fix obfuscation translation table secret (#461)

* fix obfuscation translation table secret

* fix tests

Author: Serhii Zakharov

manifests/03-clusterrole.yaml

@@ -222,38 +222,6 @@ subjects:
   namespace: openshift-insights
   name: gather
 
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: insights-operator-obfuscation-secret
-  namespace: openshift-insights
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-  - list
-  - create
-  - update
-  - delete
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: insights-operator-obfuscation-secret
-  namespace: openshift-insights
-roleRef:
-  kind: Role
-  name: insights-operator-obfuscation-secret
-subjects:
-- kind: ServiceAccount
-  name: gather
-  namespace: openshift-insights
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

pkg/anonymization/anonymizer.go

@@ -113,6 +113,7 @@ func NewAnonymizer(clusterBaseDomain string, networks []string, secretsClient co
 func NewAnonymizerFromConfigClient(
 	ctx context.Context,
 	kubeClient kubernetes.Interface,
+	gatherKubeClient kubernetes.Interface,
 	configClient configv1client.ConfigV1Interface,
 	networkClient networkv1client.NetworkV1Interface,
 ) (*Anonymizer, error) {
@@ -135,7 +136,7 @@ func NewAnonymizerFromConfigClient(
 	networks = append(networks, networksConfig.Spec.ExternalIP.Policy.AllowedCIDRs...)
 	networks = append(networks, networksConfig.Spec.ExternalIP.Policy.RejectedCIDRs...)
 
-	clusterConfigV1, err := kubeClient.CoreV1().ConfigMaps("kube-system").Get(ctx, "cluster-config-v1", metav1.GetOptions{})
+	clusterConfigV1, err := gatherKubeClient.CoreV1().ConfigMaps("kube-system").Get(ctx, "cluster-config-v1", metav1.GetOptions{})
 	if err != nil {
 		return nil, err
 	}
@@ -183,24 +184,29 @@ func NewAnonymizerFromConfigClient(
 
 // NewAnonymizerFromConfig creates a new instance of anonymizer with a provided kubeconfig
 func NewAnonymizerFromConfig(
-	ctx context.Context, kubeConfig *rest.Config, protoKubeConfig *rest.Config,
+	ctx context.Context, gatherKubeConfig *rest.Config, gatherProtoKubeConfig *rest.Config, protoKubeConfig *rest.Config,
 ) (*Anonymizer, error) {
 	kubeClient, err := kubernetes.NewForConfig(protoKubeConfig)
 	if err != nil {
 		return nil, err
 	}
 
-	configClient, err := configv1client.NewForConfig(kubeConfig)
+	gatherKubeClient, err := kubernetes.NewForConfig(gatherProtoKubeConfig)
 	if err != nil {
 		return nil, err
 	}
 
-	networkClient, err := networkv1client.NewForConfig(kubeConfig)
+	configClient, err := configv1client.NewForConfig(gatherKubeConfig)
 	if err != nil {
 		return nil, err
 	}
 
-	return NewAnonymizerFromConfigClient(ctx, kubeClient, configClient, networkClient)
+	networkClient, err := networkv1client.NewForConfig(gatherKubeConfig)
+	if err != nil {
+		return nil, err
+	}
+
+	return NewAnonymizerFromConfigClient(ctx, kubeClient, gatherKubeClient, configClient, networkClient)
 }
 
 // AnonymizeMemoryRecord takes record.MemoryRecord, removes the sensitive data from it and returns the same object

pkg/anonymization/anonymizer_test.go

@@ -318,6 +318,7 @@ func TestAnonymizer_NewAnonymizerFromConfigClient(t *testing.T) {
 	anonymizer, err := NewAnonymizerFromConfigClient(
 		context.TODO(),
 		kubeClient,
+		kubeClient,
 		configClient,
 		networkClient,
 	)

pkg/controller/gather_job.go

@@ -69,7 +69,7 @@ func (d *GatherJob) Gather(ctx context.Context, kubeConfig, protoKubeConfig *res
 	var anonymizer *anonymization.Anonymizer
 	if anonymization.IsObfuscationEnabled(configObserver) {
 		// anonymizer is responsible for anonymizing sensitive data, it can be configured to disable specific anonymization
-		anonymizer, err = anonymization.NewAnonymizerFromConfig(ctx, gatherKubeConfig, gatherProtoKubeConfig)
+		anonymizer, err = anonymization.NewAnonymizerFromConfig(ctx, gatherKubeConfig, gatherProtoKubeConfig, protoKubeConfig)
 		if err != nil {
 			return err
 		}

pkg/controller/operator.go

@@ -106,7 +106,7 @@ func (s *Operator) Run(ctx context.Context, controller *controllercmd.Controller
 	var anonymizer *anonymization.Anonymizer
 	if anonymization.IsObfuscationEnabled(configObserver) {
 		// anonymizer is responsible for anonymizing sensitive data, it can be configured to disable specific anonymization
-		anonymizer, err = anonymization.NewAnonymizerFromConfig(ctx, gatherKubeConfig, gatherProtoKubeConfig)
+		anonymizer, err = anonymization.NewAnonymizerFromConfig(ctx, gatherKubeConfig, gatherProtoKubeConfig, controller.ProtoKubeConfig)
 		if err != nil {
 			// in case of an error anonymizer will be nil and anonymization will be just skipped
 			klog.Errorf(anonymization.UnableToCreateAnonymizerErrorMessage, err)

pkg/gatherers/clusterconfig/clusterconfig_gatherer.go

@@ -46,7 +46,7 @@ func failableFunc(function gathererFuncPtr) gatheringFunction {
 }
 
 var gatheringFunctions = map[string]gatheringFunction{
-	"pdbs":                              importantFunc((*Gatherer).GatherPodDisruptionBudgets),
+	"pdbs":                              failableFunc((*Gatherer).GatherPodDisruptionBudgets),
 	"metrics":                           failableFunc((*Gatherer).GatherMostRecentMetrics),
 	"operators":                         importantFunc((*Gatherer).GatherClusterOperators),
 	"operators_pods_and_events":         importantFunc((*Gatherer).GatherClusterOperatorPodsAndEvents),