Bug 2005816: make projectid and region anonymization consistent (openshift#534)

Serhii Zakharov · web-flow · commit 0fefe8443deb · 2021-12-15T12:19:11.000+01:00
* make projectid and region anonymization consistent

* anonymized the rest

* cluster-config-v1

* test

* anonymize service accounts

* lint
diff --git a/docs/insights-archive-sample/config/configmaps/kube-system/cluster-config-v1.json b/docs/insights-archive-sample/config/configmaps/kube-system/cluster-config-v1.json
@@ -22,6 +22,6 @@
     ]
   },
   "data": {
-    "install-config": "apiVersion: v1\nbaseDomain: xxxxxxxxxxxxxxxxxxx\ncompute:\n- hyperthreading: Enabled\n  name: worker\n  platform: {}\n  replicas: 3\ncontrolPlane:\n  hyperthreading: Enabled\n  name: master\n  platform: {}\n  replicas: 3\nmetadata:\n  creationTimestamp: null\n  name: tremes-testing.tremes.2021.07.12.ccxdev.devshift.net\nnetworking:\n  clusterNetwork:\n  - cidr: 10.128.0.0/14\n    hostPrefix: 23\n  machineNetwork:\n  - cidr: 10.0.0.0/16\n  networkType: OpenShiftSDN\n  serviceNetwork:\n  - 172.30.0.0/16\nplatform:\n  aws:\n    region: us-east-2\npublish: External\npullSecret: \"\"\n"
+    "install-config": "apiVersion: v1\nbaseDomain: xxxxxxxxxxxxxxxxxxx\ncompute:\n- hyperthreading: Enabled\n  name: worker\n  platform: {}\n  replicas: 3\ncontrolPlane:\n  hyperthreading: Enabled\n  name: master\n  platform: {}\n  replicas: 3\nmetadata:\n  creationTimestamp: null\n  name: tremes-testing.tremes.2021.07.12.ccxdev.devshift.net\nnetworking:\n  clusterNetwork:\n  - cidr: 10.128.0.0/14\n    hostPrefix: 23\n  machineNetwork:\n  - cidr: 10.0.0.0/16\n  networkType: OpenShiftSDN\n  serviceNetwork:\n  - 172.30.0.0/16\nplatform:\n  aws:\n    region: xxxxxxxxx\npublish: External\npullSecret: \"\"\n"
   }
 }
diff --git a/docs/insights-archive-sample/machinesets/openshift-machine-api/ci-ln-fyvthbt-f76d1-nl2fh-worker-b.json b/docs/insights-archive-sample/machinesets/openshift-machine-api/ci-ln-fyvthbt-f76d1-nl2fh-worker-b.json
@@ -64,8 +64,8 @@
                 "subnetwork": "ci-ln-fyvthbt-f76d1-nl2fh-worker-subnet"
               }
             ],
-            "projectID": "openshift-gce-devel-ci",
-            "region": "us-east1",
+            "projectID": "xxxxxxxxxxxxxxxxxxxxxx",
+            "region": "xxxxxxxx",
             "serviceAccounts": [
               {
                 "email": "ci-ln-fyvthbt-f76d1-nl2fh-w@openshift-gce-devel-ci.iam.gserviceaccount.com",
diff --git a/docs/insights-archive-sample/machinesets/openshift-machine-api/ci-ln-fyvthbt-f76d1-nl2fh-worker-c.json b/docs/insights-archive-sample/machinesets/openshift-machine-api/ci-ln-fyvthbt-f76d1-nl2fh-worker-c.json
@@ -64,8 +64,8 @@
                 "subnetwork": "ci-ln-fyvthbt-f76d1-nl2fh-worker-subnet"
               }
             ],
-            "projectID": "openshift-gce-devel-ci",
-            "region": "us-east1",
+            "projectID": "xxxxxxxxxxxxxxxxxxxxxx",
+            "region": "xxxxxxxx",
             "serviceAccounts": [
               {
                 "email": "ci-ln-fyvthbt-f76d1-nl2fh-w@openshift-gce-devel-ci.iam.gserviceaccount.com",
diff --git a/docs/insights-archive-sample/machinesets/openshift-machine-api/ci-ln-fyvthbt-f76d1-nl2fh-worker-d.json b/docs/insights-archive-sample/machinesets/openshift-machine-api/ci-ln-fyvthbt-f76d1-nl2fh-worker-d.json
@@ -64,8 +64,8 @@
                 "subnetwork": "ci-ln-fyvthbt-f76d1-nl2fh-worker-subnet"
               }
             ],
-            "projectID": "openshift-gce-devel-ci",
-            "region": "us-east1",
+            "projectID": "xxxxxxxxxxxxxxxxxxxxxx",
+            "region": "xxxxxxxx",
             "serviceAccounts": [
               {
                 "email": "ci-ln-fyvthbt-f76d1-nl2fh-w@openshift-gce-devel-ci.iam.gserviceaccount.com",
diff --git a/pkg/gatherers/clusterconfig/cluster_config_v1_config_map.go b/pkg/gatherers/clusterconfig/cluster_config_v1_config_map.go
@@ -54,5 +54,25 @@ func anonymizeInstallConfig(installConfig *installertypes.InstallConfig) *instal
 	// we don't use it
 	installConfig.BaseDomain = anonymize.String(installConfig.BaseDomain)
 
