorough unit tests for the change.
  • QE requirements (check 1 from the list):
    • Standard QE validation, with pre-merge tests unless stated otherwise.
    • Regression tests only (e.g. refactoring with no user-facing change).
    • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot

openshift-ci-robot commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

@jpinsonneau: This pull request references NETOBSERV-2858 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Description

  • Add --enable_openssl (and related TLS plaintext options) to packets capture, wiring agent env vars via packet-capture.yml.
  • Export decrypted payloads to output/plaintext/<timestamp>.jsonl with a human-readable PlaintextDisplay field (HTTP body / request line / JSON text extraction, OpenSSL metadata prefix stripping).
  • Add openssl-test-pod and http-test-pod examples plus TLS coverage notes in docs/tls-decryption-coverage.md.

JSONL export only — TUI wire buffer and live plaintext columns are deferred to NETOBSERV-2859.

Test plan

  • make build
  • go test ./cmd
  • NETOBSERV_AGENT_IMAGE=<2857-image> ./build/oc-netobserv packets --port=8443 --peer_ip=<pod> --enable_openssl --privileged --background
  • Confirm JSONL rows contain PlaintextDisplay with readable HTTP (not raw TLS/binary)

Dependencies

Pairs with agent PR NETOBSERV-2857.

Checklist

  • Does the changes in PR need specific configuration or environment set up for testing?
    • if so please describe it in PR description.
  • I have added thorough unit tests for the change.
  • QE requirements (check 1 from the list):
  • Standard QE validation, with pre-merge tests unless stated otherwise.
  • Regression tests only (e.g. refactoring with no user-facing change).
  • No QE (e.g. trivial change with high reviewer's confidence, or per agreement with the QE team).

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jotak for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 45.37246% with 242 lines in your changes missing coverage. Please review.
✅ Project coverage is 18.24%. Comparing base (fe9ba2f) to head (d504c4d).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
cmd/plaintext_format.go 53.50% 122 Missing and 37 partials ⚠️
cmd/packet_capture.go 5.95% 79 Missing ⚠️
cmd/packet_capture_plaintext.go 75.00% 3 Missing ⚠️
cmd/root.go 80.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main     #540      +/-   ##
==========================================
+ Coverage   13.18%   18.24%   +5.06%     
==========================================
  Files          20       22       +2     
  Lines        2443     2867     +424     
==========================================
+ Hits          322      523     +201     
- Misses       2095     2281     +186     
- Partials       26       63      +37     
Flag Coverage Δ
unittests 18.24% <45.37%> (+5.06%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files with missing lines Coverage Δ
cmd/root.go 30.61% <80.00%> (+2.95%) ⬆️
cmd/packet_capture_plaintext.go 75.00% <75.00%> (ø)
cmd/packet_capture.go 2.76% <5.95%> (+2.76%) ⬆️
cmd/plaintext_format.go 53.50% <53.50%> (ø)
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Add --enable_openssl packet capture wiring, PlaintextDisplay formatting
(prefix stripping, HTTP peeling), and openssl/http example workloads.
Writes output/plaintext/*.jsonl without wire correlation or TUI (NETOBSERV-2859).
Use --background during capture; pair with agent image from NETOBSERV-2857.

Co-authored-by: Cursor <cursoragent@cursor.com>
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

New image:

quay.io/netobserv/network-observability-cli:d504c4dc

It will expire in two weeks.

To use this build, update your commands using:

USER=netobserv VERSION=d504c4dc make commands

or download the updated commands.

@jpinsonneau jpinsonneau marked this pull request as ready for review July 7, 2026 15:36
@jpinsonneau

Copy link
Copy Markdown
Member Author

Tested and works as expected 🥳

To generate fake traffic:

cd examples

# Build, deploy, wait, generate traffic
make images-all IMAGE_ORG=<your-user>
make deploy-all wait-all traffic-all

# Pod IPs for scoped capture
make pod-ips
make capture-hint   # prints ready-to-paste commands

Then run the capture using:

NETOBSERV_AGENT_IMAGE=<your-agent> ./build/oc-netobserv packets --port=8443 --peer_ip="$OPENSSL_POD_IP" --enable_openssl --privileged

See the plaintext output when capture finished with:

$ jq -r "select(.RecordType==\"plaintext\") | {TLSSource,PlaintextDisplay}" output/plaintext/*.jsonl
{
  "TLSSource": "openssl",
  "PlaintextDisplay": "GET /healthz HTTP/1.1"
}
{
  "TLSSource": "openssl",
  "PlaintextDisplay": "HTTP/1.1 200 OK"
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants