Update the message when recordDiff is disabled by default

This provides more context as to why it may be unsafe to enable it. Signed-off-by: mprahl <mprahl@users.noreply.github.com>
open-cluster-management-io · May 21, 2024 · 0dcb265 · 0dcb265
1 parent 772646b
commit 0dcb265
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 8 deletions.
diff --git a/controllers/configurationpolicy_controller.go b/controllers/configurationpolicy_controller.go
@@ -2792,8 +2792,9 @@ func handleDiff(
  case policyv1.RecordDiffInStatus:
  return computedDiff
  case policyv1.RecordDiffCensored:
- return `# This diff may contain sensitive data. The "recordDiff" field must be set to "InStatus" ` +
- `to record a diff.`
+ return `# This diff might contain sensitive data. The spec["object-templates"][]["recordDiff"] field must be ` +
+ `set to "InStatus" for the differences to be recorded in the policy status. Consider existing access to ` +
+ `the ConfigurationPolicy objects and the etcd encryption configuration before you proceed.`
  }
 
  return ""

diff --git a/test/e2e/case39_diff_generation_test.go b/test/e2e/case39_diff_generation_test.go
@@ -148,8 +148,9 @@ var _ = Describe("Diff generation with sensitive input", Ordered, func() {
 
  diff, _, _ := unstructured.NestedString(relatedObjects[0].(map[string]interface{}), "properties", "diff")
  Expect(diff).To(Equal(
- `# This diff may contain sensitive data. The "recordDiff" field must be set to "InStatus" ` +
- `to record a diff.`,
+ `# This diff might contain sensitive data. The spec["object-templates"][]["recordDiff"] field must be ` +
+ `set to "InStatus" for the differences to be recorded in the policy status. Consider existing access ` +
+ `to the ConfigurationPolicy objects and the etcd encryption configuration before you proceed.`,
  ))
  })
 
@@ -179,8 +180,9 @@ var _ = Describe("Diff generation with sensitive input", Ordered, func() {
 
  diff, _, _ := unstructured.NestedString(relatedObjects[0].(map[string]interface{}), "properties", "diff")
  Expect(diff).To(Equal(
- `# This diff may contain sensitive data. The "recordDiff" field must be set to "InStatus" ` +
- `to record a diff.`,
+ `# This diff might contain sensitive data. The spec["object-templates"][]["recordDiff"] field must be ` +
+ `set to "InStatus" for the differences to be recorded in the policy status. Consider existing access ` +
+ `to the ConfigurationPolicy objects and the etcd encryption configuration before you proceed.`,
  ))
  })
 
@@ -210,8 +212,9 @@ var _ = Describe("Diff generation with sensitive input", Ordered, func() {
 
  diff, _, _ := unstructured.NestedString(relatedObjects[0].(map[string]interface{}), "properties", "diff")
  Expect(diff).To(Equal(
- `# This diff may contain sensitive data. The "recordDiff" field must be set to "InStatus" ` +
- `to record a diff.`,
+ `# This diff might contain sensitive data. The spec["object-templates"][]["recordDiff"] field must be ` +
+ `set to "InStatus" for the differences to be recorded in the policy status. Consider existing access ` +
+ `to the ConfigurationPolicy objects and the etcd encryption configuration before you proceed.`,
  ))
 
  By("Enforcing the policy removes the diff message")