+	if installConfig.Platform.AWS != nil {
+		installConfig.Platform.AWS.Region = anonymize.String(installConfig.Platform.AWS.Region)
+	}
+	if installConfig.Platform.Azure != nil {
+		installConfig.Platform.Azure.Region = anonymize.String(installConfig.Platform.Azure.Region)
+	}
+	if installConfig.Platform.GCP != nil {
+		installConfig.Platform.GCP.Region = anonymize.String(installConfig.Platform.GCP.Region)
+		installConfig.Platform.GCP.ProjectID = anonymize.String(installConfig.Platform.GCP.ProjectID)
+	}
+	if installConfig.Platform.VSphere != nil {
+		installConfig.Platform.VSphere.Datacenter = anonymize.String(installConfig.Platform.VSphere.Datacenter)
+		installConfig.Platform.VSphere.Username = anonymize.String(installConfig.Platform.VSphere.Username)
+		installConfig.Platform.VSphere.Password = anonymize.String(installConfig.Platform.VSphere.Password)
+	}
+	if installConfig.Platform.OpenStack != nil {
+		installConfig.Platform.OpenStack.Region = anonymize.String(installConfig.Platform.OpenStack.Region)
+		installConfig.Platform.OpenStack.Cloud = anonymize.String(installConfig.Platform.OpenStack.Cloud)
+	}
+
 	return installConfig
 }
diff --git a/pkg/gatherers/clusterconfig/cluster_config_v1_config_map_test.go b/pkg/gatherers/clusterconfig/cluster_config_v1_config_map_test.go
@@ -0,0 +1,50 @@
+package clusterconfig
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kubefake "k8s.io/client-go/kubernetes/fake"
+)
+
+func Test_gatherClusterConfigV1(t *testing.T) {
+	coreClient := kubefake.NewSimpleClientset()
+
+	_, err := coreClient.CoreV1().ConfigMaps("kube-system").Create(context.Background(), &corev1.ConfigMap{
+		TypeMeta: metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "cluster-config-v1",
+		},
+		Immutable: nil,
+		Data: map[string]string{
+			"install-config": "{}",
+		},
+		BinaryData: nil,
+	}, metav1.CreateOptions{})
+	assert.NoError(t, err)
+
+	records, errs := gatherClusterConfigV1(context.Background(), coreClient.CoreV1())
+	assert.Empty(t, errs)
+
+	assert.Len(t, records, 1)
+	assert.Equal(t, "config/configmaps/kube-system/cluster-config-v1", records[0].Name)
+
+	data, err := records[0].Item.Marshal(context.Background())
+	assert.NoError(t, err)
+
+	installConfig := `baseDomain: \"\"\nmetadata:\n  creationTimestamp: null\nplatform: {}\npullSecret: \"\"\n`
+
+	assert.JSONEq(t, `{
+		"metadata": {
+			"name": "cluster-config-v1",
+			"namespace": "kube-system",
+			"creationTimestamp": null
+		},
+		"data": {
+			"install-config": "`+installConfig+`"
+		}
+	}`, string(data))
+}
diff --git a/pkg/gatherers/clusterconfig/image_registries.go b/pkg/gatherers/clusterconfig/image_registries.go
@@ -137,21 +137,23 @@ func anonymizeImageRegistry(config *registryv1.Config) *registryv1.Config {
 	if config.Spec.Storage.IBMCOS != nil {
 		anonymizeIBMCOSStorage(config.Spec.Storage.IBMCOS)
 	}
+
 	if config.Status.Storage.S3 != nil {
 		anonymizeS3Storage(config.Status.Storage.S3)
 	}
-	if config.Status.Storage.GCS != nil {
-		anonymizeGCSStorage(config.Status.Storage.GCS)
-	}
 	if config.Status.Storage.Azure != nil {
 		anonymizeAzureStorage(config.Status.Storage.Azure)
 	}
+	if config.Status.Storage.GCS != nil {
+		anonymizeGCSStorage(config.Status.Storage.GCS)
+	}
 	if config.Status.Storage.Swift != nil {
 		anonymizeSwiftStorage(config.Status.Storage.Swift)
 	}
 	if config.Status.Storage.IBMCOS != nil {
 		anonymizeIBMCOSStorage(config.Status.Storage.IBMCOS)
 	}
+
 	// kubectl.kubernetes.io/last-applied-configuration annotation contains complete previous resource definition
 	// including the sensitive information as bucket, keyIDs, etc.
 	if lac, ok := config.Annotations[lacAnnotation]; ok {
diff --git a/pkg/gatherers/clusterconfig/infrastructures.go b/pkg/gatherers/clusterconfig/infrastructures.go
@@ -42,5 +42,25 @@ func gatherClusterInfrastructure(ctx context.Context, configClient configv1clien
 
