fix(ClickhouseUser/ServiceUser)!: remove cross-namespace secret exfiltration

vmyroslav · vmyroslav · commit 4e41e38c1c61 · 2026-04-09T12:14:31.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,9 @@
 - Add `ServiceUser` field `accessControl`, type `object`: AccessControl configures service-specific access control rules for the user.
 When this block is present, the operator manages the full access-control scope it contains
 - Add `OpenSearchACLConfig` to manage OpenSearch ACL
+- **BREAKING**: Removed `ClickhouseUser`/`ServiceUser` field `connInfoSecretSource.namespace`, type `string`: cross-namespace
+  secret references are no longer supported. The source secret must be in the same namespace as the resource.
+  This fixes a potential confused deputy vulnerability where the operator could be exploited to exfiltrate secrets from other namespaces.
 
 ## v0.36.0 - 2026-03-05
 
diff --git a/api/v1alpha1/common.go b/api/v1alpha1/common.go
@@ -46,10 +46,9 @@ type ConnInfoSecretTarget struct {
 type ConnInfoSecretSource struct {
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinLength=1
-	// Name of the secret resource to read connection parameters from
+	// Name of the secret resource to read connection parameters from.
+	// The secret must be in the same namespace as the resource.
 	Name string `json:"name"`
-	// Namespace of the source secret. If not specified, defaults to the same namespace as the resource
-	Namespace string `json:"namespace,omitempty"`
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinLength=1
 	// Key in the secret containing the password to use for authentication
diff --git a/charts/aiven-operator-crds/templates/aiven.io_clickhouseusers.yaml b/charts/aiven-operator-crds/templates/aiven.io_clickhouseusers.yaml
@@ -77,16 +77,11 @@ spec:
                     when the secret data is updated.
                   properties:
                     name:
-                      description:
-                        Name of the secret resource to read connection parameters
-                        from
+                      description: |-
+                        Name of the secret resource to read connection parameters from.
+                        The secret must be in the same namespace as the resource.
                       minLength: 1
                       type: string
-                    namespace:
-                      description:
-                        Namespace of the source secret. If not specified,
-                        defaults to the same namespace as the resource
-                      type: string
                     passwordKey:
                       description:
                         Key in the secret containing the password to use
diff --git a/charts/aiven-operator-crds/templates/aiven.io_serviceusers.yaml b/charts/aiven-operator-crds/templates/aiven.io_serviceusers.yaml
@@ -110,16 +110,11 @@ spec:
                     when the secret data is updated.
                   properties:
                     name:
-                      description:
-                        Name of the secret resource to read connection parameters
-                        from
+                      description: |-
+                        Name of the secret resource to read connection parameters from.
+                        The secret must be in the same namespace as the resource.
                       minLength: 1
                       type: string
-                    namespace:
-                      description:
-                        Namespace of the source secret. If not specified,
-                        defaults to the same namespace as the resource
-                      type: string
                     passwordKey:
                       description:
                         Key in the secret containing the password to use
diff --git a/config/crd/bases/aiven.io_clickhouseusers.yaml b/config/crd/bases/aiven.io_clickhouseusers.yaml
@@ -77,16 +77,11 @@ spec:
                     when the secret data is updated.
                   properties:
                     name:
-                      description:
-                        Name of the secret resource to read connection parameters
-                        from
+                      description: |-
+                        Name of the secret resource to read connection parameters from.
+                        The secret must be in the same namespace as the resource.
                       minLength: 1
                       type: string
-                    namespace:
-                      description:
-                        Namespace of the source secret. If not specified,
-                        defaults to the same namespace as the resource
-                      type: string
                     passwordKey:
                       description:
                         Key in the secret containing the password to use
diff --git a/config/crd/bases/aiven.io_serviceusers.yaml b/config/crd/bases/aiven.io_serviceusers.yaml
@@ -110,16 +110,11 @@ spec:
                     when the secret data is updated.
                   properties:
                     name:
-                      description:
-                        Name of the secret resource to read connection parameters
-                        from
+                      description: |-
+                        Name of the secret resource to read connection parameters from.
+                        The secret must be in the same namespace as the resource.
                       minLength: 1
                       type: string
-                    namespace:
-                      description:
-                        Namespace of the source secret. If not specified,
-                        defaults to the same namespace as the resource
-                      type: string
                     passwordKey:
                       description:
                         Key in the secret containing the password to use
diff --git a/controllers/secret_password_manager.go b/controllers/secret_password_manager.go
@@ -25,31 +25,28 @@ func GetPasswordFromSecret(ctx context.Context, k8sClient client.Client, resourc
 		return "", nil
 	}
 
