OCPBUGS-33082: Add new use cases for networking obfuscation (#947)

* Remove unneeded utils function

* Add configuration hosts domain to the sensitive values

Author: ncaak

pkg/anonymization/anonymizer.go

@@ -56,8 +56,8 @@ const (
 	Ipv4Regex                            = `((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)`
 	Ipv4NetworkRegex                     = Ipv4Regex + "/([0-9]{1,2})"
 	Ipv4AddressOrNetworkRegex            = Ipv4Regex + "(/([0-9]{1,2}))?"
-	ClusterAPIServerPlaceholder          = "<CLUSTER_API_SERVER>"
 	ClusterBaseDomainPlaceholder         = "<CLUSTER_BASE_DOMAIN>"
+	ClusterHostPlaceholder               = "<CLUSTER_DOMAIN_HOST>"
 	UnableToCreateAnonymizerErrorMessage = "Unable to create anonymizer, " +
 		"some data won't be anonymized(ipv4 and cluster base domain). The error is %v"
 	clusterNetworksRecordName = "config/network.json"
@@ -109,6 +109,7 @@ func NewAnonymizerFromConfigClient(
 	networkClient networkv1client.NetworkV1Interface,
 	configurator configobserver.Interface,
 	dataPolicy v1alpha1.DataPolicy,
+	sensitiveVals map[string]string,
 ) (*Anonymizer, error) {
 	anonBuilder := &AnonBuilder{}
 	anonBuilder.
@@ -120,19 +121,15 @@ func NewAnonymizerFromConfigClient(
 		WithRunningInCluster(true).
 		WithSecretsClient(kubeClient.CoreV1().Secrets(secretNamespace))
 
-	baseDomain, err := utils.GetClusterBaseDomain(ctx, configClient)
-	if err != nil {
-		return nil, err
+	for value, placeholder := range sensitiveVals {
+		anonBuilder.WithSensitiveValue(value, placeholder)
 	}
-	anonBuilder.WithSensitiveValue(baseDomain, ClusterBaseDomainPlaceholder)
 
-	APIServerURLs, err := utils.GetClusterAPIServerInfo(ctx, configClient)
+	baseDomain, err := utils.GetClusterBaseDomain(ctx, configClient)
 	if err != nil {
 		return nil, err
 	}
-	for _, v := range APIServerURLs {
-		anonBuilder.WithSensitiveValue(v, ClusterAPIServerPlaceholder)
-	}
+	anonBuilder.WithSensitiveValue(baseDomain, ClusterBaseDomainPlaceholder)
 
 	return anonBuilder.Build()
 }
@@ -310,15 +307,18 @@ func NewAnonymizerFromConfig(
 	configurator configobserver.Interface,
 	dataPolicy v1alpha1.DataPolicy,
 ) (*Anonymizer, error) {
+	sensitiveVals := make(map[string]string)
 	kubeClient, err := kubernetes.NewForConfig(protoKubeConfig)
 	if err != nil {
 		return nil, err
 	}
+	sensitiveVals[extractDomain(protoKubeConfig.Host)] = ClusterHostPlaceholder
 
 	gatherKubeClient, err := kubernetes.NewForConfig(gatherProtoKubeConfig)
 	if err != nil {
 		return nil, err
 	}
+	sensitiveVals[extractDomain(gatherProtoKubeConfig.Host)] = ClusterHostPlaceholder
 
 	configClient, err := configv1client.NewForConfig(gatherKubeConfig)
 	if err != nil {
@@ -329,8 +329,12 @@ func NewAnonymizerFromConfig(
 	if err != nil {
 		return nil, err
 	}
+	sensitiveVals[extractDomain(gatherKubeConfig.Host)] = ClusterHostPlaceholder
 
-	return NewAnonymizerFromConfigClient(ctx, kubeClient, gatherKubeClient, configClient, networkClient, configurator, dataPolicy)
+	return NewAnonymizerFromConfigClient(ctx,
+		kubeClient, gatherKubeClient, configClient, networkClient,
+		configurator, dataPolicy, sensitiveVals,
+	)
 }
 
