From e3c229022d92482b2469ce91e20ec01b003cb29b Mon Sep 17 00:00:00 2001
From: Miles Garnsey
Date: Mon, 15 Apr 2024 17:38:22 +1000
Subject: [PATCH] ReplicatedSecrets should not pick up secrets from outside their own namespace.

---
 CHANGELOG/RELEASE-NOTES.md | 6 ++++++
 controllers/replication/secret_controller.go | 7 ++++---
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG/RELEASE-NOTES.md b/CHANGELOG/RELEASE-NOTES.md
index 39f5f310b..43c8f1c7c 100644
--- a/CHANGELOG/RELEASE-NOTES.md
+++ b/CHANGELOG/RELEASE-NOTES.md
@@ -1,5 +1,11 @@
 # k8ssandra-operator - Release Notes
 
+## v1.14.0
+
+Replicated secrets no longer look in all namespaces to Replicate secrets whose labels match the MatchLabels selector in the ReplicatedSecret.
+
+Instead, secrets will only be picked up by the matcher if they both have matching labels AND are also in the same namespace as the ReplicatedSecret.
+
 ## v1.12.0
 
 It is now possible to disable Reaper front end authentication by adding either `spec.reaper.uiUserSecretRef: {}` or `spec.reaper.uiUserSecretRef: ""`.
diff --git a/controllers/replication/secret_controller.go b/controllers/replication/secret_controller.go
index 3902e3ef9..46dda1771 100644
--- a/controllers/replication/secret_controller.go
+++ b/controllers/replication/secret_controller.go
@@ -82,7 +82,7 @@ func (s *SecretSyncController) Reconcile(ctx context.Context, req ctrl.Request)
 return reconcile.Result{}, err
 }
 
- secrets, err := s.fetchAllMatchingSecrets(ctx, selector)
+ secrets, err := s.fetchAllMatchingSecrets(ctx, selector, rsec.Namespace)
 if err != nil {
 logger.Error(err, "Failed to fetch the replicated secrets to cleanup", "ReplicatedSecret", req.NamespacedName)
 return reconcile.Result{}, err
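Review bot: The cleanup path scopes the list to `rsec.Namespace`, while the hunk at @@ -177 passes `req.Namespace` to the same call; if `rsec` was loaded by `req.NamespacedName` the two are equal, but reading one value from two sources invites drift, so use a single source in both places, e.g. `secrets, err := s.fetchAllMatchingSecrets(ctx, selector, req.Namespace)` here as well. A second, hedged point: since this is the cleanup branch, Secrets that an earlier release replicated from a different namespace under the previous cluster-wide match would presumably no longer be returned here and could be left behind on deletion; if that is the case, a sentence in the release note or a one-off migration step should say so. Reconcile begins and ends outside the hunk.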
@@ -177,7 +177,7 @@ func (s *SecretSyncController) Reconcile(ctx context.Context, req ctrl.Request)
 s.selectorMutex.Unlock()
 
 // Fetch all the secrets that match the ReplicatedSecret's rules
- secrets, err := s.fetchAllMatchingSecrets(ctx, selector)
+ secrets, err := s.fetchAllMatchingSecrets(ctx, selector, req.Namespace)
 if err != nil {
 logger.Error(err, "Failed to fetch linked secrets", "ReplicatedSecret", req.NamespacedName)
 return reconcile.Result{Requeue: true}, err
@@ -361,10 +361,11 @@ func (s *SecretSyncController) verifyHashAnnotation(ctx context.Context, sec *co
 return nil
 }
 
-func (s *SecretSyncController) fetchAllMatchingSecrets(ctx context.Context, selector labels.Selector) ([]corev1.Secret, error) {
+func (s *SecretSyncController) fetchAllMatchingSecrets(ctx context.Context, selector labels.Selector, namespace string) ([]corev1.Secret, error) {
 secrets := &corev1.SecretList{}
 listOption := client.ListOptions{
 LabelSelector: selector,
+ Namespace: namespace,
 }
 err := s.ClientCache.GetLocalClient().List(ctx, secrets, &listOption)
 if err != nil {
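Review bot: `fetchAllMatchingSecrets` accepts an empty `namespace` without complaint, and in controller-runtime an empty `client.ListOptions.Namespace` means "all namespaces", so any caller passing `""` silently reinstates the cross-namespace pickup this commit is meant to remove. Add a guard before the options are built, e.g. `if namespace == "" { return nil, errors.New("fetchAllMatchingSecrets: namespace must not be empty") }` (with whichever error constructor the file already imports), so the namespace scoping is enforced by the function rather than by its callers. The new signature also lacks a doc comment; something like `// fetchAllMatchingSecrets lists the Secrets in namespace whose labels satisfy selector. The lookup is deliberately namespace-scoped so a ReplicatedSecret can never match Secrets outside its own namespace.` would record the intent for the next reader. The function body continues past the end of the hunk.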