
fix: disable managed cache for cluster scope if rbac is restricted (#4502)

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
Gergely Brautigam 1 year ago
parent
commit
c161c288b0

+ 1 - 1
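--- a/cmd/controller/root.go
+++ b/cmd/controller/root.go
@@ -165,7 +165,7 @@ var rootCmd = &cobra.Command{
 		// if we are already caching all secrets, we don't need to use the special client.
 		secretClient := mgr.GetClient()
 		if enableManagedSecretsCache && !enableSecretsCache {
-			secretClient, err = ctrlcommon.BuildManagedSecretClient(mgr)
+			secretClient, err = ctrlcommon.BuildManagedSecretClient(mgr, namespace)
 			if err != nil {
 				setupLog.Error(err, "unable to create managed secret client")
 				os.Exit(1)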

+ 7 - 1
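--- a/pkg/controllers/common/common.go
+++ b/pkg/controllers/common/common.go
@@ -32,7 +32,7 @@ import (
 )
 
 // BuildManagedSecretClient creates a new client that only sees secrets with the "managed" label.
-func BuildManagedSecretClient(mgr ctrl.Manager) (client.Client, error) {
+func BuildManagedSecretClient(mgr ctrl.Manager, namespace string) (client.Client, error) {
 	// secrets we manage will have the `reconcile.external-secrets.io/managed=true` label
 	managedLabelReq, _ := labels.NewRequirement(esv1beta1.LabelManaged, selection.Equals, []string{esv1beta1.LabelManagedValue})
 	managedLabelSelector := labels.NewSelector().Add(*managedLabelReq)
@@ -52,6 +52,12 @@ func BuildManagedSecretClient(mgr ctrl.Manager) (client.Client, error) {
 		// and helps avoid people mistakenly using the secret client for other resources
 		ReaderFailOnMissingInformer: true,
 	}
+	if namespace != "" {
+		secretCacheOpts.DefaultNamespaces = map[string]cache.Config{
+			namespace: {},
+		}
+	}
+
 	secretCache, err := cache.New(mgr.GetConfig(), secretCacheOpts)
 	if err != nil {
 		return nil, err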
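Review bot: The doc comment on BuildManagedSecretClient still describes only the label filter and says nothing about the new namespace parameter, nor that an empty string keeps the previous behaviour (cluster-scoped, per the commit title), which is exactly the RBAC distinction this commit introduces. I would extend it to `// BuildManagedSecretClient creates a new client that only sees secrets with the "managed" label.` followed by `// If namespace is non-empty the secret cache is restricted to that namespace so it works with namespace-scoped RBAC; an empty namespace keeps the cache cluster-wide, which needs cluster-scoped list/watch on secrets.` The added DefaultNamespaces entry uses an empty cache.Config, which I read as inheriting the cache-wide defaults (including the managed-label selector built above) for that namespace — worth confirming against the controller-runtime version in use, since a per-namespace Config that did not inherit the selector would silently widen what this client can read. The function body continues past the second hunk.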

+ 1 - 1
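--- a/pkg/controllers/externalsecret/suite_test.go
+++ b/pkg/controllers/externalsecret/suite_test.go
@@ -104,7 +104,7 @@ var _ = BeforeSuite(func() {
 
 	// by default, we use a separate cached client for secrets that are managed by the controller
 	// so we should test under the same conditions
-	secretClient, err := ctrlcommon.BuildManagedSecretClient(k8sManager)
+	secretClient, err := ctrlcommon.BuildManagedSecretClient(k8sManager, "")
 	Expect(err).ToNot(HaveOccurred())
 
 	err = (&Reconciler{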
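Review bot: Passing `""` here means the suite still only exercises the cluster-scoped path; the new DefaultNamespaces branch in BuildManagedSecretClient, which is the part that matters under namespace-restricted RBAC, has no test in this commit. A setup that passes a concrete namespace and checks that a managed secret created in a different namespace is not readable through the returned client would pin the scoping behaviour and catch a regression where the per-namespace cache config stops applying the label selector. The BeforeSuite body continues outside the hunk.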