 // AnonymizeMemoryRecord takes record.MemoryRecord, removes the sensitive data from it and returns the same object
@@ -542,3 +546,16 @@ func getNextIP(originalIP net.IP, mask net.IPMask) (net.IP, bool) {
 
 	return resultIP, false
 }
+
+// extractDomain truncates protocol, host and port of the URL argument
+// and returns the base domain
+func extractDomain(url string) string {
+	baseDomain := strings.Join(strings.Split(url, ".")[1:], ".") // removes protocol and host parts
+	domain := strings.Split(baseDomain, ":")[0]                  // removes port (if any)
+
+	if domain == "" { // in case the URL is malformed
+		return url
+	}
+
+	return domain
+}

pkg/anonymization/anonymizer_test.go

@@ -116,7 +116,7 @@ func Test_GetNextIP(t *testing.T) {
 
 func getAnonymizer(t *testing.T) *Anonymizer {
 	clusterBaseDomain := "example.com"
-	clusterAPIServer := "example.apiserver.com" // in HyperShift, API Server does not share base domain
+	clusterConfigHost := "apiserver.com" // in HyperShift, API Server does not share base domain
 	networks := []string{
 		"127.0.0.0/8",
 		"192.168.0.0/16",
@@ -131,7 +131,7 @@ func getAnonymizer(t *testing.T) *Anonymizer {
 	anonBuilder := &AnonBuilder{}
 	anonBuilder.
 		WithSensitiveValue(clusterBaseDomain, ClusterBaseDomainPlaceholder).
-		WithSensitiveValue(clusterAPIServer, ClusterAPIServerPlaceholder).
+		WithSensitiveValue(clusterConfigHost, ClusterHostPlaceholder).
 		WithConfigurator(mockConfigMapConfigurator).
 		WithDataPolicy(v1alpha1.ObfuscateNetworking).
 		WithNetworks(networks).
@@ -153,7 +153,7 @@ func Test_Anonymizer(t *testing.T) {
 	nameTestCases := []testCase{
 		{"node1.example.com", "node1.<CLUSTER_BASE_DOMAIN>"},
 		{"api.example.com/test", "api.<CLUSTER_BASE_DOMAIN>/test"},
-		{"https://example.apiserver.com:6443", "https://<CLUSTER_API_SERVER>:6443"},
+		{"https://example.apiserver.com:6443", "https://example.<CLUSTER_DOMAIN_HOST>:6443"},
 	}
 	dataTestCases := []testCase{
 		{"api.example.com\n127.0.0.1  ", "api.<CLUSTER_BASE_DOMAIN>\n127.0.0.1  "},
@@ -165,7 +165,7 @@ func Test_Anonymizer(t *testing.T) {
 		{"192.168.1.255  ", "192.168.0.3  "},
 		{"192.169.1.255  ", "0.0.0.0  "},
 		{`{"key1": "val1", "key2": "127.0.0.128"'}`, `{"key1": "val1", "key2": "127.0.0.2"'}`},
-		{`{"APIServerURL": "https://example.apiserver.com:6443"}`, `{"APIServerURL": "https://<CLUSTER_API_SERVER>:6443"}`},
+		{`{"APIServerURL": "https://example.apiserver.com:6443"}`, `{"APIServerURL": "https://example.<CLUSTER_DOMAIN_HOST>:6443"}`},
 	}
 
 	for _, testCase := range nameTestCases {
@@ -451,6 +451,7 @@ func TestNewAnonymizerFromConfigClient(t *testing.T) {
 				networkClient,
 				mockConfigMapConfigurator,
 				v1alpha1.ObfuscateNetworking,
+				make(map[string]string),
 			)
 			assert.NoError(t, err)
 			assert.NotNil(t, anonymizer)