fix: allow cross-namespace push with ClusterSecretStore objects

[Skarlso]

Problem Statement

Cross-namespace access with ClusterSecretStore objects.

Related Issue

Fixes #5832

Proposed Changes

How do you like to solve the issue and why?

Format

Please ensure that your PR follows the following format for the title:

feat(scope): add new feature
fix(scope): fix bug
docs(scope): update documentation
chore(scope): update build tool or dependencies
ref(scope): refactor code
clean(scope): provider cleanup
test(scope): add tests
perf(scope): improve performance
desig(scope): improve design

Where scope is optionally one of:

• charts
• release
• testing
• security
• templating

Checklist

• I have read the contribution guidelines
• All commits are signed with git commit --signoff
• My changes have reasonable test coverage
• All tests pass with make test
• I ensured my PR is ready for review with make reviewable

Summary

Enables cross-namespace secret push operations with ClusterSecretStore by allowing per-secret namespace overrides via metadata.

Key Changes

PushSecret Logic (client.go):

• Added support for remoteNamespace override in PushSecret metadata, restricted to ClusterSecretStore only
• Dynamically resolves target namespace from store configuration or metadata override
• Uses secretsClientFor() to obtain a per-namespace Kubernetes client for each secret operation

Function Signatures:

• mergePushSecretData() now accepts parsed metadata (pushMeta) for label/annotation merging instead of re-parsing from remoteRef
• createOrUpdate() now accepts a secretClient parameter, routing all Get/Create/Update operations through the provided client instead of using a hardcoded userSecretClient

Provider Setup (provider.go):

• Added userCoreV1 field to Client for dynamic namespace-scoped client creation
• New secretsClientFor() helper method that returns the appropriate Secrets client for a given namespace

Test Coverage:

• TestPushSecretRemoteNamespaceRouting: Validates that pushing with a remoteNamespace override creates the secret in the target namespace only
• TestPushSecretRemoteNamespaceRejectedForSecretStore: Ensures SecretStore kind rejects remoteNamespace overrides with a helpful error message

[coderabbitai]

Walkthrough

PushSecret now supports per-secret namespace overrides using ClusterSecretStore, with internal refactoring to route operations through namespace-specific clients. Signatures updated for mergePushSecretData and createOrUpdate functions to accept metadata and client parameters respectively.

Changes

Cohort / File(s)	Summary
Namespace Override Implementation providers/v1/kubernetes/client.go, providers/v1/kubernetes/provider.go	Implemented per-secret namespace override logic for ClusterSecretStore with validation restricting remote namespace overrides to ClusterSecretStore only. Updated function signatures (mergePushSecretData, createOrUpdate) to accept pushMeta and secretClient parameters. Introduced secretsClientFor helper method for per-namespace client routing.
Remote Namespace Tests providers/v1/kubernetes/client_test.go	Added storeKind field to test table struct and expanded test cases with remote namespace scenarios. Introduced TestPushSecretRemoteNamespaceRouting to validate correct secret placement and TestPushSecretRemoteNamespaceRejectedForSecretStore to verify rejection for non-ClusterSecretStore usage. Added fake Kubernetes client imports.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	All changes directly address issue #5832: cross-namespace push with ClusterSecretStore is enabled via namespace override support and client-per-namespace routing.
Out of Scope Changes check	✅ Passed	All changes are scoped to supporting cross-namespace push with ClusterSecretStore as specified in issue #5832.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

providers/v1/kubernetes/client.go (1)

82-105: ⚠️ Potential issue | 🟠 Major

Apply namespace routing to DeleteSecret similar to PushSecret, or extend PushSecretRemoteRef to include namespace context.

DeleteSecret uses c.userSecretClient directly, which is scoped to the store's default RemoteNamespace. However, PushSecret can push secrets to an overridden namespace via metadata (e.g., pushMeta.Spec.RemoteNamespace). When deletion is requested for such a secret, DeleteSecret operates only in the default namespace and cannot locate the secret that was pushed elsewhere, resulting in silent failure or deletion of the wrong secret.

