From 0e691ba6b679f1ab069807a87aca21b3ef1a2e90 Mon Sep 17 00:00:00 2001
From: Thomas Eckert
Date: Fri, 8 Apr 2022 17:05:41 -0400
Subject: [PATCH] Only lookup secrets in the namespace where the install is targeting. (#1156)
* Only lookup secrets in the namespace where the install is targeting.
* Add Changelog
---
 CHANGELOG.md | 1 +
 cli/cmd/install/install.go | 2 +-
 cli/validation/kubernetes.go | 4 ++--
 cli/validation/kubernetes_test.go | 19 ++++++++++++++++++-
 4 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3d20ffcfe5..1def834bc3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,7 @@
 BUG FIXES:
 * CLI
 * Fix issue where clusters not in the same namespace as their deployment name could not be upgraded. [[GH-1115](https://github.com/hashicorp/consul-k8s/pull/1115)]
+ * Fix issue where the CLI was looking for secrets in namespaces other than the namespace targeted by the release. [[GH-1156](https://github.com/hashicorp/consul-k8s/pull/1156)]
 IMPROVEMENTS:
 * Helm
diff --git a/cli/cmd/install/install.go b/cli/cmd/install/install.go
index c994febc98..6053d2f4ac 100644
--- a/cli/cmd/install/install.go
+++ b/cli/cmd/install/install.go
@@ -411,7 +411,7 @@ func (c *Command) checkForPreviousPVCs() error {
 // and returns a message if the secret configuration is ok or an error if
 // the secret configuration could cause a conflict.
 func (c *Command) checkForPreviousSecrets(release release.Release) (string, error) {
- secrets, err := validation.ListConsulSecrets(c.Ctx, c.kubernetes)
+ secrets, err := validation.ListConsulSecrets(c.Ctx, c.kubernetes, release.Namespace)
 if err != nil {
 return "", fmt.Errorf("Error listing Consul secrets: %s", err)
 }
diff --git a/cli/validation/kubernetes.go b/cli/validation/kubernetes.go
index 8ece89efc5..99dc8af6f7 100644
--- a/cli/validation/kubernetes.go
+++ b/cli/validation/kubernetes.go
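Review bot: In cli/cmd/install/install.go, `release.Namespace` is handed to `validation.ListConsulSecrets` unchecked, and with client-go an empty namespace string (`metav1.NamespaceAll`) makes `Secrets("")` list across every namespace. If the release namespace can ever be unset at this point (not visible in the hunk), the call silently falls back to the cluster-wide lookup this commit removes and again needs cluster-scoped `list` permission on secrets. A guard before the call would make that explicit: `if release.Namespace == "" { return "", fmt.Errorf("release namespace is not set") }`. The same applies inside `ListConsulSecrets` in cli/validation/kubernetes.go, which accepts any string. The body of checkForPreviousSecrets continues past the end of the hunk.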
@@ -11,8 +11,8 @@ import (
 )
 // ListConsulSecrets attempts to find secrets with the Consul label.
-func ListConsulSecrets(ctx context.Context, client kubernetes.Interface) (*v1.SecretList, error) {
- secrets, err := client.CoreV1().Secrets("").List(ctx, metav1.ListOptions{
+func ListConsulSecrets(ctx context.Context, client kubernetes.Interface, namespace string) (*v1.SecretList, error) {
+ secrets, err := client.CoreV1().Secrets(namespace).List(ctx, metav1.ListOptions{
 LabelSelector: fmt.Sprintf("%s=%s", common.CLILabelKey, common.CLILabelValue),
 })
diff --git a/cli/validation/kubernetes_test.go b/cli/validation/kubernetes_test.go
index a17c066719..60d7ec243b 100644
--- a/cli/validation/kubernetes_test.go
+++ b/cli/validation/kubernetes_test.go
@@ -16,6 +16,7 @@ func TestListConsulSecrets(t *testing.T) {
 cases := map[string]struct {
 secrets *v1.SecretList
+ namespace string
 expectedSecrets int
 }{
 "No secrets": {
@@ -33,6 +34,7 @@ func TestListConsulSecrets(t *testing.T) {
 },
 },
 },
+ namespace: v1.NamespaceDefault,
 expectedSecrets: 1,
 },
 "A Consul and a non-Consul Secret": {
@@ -51,8 +53,23 @@ func TestListConsulSecrets(t *testing.T) {
 },
 },
 },
+ namespace: v1.NamespaceDefault,
 expectedSecrets: 1,
 },
+ "A Consul Secret in default namespace with lookup in consul namespace": {
+ secrets: &v1.SecretList{
+ Items: []v1.Secret{
+ {
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-consul-bootstrap-acl-token",
+ Labels: map[string]string{common.CLILabelKey: common.CLILabelValue},
+ },
+ },
+ },
+ },
+ namespace: "consul",
+ expectedSecrets: 0,
+ },
 }
 for name, tc := range cases {
@@ -64,7 +81,7 @@ func TestListConsulSecrets(t *testing.T) {
 require.NoError(t, err)
 }
- actual, err := ListConsulSecrets(context.Background(), client)
+ actual, err := ListConsulSecrets(context.Background(), client, tc.namespace)
 require.NoError(t, err)
 require.Equal(t, tc.expectedSecrets, len(actual.Items))
 })
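Review bot: The doc comment above `ListConsulSecrets` in cli/validation/kubernetes.go was left unchanged and no longer describes the function: it should name the new `namespace` parameter and say what an empty value does. Suggested wording: `// ListConsulSecrets lists secrets carrying the Consul CLI label in the given namespace. An empty namespace lists across all namespaces.` The function body continues past the end of the hunk, so how the returned error is handled is not visible here.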
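Review bot: In the new case "A Consul Secret in default namespace with lookup in consul namespace" (hunk at `@@ -51,8 +53,23 @@` of cli/validation/kubernetes_test.go), the secret's `ObjectMeta` sets no `Namespace`, so the claim in the test name rests entirely on the creation loop, which is outside the hunks shown. Setting it in the fixture keeps the case self-describing: `Namespace: v1.NamespaceDefault,` next to `Name:`. Separately, the "No secrets" case in the first hunk receives no `namespace` value, so it calls `ListConsulSecrets` with the empty string, which is the all-namespaces path; giving it `namespace: v1.NamespaceDefault,` would keep every case on the namespaced lookup the fix is about.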