 func anonymizeInfrastructure(config *configv1.Infrastructure) *configv1.Infrastructure {
 	config.Status.InfrastructureName = anonymize.URL(config.Status.InfrastructureName)
+
+	if config.Status.PlatformStatus.AWS != nil {
+		config.Status.PlatformStatus.AWS.Region = anonymize.String(config.Status.PlatformStatus.AWS.Region)
+	}
+	if config.Status.PlatformStatus.Azure != nil {
+		config.Status.PlatformStatus.Azure.CloudName = configv1.AzureCloudEnvironment(
+			anonymize.String(string(config.Status.PlatformStatus.Azure.CloudName)),
+		)
+	}
+	if config.Status.PlatformStatus.GCP != nil {
+		config.Status.PlatformStatus.GCP.Region = anonymize.String(config.Status.PlatformStatus.GCP.Region)
+		config.Status.PlatformStatus.GCP.ProjectID = anonymize.String(config.Status.PlatformStatus.GCP.ProjectID)
+	}
+	if config.Status.PlatformStatus.IBMCloud != nil {
+		config.Status.PlatformStatus.IBMCloud.Location = anonymize.String(config.Status.PlatformStatus.IBMCloud.Location)
+	}
+	if config.Status.PlatformStatus.OpenStack != nil {
+		config.Status.PlatformStatus.OpenStack.CloudName = anonymize.String(config.Status.PlatformStatus.OpenStack.CloudName)
+	}
+
 	return config
 }
diff --git a/pkg/gatherers/clusterconfig/machine_sets.go b/pkg/gatherers/clusterconfig/machine_sets.go
@@ -6,10 +6,13 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/dynamic"
+	"k8s.io/klog/v2"
 
