🐛 Fix ClusterObjectSet ref resolution for Secrets outside system namespace#2624
Conversation
✅ Deploy Preview for olmv1 ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
There was a problem hiding this comment.
Pull request overview
Adds an e2e scenario to validate direct ClusterObjectSet creation where phase objects are externalized in a Secret via ref, and improves e2e cleanup to handle additional (non-CE/COS) resources and namespaced deletions.
Changes:
- Add
revision.featurescenario forClusterObjectSetreferencing Secret-stored objects viaref. - Track additional applied resources for cleanup in
ResourceIsApplied. - Extend cleanup deletion to include
-n <namespace>when applicable.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| test/e2e/steps/steps.go | Tracks non-CE/COS applied resources (incl. namespace) for cleanup. |
| test/e2e/steps/hooks.go | Adds namespace field to tracked resources and uses it when deleting. |
| test/e2e/features/revision.feature | Adds new e2e scenario for COS creation via Secret ref objects. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
test/e2e/steps/hooks.go
Outdated
| args = append(args, "-n", res.namespace) | ||
| } | ||
| if _, err := k8sClient(args...); err != nil { | ||
| logger.Info("Error deleting resource", "name", res.name, "namespace", sc.namespace, "stderr", stderrOutput(err)) |
There was a problem hiding this comment.
The log field namespace uses sc.namespace, but the deletion is performed with res.namespace (and some resources may be cluster-scoped / other namespaces). This makes failure logs misleading. Log res.namespace (and optionally also log sc.namespace under a different key if you need scenario context).
| logger.Info("Error deleting resource", "name", res.name, "namespace", sc.namespace, "stderr", stderrOutput(err)) | |
| logger.Info("Error deleting resource", "name", res.name, "namespace", res.namespace, "scenarioNamespace", sc.namespace, "stderr", stderrOutput(err)) |
test/e2e/steps/steps.go
Outdated
| sc.addedResources = append(sc.addedResources, resource{ | ||
| name: res.GetName(), | ||
| kind: strings.ToLower(res.GetKind()), | ||
| namespace: res.GetNamespace(), |
There was a problem hiding this comment.
For namespaced resources applied without an explicit metadata.namespace in the YAML, res.GetNamespace() will be empty (because this is parsed from the manifest). With the new cleanup logic, those resources would be deleted without -n, likely leaving them behind. Consider defaulting namespace to the scenario/test namespace when res.GetNamespace() is empty (at least for this e2e harness), so cleanup reliably targets the namespace resources were applied into.
| sc.addedResources = append(sc.addedResources, resource{ | |
| name: res.GetName(), | |
| kind: strings.ToLower(res.GetKind()), | |
| namespace: res.GetNamespace(), | |
| namespace := res.GetNamespace() | |
| if namespace == "" { | |
| namespace = sc.namespace | |
| } | |
| sc.addedResources = append(sc.addedResources, resource{ | |
| name: res.GetName(), | |
| kind: strings.ToLower(res.GetKind()), | |
| namespace: namespace, |
| go func(res resource) { | ||
| if _, err := k8sClient("delete", res.kind, res.name, "--ignore-not-found=true"); err != nil { | ||
| args := []string{"delete", res.kind, res.name, "--ignore-not-found=true"} | ||
| if res.namespace != "" { | ||
| args = append(args, "-n", res.namespace) | ||
| } | ||
| if _, err := k8sClient(args...); err != nil { | ||
| logger.Info("Error deleting resource", "name", res.name, "namespace", sc.namespace, "stderr", stderrOutput(err)) | ||
| } | ||
| }(r) |
There was a problem hiding this comment.
Cleanup deletes all resources concurrently. With the PR tracking more resources, it becomes more likely that namespace deletion races with deletions of namespaced resources, creating intermittent cleanup failures/noise. Consider deleting in a deterministic order (e.g., delete tracked resources first, then delete the namespace last) and/or avoiding goroutines here so the namespace isn’t removed while other deletes are still in-flight.
pedjak
force-pushed
the
e2e-cos-ref-objects
branch
from
4b980cb to
20c5bc8
Compare
pedjak
changed the title
pedjak
changed the title
pedjak
force-pushed
the
e2e-cos-ref-objects
branch
from
20c5bc8 to
5af3951
Compare
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
The controller cache only watches the system namespace, causing ref resolution to fail when Secrets are stored in other namespaces. Fix by introducing a client wrapper that falls back to direct API calls for Secret reads outside the system namespace, and grant cluster-wide Secret get permission when BoxcutterRuntime is enabled. Adds an e2e scenario covering this path. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
pedjak
force-pushed
the
e2e-cos-ref-objects
branch
from
5af3951 to
f8a4c02
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #2624 +/- ##
==========================================
+ Coverage 63.19% 68.86% +5.67%
==========================================
Files 139 139
Lines 9902 9910 +8
==========================================
+ Hits 6258 6825 +567
+ Misses 3147 2573 -574
- Partials 497 512 +15
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
/approve |
openshift-ci
bot
added
the
approved
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rashmigottipati, tmshort The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-merge-bot
bot
merged commit a6989b7
into
operator-framework:main
Description
The controller cache only watches the system namespace, causing ClusterObjectSet ref resolution to fail when Secrets are stored in other namespaces.
This PR:
getpermission when BoxcutterRuntime is enabledReviewer Checklist