From 80af92cf5ccce5624fbe6944d5eaeac5aba183a3 Mon Sep 17 00:00:00 2001
From: mprahl <mprahl@users.noreply.github.com>
Date: Tue, 21 May 2024 15:06:24 -0400
Subject: [PATCH] Clarify the recordDiff default behavior

Signed-off-by: mprahl <mprahl@users.noreply.github.com>
---
 api/v1/configurationpolicy_types.go                    | 10 +++++++---
 ...en-cluster-management.io_configurationpolicies.yaml | 10 +++++++---
 ...en-cluster-management.io_configurationpolicies.yaml | 10 +++++++---
 3 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/api/v1/configurationpolicy_types.go b/api/v1/configurationpolicy_types.go
index e0a07f67..0867c65b 100644
--- a/api/v1/configurationpolicy_types.go
+++ b/api/v1/configurationpolicy_types.go
@@ -199,9 +199,13 @@ type ObjectTemplate struct {
 	// +kubebuilder:pruning:PreserveUnknownFields
 	ObjectDefinition runtime.RawExtension `json:"objectDefinition"`
 
-	// RecordDiff specifies whether (and where) to log the diff between the object on the
-	// cluster and the objectDefinition in the policy. Defaults to "None" when the object kind is
-	// ConfigMap, OAuthAccessToken, OAuthAuthorizeTokens, Route, or Secret. Defaults to "InStatus" otherwise.
+	// RecordDiff specifies whether and where to log the difference between the object on the cluster
+	// and the `objectDefinition` parameter in the policy. The supported options are `InStatus` to record the
+	// difference in the policy status field, `Log` to log the difference in the
+	// `config-policy-controller` pod, and `None` to not log the diff. The default value is `None` for
+	// object kinds that include sensitive data such as `ConfigMap`, `OAuthAccessToken`,
+	// `OAuthAuthorizeTokens`, `Route`, and `Secret`, or when a templated `objectDefinition` references sensitive
+	// data. For all other kinds, the default value is `InStatus`.
 	RecordDiff RecordDiff `json:"recordDiff,omitempty"`
 }
 
diff --git a/deploy/crds/kustomize_configurationpolicy/policy.open-cluster-management.io_configurationpolicies.yaml b/deploy/crds/kustomize_configurationpolicy/policy.open-cluster-management.io_configurationpolicies.yaml
index 548f7575..884dad55 100644
--- a/deploy/crds/kustomize_configurationpolicy/policy.open-cluster-management.io_configurationpolicies.yaml
+++ b/deploy/crds/kustomize_configurationpolicy/policy.open-cluster-management.io_configurationpolicies.yaml
@@ -165,9 +165,13 @@ spec:
                       x-kubernetes-preserve-unknown-fields: true
                     recordDiff:
                       description: |-
-                        RecordDiff specifies whether (and where) to log the diff between the object on the
-                        cluster and the objectDefinition in the policy. Defaults to "None" when the object kind is
-                        ConfigMap, OAuthAccessToken, OAuthAuthorizeTokens, Route, or Secret. Defaults to "InStatus" otherwise.
+                        RecordDiff specifies whether and where to log the difference between the object on the cluster
+                        and the `objectDefinition` parameter in the policy. The supported options are `InStatus` to record the
+                        difference in the policy status field, `Log` to log the difference in the
+                        `config-policy-controller` pod, and `None` to not log the diff. The default value is `None` for
+                        object kinds that include sensitive data such as `ConfigMap`, `OAuthAccessToken`,
+                        `OAuthAuthorizeTokens`, `Route`, and `Secret`, or when a templated `objectDefinition` references sensitive
+                        data. For all other kinds, the default value is `InStatus`.
                       enum:
                       - Log
                       - InStatus
diff --git a/deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml b/deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
index 6f9a6761..3a87a028 100644
--- a/deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
+++ b/deploy/crds/policy.open-cluster-management.io_configurationpolicies.yaml
@@ -172,9 +172,13 @@ spec:
                       x-kubernetes-preserve-unknown-fields: true
                     recordDiff:
                       description: |-
-                        RecordDiff specifies whether (and where) to log the diff between the object on the
-                        cluster and the objectDefinition in the policy. Defaults to "None" when the object kind is
-                        ConfigMap, OAuthAccessToken, OAuthAuthorizeTokens, Route, or Secret. Defaults to "InStatus" otherwise.
+                        RecordDiff specifies whether and where to log the difference between the object on the cluster
+                        and the `objectDefinition` parameter in the policy. The supported options are `InStatus` to record the
+                        difference in the policy status field, `Log` to log the difference in the
+                        `config-policy-controller` pod, and `None` to not log the diff. The default value is `None` for
+                        object kinds that include sensitive data such as `ConfigMap`, `OAuthAccessToken`,
+                        `OAuthAuthorizeTokens`, `Route`, and `Secret`, or when a templated `objectDefinition` references sensitive
+                        data. For all other kinds, the default value is `InStatus`.
                       enum:
                       - Log
                       - InStatus