oc debug: Propagate exit code

Make oc debug propagate the debug container exit code.
This is not happening now and `oc debug` always exits with 0.

Author: tchap

pkg/cli/debug/debug.go

@@ -43,6 +43,7 @@ import (
 	"k8s.io/kubectl/pkg/util/interrupt"
 	"k8s.io/kubectl/pkg/util/templates"
 	"k8s.io/pod-security-admission/api"
+	utilexec "k8s.io/utils/exec"
 
 	appsv1 "github.com/openshift/api/apps/v1"
 	dockerv10 "github.com/openshift/api/image/docker10"
@@ -630,12 +631,49 @@ func (o *DebugOptions) RunDebug() error {
 					}
 				}
 			}
-			return o.getLogs(pod)
+			if logErr := o.getLogs(pod); logErr != nil {
+				return logErr
+			}
+			// The watch event may have stale container status for fast-failing
+			// containers. Re-fetch the pod to get the authoritative final state.
+			freshPod, getErr := o.CoreClient.Pods(pod.Namespace).Get(context.TODO(), pod.Name, metav1.GetOptions{})
+			if getErr != nil {
+				klog.V(4).Infof("Unable to re-fetch pod %s/%s: %v", pod.Namespace, pod.Name, getErr)
+				if ok {
+					freshPod = resultPod
+				}
+			}
+			if freshPod == nil {
+				klog.V(4).Infof("Exit code information unavailable for pod %s/%s", pod.Namespace, pod.Name)
+				return nil
+			}
+			if exitErr := exitCodeError(freshPod, o.ContainerName); exitErr != nil {
+				return exitErr
+			}
+			return nil
 		case err == conditions.ErrNonZeroExitCode:
 			if err = o.getLogs(pod); err != nil {
 				return err
 			}
-			return conditions.ErrNonZeroExitCode
+			// The watch event may have stale container status.
+			// Re-fetch the pod to get the authoritative final state.
+			freshPod, getErr := o.CoreClient.Pods(pod.Namespace).Get(context.TODO(), pod.Name, metav1.GetOptions{})
+			if getErr != nil {
+				klog.V(4).Infof("Unable to re-fetch pod %s/%s: %v", pod.Namespace, pod.Name, getErr)
+				if resultPod, ok := containerRunningEvent.Object.(*corev1.Pod); ok {
+					freshPod = resultPod
+				}
+			}
+			if freshPod != nil {
+				if exitErr := exitCodeError(freshPod, o.ContainerName); exitErr != nil {
+					return exitErr
+				}
+			}
+			// We know the exit code was non-zero but couldn't determine the actual value.
+			return utilexec.CodeExitError{
+				Err:  fmt.Errorf("the debug container terminated with a non-zero exit code"),
+				Code: 1,
+			}
 		case err != nil:
 			return err
 		case !o.Attach.Stdin:
@@ -645,20 +683,14 @@ func (o *DebugOptions) RunDebug() error {
 			lastWatchEvent, err := watchtools.UntilWithSync(ctx, lw, &corev1.Pod{}, preconditionFunc, conditions.PodDone)
 			if err != nil {
 				if kapierrors.IsNotFound(err) {
-					return nil
+					return fmt.Errorf("the debug pod %q was deleted before completion", pod.Name)
 				}
 				return err
 			}
 
-			resultPod, ok := lastWatchEvent.Object.(*corev1.Pod)
-			if ok {
-				for _, s := range append(append([]corev1.ContainerStatus{}, resultPod.Status.InitContainerStatuses...), resultPod.Status.ContainerStatuses...) {
-					if s.Name != o.ContainerName {
-						continue
-					}
-					if s.State.Terminated != nil && s.State.Terminated.ExitCode != 0 {
-						return conditions.ErrNonZeroExitCode
-					}
+			if resultPod, ok := lastWatchEvent.Object.(*corev1.Pod); ok {
+				if exitErr := exitCodeError(resultPod, o.ContainerName); exitErr != nil {
+					return exitErr
 				}
 			}
 			return nil
@@ -673,7 +705,16 @@ func (o *DebugOptions) RunDebug() error {
 
 			// TODO: attach can race with pod completion, allow attach to switch to logs
 			o.Attach.ContainerName = o.ContainerName
-			return o.Attach.Run()
+			if attachErr := o.Attach.Run(); attachErr != nil {
+				return attachErr
+			}
+			// After the attach session ends, check the container exit code.
+			freshPod, getErr := o.CoreClient.Pods(pod.Namespace).Get(context.TODO(), pod.Name, metav1.GetOptions{})
+			if getErr != nil {
+				klog.V(4).Infof("Unable to re-fetch pod %s/%s after attach: %v", pod.Namespace, pod.Name, getErr)
+				return nil
+			}
+			return exitCodeError(freshPod, o.ContainerName)
 		}
 	})
 }
@@ -1238,6 +1279,35 @@ func (o *DebugOptions) approximatePodTemplateForObject(object runtime.Object) (*
 	return nil, fmt.Errorf("%v is not supported by debug", reflect.TypeOf(object))
 }
 
