CCXDEV-15992: obfuscation config precedence

pkg/controller/periodic/periodic.go

@@ -23,6 +23,7 @@ import (
 	insightsv1cli "github.com/openshift/client-go/insights/clientset/versioned/typed/insights/v1"
 	operatorv1client "github.com/openshift/client-go/operator/clientset/versioned/typed/operator/v1"
 	"github.com/openshift/insights-operator/pkg/anonymization"
+	"github.com/openshift/insights-operator/pkg/config"
 	"github.com/openshift/insights-operator/pkg/config/configobserver"
 	"github.com/openshift/insights-operator/pkg/controller/status"
 	"github.com/openshift/insights-operator/pkg/controllerstatus"
@@ -474,7 +475,7 @@ func (c *Controller) GatherJob() {
 // If the processing was successful, a new Insights analysis report is loaded; if not,
 // it returns with the providing the info in the log message.
 func (c *Controller) runJobAndCheckResults(ctx context.Context, dataGather *insightsv1.DataGather, image string) {
-	// create a new periodic gathering job
+	// create a new gathering job
 	gj, err := c.jobController.CreateGathererJob(
 		ctx, image, &c.configAggregator.Config().DataReporting, dataGather,
 	)
@@ -806,8 +807,8 @@ func (c *Controller) PeriodicPrune(ctx context.Context) {
 }
 
 // createNewDataGatherCR creates a new "datagather.insights.openshift.io" custom resource
-// with generate name prefix "periodic-gathering-". Returns the newly created
-// resource or an error if the creation failed.
+// for periodic gathering only that has the name prefix "periodic-gathering-".
+// Returns the newly created resource or an error if the creation failed.
 func (c *Controller) createNewDataGatherCR(ctx context.Context) (*insightsv1.DataGather, error) {
 	// Get values from InsightsDataGather CRD that contains config for the data gathering job
 	gatherersConfig, dataPolicy, storageSpec := c.createDataGatherAttributeValues()
@@ -882,16 +883,32 @@ func (c *Controller) createDataGatherAttributeValues() (
 ) {
 	gatherConfig := c.apiConfigurator.GatherConfig()
 
+	// Read data policy from ConfigMap first
 	var dataPolicy []insightsv1.DataPolicyOption
-	for _, dataPolicyOption := range gatherConfig.DataPolicy {
-		switch dataPolicyOption {
-		case configv1.DataPolicyOptionObfuscateNetworking:
+	for _, obfuscationValue := range c.configAggregator.Config().DataReporting.Obfuscation {
+		switch obfuscationValue {
+		case config.Networking:
 			dataPolicy = append(dataPolicy, insightsv1.DataPolicyOptionObfuscateNetworking)
-		case configv1.DataPolicyOptionObfuscateWorkloadNames:
+		case config.WorkloadNames:
 			dataPolicy = append(dataPolicy, insightsv1.DataPolicyOptionObfuscateWorkloadNames)
 		}
 	}
 
+	// ConfigMap should take precedence for the obfuscation configuration so use the
+	// InsightsDataGather configuration only if there was none set in a ConfigMap
+	// If there is not configuration in both then no obfuscation should be applied
+	if len(dataPolicy) == 0 && gatherConfig != nil && len(gatherConfig.DataPolicy) > 0 {
+		klog.Infof("Using data policy from InsightsDataGather CR because ConfigMap has no obfuscation settings")
+		for _, dataPolicyOption := range gatherConfig.DataPolicy {
+			switch dataPolicyOption {
+			case configv1.DataPolicyOptionObfuscateNetworking:
+				dataPolicy = append(dataPolicy, insightsv1.DataPolicyOptionObfuscateNetworking)
+			case configv1.DataPolicyOptionObfuscateWorkloadNames:
+				dataPolicy = append(dataPolicy, insightsv1.DataPolicyOptionObfuscateWorkloadNames)
+			}
+		}
+	}
+
 	gatheringMode := insightsv1.GatheringModeAll
 	// InsightsDataGather might have an empty Spec, which would result in an empty Gatherers Mode.
 	// In that case, default to GatheringModeAll.

