From 300fa3effe3f09133e1e24fcfaf592f787ae1a34 Mon Sep 17 00:00:00 2001 From: Ondrej Pokorny Date: Tue, 3 Feb 2026 14:24:04 +0100 Subject: [PATCH 1/2] feat: give ConfigMap obfuscation precedence for periodic jobs Ensure ConfigMap based obfuscation configuration is applied before InsightsDataGather configuration. Signed-off-by: Ondrej Pokorny --- pkg/controller/periodic/periodic.go | 31 ++++++++++++++++++++++------- 1 file changed, 24 insertions(+), 7 deletions(-) diff --git a/pkg/controller/periodic/periodic.go b/pkg/controller/periodic/periodic.go index c95a9abd7..c1aaa4686 100644 --- a/pkg/controller/periodic/periodic.go +++ b/pkg/controller/periodic/periodic.go @@ -23,6 +23,7 @@ import ( insightsv1cli "github.com/openshift/client-go/insights/clientset/versioned/typed/insights/v1" operatorv1client "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1" "github.com/openshift/insights-operator/pkg/anonymization" + "github.com/openshift/insights-operator/pkg/config" "github.com/openshift/insights-operator/pkg/config/configobserver" "github.com/openshift/insights-operator/pkg/controller/status" "github.com/openshift/insights-operator/pkg/controllerstatus" @@ -474,7 +475,7 @@ func (c *Controller) GatherJob() { // If the processing was successful, a new Insights analysis report is loaded; if not, // it returns with the providing the info in the log message. func (c *Controller) runJobAndCheckResults(ctx context.Context, dataGather *insightsv1.DataGather, image string) { - // create a new periodic gathering job + // create a new gathering job gj, err := c.jobController.CreateGathererJob( ctx, image, &c.configAggregator.Config().DataReporting, dataGather, ) @@ -806,8 +807,8 @@ func (c *Controller) PeriodicPrune(ctx context.Context) { } // createNewDataGatherCR creates a new "datagather.insights.openshift.io" custom resource -// with generate name prefix "periodic-gathering-". Returns the newly created -// resource or an error if the creation failed. +// for periodic gathering only that has the name prefix "periodic-gathering-". +// Returns the newly created resource or an error if the creation failed. func (c *Controller) createNewDataGatherCR(ctx context.Context) (*insightsv1.DataGather, error) { // Get values from InsightsDataGather CRD that contains config for the data gathering job gatherersConfig, dataPolicy, storageSpec := c.createDataGatherAttributeValues() @@ -882,16 +883,32 @@ func (c *Controller) createDataGatherAttributeValues() ( ) { gatherConfig := c.apiConfigurator.GatherConfig() + // Read data policy from ConfigMap first var dataPolicy []insightsv1.DataPolicyOption - for _, dataPolicyOption := range gatherConfig.DataPolicy { - switch dataPolicyOption { - case configv1.DataPolicyOptionObfuscateNetworking: + for _, obfuscationValue := range c.configAggregator.Config().DataReporting.Obfuscation { + switch obfuscationValue { + case config.Networking: dataPolicy = append(dataPolicy, insightsv1.DataPolicyOptionObfuscateNetworking) - case configv1.DataPolicyOptionObfuscateWorkloadNames: + case config.WorkloadNames: dataPolicy = append(dataPolicy, insightsv1.DataPolicyOptionObfuscateWorkloadNames) } } + // ConfigMap should take precedence for the obfuscation configuration so use the + // InsightsDataGather configuration only if there was none set in a ConfigMap + // If there is not configuration in both then no obfuscation should be applied + if len(dataPolicy) == 0 && gatherConfig != nil && len(gatherConfig.DataPolicy) > 0 { + klog.Infof("Using data policy from InsightsDataGather CR because ConfigMap has no obfuscation settings") + for _, dataPolicyOption := range gatherConfig.DataPolicy { + switch dataPolicyOption { + case configv1.DataPolicyOptionObfuscateNetworking: + dataPolicy = append(dataPolicy, insightsv1.DataPolicyOptionObfuscateNetworking) + case configv1.DataPolicyOptionObfuscateWorkloadNames: + dataPolicy = append(dataPolicy, insightsv1.DataPolicyOptionObfuscateWorkloadNames) + } + } + } + gatheringMode := insightsv1.GatheringModeAll // InsightsDataGather might have an empty Spec, which would result in an empty Gatherers Mode. // In that case, default to GatheringModeAll. From 054d206cacf0e8fd54dc2855bbf4a1129b6ad4b8 Mon Sep 17 00:00:00 2001 From: Ondrej Pokorny Date: Tue, 3 Feb 2026 14:47:06 +0100 Subject: [PATCH 2/2] feat: add tests for periodic obfuscation config Signed-off-by: Ondrej Pokorny --- pkg/controller/periodic/periodic_test.go | 84 +++++++++++++++++++++++- 1 file changed, 82 insertions(+), 2 deletions(-) diff --git a/pkg/controller/periodic/periodic_test.go b/pkg/controller/periodic/periodic_test.go index 3af1f4232..9f1bb5013 100644 --- a/pkg/controller/periodic/periodic_test.go +++ b/pkg/controller/periodic/periodic_test.go @@ -314,7 +314,12 @@ func TestCreateNewDataGatherCR(t *testing.T) { tt.dataPolicy, tt.configGatherer, ) - mockController := NewWithTechPreview(nil, nil, apiConfig, nil, nil, cs.InsightsV1(), nil, nil, nil, nil) + mockConfigMapConfigurator := config.NewMockConfigMapConfigurator(&config.InsightsConfiguration{ + DataReporting: config.DataReporting{ + Obfuscation: config.Obfuscation{}, + }, + }) + mockController := NewWithTechPreview(nil, mockConfigMapConfigurator, apiConfig, nil, nil, cs.InsightsV1(), nil, nil, nil, nil) dg, err := mockController.createNewDataGatherCR(context.Background()) assert.NoError(t, err) @@ -771,7 +776,12 @@ func TestCreateDataGatherAttributeValues(t *testing.T) { for _, tt := range tests { t.Run(tt.name, func(t *testing.T) { mockAPIConfig := config.NewMockAPIConfigurator(&tt.gatherConfig) - mockController := NewWithTechPreview(nil, nil, mockAPIConfig, tt.gatheres, nil, nil, nil, nil, nil, nil) + mockConfigMapConfigurator := config.NewMockConfigMapConfigurator(&config.InsightsConfiguration{ + DataReporting: config.DataReporting{ + Obfuscation: config.Obfuscation{}, + }, + }) + mockController := NewWithTechPreview(nil, mockConfigMapConfigurator, mockAPIConfig, tt.gatheres, nil, nil, nil, nil, nil, nil) disabledGatherers, dp, storage := mockController.createDataGatherAttributeValues() assert.Equal(t, tt.expectedPolicy, dp) assert.EqualValues(t, tt.expectedDisabledGatherers, disabledGatherers) @@ -780,6 +790,76 @@ func TestCreateDataGatherAttributeValues(t *testing.T) { } } +func TestCreateDataGatherAttributeValues_ConfigMapObfuscationPrecedence(t *testing.T) { + tests := []struct { + name string + gatherConfig configv1.GatherConfig + configMapObfuscation config.Obfuscation + expectedPolicy []insightsv1.DataPolicyOption + }{ + { + name: "ConfigMap obfuscation takes precedence over InsightsDataGather CR", + gatherConfig: configv1.GatherConfig{ + DataPolicy: []configv1.DataPolicyOption{ + configv1.DataPolicyOptionObfuscateWorkloadNames, + }, + Gatherers: configv1.Gatherers{ + Mode: configv1.GatheringModeAll, + }, + }, + configMapObfuscation: config.Obfuscation{config.Networking}, + expectedPolicy: []insightsv1.DataPolicyOption{ + insightsv1.DataPolicyOptionObfuscateNetworking, + }, + }, + { + name: "Empty ConfigMap obfuscation - fallback to InsightsDataGather CR", + gatherConfig: configv1.GatherConfig{ + DataPolicy: []configv1.DataPolicyOption{ + configv1.DataPolicyOptionObfuscateNetworking, + configv1.DataPolicyOptionObfuscateWorkloadNames, + }, + Gatherers: configv1.Gatherers{ + Mode: configv1.GatheringModeAll, + }, + }, + configMapObfuscation: config.Obfuscation{}, + expectedPolicy: []insightsv1.DataPolicyOption{ + insightsv1.DataPolicyOptionObfuscateNetworking, + insightsv1.DataPolicyOptionObfuscateWorkloadNames, + }, + }, + { + name: "ConfigMap with both obfuscation types overrides InsightsDataGather CR", + gatherConfig: configv1.GatherConfig{ + DataPolicy: []configv1.DataPolicyOption{}, + Gatherers: configv1.Gatherers{ + Mode: configv1.GatheringModeAll, + }, + }, + configMapObfuscation: config.Obfuscation{config.Networking, config.WorkloadNames}, + expectedPolicy: []insightsv1.DataPolicyOption{ + insightsv1.DataPolicyOptionObfuscateNetworking, + insightsv1.DataPolicyOptionObfuscateWorkloadNames, + }, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + mockAPIConfig := config.NewMockAPIConfigurator(&tt.gatherConfig) + mockConfigMapConfigurator := config.NewMockConfigMapConfigurator(&config.InsightsConfiguration{ + DataReporting: config.DataReporting{ + Obfuscation: tt.configMapObfuscation, + }, + }) + mockController := NewWithTechPreview(nil, mockConfigMapConfigurator, mockAPIConfig, nil, nil, nil, nil, nil, nil, nil) + _, dp, _ := mockController.createDataGatherAttributeValues() + assert.Equal(t, tt.expectedPolicy, dp) + }) + } +} + func TestGetInsightsImage(t *testing.T) { tests := []struct { name string