Update dynamic DG to use fieldfilter functions

Signed-off-by: Charlie Egan <[email protected]>

Author: charlieegan3

pkg/datagatherer/k8s/dynamic.go

@@ -164,69 +164,41 @@ func (g *DataGathererDynamic) Fetch() (interface{}, error) {
 }
 
 func redactList(list *unstructured.UnstructuredList) error {
-	// In principal we could only redact the list if it's kind is SecretList or
-	// a generic mixed List, however the test suite does not set the list kind
-	// and it is safer to always check for Secrets.
 	for i := range list.Items {
 		// Determine the kind of items in case this is a generic 'mixed' list.
 		gvks, _, err := scheme.Scheme.ObjectKinds(&list.Items[i])
 		if err != nil {
 			return errors.WithStack(err)
 		}
 
-		object := list.Items[i]
+		resource := list.Items[i]
 
 		for _, gvk := range gvks {
 			// If this item is a Secret then we need to redact it.
 			if gvk.Kind == "Secret" && (gvk.Group == "core" || gvk.Group == "") {
+				Select([]string{
+					"kind",
+					"apiVersion",
+					"metadata.name",
+					"metadata.namespace",
+					"type",
+					"/data/tls.crt",
+					"/data/ca.crt",
+				}, &resource)
 
-				// If the secret is a tls secret, we redact all data other then
-				// the tls.crt and ca.crt. This is because we need to inspect
-				// the certificate to make recommendations.
-				if object.Object["type"] == "kubernetes.io/tls" {
-					secretData, ok := object.Object["data"].(map[string]interface{})
-					if ok {
-						for k := range secretData {
-							// Only these two keys will be sent, all others are
-							// deleted
-							if k != "tls.crt" && k != "ca.crt" {
-								delete(secretData, k)
-							}
-						}
-					} else {
-						// If secret is not string mapping, redact all secret data
-						object.Object["data"] = map[string]interface{}{}
-					}
-				} else {
-					// Redact all secret data for non-tls secrets
-					object.Object["data"] = map[string]interface{}{}
-				}
-
-				metadata, metadataPresent := object.Object["metadata"].(map[string]interface{})
-				if metadataPresent {
-					// Redact last-applied-configuration annotation if set
-					annotations, present := metadata["annotations"].(map[string]interface{})
-					if present {
-						_, annotationPresent := annotations["kubectl.kubernetes.io/last-applied-configuration"]
-						if annotationPresent {
-							annotations["kubectl.kubernetes.io/last-applied-configuration"] = "redacted"
-						}
-						metadata["annotations"] = annotations
-					}
-				}
 				// break when the object has been processed as a secret, no
 				// other kinds have redact modifications
 				break
 			}
 
-			metadata, metadataPresent := object.Object["metadata"].(map[string]interface{})
-			if metadataPresent {
-				// Drop managed fields if set
-				if _, present := metadata["managedFields"]; present {
-					delete(metadata, "managedFields")
-				}
-			}
+			// remove managedFields from all resources
+			Redact([]string{
+				"metadata.managedFields",
+			}, &resource)
 		}
+
+		// update the object in the list
+		list.Items[i] = resource
 	}
 	return nil
 }

pkg/datagatherer/k8s/dynamic_test.go

@@ -41,7 +41,10 @@ func getObject(version, kind, name, namespace string, withManagedFields bool) *u
 
 func getSecret(name, namespace string, data map[string]interface{}, isTLS bool, withLastApplied bool) *unstructured.Unstructured {
 	object := getObject("v1", "Secret", name, namespace, false)
-	object.Object["data"] = data
+
+	if data != nil {
+		object.Object["data"] = data
+	}
 
 	object.Object["type"] = "Opaque"
 	if isTLS {
@@ -56,10 +59,6 @@ func getSecret(name, namespace string, data map[string]interface{}, isTLS bool,
 		metadata["annotations"] = map[string]interface{}{
 			"kubectl.kubernetes.io/last-applied-configuration": string(jsonData),
 		}
-	} else { // generate an expected redacted secret
-		metadata["annotations"] = map[string]interface{}{
-			"kubectl.kubernetes.io/last-applied-configuration": "redacted",
-		}
 	}
 
 	return object
@@ -164,8 +163,8 @@ func TestDynamicGatherer_Fetch(t *testing.T) {
 				}, false, true),
 			},
 			expected: asUnstructuredList(
-				getSecret("testsecret", "testns1", map[string]interface{}{}, false, false),
-				getSecret("anothertestsecret", "testns2", map[string]interface{}{}, false, false),
+				getSecret("testsecret", "testns1", nil, false, false),
+				getSecret("anothertestsecret", "testns2", nil, false, false),
 			),
 		},
 		"Secret of type kubernetes.io/tls should have crts and not keys": {
@@ -188,7 +187,7 @@ func TestDynamicGatherer_Fetch(t *testing.T) {
 					"ca.crt":  "value",
 				}, true, false),
 				// all other keys removed
-				getSecret("anothertestsecret", "testns2", map[string]interface{}{}, true, false),
+				getSecret("anothertestsecret", "testns2", nil, true, false),
 			),
 		},
 		"Foos in different namespaces should be returned if they are in the namespace list for the gatherer": {
@@ -240,6 +239,9 @@ func TestDynamicGatherer_Fetch(t *testing.T) {
 			}
 			if diff, equal := messagediff.PrettyDiff(test.expected, res); !equal {
 				t.Errorf("\n%s", diff)
+				expectedJSON, _ := json.MarshalIndent(test.expected, "", "  ")
+				gotJSON, _ := json.MarshalIndent(res, "", "  ")
+				t.Fatalf("unexpected JSON: \ngot \n%s\nwant\n%s", string(gotJSON), expectedJSON)
 			}
 		})
 	}

pkg/datagatherer/k8s/fieldfilter.go

@@ -80,8 +80,6 @@ func Redact(fields []string, resource *unstructured.Unstructured) error {
 		}
 	}
 
-	fmt.Println(jsonParsed.String())
-
 	// load the filtered JSON back into the resource
 	err = json.Unmarshal(jsonParsed.Bytes(), resource)
 	if err != nil {