 	"github.com/openshift/insights-operator/pkg/record"
+	"github.com/openshift/insights-operator/pkg/utils/anonymize"
 )
 
 // GatherMachineSet collects MachineSet information
@@ -52,9 +55,66 @@ func gatherMachineSet(ctx context.Context, dynamicClient dynamic.Interface) ([]r
 		}
 		records = append(records, record.Record{
 			Name: recordName,
-			Item: record.ResourceMarshaller{Resource: &machineSets.Items[i]},
+			Item: record.ResourceMarshaller{Resource: anonymizeMachineset(&machineSets.Items[i])},
 		})
 	}
 
 	return records, nil
 }
+
+func anonymizeMachineset(data *unstructured.Unstructured) *unstructured.Unstructured {
+	fieldsToAnonymize := [][]string{
+		{"spec", "template", "spec", "providerSpec", "value", "projectID"},
+		{"spec", "template", "spec", "providerSpec", "value", "region"},
+		{"spec", "template", "spec", "providerSpec", "value", "placement", "availabilityZone"},
+		{"spec", "template", "spec", "providerSpec", "value", "placement", "region"},
+	}
+
+	for _, fieldToAnonymize := range fieldsToAnonymize {
+		err := anonymize.UnstructuredNestedStringField(data.Object, fieldToAnonymize...)
+		if err != nil {
+			klog.Infof("error during anonymizing machineset: %v", err)
+		}
+	}
+
+	return anonymizeServiceAccounts(data)
+}
+
+func anonymizeServiceAccounts(data *unstructured.Unstructured) *unstructured.Unstructured {
+	serviceAccounts, found, err := unstructured.NestedSlice(
+		data.Object, "spec", "template", "spec", "providerSpec", "value", "serviceAccounts",
+	)
+	if !found || err != nil {
+		klog.Infof("error during anonymizing machineset: unable to find service accounts %v %v", found, err)
+		return data
+	}
+
+	for i := range serviceAccounts {
+		serviceAccount, ok := serviceAccounts[i].(map[string]interface{})
+		if !ok {
+			klog.Infof("error during anonymizing machineset: service account is not a map")
+			continue
+		}
+
+		emailI, found := serviceAccount["email"]
+		if !found {
+			klog.Infof("error during anonymizing machineset: email was not found in service account map")
+			continue
+		}
+
+		email, ok := emailI.(string)
+		if !ok {
+			klog.Infof("error during anonymizing machineset: email was not a string")
+			continue
+		}
+
+		serviceAccount["email"] = anonymize.String(email)
+	}
+
+	err = unstructured.SetNestedSlice(data.Object, serviceAccounts, "spec", "template", "spec", "providerSpec", "value", "serviceAccounts")
+	if err != nil {
+		klog.Infof("error during anonymizing machineset: unable to set anonymized service accounts: %v", err.Error())
+	}
+
+	return data
+}
diff --git a/pkg/gatherers/clusterconfig/nodes.go b/pkg/gatherers/clusterconfig/nodes.go
@@ -48,21 +48,30 @@ func anonymizeNode(node *corev1.Node) *corev1.Node {
 		if isProductNamespacedKey(k) {
 			continue
 		}
+
 		node.Annotations[k] = ""
 	}
+
 	for k, v := range node.Labels {
-		if isProductNamespacedKey(k) {
+		if isProductNamespacedKey(k) && !isRegionLabel(k) {
 			continue
 		}
+
 		node.Labels[k] = anonymize.String(v)
 	}
+
 	node.Status.NodeInfo.BootID = anonymize.String(node.Status.NodeInfo.BootID)
 	node.Status.NodeInfo.SystemUUID = anonymize.String(node.Status.NodeInfo.SystemUUID)
 	node.Status.NodeInfo.MachineID = anonymize.String(node.Status.NodeInfo.MachineID)
 	node.Status.Images = nil
+
 	return node
 }
 
