
test(e2e): scope gcp v2 remote secret names

Moritz Johner 2 месяцев назад
Родитель
Сommit
3979d6a5c5

+ 3 - 3
e2e/suites/provider/cases/common/clusterprovider.go

@@ -72,7 +72,7 @@ func ClusterProviderProviderNamespaceRecovery(f *framework.Framework, harness Cl
 func ClusterProviderDeniedByConditions(f *framework.Framework, harness ClusterProviderExternalSecretHarness) (string, func(*framework.TestCase)) {
 	return "[common] should deny workload namespaces that do not match ClusterProvider conditions", func(tc *framework.TestCase) {
 		targetSecretName := "denied-target"
-		remoteSecretName := "denied-source"
+		remoteSecretName := f.MakeRemoteRefKey("denied-source")
 		expectedMessage := "should-not-sync"
 
 		tc.ExpectedSecret = nil
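Review bot: `f.MakeRemoteRefKey` is called here as a function-valued field with no nil check, and the same call is added in clusterProviderSyncCase and clusterProviderRecoveryCase in the next two hunks. The unit tests added in this commit build `framework.Framework` literals and set the field by hand, which suggests a bare Framework leaves it nil. Whether the framework constructor always installs a default is not visible in this diff. If it does not, a provider suite that reaches these shared cases would panic instead of failing cleanly, so I would document the precondition on the case functions, e.g. `// f.MakeRemoteRefKey must be non-nil; provider suites may replace it to scope remote secret names.` The function bodies continue outside the hunks.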
@@ -117,7 +117,7 @@ func ClusterProviderDeniedByConditions(f *framework.Framework, harness ClusterPr
 func clusterProviderSyncCase(f *framework.Framework, harness ClusterProviderExternalSecretHarness, name, expectedValue string, authScope esv1.AuthenticationScope) (string, func(*framework.TestCase)) {
 	return fmt.Sprintf("[common] should use %s auth with ClusterProvider", authScope), func(tc *framework.TestCase) {
 		targetSecretName := fmt.Sprintf("%s-target", name)
-		remoteSecretName := fmt.Sprintf("%s-source", name)
+		remoteSecretName := f.MakeRemoteRefKey(fmt.Sprintf("%s-source", name))
 
 		tc.ExternalSecret.ObjectMeta.Name = fmt.Sprintf("%s-external-secret", name)
 		tc.ExternalSecret.Spec.Target.Name = targetSecretName
@@ -150,7 +150,7 @@ func clusterProviderSyncCase(f *framework.Framework, harness ClusterProviderExte
 func clusterProviderRecoveryCase(f *framework.Framework, harness ClusterProviderExternalSecretHarness, name, expectedValue string, authScope esv1.AuthenticationScope) (string, func(*framework.TestCase)) {
 	return fmt.Sprintf("[common] should recover after repairing ClusterProvider auth with %s scope", authScope), func(tc *framework.TestCase) {
 		targetSecretName := fmt.Sprintf("%s-target", name)
-		remoteSecretName := fmt.Sprintf("%s-source", name)
+		remoteSecretName := f.MakeRemoteRefKey(fmt.Sprintf("%s-source", name))
 
 		tc.ExpectedSecret = nil
 		tc.ExternalSecret.ObjectMeta.Name = fmt.Sprintf("%s-external-secret", name)

+ 54 - 0
e2e/suites/provider/cases/common/provider_runtime_test.go

@@ -24,6 +24,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	"github.com/external-secrets/external-secrets-e2e/framework"
+	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
 )
 
@@ -153,3 +154,56 @@ func TestApplyClusterProviderPushSecretUsesSafeObjectNameIndependentOfRemoteKey(
 		t.Fatalf("expected remote key %q, got %q", want, got)
 	}
 }
+
+func TestClusterProviderManifestNamespaceUsesMakeRemoteRefKey(t *testing.T) {
+	f := &framework.Framework{
+		Namespace: &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-ns"},
+		},
+		MakeRemoteRefKey: func(base string) string { return "scoped-" + base },
+	}
+	tc := &framework.TestCase{
+		Framework:        f,
+		ExternalSecret:   &esv1.ExternalSecret{},
+		ExpectedSecret:   &corev1.Secret{},
+		PushSecret:       &esv1alpha1.PushSecret{},
+		PushSecretSource: &corev1.Secret{},
+	}
+
+	_, apply := ClusterProviderManifestNamespace(f, ClusterProviderExternalSecretHarness{
+		Prepare: func(_ *framework.TestCase, _ ClusterProviderConfig) *ClusterProviderExternalSecretRuntime {
+			return &ClusterProviderExternalSecretRuntime{ClusterProviderName: "cluster-provider"}
+		},
+	})
+	apply(tc)
+
+	if _, ok := tc.Secrets["scoped-manifest-source"]; !ok {
+		t.Fatalf("expected cluster provider sync case to use MakeRemoteRefKey, got %v", tc.Secrets)
+	}
+	if got := tc.ExternalSecret.Spec.Data[0].RemoteRef.Key; got != "scoped-manifest-source" {
+		t.Fatalf("expected remote ref key %q, got %q", "scoped-manifest-source", got)
+	}
+}
+
+func TestClusterProviderDeniedByConditionsUsesMakeRemoteRefKey(t *testing.T) {
+	f := &framework.Framework{
+		Namespace: &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{Name: "test-ns"},
+		},
+		MakeRemoteRefKey: func(base string) string { return "scoped-" + base },
+	}
+	tc := &framework.TestCase{
+		Framework:      f,
+		ExternalSecret: &esv1.ExternalSecret{},
+	}
+
+	_, apply := ClusterProviderDeniedByConditions(f, ClusterProviderExternalSecretHarness{})
+	apply(tc)
+
+	if _, ok := tc.Secrets["scoped-denied-source"]; !ok {
+		t.Fatalf("expected cluster provider deny case to use MakeRemoteRefKey, got %v", tc.Secrets)
+	}
+	if got := tc.ExternalSecret.Spec.Data[0].RemoteRef.Key; got != "scoped-denied-source" {
+		t.Fatalf("expected remote ref key %q, got %q", "scoped-denied-source", got)
+	}
+}
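Review bot: Both new tests index `tc.ExternalSecret.Spec.Data[0]` without checking the length, so a case that stops populating Data would fail with an index-out-of-range panic rather than a readable message. A guard before the lookup fixes that: `if len(tc.ExternalSecret.Spec.Data) == 0 { t.Fatal("expected at least one ExternalSecret data entry") }`. The failure message in the first test says "sync case" although the test exercises ClusterProviderManifestNamespace. None of the added tests calls clusterProviderRecoveryCase by name, although this commit changes it too.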

+ 37 - 0
e2e/suites/provider/cases/gcp/provider_support_test.go

@@ -21,6 +21,11 @@ import (
 	"reflect"
 	"strings"
 	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/external-secrets/external-secrets-e2e/framework"
 )
 
 func TestGCPAccessConfigMissingStaticEnv(t *testing.T) {
@@ -107,3 +112,35 @@ func TestProviderV2RefreshSuiteOverridesDefaultRemoteMutation(t *testing.T) {
 		}
 	}
 }
+
+func TestConfigureGCPRemoteRefKeyKeepsBaseWithoutNamespace(t *testing.T) {
+	t.Parallel()
+
+	f := &framework.Framework{
+		MakeRemoteRefKey: func(base string) string { return base },
+	}
+
+	configureGCPRemoteRefKey(f)
+
+	if got := f.MakeRemoteRefKey("remote-key"); got != "remote-key" {
+		t.Fatalf("MakeRemoteRefKey() = %q, want %q", got, "remote-key")
+	}
+}
+
+func TestConfigureGCPRemoteRefKeyAppendsNamespaceSuffix(t *testing.T) {
+	t.Parallel()
+
+	f := &framework.Framework{
+		Namespace: &corev1.Namespace{
+			ObjectMeta: metav1.ObjectMeta{
+				Name: "test-ns-123456789",
+			},
+		},
+	}
+
+	configureGCPRemoteRefKey(f)
+
+	if got := f.MakeRemoteRefKey("remote-key"); got != "remote-key-23456789" {
+		t.Fatalf("MakeRemoteRefKey() = %q, want %q", got, "remote-key-23456789")
+	}
+}
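Review bot: These two tests cover a nil Namespace and a name longer than eight characters, but two branches of configureGCPRemoteRefKey stay untested: a name of eight characters or fewer, and an empty name on a non-nil Namespace. I would add cases for name `"ns"` expecting `"remote-key-ns"` and name `""` expecting `"remote-key"`. In TestConfigureGCPRemoteRefKeyKeepsBaseWithoutNamespace the identity function preset on `f` is overwritten by the call under test, so it has no effect on the result and can be dropped.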

+ 17 - 0
e2e/suites/provider/cases/gcp/provider_support_v2.go

@@ -57,6 +57,7 @@ type v2ClusterProviderScenario struct {
 
 func NewProviderV2(f *framework.Framework) *ProviderV2 {
 	access := newGCPAccessConfigFromEnv()
+	configureGCPRemoteRefKey(f)
 	backend := &GcpProvider{
 		ServiceAccountName:      access.ServiceAccountName,
 		ServiceAccountNamespace: "default",
@@ -83,6 +84,22 @@ func NewProviderV2(f *framework.Framework) *ProviderV2 {
 	return prov
 }
 
+func configureGCPRemoteRefKey(f *framework.Framework) {
+	f.MakeRemoteRefKey = func(base string) string {
+		if f.Namespace == nil {
+			return base
+		}
+		suffix := f.Namespace.Name
+		if len(suffix) > 8 {
+			suffix = suffix[len(suffix)-8:]
+		}
+		if suffix == "" {
+			return base
+		}
+		return fmt.Sprintf("%s-%s", base, suffix)
+	}
+}
+
 func (p *ProviderV2) CreateSecret(key string, val framework.SecretEntry) {
 	p.backend.CreateSecret(key, val)
 }
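Review bot: configureGCPRemoteRefKey keeps only the last eight characters of the namespace name, so remote secret names from concurrent runs stay distinct only if those eight characters are unique per namespace. How the framework generates namespace names is not visible here, and if the unique part is shorter or sits elsewhere, runs that share a backend could read or overwrite each other's secrets. The function also replaces any MakeRemoteRefKey already set on `f` instead of wrapping it, and NewProviderV2 applies that to the caller's framework as a side effect. I would state both in a doc comment, e.g. `// configureGCPRemoteRefKey scopes remote secret names to the test namespace by appending the last 8 characters of its name; it replaces any previously set MakeRemoteRefKey.`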