fix for #146

datashim-io · Dec 16, 2021 · c0070d2 · c0070d2
1 parent 4d777b1
commit c0070d2
Show file tree

Hide file tree

Showing 2 changed files with 21 additions and 7 deletions.
diff --git a/src/dataset-operator/pkg/controller/dataset/dataset_controller.go b/src/dataset-operator/pkg/controller/dataset/dataset_controller.go
@@ -4,18 +4,19 @@ import (
 	"context"
 	b64 "encoding/base64"
 	"fmt"
+	"os"
+	"regexp"
+	"strconv"
+	"time"
+
 	comv1alpha1 "github.com/datashim-io/datashim/src/dataset-operator/pkg/apis/com/v1alpha1"
 	"github.com/go-logr/logr"
 	"gopkg.in/yaml.v2"
 	v1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes"
-	"os"
-	"regexp"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
-	"strconv"
-	"time"
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"

diff --git a/src/dataset-operator/pkg/controller/datasetinternal/datasetinternal_controller.go b/src/dataset-operator/pkg/controller/datasetinternal/datasetinternal_controller.go
@@ -339,16 +339,29 @@ func processLocalDatasetCOS(cr *comv1alpha1.DatasetInternal, rc *ReconcileDatase
 	processLocalDatasetLogger := log.WithValues("Dataset.Namespace", cr.Namespace, "Dataset.Name", cr.Name, "Method", "processLocalDataset")
 
 	authProvided := false
+	secretOK := false
 
 	var secretName, secretNamespace, accessKeyID, secretAccessKey string
 	var ok = false
 
 	if secretName, ok = cr.Spec.Local["secret-name"]; ok {
-		if secretNamespace, ok = cr.Spec.Local["secret-namespace"]; !ok {
-			processLocalDatasetLogger.Info("Warning: Secret namespace not provided, using the dataset namespace", "Dataset.Name", cr.Name)
-			secretNamespace = cr.Namespace
+
+		//16/12 - We will limit secrets to the same namespace as the dataset to fix #146
+		if secretNamespace, ok = cr.Spec.Local["secret-namespace"]; ok {
+			if secretNamespace == cr.ObjectMeta.Namespace {
+				processLocalDatasetLogger.Info("Error: secret namespace is same as dataset namespace, allowed", "Dataset.Name", cr.ObjectMeta.Name)
+				secretOK = true
+			} else {
+				processLocalDatasetLogger.Info("Error: secret namespace is different from dataset namespace, not allowed", "Dataset.Name", cr.ObjectMeta.Name)
+			}
+		} else {
+			processLocalDatasetLogger.Info("No secret namespace provided - using dataset namespace for secret", "Dataset Name", cr.ObjectMeta.Name, "Namespace", cr.ObjectMeta.Namespace)
+			secretNamespace = cr.ObjectMeta.Namespace
+			secretOK = true
 		}
+	}
 
+	if secretOK {
 		// Check if the secret is present
 		cosSecret := &corev1.Secret{}
 		err := rc.client.Get(context.TODO(), types.NamespacedName{Name: secretName, Namespace: secretNamespace}, cosSecret)