 func isProductNamespacedKey(key string) bool {
 	return strings.Contains(key, "openshift.io/") || strings.Contains(key, "k8s.io/") || strings.Contains(key, "kubernetes.io/")
 }
+
+func isRegionLabel(key string) bool {
+	return key == "failure-domain.beta.kubernetes.io/region" || key == "topology.kubernetes.io/region"
+}
diff --git a/pkg/utils/anonymize/unstructured.go b/pkg/utils/anonymize/unstructured.go
@@ -0,0 +1,22 @@
+package anonymize
+
+import (
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+// UnstructuredNestedStringField anonymizes the nested field in the unstructured object
+// or returns error if it is not possible
+func UnstructuredNestedStringField(data map[string]interface{}, fields ...string) error {
+	value, found, err := unstructured.NestedFieldCopy(data, fields...)
+	if err != nil {
+		return err
+	}
+	if !found {
+		return fmt.Errorf("unable to find field '%v'", fields)
+	}
+
+	valueStr, _ := value.(string)
+	return unstructured.SetNestedField(data, String(valueStr), fields...)
+}

Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,6 @@`
`22`	`22`	`]`
`23`	`23`	`},`
`24`	`24`	`"data": {`
`25`		- "install-config": "apiVersion: v1\nbaseDomain: xxxxxxxxxxxxxxxxxxx\ncompute:\n- hyperthreading: Enabled\n name: worker\n platform: {}\n replicas: 3\ncontrolPlane:\n hyperthreading: Enabled\n name: master\n platform: {}\n replicas: 3\nmetadata:\n creationTimestamp: null\n name: tremes-testing.tremes.2021.07.12.ccxdev.devshift.net\nnetworking:\n clusterNetwork:\n - cidr: 10.128.0.0/14\n hostPrefix: 23\n machineNetwork:\n - cidr: 10.0.0.0/16\n networkType: OpenShiftSDN\n serviceNetwork:\n - 172.30.0.0/16\nplatform:\n aws:\n region: us-east-2\npublish: External\npullSecret: \"\"\n"
	`25`	+ "install-config": "apiVersion: v1\nbaseDomain: xxxxxxxxxxxxxxxxxxx\ncompute:\n- hyperthreading: Enabled\n name: worker\n platform: {}\n replicas: 3\ncontrolPlane:\n hyperthreading: Enabled\n name: master\n platform: {}\n replicas: 3\nmetadata:\n creationTimestamp: null\n name: tremes-testing.tremes.2021.07.12.ccxdev.devshift.net\nnetworking:\n clusterNetwork:\n - cidr: 10.128.0.0/14\n hostPrefix: 23\n machineNetwork:\n - cidr: 10.0.0.0/16\n networkType: OpenShiftSDN\n serviceNetwork:\n - 172.30.0.0/16\nplatform:\n aws:\n region: xxxxxxxxx\npublish: External\npullSecret: \"\"\n"
`26`	`26`	`}`
`27`	`27`	`}`
Original file line number	Diff line number	Diff line change
`@@ -64,8 +64,8 @@`
`64`	`64`	`"subnetwork": "ci-ln-fyvthbt-f76d1-nl2fh-worker-subnet"`
`65`	`65`	`}`
`66`	`66`	`],`
`67`		`- "projectID": "openshift-gce-devel-ci",`
`68`		`- "region": "us-east1",`
	`67`	`+ "projectID": "xxxxxxxxxxxxxxxxxxxxxx",`
	`68`	`+ "region": "xxxxxxxx",`
`69`	`69`	`"serviceAccounts": [`
`70`	`70`	`{`
