fix: preserve connection secret namespace in multi-step pipelines#297
Closed
fabioaraujopt wants to merge 1 commit intocrossplane-contrib:mainfrom
Closed
Conversation
fabioaraujopt
requested review from
negz,
phisco,
sergenyalcin,
turkenf and
ulucinar
as code owners
fabioaraujopt
force-pushed
the
fix/v2-conn-secret-namespace-stickiness
branch
3 times, most recently
from
6b50f97 to
f44a215
Compare
When a Composition uses multiple patch-and-transform steps, a later step without a connection secret namespace could overwrite a previously resolved namespace with an empty one. This is particularly problematic for cluster-scoped XRs where the default namespace is empty. This change makes the connection secret name and namespace 'sticky' by preserving non-empty values from the current desired state if the newly resolved reference has empty values. Signed-off-by: fabioaraujopt <fabioaraujoorg@gmail.com>
fabioaraujopt
force-pushed
the
fix/v2-conn-secret-namespace-stickiness
branch
from
f44a215 to
7a8020d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes a bug in
function-patch-and-transformwhere later pipeline steps can overwrite a previously resolved connection secret namespace with an empty one. This is particularly problematic for cluster-scoped XRs (e.g., S3 Buckets, Caches) because an empty namespace in aSecretreference is invalid in Crossplane's core reconciliation loop, leading to "poisoned" XRs that cannot self-heal.Root Cause
The function re-composes the v2 connection secret at the end of every
patch-and-transformstep if connection details are present. If a later step does not explicitly provide awriteConnectionSecretToRef.namespacein its input, the function defaults to the XR's namespace. For cluster-scoped XRs, this is empty, causing the clobbering of any valid namespace set by an earlier step.Example of the issue:
namespacetomy-tenant-ns. Connection secret is composed withnamespace: my-tenant-ns.namespace. Connection secret is re-composed, defaulting to XR's namespace (empty for cluster-scoped XRs).resourceRefsnow contains aSecretwith an empty namespace, causing reconciliation to fail.Solution
Modified
composeConnectionSecretto be "sticky". It now accepts the current desired state of the connection secret and preserves any non-emptyNameorNamespaceif the newly resolved reference would otherwise be empty. This ensures that once a valid namespace is patched or provided, it persists through subsequent steps in the same pipeline execution.Test plan
TestComposeConnectionSecretinconnection_test.gowithStickyNamespaceandStickyNamecases.go test ./....Relates to #278