fix: prevent duplicate owner references

Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

controllers/secretproviderclasspodstatus_controller.go

@@ -444,8 +444,10 @@ func (r *SecretProviderClassPodStatusReconciler) patchSecretWithOwnerRef(ctx con
 		if _, exists := secretOwnerMap[ownerRefs[i].Name]; exists {
 			continue
 		}
+		// add to map for tracking
+		secretOwnerMap[ownerRefs[i].Name] = ownerRefs[i].UID
 		needsPatch = true
-		klog.Infof("Adding %s/%s as owner ref for %s/%s", ownerRefs[i].APIVersion, ownerRefs[i].Name, namespace, name)
+		klog.V(5).Infof("Adding %s/%s as owner ref for %s/%s", ownerRefs[i].APIVersion, ownerRefs[i].Name, namespace, name)
 		secretOwnerRefs = append(secretOwnerRefs, ownerRefs[i])
 	}
 

controllers/secretproviderclasspodstatus_controller_test.go

@@ -172,7 +172,7 @@ func TestPatchSecretWithOwnerRef(t *testing.T) {
 	client := fake.NewFakeClientWithScheme(scheme, initObjects...)
 	reconciler := newReconciler(client, scheme, "node1")
 
-	err = reconciler.patchSecretWithOwnerRef(context.TODO(), "my-secret", "default", ref)
+	err = reconciler.patchSecretWithOwnerRef(context.TODO(), "my-secret", "default", ref, ref)
 	g.Expect(err).NotTo(HaveOccurred())
 
 	secret := &v1.Secret{}

test/bats/azure.bats

@@ -136,15 +136,15 @@ setup() {
   result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.secrets-store\.csi\.k8s\.io/managed}")
   [[ "${result//$'\r'}" == "true" ]]
 
-  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret default 4"
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret default 2"
   assert_success
 }
 
 @test "Sync with K8s secrets - delete deployment, check owner ref updated, check secret deleted" {
   run kubectl delete -f $BATS_TESTS_DIR/nginx-deployment-synck8s-azure.yaml
   assert_success
 
-  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret default 2"
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret default 1"
   assert_success
 
   run kubectl delete -f $BATS_TESTS_DIR/nginx-deployment-two-synck8s-azure.yaml
@@ -197,7 +197,7 @@ setup() {
   result=$(kubectl exec -n test-ns $POD -- printenv | grep SECRET_USERNAME) | awk -F"=" '{ print $2}'
   [[ "${result//$'\r'}" == "${SECRET_VALUE}" ]]
 
-  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret test-ns 2"
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret test-ns 1"
   assert_success
 }
 

test/bats/vault.bats

@@ -196,15 +196,15 @@ EOF
   result=$(kubectl get secret foosecret -o jsonpath="{.metadata.labels.secrets-store\.csi\.k8s\.io/managed}")
   [[ "${result//$'\r'}" == "true" ]]
 
-  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret default 4"
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret default 2"
   assert_success
 }
 
 @test "Sync with K8s secrets - delete deployment, check secret is deleted" {
   run kubectl delete -f $BATS_TESTS_DIR/nginx-deployment-synck8s.yaml
   assert_success
 
-  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret default 2"
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret default 1"
   assert_success
 
   run kubectl delete -f $BATS_TESTS_DIR/nginx-deployment-two-synck8s.yaml
@@ -254,7 +254,7 @@ EOF
   result=$(kubectl exec -n test-ns $POD -- printenv | grep SECRET_USERNAME | awk -F"=" '{ print $2 }' | tr -d '\r\n')
   [[ "$result" == "hello1" ]]
 
-  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret test-ns 2"
+  run wait_for_process $WAIT_TIME $SLEEP_TIME "compare_owner_count foosecret test-ns 1"
   assert_success
 }