`71`	`71`	`"email": "ci-ln-fyvthbt-f76d1-nl2fh-w@openshift-gce-devel-ci.iam.gserviceaccount.com",`
Original file line number	Diff line number	Diff line change
`@@ -137,21 +137,23 @@ func anonymizeImageRegistry(config registryv1.Config) registryv1.Config {`
`137`	`137`	`if config.Spec.Storage.IBMCOS != nil {`
`138`	`138`	`anonymizeIBMCOSStorage(config.Spec.Storage.IBMCOS)`
`139`	`139`	`}`
	`140`	`+`
`140`	`141`	`if config.Status.Storage.S3 != nil {`
`141`	`142`	`anonymizeS3Storage(config.Status.Storage.S3)`
`142`	`143`	`}`
`143`		`- if config.Status.Storage.GCS != nil {`
`144`		`- anonymizeGCSStorage(config.Status.Storage.GCS)`
`145`		`- }`
`146`	`144`	`if config.Status.Storage.Azure != nil {`
`147`	`145`	`anonymizeAzureStorage(config.Status.Storage.Azure)`
`148`	`146`	`}`
	`147`	`+ if config.Status.Storage.GCS != nil {`
	`148`	`+ anonymizeGCSStorage(config.Status.Storage.GCS)`
	`149`	`+ }`
`149`	`150`	`if config.Status.Storage.Swift != nil {`
`150`	`151`	`anonymizeSwiftStorage(config.Status.Storage.Swift)`
`151`	`152`	`}`
`152`	`153`	`if config.Status.Storage.IBMCOS != nil {`
`153`	`154`	`anonymizeIBMCOSStorage(config.Status.Storage.IBMCOS)`
`154`	`155`	`}`
	`156`	`+`
`155`	`157`	`// kubectl.kubernetes.io/last-applied-configuration annotation contains complete previous resource definition`
`156`	`158`	`// including the sensitive information as bucket, keyIDs, etc.`
`157`	`159`	`if lac, ok := config.Annotations[lacAnnotation]; ok {`
Original file line number	Diff line number	Diff line change
`@@ -48,21 +48,30 @@ func anonymizeNode(node corev1.Node) corev1.Node {`
`48`	`48`	`if isProductNamespacedKey(k) {`
`49`	`49`	`continue`
`50`	`50`	`}`
	`51`	`+`
`51`	`52`	`node.Annotations[k] = ""`
`52`	`53`	`}`
	`54`	`+`
`53`	`55`	`for k, v := range node.Labels {`
`54`		`- if isProductNamespacedKey(k) {`
	`56`	`+ if isProductNamespacedKey(k) && !isRegionLabel(k) {`
`55`	`57`	`continue`
`56`	`58`	`}`
	`59`	`+`
`57`	`60`	`node.Labels[k] = anonymize.String(v)`
`58`	`61`	`}`
	`62`	`+`
`59`	`63`	`node.Status.NodeInfo.BootID = anonymize.String(node.Status.NodeInfo.BootID)`
`60`	`64`	`node.Status.NodeInfo.SystemUUID = anonymize.String(node.Status.NodeInfo.SystemUUID)`
`61`	`65`	`node.Status.NodeInfo.MachineID = anonymize.String(node.Status.NodeInfo.MachineID)`
`62`	`66`	`node.Status.Images = nil`
	`67`	`+`
`63`	`68`	`return node`
`64`	`69`	`}`
`65`	`70`
`66`	`71`	`func isProductNamespacedKey(key string) bool {`
`67`	`72`	`return strings.Contains(key, "openshift.io/") \|\| strings.Contains(key, "k8s.io/") \|\| strings.Contains(key, "kubernetes.io/")`
`68`	`73`	`}`
	`74`	`+`
	`75`	`+func isRegionLabel(key string) bool {`
	`76`	`+ return key == "failure-domain.beta.kubernetes.io/region" \|\| key == "topology.kubernetes.io/region"`
	`77`	`+}`