Conversation

@OpenGuidou
Contributor

@OpenGuidou OpenGuidou commented Dec 11, 2025

Fixes #25621

Checklist:

  • Either (a) I've created an enhancement proposal and discussed it with the community, (b) this is a bug fix, or (c) this does not need to be in the release notes.
  • The title of the PR states what changed and the related issues number (used for the release note).
  • The title of the PR conforms to the Title of the PR
  • I've included "Closes [ISSUE #]" or "Fixes [ISSUE #]" in the description to automatically close the associated issue.
  • I've updated both the CLI and UI to expose my feature, or I plan to submit a second PR with them.
  • Does this PR require documentation updates?
  • I've updated documentation as required by this PR.
  • I have signed off all my commits as required by DCO
  • I have written unit and/or e2e tests for my change. PRs without these are unlikely to be merged.
  • My build is green (troubleshooting builds).
  • My new feature complies with the feature status guidelines.
  • I have added a brief description of why this PR is necessary and/or what this PR solves.
  • Optional. My organization is added to USERS.md.
  • Optional. For bug fixes, I've indicated what older releases this fix should be cherry-picked into (this may or may not happen depending on risk/complexity).

@OpenGuidou OpenGuidou requested a review from a team as a code owner December 11, 2025 14:33
@bunnyshell

bunnyshell bot commented Dec 11, 2025

❌ Preview Environment deleted from Bunnyshell

Available commands (reply to this comment):

  • 🚀 /bns:deploy to deploy the environment

@OpenGuidou OpenGuidou changed the title fix(appsets) - do not trigger reconciliation on appsets not part of allowed namespaces when updating a cluster secret fix: (appsets) - do not trigger reconciliation on appsets not part of allowed namespaces when updating a cluster secret Dec 11, 2025
@speedfl
Contributor

speedfl commented Dec 11, 2025

LGTM

@codecov

codecov bot commented Dec 11, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 62.59%. Comparing base (8fec5c5) to head (cbca896).
⚠️ Report is 116 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master   #25622      +/-   ##
==========================================
- Coverage   62.60%   62.59%   -0.02%     
==========================================
  Files         353      353              
  Lines       49883    50150     +267     
==========================================
+ Hits        31229    31390     +161     
- Misses      15660    15740      +80     
- Partials     2994     3020      +26     

☔ View full report in Codecov by Sentry.

@OpenGuidou
Contributor Author

@argoproj/argocd-approvers: Hello guys, can I get a review for this fix of an annoying bug?

…llowed namespaces when updating a cluster secret

Signed-off-by: OpenGuidou <[email protected]>
Log: log.WithField("type", "createSecretEventHandler"),
Client: mgr.GetClient(),
Log: log.WithField("type", "createSecretEventHandler"),
ApplicationSetNamespaces: r.ApplicationSetNamespaces,
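Review bot: the handler literal now receives r.ApplicationSetNamespaces, but the fragment shows the `Log:` field twice; confirm the first occurrence is only the pre-change line rendered next to its replacement and not a duplicated key in the new literal, which Go rejects at compile time. Since the allowed-namespace list is now an input to createSecretEventHandler, a unit test that feeds an ApplicationSet outside that list and asserts it is not enqueued would document the fix and guard against regressions.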
Member

Seems like the method WithEventFilter(ignoreNotAllowedNamespaces(r.ApplicationSetNamespaces)) should also apply to the Secret type.

// WithEventFilter sets the event filters, to filter which create/update/delete/generic events eventually
// trigger reconciliations. For example, filtering on whether the resource version has changed.
// Given predicate is added for all watched objects and thus must be able to deal with the type
// of all watched objects.

Do you have an explanation why it is not the case?

Contributor Author

This correctly filters the cluster secrets in the correct namespaces, but the code inside createSecretEventHandler does a list on ApplicationSets at cluster scope without any filter on namespaces.

This PR fixes that.

Member

So it should use object.GetNamespace() to list on a specific namespace and not all namespaces instead.

afaik, Appsets cannot use cluster secrets from another namespace than where they are defined, right?

Contributor Author

In the case of Appsets in any namespace, they can.
Cluster secrets are in fact not allowed anywhere else than the controller namespace.
So we have this list of allowed namespaces for applicationsets as a controller variable, which I'm just reusing here.

Member

@agaudreault agaudreault Jan 8, 2026

Gotcha, but I think what you are doing is not officially supported based on https://argo-cd.readthedocs.io/en/latest/operator-manual/applicationset/Appset-Any-Namespace/#cluster-scoped-argo-cd-installation, most likely because cluster resource access is required, but the event handling should work correctly.

Your code is good, but a small optimization could be that if the len(ApplicationSetNamespaces) == 1, use a ListOption to only list on the single watched namespace instead of cluster scoped. This would need a new unit test for 1 vs multiple allowedNamespace.
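The behaviour discussed in this thread, as an added example that is not Argo CD's own code: a cluster secret changes, the handler lists ApplicationSets and enqueues reconcile requests, and the fix is to skip any ApplicationSet whose namespace is not in the controller's allowed list. It also models the optimisation suggested above, listing only the single watched namespace when the allowed list has exactly one entry, so that path needs no cluster-wide list permission. The types `AppSet`, `Request`, `ListOptions`, `fakeClient` and the functions `enqueueAll`, `enqueueAllowed` and `listScope` are stand-ins invented for this example, the sample ApplicationSets are constructed, and allowed entries are matched as exact names (Argo CD's real setting also accepts patterns, which this simplification ignores).

```go
package main

import (
	"fmt"
	"sort"
)

// AppSet is a stand-in for an ApplicationSet with only the fields the handler needs (constructed for this example).
type AppSet struct {
	Namespace string
	Name      string
}

// Request mirrors a reconcile.Request: the namespaced name to enqueue.
type Request struct {
	Namespace string
	Name      string
}

// ListOptions models the one list parameter that matters here; an empty Namespace means a cluster-scoped list.
type ListOptions struct{ Namespace string }

// fakeClient stands in for the Kubernetes client and "lists" from an in-memory slice.
type fakeClient struct{ items []AppSet }

func (c *fakeClient) List(opts ListOptions) []AppSet {
	var out []AppSet
	for _, a := range c.items {
		if opts.Namespace == "" || a.Namespace == opts.Namespace {
			out = append(out, a)
		}
	}
	return out
}

// listScope is the review suggestion: with exactly one allowed namespace, list only that
// namespace (no cluster-wide list RBAC needed); otherwise list cluster-wide and filter afterwards.
// Entries are exact names here; Argo CD's real setting also accepts patterns (not handled).
func listScope(allowed []string) ListOptions {
	if len(allowed) == 1 {
		return ListOptions{Namespace: allowed[0]}
	}
	return ListOptions{}
}

func isAllowedNamespace(ns string, allowed []string) bool {
	for _, a := range allowed {
		if a == ns {
			return true
		}
	}
	return false
}

// enqueueAll reproduces the pre-fix behaviour: cluster-scoped list, one request per
// ApplicationSet found, including those owned by another Argo CD instance on the cluster.
func enqueueAll(c *fakeClient) []Request {
	var reqs []Request
	for _, a := range c.List(ListOptions{}) {
		reqs = append(reqs, Request{Namespace: a.Namespace, Name: a.Name})
	}
	sortRequests(reqs)
	return reqs
}

// enqueueAllowed is the fixed behaviour: only ApplicationSets in an allowed namespace are enqueued.
func enqueueAllowed(c *fakeClient, allowed []string) []Request {
	var reqs []Request
	for _, a := range c.List(listScope(allowed)) {
		if !isAllowedNamespace(a.Namespace, allowed) {
			continue // belongs to a namespace this controller does not watch
		}
		reqs = append(reqs, Request{Namespace: a.Namespace, Name: a.Name})
	}
	sortRequests(reqs)
	return reqs
}

func sortRequests(reqs []Request) {
	sort.Slice(reqs, func(i, j int) bool {
		if reqs[i].Namespace != reqs[j].Namespace {
			return reqs[i].Namespace < reqs[j].Namespace
		}
		return reqs[i].Name < reqs[j].Name
	})
}

// sampleAppSets is constructed data: two Argo CD instances share the cluster; this
// controller watches argocd and team-a, while team-b belongs to the other instance.
func sampleAppSets() *fakeClient {
	return &fakeClient{items: []AppSet{
		{Namespace: "argocd", Name: "core-apps"},
		{Namespace: "team-a", Name: "team-a-apps"},
		{Namespace: "team-b", Name: "team-b-apps"},
	}}
}

func main() {
	c := sampleAppSets()
	allowed := []string{"argocd", "team-a"}
	fmt.Println("before fix:", enqueueAll(c))             // 3 requests, team-b included
	fmt.Println("after fix: ", enqueueAllowed(c, allowed)) // 2 requests
	fmt.Println("single-namespace scope:", listScope([]string{"argocd"}))
}
```

Running it shows the pre-fix handler waking the other instance's ApplicationSet on every cluster secret change, while the filtered handler touches only the two it owns; with a single allowed namespace the list itself is already namespaced, which is the least-privilege shape the later comment about cluster-level list/watch RBAC is getting at.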

Member

Approving this PR still since it is an optimization and this PR by itself fixes the issue.

Contributor Author

I agree, and it forces having the list/watch RBAC at cluster level even if it's not required. I don't think that's the only place we would have to change that...
Thanks!

@agaudreault agaudreault changed the title fix: (appsets) - do not trigger reconciliation on appsets not part of allowed namespaces when updating a cluster secret fix(appset): do not trigger reconciliation on appsets not part of allowed namespaces when updating a cluster secret Jan 8, 2026
@agaudreault agaudreault enabled auto-merge (squash) January 8, 2026 18:20
@agaudreault agaudreault merged commit bb894e8 into argoproj:master Jan 8, 2026
29 checks passed
@OpenGuidou
Contributor Author

@agaudreault could you add the labels for cherry picking on 3.X releases?

@blakepettersson blakepettersson added cherry-pick/3.1 Candidate for cherry picking into the 3.1 release branch cherry-pick/3.2 Candidate for cherry picking into the 3.2 release branch cherry-pick/3.3 Candidate for cherry picking into the 3.3 release labels Jan 9, 2026
argo-cd-cherry-pick-bot bot pushed a commit that referenced this pull request Jan 9, 2026
…owed namespaces when updating a cluster secret (#25622)

Signed-off-by: OpenGuidou <[email protected]>
argo-cd-cherry-pick-bot bot pushed a commit that referenced this pull request Jan 9, 2026
…owed namespaces when updating a cluster secret (#25622)

Signed-off-by: OpenGuidou <[email protected]>
argo-cd-cherry-pick-bot bot pushed a commit that referenced this pull request Jan 9, 2026
…owed namespaces when updating a cluster secret (#25622)

Signed-off-by: OpenGuidou <[email protected]>
@argo-cd-cherry-pick-bot

🍒 Cherry-pick PR created for 3.3: #25909

@argo-cd-cherry-pick-bot

🍒 Cherry-pick PR created for 3.1: #25910

@argo-cd-cherry-pick-bot

🍒 Cherry-pick PR created for 3.2: #25911

blakepettersson pushed a commit that referenced this pull request Jan 9, 2026
…owed namespaces when updating a cluster secret (cherry-pick #25622 for 3.2) (#25911)

Signed-off-by: OpenGuidou <[email protected]>
Co-authored-by: OpenGuidou <[email protected]>
blakepettersson pushed a commit that referenced this pull request Jan 9, 2026
…owed namespaces when updating a cluster secret (cherry-pick #25622 for 3.1) (#25910)

Signed-off-by: OpenGuidou <[email protected]>
Co-authored-by: OpenGuidou <[email protected]>
blakepettersson pushed a commit that referenced this pull request Jan 9, 2026
…owed namespaces when updating a cluster secret (cherry-pick #25622 for 3.3) (#25909)

Signed-off-by: OpenGuidou <[email protected]>
Co-authored-by: OpenGuidou <[email protected]>

Labels

cherry-pick/3.1 Candidate for cherry picking into the 3.1 release branch cherry-pick/3.2 Candidate for cherry picking into the 3.2 release branch cherry-pick/3.3 Candidate for cherry picking into the 3.3 release

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Multiple ArgoCD per cluster - Cluster secret update triggers reconciliations for all appsets, without respecting allowed namespaces

6 participants