+// containerExitCode returns the exit code of the named container from the pod status.
+// It returns -1 if the container is not found or has not terminated.
+func containerExitCode(pod *corev1.Pod, containerName string) int32 {
+	for _, s := range append(append([]corev1.ContainerStatus{}, pod.Status.InitContainerStatuses...), pod.Status.ContainerStatuses...) {
+		if s.Name != containerName {
+			continue
+		}
+		if s.State.Terminated != nil {
+			return s.State.Terminated.ExitCode
+		}
+		return -1
+	}
+	return -1
+}
+
+// exitCodeError returns a CodeExitError with the container's actual exit code if it
+// terminated with a non-zero exit code. It returns nil if the container exited
+// successfully or if exit code information is not available.
+func exitCodeError(pod *corev1.Pod, containerName string) error {
+	code := containerExitCode(pod, containerName)
+	if code <= 0 {
+		return nil
+	}
+	return utilexec.CodeExitError{
+		Err:  fmt.Errorf("the debug container terminated with exit code %d", code),
+		Code: int(code),
+	}
+}
+
 func (o *DebugOptions) getLogs(pod *corev1.Pod) error {
 	return logs.LogsOptions{
 		Object: pod,

pkg/cli/debug/debug_test.go

@@ -10,6 +10,7 @@ import (
 	"k8s.io/kubectl/pkg/cmd/attach"
 	"k8s.io/kubectl/pkg/cmd/exec"
 	"k8s.io/pod-security-admission/api"
+	utilexec "k8s.io/utils/exec"
 
 	fakekubeclient "k8s.io/client-go/kubernetes/fake"
 	fakecorev1client "k8s.io/client-go/kubernetes/typed/core/v1/fake"
@@ -266,3 +267,213 @@ func TestCreateLabelMap(t *testing.T) {
 		})
 	}
 }
+
+func TestContainerExitCode(t *testing.T) {
+	tests := []struct {
+		name          string
+		pod           *corev1.Pod
+		containerName string
+		expected      int32
+	}{
+		{
+			name: "terminated with non-zero exit code",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name:  "debug",
+							State: corev1.ContainerState{Terminated: &corev1.ContainerStateTerminated{ExitCode: 42}},
+						},
+					},
+				},
+			},
+			containerName: "debug",
+			expected:      42,
+		},
+		{
+			name: "terminated with exit code 0",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name:  "debug",
+							State: corev1.ContainerState{Terminated: &corev1.ContainerStateTerminated{ExitCode: 0}},
+						},
+					},
+				},
+			},
+			containerName: "debug",
+			expected:      0,
+		},
+		{
+			name: "container still running",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name:  "debug",
+							State: corev1.ContainerState{Running: &corev1.ContainerStateRunning{}},
+						},
+					},
+				},
+			},
+			containerName: "debug",
+			expected:      -1,
+		},
+		{
+			name: "container not found",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name:  "other",
+							State: corev1.ContainerState{Terminated: &corev1.ContainerStateTerminated{ExitCode: 1}},
+						},
+					},
+				},
+			},
+			containerName: "debug",
+			expected:      -1,
+		},
+		{
+			name: "init container terminated with non-zero exit code",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					InitContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name:  "init",
+							State: corev1.ContainerState{Terminated: &corev1.ContainerStateTerminated{ExitCode: 137}},
+						},
+					},
+				},
+			},
+			containerName: "init",
+			expected:      137,
+		},
+		{
+			name:          "empty pod status",
+			pod:           &corev1.Pod{},
+			containerName: "debug",
+			expected:      -1,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := containerExitCode(tt.pod, tt.containerName)
+			if got != tt.expected {
+				t.Errorf("containerExitCode() = %d, want %d", got, tt.expected)
+			}
+		})
+	}
+}
+
+func TestExitCodeError(t *testing.T) {
+	tests := []struct {
+		name             string
+		pod              *corev1.Pod
+		containerName    string
+		expectError      bool
+		expectedExitCode int
+	}{
+		{
+			name: "non-zero exit code returns CodeExitError",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name:  "debug",
+							State: corev1.ContainerState{Terminated: &corev1.ContainerStateTerminated{ExitCode: 42}},
+						},
+					},
+				},
+			},
+			containerName:    "debug",
+			expectError:      true,
+			expectedExitCode: 42,
+		},
+		{
+			name: "exit code 0 returns nil",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name:  "debug",
+							State: corev1.ContainerState{Terminated: &corev1.ContainerStateTerminated{ExitCode: 0}},
+						},
+					},
+				},
+			},
+			containerName: "debug",
+			expectError:   false,
+		},
+		{
+			name: "container not terminated returns nil",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name:  "debug",
+							State: corev1.ContainerState{Running: &corev1.ContainerStateRunning{}},
+						},
+					},
+				},
+			},
+			containerName: "debug",
+			expectError:   false,
+		},
+		{
+			name: "container not found returns nil",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name:  "other",
+							State: corev1.ContainerState{Terminated: &corev1.ContainerStateTerminated{ExitCode: 1}},
+						},
+					},
+				},
+			},
+			containerName: "debug",
+			expectError:   false,
+		},
+		{
+			name: "exit code 127 returns correct code",
+			pod: &corev1.Pod{
+				Status: corev1.PodStatus{
+					ContainerStatuses: []corev1.ContainerStatus{
+						{
+							Name:  "debug",
+							State: corev1.ContainerState{Terminated: &corev1.ContainerStateTerminated{ExitCode: 127}},
+						},
+					},
+				},
+			},
+			containerName:    "debug",
+			expectError:      true,
+			expectedExitCode: 127,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := exitCodeError(tt.pod, tt.containerName)
+			if tt.expectError {
+				if err == nil {
+					t.Fatalf("expected error, got nil")
+				}
+				exitErr, ok := err.(utilexec.ExitError)
+				if !ok {
+					t.Fatalf("expected utilexec.ExitError, got %T", err)
+				}
+				if exitErr.ExitStatus() != tt.expectedExitCode {
+					t.Errorf("ExitStatus() = %d, want %d", exitErr.ExitStatus(), tt.expectedExitCode)
+				}
+			} else {
+				if err != nil {
+					t.Errorf("expected nil, got %v", err)
+				}
+			}
+		})
+	}
+}