pkg/controller/periodic/periodic_test.go

@@ -314,7 +314,12 @@ func TestCreateNewDataGatherCR(t *testing.T) {
 				tt.dataPolicy,
 				tt.configGatherer,
 			)
-			mockController := NewWithTechPreview(nil, nil, apiConfig, nil, nil, cs.InsightsV1(), nil, nil, nil, nil)
+			mockConfigMapConfigurator := config.NewMockConfigMapConfigurator(&config.InsightsConfiguration{
+				DataReporting: config.DataReporting{
+					Obfuscation: config.Obfuscation{},
+				},
+			})
+			mockController := NewWithTechPreview(nil, mockConfigMapConfigurator, apiConfig, nil, nil, cs.InsightsV1(), nil, nil, nil, nil)
 
 			dg, err := mockController.createNewDataGatherCR(context.Background())
 			assert.NoError(t, err)
@@ -771,7 +776,12 @@ func TestCreateDataGatherAttributeValues(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			mockAPIConfig := config.NewMockAPIConfigurator(&tt.gatherConfig)
-			mockController := NewWithTechPreview(nil, nil, mockAPIConfig, tt.gatheres, nil, nil, nil, nil, nil, nil)
+			mockConfigMapConfigurator := config.NewMockConfigMapConfigurator(&config.InsightsConfiguration{
+				DataReporting: config.DataReporting{
+					Obfuscation: config.Obfuscation{},
+				},
+			})
+			mockController := NewWithTechPreview(nil, mockConfigMapConfigurator, mockAPIConfig, tt.gatheres, nil, nil, nil, nil, nil, nil)
 			disabledGatherers, dp, storage := mockController.createDataGatherAttributeValues()
 			assert.Equal(t, tt.expectedPolicy, dp)
 			assert.EqualValues(t, tt.expectedDisabledGatherers, disabledGatherers)
@@ -780,6 +790,76 @@ func TestCreateDataGatherAttributeValues(t *testing.T) {
 	}
 }
 
+func TestCreateDataGatherAttributeValues_ConfigMapObfuscationPrecedence(t *testing.T) {
+	tests := []struct {
+		name                 string
+		gatherConfig         configv1.GatherConfig
+		configMapObfuscation config.Obfuscation
+		expectedPolicy       []insightsv1.DataPolicyOption
+	}{
+		{
+			name: "ConfigMap obfuscation takes precedence over InsightsDataGather CR",
+			gatherConfig: configv1.GatherConfig{
+				DataPolicy: []configv1.DataPolicyOption{
+					configv1.DataPolicyOptionObfuscateWorkloadNames,
+				},
+				Gatherers: configv1.Gatherers{
+					Mode: configv1.GatheringModeAll,
+				},
+			},
+			configMapObfuscation: config.Obfuscation{config.Networking},
+			expectedPolicy: []insightsv1.DataPolicyOption{
+				insightsv1.DataPolicyOptionObfuscateNetworking,
+			},
+		},
+		{
+			name: "Empty ConfigMap obfuscation - fallback to InsightsDataGather CR",
+			gatherConfig: configv1.GatherConfig{
+				DataPolicy: []configv1.DataPolicyOption{
+					configv1.DataPolicyOptionObfuscateNetworking,
+					configv1.DataPolicyOptionObfuscateWorkloadNames,
+				},
+				Gatherers: configv1.Gatherers{
+					Mode: configv1.GatheringModeAll,
+				},
+			},
+			configMapObfuscation: config.Obfuscation{},
+			expectedPolicy: []insightsv1.DataPolicyOption{
+				insightsv1.DataPolicyOptionObfuscateNetworking,
+				insightsv1.DataPolicyOptionObfuscateWorkloadNames,
+			},
+		},
+		{
+			name: "ConfigMap with both obfuscation types overrides InsightsDataGather CR",
+			gatherConfig: configv1.GatherConfig{
+				DataPolicy: []configv1.DataPolicyOption{},
+				Gatherers: configv1.Gatherers{
+					Mode: configv1.GatheringModeAll,
+				},
+			},
+			configMapObfuscation: config.Obfuscation{config.Networking, config.WorkloadNames},
+			expectedPolicy: []insightsv1.DataPolicyOption{
+				insightsv1.DataPolicyOptionObfuscateNetworking,
+				insightsv1.DataPolicyOptionObfuscateWorkloadNames,
+			},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			mockAPIConfig := config.NewMockAPIConfigurator(&tt.gatherConfig)
+			mockConfigMapConfigurator := config.NewMockConfigMapConfigurator(&config.InsightsConfiguration{
+				DataReporting: config.DataReporting{
+					Obfuscation: tt.configMapObfuscation,
+				},
+			})
+			mockController := NewWithTechPreview(nil, mockConfigMapConfigurator, mockAPIConfig, nil, nil, nil, nil, nil, nil, nil)
+			_, dp, _ := mockController.createDataGatherAttributeValues()
+			assert.Equal(t, tt.expectedPolicy, dp)
+		})
+	}
+}
+
 func TestGetInsightsImage(t *testing.T) {
 	tests := []struct {
 		name              string