return defensive deepcopy from GetDeploymentConfig to prevent mutation

Author: anik120

internal/operator-controller/config/config.go

@@ -102,6 +102,8 @@ func (c *Config) GetWatchNamespace() *string {
 // Returns nil if deploymentConfig is not set or is explicitly set to null.
 // The returned value is a generic map[string]any that can be marshaled to JSON
 // for validation or conversion to specific types (like v1alpha1.SubscriptionConfig).
+//
+// Returns a defensive deep copy so callers can't mutate the internal Config state.
 func (c *Config) GetDeploymentConfig() map[string]any {
 	if c == nil || *c == nil {
 		return nil
@@ -115,10 +117,26 @@ func (c *Config) GetDeploymentConfig() map[string]any {
 		return nil
 	}
 	// Schema validation ensures this is an object (map)
-	if dcMap, ok := val.(map[string]any); ok {
-		return dcMap
+	dcMap, ok := val.(map[string]any)
+	if !ok {
+		return nil
 	}
-	return nil
+
+	// Return a defensive deep copy so callers can't mutate the internal Config state.
+	// We use JSON marshal/unmarshal because the data is already JSON-compatible and
+	// this handles nested structures correctly.
+	data, err := json.Marshal(dcMap)
+	if err != nil {
+		// This should never happen since the map came from validated JSON/YAML,
+		// but return nil as a safe fallback
+		return nil
+	}
+	var copied map[string]any
+	if err := json.Unmarshal(data, &copied); err != nil {
+		// This should never happen for valid JSON
+		return nil
+	}
+	return copied
 }
 
 // UnmarshalConfig takes user configuration, validates it, and creates a Config object.

internal/operator-controller/config/config_test.go

@@ -651,4 +651,49 @@ func Test_GetDeploymentConfig(t *testing.T) {
 		result := cfg.GetDeploymentConfig()
 		require.Nil(t, result)
 	})
+
+	// Test that returned map is a defensive copy (mutations don't affect original)
+	t.Run("returned map is defensive copy - mutations don't affect original", func(t *testing.T) {
+		rawConfig := []byte(`{
+			"deploymentConfig": {
+				"nodeSelector": {
+					"kubernetes.io/os": "linux"
+				}
+			}
+		}`)
+
+		schema, err := bundle.GetConfigSchema()
+		require.NoError(t, err)
+
+		cfg, err := config.UnmarshalConfig(rawConfig, schema, "")
+		require.NoError(t, err)
+
+		// Get the deploymentConfig
+		result1 := cfg.GetDeploymentConfig()
+		require.NotNil(t, result1)
+
+		// Mutate the returned map
+		result1["nodeSelector"] = map[string]any{
+			"mutated": "value",
+		}
+		result1["newField"] = "added"
+
+		// Get deploymentConfig again - should be unaffected by mutations
+		result2 := cfg.GetDeploymentConfig()
+		require.NotNil(t, result2)
+
+		// Original values should be intact
+		require.Equal(t, map[string]any{
+			"nodeSelector": map[string]any{
+				"kubernetes.io/os": "linux",
+			},
+		}, result2)
+
+		// New field should not exist
+		_, exists := result2["newField"]
+		require.False(t, exists)
+
+		// result1 should have the mutations
+		require.Equal(t, "added", result1["newField"])
+	})
 }