Skip to content

feat: allow cross-namespace ConfigMap/Secret for GitRepositoryVerification #1854

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

feat: allow cross-namespace ConfigMap/Secret for GitRepositoryVerification #1854

wants to merge 2 commits into from

Conversation

@itzPranshul
Copy link

@itzPranshul itzPranshul commented Jul 26, 2025

This PR resolves issue #1674.

  • CrossNamespaceObjectReference support was added in GitRepositoryVerification to allow referencing public keys from a Secret or ConfigMap in another namespace.
  • Updated controller logic (verifySignature) to fetch and verify keys from cross-namespace Secret/ConfigMap when PublicKeyRef is provided.
  • I added an RBAC marker for ConfigMaps (get, list, watch) so the controller can access them.
  • Regenerated CRDs and RBAC manifests (make generate && make manifests).
    Note: This allows users to store cosign public keys in a central namespace and reference them across multiple Git repositories, instead of duplicating keys in every namespace.

@makkes
Copy link
Member

makkes commented Jul 26, 2025

I might be mistaken about the intention of this PR, but we don't allow cross-namespace Secret references for a reason.

@itzPranshul
Copy link
Author

itzPranshul commented Jul 26, 2025

I might be mistaken about the intention of this PR, but we don't allow cross-namespace Secret references for a reason.

Thanks for reviewing!
I understand now — cross‑namespace Secrets are usually restricted for security reasons.

My intention here was mainly to support referencing cosign public keys from a shared ConfigMap in a central namespace (as described in issue #1674), not to bypass any security constraints.

Would you be okay with me updating this PR to allow only cross‑namespace ConfigMaps (and keep Secrets strictly namespace‑scoped)?

@makkes
Copy link
Member

makkes commented Jul 27, 2025

I might be mistaken about the intention of this PR, but we don't allow cross-namespace Secret references for a reason.

Thanks for reviewing! I understand now — cross‑namespace Secrets are usually restricted for security reasons.

My intention here was mainly to support referencing cosign public keys from a shared ConfigMap in a central namespace (as described in issue #1674), not to bypass any security constraints.

Would you be okay with me updating this PR to allow only cross‑namespace ConfigMaps (and keep Secrets strictly namespace‑scoped)?

To be honest I don't think this change would get through. The usual way to solve your problem is to duplicate the Secret/ConfigMap into the Namespaces where it's consumed. This is common practice with many Flux Secrets but also with Kubernetes Secrets, e.g. pull Secrets.

@stefanprodan
Copy link
Member

stefanprodan commented Jul 27, 2025

Sorry but this can't be in Flux. You can't refer to a ConfigMap/Secret in a Kubernetes Deployment from a diffrent namespace, when Kubernetes will allows this then we'll also allow Flux to do the same.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@itzPranshul @makkes @stefanprodan