From dcff29a2caa5374caedcad6bfe95e5eca0783ffd Mon Sep 17 00:00:00 2001
From: ddl-ebrown
Date: Fri, 7 Jul 2023 08:52:04 -0700
Subject: [PATCH] [DOM-47678] Fix secret querying - Add secrets list perms The secret reading code had a late change to search for matching secrets with the correct hephaestus-accessible label instead of performing a simple get by namespace/name. While this prevents Hephaestus code from even accessing the secret, it also now requires the list permission to query secrets. - Correctly specify fields for secret name and namespace by specifying the metadata. prefix - Unit tests don't support the filter syntax and don't apply Kubernetes permissioning, and the repo functiona. tests which actually use Kubernetes are currently not operational, so this slipped past review
---
 .../helm/hephaestus/templates/controller/clusterrole.yaml | 1 +
 pkg/controller/support/secrets/secrets.go | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/deployments/helm/hephaestus/templates/controller/clusterrole.yaml b/deployments/helm/hephaestus/templates/controller/clusterrole.yaml
index d3abd347..d961cdf0 100644
--- a/deployments/helm/hephaestus/templates/controller/clusterrole.yaml
+++ b/deployments/helm/hephaestus/templates/controller/clusterrole.yaml
@@ -91,6 +91,7 @@ rules:
 - secrets
 verbs:
 - get
+ - list
 - update
 - apiGroups:
 - apps
diff --git a/pkg/controller/support/secrets/secrets.go b/pkg/controller/support/secrets/secrets.go
index 6404b22e..60d2d435 100644
--- a/pkg/controller/support/secrets/secrets.go
+++ b/pkg/controller/support/secrets/secrets.go
@@ -42,7 +42,8 @@ func ReadSecrets(
 path := strings.Join([]string{secretRef.Namespace, secretRef.Name}, "/")
 log.Info("Finding secret", "path", path)
- fields := fields.SelectorFromSet(map[string]string{"Namespace": secretRef.Namespace, "Name": secretRef.Name})
+ fields := fields.SelectorFromSet(
+ map[string]string{"metadata.namespace": secretRef.Namespace, "metadata.name": secretRef.Name})
 // prevent exfiltration of arbitrary secret values by using the presence of this label
 labels := labels.SelectorFromSet(map[string]string{hephv1.AccessLabel: "true"})
 secrets, err := secretClient.List(ctx,
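Review bot: The label selector on the List call is applied by this caller, not by RBAC, so the `list` verb added in the clusterrole.yaml hunk lets the controller's service account enumerate every Secret in the cluster regardless of whether it carries hephv1.AccessLabel; the comment `// prevent exfiltration of arbitrary secret values by using the presence of this label` should say that the label is a code-level guard only, since the API server grants the whole resource, not a label subset. The same guard can be kept with only `get` by fetching the single Secret named by secretRef and rejecting it when `secret.Labels[hephv1.AccessLabel] != "true"` — the object is read into this process either way, but the broader grant also permits enumeration. If List is kept, the metadata.name/metadata.namespace selector returns at most one item, so the code after the hunk presumably needs to treat an empty `secrets.Items` as "not found or not labelled" rather than index element 0. Also, `fields := fields.SelectorFromSet(...)` and `labels := labels.SelectorFromSet(...)` shadow the imported packages for the rest of the function; names like `fieldSel`/`labelSel` avoid that. ReadSecrets starts before and continues after this hunk.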