

ReplicatedSecrets should not pick up secrets from outside their own namespace. (#1283)
Miles-Garnsey authored Apr 17, 2024
1 parent 41ea670 commit 5e34af7
Showing 2 changed files with 12 additions and 4 deletions.
7 changes: 7 additions & 0 deletions CHANGELOG/RELEASE-NOTES.md
Expand Up @@ -10,6 +10,13 @@ To update an existing cluster, or create a new one, ensure that the `namespace`

If this functionality is critical to your use case, please raise an issue on Github and describe why it is important to you.

## v1.15.0

### Correction to ReplicatedSecrets namespacing behaviour

Replicated secrets no longer look in all namespaces to Replicate secrets whose labels match the MatchLabels selector in the ReplicatedSecret.

Instead, secrets will only be picked up by the matcher if they both have matching labels AND are also in the same namespace as the ReplicatedSecret.

## v1.12.0

9 changes: 5 additions & 4 deletions controllers/replication/secret_controller.go
Expand Up @@ -81,8 +81,8 @@ func (s *SecretSyncController) Reconcile(ctx context.Context, req ctrl.Request)
logger.Error(err, "Failed to delete the replicated secret, defined labels are invalid", "ReplicatedSecret", req.NamespacedName)
return reconcile.Result{}, err
}
// These are the secrets which are currently being replicated by THIS ReplicatedSecret in the local namespace.
secrets, err := s.fetchAllMatchingSecrets(ctx, selector)

secrets, err := s.fetchAllMatchingSecrets(ctx, selector, rsec.Namespace)
if err != nil {
logger.Error(err, "Failed to fetch the replicated secrets to cleanup", "ReplicatedSecret", req.NamespacedName)
return reconcile.Result{}, err
Expand Down Expand Up @@ -183,7 +183,7 @@ func (s *SecretSyncController) Reconcile(ctx context.Context, req ctrl.Request)
s.selectorMutex.Unlock()

// Fetch all the secrets that match the ReplicatedSecret's rules
secrets, err := s.fetchAllMatchingSecrets(ctx, selector)
secrets, err := s.fetchAllMatchingSecrets(ctx, selector, req.Namespace)
if err != nil {
logger.Error(err, "Failed to fetch linked secrets", "ReplicatedSecret", req.NamespacedName)
return reconcile.Result{Requeue: true}, err
Expand Down Expand Up @@ -373,10 +373,11 @@ func (s *SecretSyncController) verifyHashAnnotation(ctx context.Context, sec *co
return nil
}

func (s *SecretSyncController) fetchAllMatchingSecrets(ctx context.Context, selector labels.Selector) ([]corev1.Secret, error) {
func (s *SecretSyncController) fetchAllMatchingSecrets(ctx context.Context, selector labels.Selector, namespace string) ([]corev1.Secret, error) {
secrets := &corev1.SecretList{}
listOption := client.ListOptions{
LabelSelector: selector,
Namespace: namespace,
}
err := s.ClientCache.GetLocalClient().List(ctx, secrets, &listOption)
if err != nil {
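Review bot: The new `namespace` parameter on `fetchAllMatchingSecrets` fails open: if I read controller-runtime's `client.ListOptions` correctly, an empty `Namespace` means "list across all namespaces", so any present or future caller that passes "" silently reverts to the cluster-wide lookup this commit is meant to remove. Guard it at the top of the function with `if namespace == "" { return nil, errors.New("fetchAllMatchingSecrets: namespace must not be empty") }` (or `fmt.Errorf`, whichever the file already imports) so a missing namespace is an error rather than a broader query. The two call sites also take the namespace from different sources — `rsec.Namespace` in the first hunk and `req.Namespace` in the second; they presumably agree since rsec is fetched by req.NamespacedName, but using one form in both reads more clearly. A doc comment would pin the contract for the next maintainer: `// fetchAllMatchingSecrets lists the Secrets in namespace whose labels match selector; it never lists across namespaces.` The body of fetchAllMatchingSecrets continues past the end of the hunk.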
