Update the message when recordDiff is disabled by default

This provides more context as to why it may be unsafe to enable it.

Signed-off-by: mprahl <mprahl@users.noreply.github.com>

controllers/configurationpolicy_controller.go

@@ -2792,8 +2792,10 @@ func handleDiff(
 	case policyv1.RecordDiffInStatus:
 		return computedDiff
 	case policyv1.RecordDiffCensored:
-		return `# This diff may contain sensitive data. The "recordDiff" field must be set to "InStatus" ` +
-			`to record a diff.`
+		return `# The difference is redacted because it contains sensitive data. To override, the ` +
+			`spec["object-templates"][].recordDiff field must be set to "InStatus" for the difference to be recorded ` +
+			`in the policy status. Consider existing access to the ConfigurationPolicy objects and the etcd ` +
+			`encryption configuration before you proceed with an override.`
 	}
 
 	return ""

test/e2e/case39_diff_generation_test.go

@@ -148,8 +148,10 @@ var _ = Describe("Diff generation with sensitive input", Ordered, func() {
 
 		diff, _, _ := unstructured.NestedString(relatedObjects[0].(map[string]interface{}), "properties", "diff")
 		Expect(diff).To(Equal(
-			`# This diff may contain sensitive data. The "recordDiff" field must be set to "InStatus" ` +
-				`to record a diff.`,
+			`# The difference is redacted because it contains sensitive data. To override, the ` +
+				`spec["object-templates"][].recordDiff field must be set to "InStatus" for the difference to be ` +
+				`recorded in the policy status. Consider existing access to the ConfigurationPolicy objects and the ` +
+				`etcd encryption configuration before you proceed with an override.`,
 		))
 	})
 
@@ -179,8 +181,10 @@ var _ = Describe("Diff generation with sensitive input", Ordered, func() {
 
 		diff, _, _ := unstructured.NestedString(relatedObjects[0].(map[string]interface{}), "properties", "diff")
 		Expect(diff).To(Equal(
-			`# This diff may contain sensitive data. The "recordDiff" field must be set to "InStatus" ` +
-				`to record a diff.`,
+			`# The difference is redacted because it contains sensitive data. To override, the ` +
+				`spec["object-templates"][].recordDiff field must be set to "InStatus" for the difference to be ` +
+				`recorded in the policy status. Consider existing access to the ConfigurationPolicy objects and the ` +
+				`etcd encryption configuration before you proceed with an override.`,
 		))
 	})
 
@@ -210,8 +214,10 @@ var _ = Describe("Diff generation with sensitive input", Ordered, func() {
 
 		diff, _, _ := unstructured.NestedString(relatedObjects[0].(map[string]interface{}), "properties", "diff")
 		Expect(diff).To(Equal(
-			`# This diff may contain sensitive data. The "recordDiff" field must be set to "InStatus" ` +
-				`to record a diff.`,
+			`# The difference is redacted because it contains sensitive data. To override, the ` +
+				`spec["object-templates"][].recordDiff field must be set to "InStatus" for the difference to be ` +
+				`recorded in the policy status. Consider existing access to the ConfigurationPolicy objects and the ` +
+				`etcd encryption configuration before you proceed with an override.`,
 		))
 
 		By("Enforcing the policy removes the diff message")