-	sourceNamespace := secretSource.Namespace
-	if sourceNamespace == "" {
-		sourceNamespace = resource.GetNamespace()
-	}
+	ns := resource.GetNamespace()
 
 	sourceSecret := &corev1.Secret{}
 	err := k8sClient.Get(ctx, types.NamespacedName{
 		Name:      secretSource.Name,
-		Namespace: sourceNamespace,
+		Namespace: ns,
 	}, sourceSecret)
 	if err != nil {
-		return "", fmt.Errorf("failed to read connInfoSecretSource %s/%s: %w", sourceNamespace, secretSource.Name, err)
+		return "", fmt.Errorf("failed to read connInfoSecretSource %s/%s: %w", ns, secretSource.Name, err)
 	}
 
 	passwordBytes, exists := sourceSecret.Data[secretSource.PasswordKey]
 	if !exists {
-		return "", fmt.Errorf("password not found in source secret %s/%s (expected %s key)", sourceNamespace, secretSource.Name, secretSource.PasswordKey)
+		return "", fmt.Errorf("password not found in source secret %s/%s (expected %s key)", ns, secretSource.Name, secretSource.PasswordKey)
 	}
 
 	newPassword := string(passwordBytes)
 
 	// validate password length according to API requirements
 	if len(newPassword) < 8 || len(newPassword) > 256 {
 		return "", fmt.Errorf("password length must be between 8 and 256 characters, got %d characters from source secret %s/%s (key: %s)",
-			len(newPassword), sourceNamespace, secretSource.Name, secretSource.PasswordKey)
+			len(newPassword), ns, secretSource.Name, secretSource.PasswordKey)
 	}
 
 	return newPassword, nil
diff --git a/controllers/secret_password_manager_test.go b/controllers/secret_password_manager_test.go
@@ -53,26 +53,6 @@ func TestPasswordManager_GetPasswordFromSecret(t *testing.T) {
 			expectedResult: "ValidPassword123!",
 			expectError:    false,
 		},
-		{
-			name: "Valid password from secret in different namespace",
-			secretSource: &v1alpha1.ConnInfoSecretSource{
-				Name:        "test-secret",
-				Namespace:   "other-ns",
-				PasswordKey: "PASSWORD",
-			},
-			resourceNS: "default",
-			secret: &corev1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-secret",
-					Namespace: "other-ns",
-				},
-				Data: map[string][]byte{
-					"PASSWORD": []byte("CrossNSPassword123!"),
-				},
-			},
-			expectedResult: "CrossNSPassword123!",
-			expectError:    false,
-		},
 		{
 			name: "Secret not found",
 			secretSource: &v1alpha1.ConnInfoSecretSource{
@@ -256,72 +236,33 @@ func TestPasswordManager_NamespaceResolution(t *testing.T) {
 	require.NoError(t, corev1.AddToScheme(scheme))
 	require.NoError(t, v1alpha1.AddToScheme(scheme))
 
-	tests := []struct {
-		name         string
-		resourceNS   string
-		sourceNS     string
-		expectedNS   string
-		secretExists bool
-	}{
-		{
-			name:         "Uses resource namespace when source namespace is empty",
-			resourceNS:   "resource-ns",
-			sourceNS:     "",
-			expectedNS:   "resource-ns",
-			secretExists: true,
+	// Secret must always be in the same namespace as the resource
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-secret",
+			Namespace: "resource-ns",
 		},
-		{
-			name:         "Uses source namespace when specified",
-			resourceNS:   "resource-ns",
-			sourceNS:     "source-ns",
-			expectedNS:   "source-ns",
-			secretExists: true,
+		Data: map[string][]byte{
+			"PASSWORD": []byte("ValidPassword123!"),
 		},
 	}
 
-	for _, tt := range tests {
-		t.Run(tt.name, func(t *testing.T) {
-			var objects []client.Object
-			if tt.secretExists {
-				secret := &corev1.Secret{
-					ObjectMeta: metav1.ObjectMeta{
-						Name:      "test-secret",
-						Namespace: tt.expectedNS,
-					},
-					Data: map[string][]byte{
-						"PASSWORD": []byte("ValidPassword123!"),
-					},
-				}
-				objects = append(objects, secret)
-			}
-
-			secretSource := &v1alpha1.ConnInfoSecretSource{
+	user := &v1alpha1.ClickhouseUser{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-user",
+			Namespace: "resource-ns",
+		},
+		Spec: v1alpha1.ClickhouseUserSpec{
+			ConnInfoSecretSource: &v1alpha1.ConnInfoSecretSource{
 				Name:        "test-secret",
 				PasswordKey: "PASSWORD",
-			}
-			if tt.sourceNS != "" {
-				secretSource.Namespace = tt.sourceNS
-			}
-
-			user := &v1alpha1.ClickhouseUser{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-user",
-					Namespace: tt.resourceNS,
-				},
-				Spec: v1alpha1.ClickhouseUserSpec{
-					ConnInfoSecretSource: secretSource,
-				},
-			}
+			},
+		},
+	}
 
-			k8sClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(objects...).Build()
-			result, err := GetPasswordFromSecret(context.Background(), k8sClient, user)
+	k8sClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(secret).Build()
+	result, err := GetPasswordFromSecret(context.Background(), k8sClient, user)
 
-			if tt.secretExists {
-				require.NoError(t, err)
-				assert.Equal(t, "ValidPassword123!", result)
-			} else {
-				require.Error(t, err)
-			}
-		})
-	}
+	require.NoError(t, err)
+	assert.Equal(t, "ValidPassword123!", result)
 }
diff --git a/controllers/secret_watch_controller.go b/controllers/secret_watch_controller.go
@@ -112,12 +112,7 @@ func (c *SecretWatchController) getResourcesWithSecretSource() []SecretSourceRes
 func connInfoSecretRefIndexFunc(o client.Object) []string {
 	if resource, ok := o.(SecretSourceResource); ok {
 		if secretSource := resource.GetConnInfoSecretSource(); secretSource != nil {
-			sourceNamespace := secretSource.Namespace
-			if sourceNamespace == "" {
-				sourceNamespace = resource.GetNamespace()
-			}
-
-			return []string{fmt.Sprintf("%s/%s", sourceNamespace, secretSource.Name)}
+			return []string{fmt.Sprintf("%s/%s", resource.GetNamespace(), secretSource.Name)}
 		}
 	}
 
diff --git a/controllers/secret_watch_controller_test.go b/controllers/secret_watch_controller_test.go
@@ -132,23 +132,6 @@ func TestConnInfoSecretRefIndexFunc(t *testing.T) {
 			},
 			expected: []string{"default/my-secret"},
 		},
-		{
-			name: "ServiceUser with secretSource in different namespace",
-			resource: &v1alpha1.ServiceUser{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-user",
-					Namespace: "default",
-				},
-				Spec: v1alpha1.ServiceUserSpec{
-					ConnInfoSecretSource: &v1alpha1.ConnInfoSecretSource{
-						Name:        "my-secret",
-						Namespace:   "other-namespace",
-						PasswordKey: "password",
-					},
-				},
-			},
-			expected: []string{"other-namespace/my-secret"},
-		},
 		{
 			name: "ServiceUser without secretSource",
 			resource: &v1alpha1.ServiceUser{
@@ -178,23 +161,6 @@ func TestConnInfoSecretRefIndexFunc(t *testing.T) {
 			},
 			expected: []string{"default/ch-secret"},
 		},
-		{
-			name: "ClickhouseUser with cross-namespace secretSource",
-			resource: &v1alpha1.ClickhouseUser{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-ch-user",
-					Namespace: "app-namespace",
-				},
-				Spec: v1alpha1.ClickhouseUserSpec{
-					ConnInfoSecretSource: &v1alpha1.ConnInfoSecretSource{
-						Name:        "shared-secret",
-						Namespace:   "secrets-namespace",
-						PasswordKey: "password",
-					},
-				},
-			},
-			expected: []string{"secrets-namespace/shared-secret"},
-		},
 		{
 			name: "Non-SecretSourceResource",
 			resource: &corev1.Secret{
@@ -246,29 +212,6 @@ func TestSecretWatchController_resourceMatchesSecret(t *testing.T) {
 			},
 			expected: true,
 		},
-		{
-			name: "ServiceUser matches secret in different namespace",
-			resource: &v1alpha1.ServiceUser{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "test-user",
-					Namespace: "app-ns",
-				},
-				Spec: v1alpha1.ServiceUserSpec{
-					ConnInfoSecretSource: &v1alpha1.ConnInfoSecretSource{
-						Name:        "my-secret",
-						Namespace:   "secret-ns",
-						PasswordKey: "password",
-					},
-				},
-			},
-			secret: &corev1.Secret{
-				ObjectMeta: metav1.ObjectMeta{
-					Name:      "my-secret",
-					Namespace: "secret-ns",
-				},
-			},
-			expected: true,
-		},
 		{
 			name: "ServiceUser does not match different secret name",
 			resource: &v1alpha1.ServiceUser{
@@ -342,12 +285,7 @@ func TestSecretWatchController_resourceMatchesSecret(t *testing.T) {
 				return
 			}
 
