fixed obfuscation permissions (#424)

Author: Serhii Zakharov

Dockerfile.debug

@@ -1,4 +1,4 @@
-FROM registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.15-openshift-4.8 AS builder
+FROM registry.ci.openshift.org/ocp/builder:rhel-8-golang-1.16-openshift-4.8 AS builder
 RUN go get github.com/go-delve/delve/cmd/dlv
 WORKDIR /go/src/github.com/openshift/insights-operator
 COPY . .

Makefile

@@ -96,7 +96,7 @@ build-debug: ## Compiles the insights operator in debug mode
 
 .PHONY build-debug-container:
 build-debug-container: ## Compiles the insights operator and its container image for debug
-	$(CONTAINER_RUNTIME) build -t insights-operator -f ./Dockerfile.debug ../.
+	$(CONTAINER_RUNTIME) build -t insights-operator -f ./Dockerfile.debug .
 
 ## --------------------------------------
 ## Tools

pkg/anonymization/anonymizer.go

@@ -32,6 +32,7 @@ import (
 	configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
 	k8snet "k8s.io/utils/net"
 
@@ -68,7 +69,7 @@ type ConfigProvider interface {
 	Config() *config.Controller
 }
 
-// NewAnonymizer creates a new instance of anonymizer with a provided config observer and sensitive data
+// NewAnonymizer creates a new instance of anonymizer
 func NewAnonymizer(clusterBaseDomain string, networks []string) (*Anonymizer, error) {
 	networks = append(networks, "127.0.0.1/8")
 
@@ -94,7 +95,7 @@ func NewAnonymizer(clusterBaseDomain string, networks []string) (*Anonymizer, er
 	}, nil
 }
 
-// NewAnonymizer creates a new instance of anonymizer with a provided config observer and openshift config client
+// NewAnonymizerFromConfigClient creates a new instance of anonymizer with a provided openshift config client
 func NewAnonymizerFromConfigClient(
 	ctx context.Context, kubeClient kubernetes.Interface, configClient configv1client.ConfigV1Interface,
 ) (*Anonymizer, error) {
@@ -147,6 +148,23 @@ func NewAnonymizerFromConfigClient(
 	return NewAnonymizer(baseDomain, networks)
 }
 
+// NewAnonymizerFromConfig creates a new instance of anonymizer with a provided kubeconfig
+func NewAnonymizerFromConfig(
+	ctx context.Context, kubeConfig *rest.Config, protoKubeConfig *rest.Config,
+) (*Anonymizer, error) {
+	kubeClient, err := kubernetes.NewForConfig(protoKubeConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	configClient, err := configv1client.NewForConfig(kubeConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewAnonymizerFromConfigClient(ctx, kubeClient, configClient)
+}
+
 // AnonymizeMemoryRecord takes record.MemoryRecord, removes the sensitive data from it and returns the same object
 func (anonymizer *Anonymizer) AnonymizeMemoryRecord(memoryRecord *record.MemoryRecord) *record.MemoryRecord {
 	if len(anonymizer.clusterBaseDomain) != 0 {

pkg/controller/gather_job.go

@@ -5,7 +5,6 @@ import (
 	"fmt"
 	"os"
 
-	configv1client "github.com/openshift/client-go/config/clientset/versioned/typed/config/v1"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/kubernetes/scheme"
@@ -69,12 +68,8 @@ func (d *GatherJob) Gather(ctx context.Context, kubeConfig, protoKubeConfig *res
 
 	var anonymizer *anonymization.Anonymizer
 	if anonymization.IsObfuscationEnabled(configObserver) {
-		configClient, err := configv1client.NewForConfig(kubeConfig)
-		if err != nil {
-			return err
-		}
 		// anonymizer is responsible for anonymizing sensitive data, it can be configured to disable specific anonymization
-		anonymizer, err = anonymization.NewAnonymizerFromConfigClient(ctx, kubeClient, configClient)
+		anonymizer, err = anonymization.NewAnonymizerFromConfig(ctx, gatherKubeConfig, gatherProtoKubeConfig)
 		if err != nil {
 			return err
 		}

pkg/controller/operator.go

@@ -106,10 +106,10 @@ func (s *Operator) Run(ctx context.Context, controller *controllercmd.Controller
 	var anonymizer *anonymization.Anonymizer
 	if anonymization.IsObfuscationEnabled(configObserver) {
 		// anonymizer is responsible for anonymizing sensitive data, it can be configured to disable specific anonymization
-		anonymizer, err = anonymization.NewAnonymizerFromConfigClient(ctx, kubeClient, configClient)
+		anonymizer, err = anonymization.NewAnonymizerFromConfig(ctx, gatherKubeConfig, gatherProtoKubeConfig)
 		if err != nil {
+			// in case of an error anonymizer will be nil and anonymization will be just skipped
 			klog.Errorf(anonymization.UnableToCreateAnonymizerErrorMessage, err)
-			// anonymizer will be nil and anonymization will be just skipped
 		}
 	}