fix(boxcutter): cache Secrets only in olmv1-system namespace

Configure cache to watch Secrets exclusively in olmv1-system, avoiding a cluster-wide Secret informer while maintaining performance for bundle Secret lookups via the cached client

Author: camilamacedo86

cmd/operator-controller/main.go

@@ -30,6 +30,7 @@ import (
 
 	"github.com/spf13/cobra"
 	"go.podman.io/image/v5/types"
+	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
@@ -254,6 +255,13 @@ func run() error {
 			&rbacv1.ClusterRoleBinding{}: {Label: k8slabels.Everything()},
 			&rbacv1.Role{}:               {Namespaces: map[string]crcache.Config{}, Label: k8slabels.Everything()},
 			&rbacv1.RoleBinding{}:        {Namespaces: map[string]crcache.Config{}, Label: k8slabels.Everything()},
+			// Only cache Secrets in olmv1-system to avoid cluster-wide Secret informer.
+			// Bundle Secrets are created in systemNamespace by SecretPacker.
+			&corev1.Secret{}: {
+				Namespaces: map[string]crcache.Config{
+					cfg.systemNamespace: {},
+				},
+			},
 		},
 		DefaultNamespaces: map[string]crcache.Config{
 			cfg.systemNamespace: {LabelSelector: k8slabels.Everything()},