-			sourceNamespace := secretSource.Namespace
-			if sourceNamespace == "" {
-				sourceNamespace = tt.resource.GetNamespace()
-			}
-
-			matches := secretSource.Name == tt.secret.Name && sourceNamespace == tt.secret.Namespace
+			matches := secretSource.Name == tt.secret.Name && tt.resource.GetNamespace() == tt.secret.Namespace
 			assert.Equal(t, tt.expected, matches)
 		})
 	}
diff --git a/docs/docs/resources/clickhouseuser.md b/docs/docs/resources/clickhouseuser.md
@@ -62,7 +62,6 @@ This resource uses the following API operations, and for each operation, _any_ o
       # Use existing secret for credential management
       connInfoSecretSource:
         name: predefined-credentials
-        # namespace: my-namespace  # Optional: defaults to same namespace as ClickhouseUser
         passwordKey: PASSWORD
     
       project: aiven-project-name
@@ -205,12 +204,9 @@ when the secret data is updated.
 **Required**
 
 - [`name`](#spec.connInfoSecretSource.name-property){: name='spec.connInfoSecretSource.name-property'} (string, MinLength: 1). Name of the secret resource to read connection parameters from.
+    The secret must be in the same namespace as the resource.
 - [`passwordKey`](#spec.connInfoSecretSource.passwordKey-property){: name='spec.connInfoSecretSource.passwordKey-property'} (string, MinLength: 1). Key in the secret containing the password to use for authentication.
 
-**Optional**
-
-- [`namespace`](#spec.connInfoSecretSource.namespace-property){: name='spec.connInfoSecretSource.namespace-property'} (string). Namespace of the source secret. If not specified, defaults to the same namespace as the resource.
-
 ## connInfoSecretTarget {: #spec.connInfoSecretTarget }
 
 _Appears on [`spec`](#spec)._
diff --git a/docs/docs/resources/examples/clickhouseuser.custom_credentials.yaml b/docs/docs/resources/examples/clickhouseuser.custom_credentials.yaml
@@ -32,7 +32,6 @@ spec:
   # Use existing secret for credential management
   connInfoSecretSource:
     name: predefined-credentials
-    # namespace: my-namespace  # Optional: defaults to same namespace as ClickhouseUser
     passwordKey: PASSWORD
 
   project: aiven-project-name
diff --git a/docs/docs/resources/examples/serviceuser.custom_credentials.yaml b/docs/docs/resources/examples/serviceuser.custom_credentials.yaml
diff --git a/docs/docs/resources/serviceuser.md b/docs/docs/resources/serviceuser.md
diff --git a/tests/clickhouseuser_test.go b/tests/clickhouseuser_test.go
diff --git a/tests/serviceuser_watcher_test.go b/tests/serviceuser_watcher_test.go

Original file line number	Diff line number	Diff line change
`@@ -112,12 +112,7 @@ func (c *SecretWatchController) getResourcesWithSecretSource() []SecretSourceRes`
`112`	`112`	`func connInfoSecretRefIndexFunc(o client.Object) []string {`
`113`	`113`	`if resource, ok := o.(SecretSourceResource); ok {`
`114`	`114`	`if secretSource := resource.GetConnInfoSecretSource(); secretSource != nil {`
`115`		`- sourceNamespace := secretSource.Namespace`
`116`		`- if sourceNamespace == "" {`
`117`		`- sourceNamespace = resource.GetNamespace()`
`118`		`- }`
`119`		`-`
`120`		`- return []string{fmt.Sprintf("%s/%s", sourceNamespace, secretSource.Name)}`
	`115`	`+ return []string{fmt.Sprintf("%s/%s", resource.GetNamespace(), secretSource.Name)}`
`121`	`116`	`}`
`122`	`117`	`}`
`123`	`118`