Apply the same namespace-routing pattern used in PushSecret (via c.secretsClientFor) to DeleteSecret, or modify the interface to pass namespace context through PushSecretRemoteRef.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@providers/v1/kubernetes/client.go` around lines 82 - 105, DeleteSecret
currently always uses c.userSecretClient (scoped to the store default namespace)
which misses secrets pushed to an overridden namespace; change DeleteSecret to
pick the correct namespaced secret client like PushSecret does (use
c.secretsClientFor(...) or otherwise resolve namespace from PushSecretRemoteRef)
before calling Get/Delete. Specifically, in DeleteSecret replace direct use of
c.userSecretClient with the result of c.secretsClientFor(ctx, remoteRef) (or
extend PushSecretRemoteRef to expose the remote namespace and call
c.secretsClientFor(ctx, namespace)), then proceed with extSecret retrieval,
property checks (remoteRef.GetProperty()), removeProperty(...) and
fullDelete(...) using that client so deletion targets the same namespace as
PushSecret.

🧹 Nitpick comments (1)

providers/v1/kubernetes/provider.go (1)

149-154: secretsClientFor creates a new Secrets client on every call for non-default namespaces.

Each invocation of secretsClientFor with a novel namespace allocates a fresh client via c.userCoreV1.Secrets(namespace). In the current PushSecret flow this is called once per push, so it's fine. However, if this is ever called in a hot loop (e.g., batch pushes to the same target namespace), the repeated allocations could add up. Consider caching if usage patterns change, but for now this is acceptable.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@providers/v1/kubernetes/provider.go` around lines 149 - 154, secretsClientFor
currently calls c.userCoreV1.Secrets(namespace) on each call for non-default
namespaces which allocates a new client per invocation; change this to cache
per-namespace clients on the Client struct (e.g., a map[string]KClient plus a
sync.RWMutex) so secretsClientFor first checks the cache and returns the cached
KClient, and only if missing creates c.userCoreV1.Secrets(namespace), stores it
in the cache, and returns it; preserve existing fallback behavior to
c.userSecretClient when namespace is empty or equals c.store.RemoteNamespace and
ensure concurrent access to the map is protected.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@providers/v1/kubernetes/client.go`:
- Around line 82-105: DeleteSecret currently always uses c.userSecretClient
(scoped to the store default namespace) which misses secrets pushed to an
overridden namespace; change DeleteSecret to pick the correct namespaced secret
client like PushSecret does (use c.secretsClientFor(...) or otherwise resolve
namespace from PushSecretRemoteRef) before calling Get/Delete. Specifically, in
DeleteSecret replace direct use of c.userSecretClient with the result of
c.secretsClientFor(ctx, remoteRef) (or extend PushSecretRemoteRef to expose the
remote namespace and call c.secretsClientFor(ctx, namespace)), then proceed with
extSecret retrieval, property checks (remoteRef.GetProperty()),
removeProperty(...) and fullDelete(...) using that client so deletion targets
the same namespace as PushSecret.

---

Nitpick comments:
In `@providers/v1/kubernetes/provider.go`:
- Around line 149-154: secretsClientFor currently calls
c.userCoreV1.Secrets(namespace) on each call for non-default namespaces which
allocates a new client per invocation; change this to cache per-namespace
clients on the Client struct (e.g., a map[string]KClient plus a sync.RWMutex) so
secretsClientFor first checks the cache and returns the cached KClient, and only
if missing creates c.userCoreV1.Secrets(namespace), stores it in the cache, and
returns it; preserve existing fallback behavior to c.userSecretClient when
namespace is empty or equals c.store.RemoteNamespace and ensure concurrent
access to the map is protected.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 5cd2ed1 and 0558fa3.

📒 Files selected for processing (3)

• providers/v1/kubernetes/client.go
• providers/v1/kubernetes/client_test.go
• providers/v1/kubernetes/provider.go

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud