From fee389a357a3a7f938460fc4eaf9bec968e24c1c Mon Sep 17 00:00:00 2001
From: Travis Raines <571832+rainest@users.noreply.github.com>
Date: Mon, 2 Oct 2023 10:41:54 -0700
Subject: [PATCH] wip: copy predicate object

---
 internal/controllers/configuration/secret_controller.go | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/internal/controllers/configuration/secret_controller.go b/internal/controllers/configuration/secret_controller.go
index 881a55e066..c98b1a4d07 100644
--- a/internal/controllers/configuration/secret_controller.go
+++ b/internal/controllers/configuration/secret_controller.go
@@ -77,12 +77,16 @@ func (r *CoreV1SecretReconciler) SetLogger(l logr.Logger) {
 // - the secret has label: konghq.com/ca-cert:true
 // - or the secret is referred by objects we care (service, ingress, gateway, ...)
 func (r *CoreV1SecretReconciler) shouldReconcileSecret(obj client.Object) bool {
-	err := util.PopulateTypeMeta(obj)
+	// TypeMeta is necessary to generate the correct key for references, but we can't use the original object
+	// controller-runtime's client provides the same object to both predicates and the admission webhook, and can result
+	// in a race condition if this uses the original
+	o := obj.DeepCopyObject()
+	err := util.PopulateTypeMeta(o)
 	if err != nil {
 		r.Log.Error(err, "could not set resource TypeMeta",
 			"namespace", obj.GetNamespace(), "name", obj.GetName())
 	}
-	secret, ok := obj.(*corev1.Secret)
+	secret, ok := o.(*corev1.Secret)
 	if !ok {
 		return false
 	}