From 61ee4e7917a5b1b0c401ce748b4b6c89cc18e64f Mon Sep 17 00:00:00 2001
From: Olivier Tardieu
Date: Wed, 18 Oct 2023 13:47:21 -0400
Subject: [PATCH 1/2] Force creation of generic items into namespace of AppWrapper
---
 .../queuejobresources/genericresource/genericresource.go | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/pkg/controller/queuejobresources/genericresource/genericresource.go b/pkg/controller/queuejobresources/genericresource/genericresource.go
index 0231b53c..4c969762 100644
--- a/pkg/controller/queuejobresources/genericresource/genericresource.go
+++ b/pkg/controller/queuejobresources/genericresource/genericresource.go
@@ -273,7 +273,7 @@ func (gr *GenericResources) SyncQueueJob(aw *arbv1.AppWrapper, awr *arbv1.AppWra
 ownerRef := metav1.NewControllerRef(aw, appWrapperKind)
 unstruct.Object = blob.(map[string]interface{}) // set object to the content of the blob after Unmarshalling
 unstruct.SetOwnerReferences(append(unstruct.GetOwnerReferences(), *ownerRef))
- namespace := "default"
+ namespace := aw.Namespace // create resource in AppWrapper namespace
 name := ""
 if md, ok := unstruct.Object["metadata"]; ok {
@@ -282,7 +282,9 @@ func (gr *GenericResources) SyncQueueJob(aw *arbv1.AppWrapper, awr *arbv1.AppWra
 name = objectName.(string)
 }
 if objectns, ok := metadata["namespace"]; ok {
- namespace = objectns.(string)
+ if objectns.(string) != namespace {
+ return []*v1.Pod{}, fmt.Errorf("[SyncQueueJob] resource namespace \"%s\" is different from AppWrapper namespace \"%s\"", objectns.(string), namespace)
+ }
 }
 }
 labels := map[string]string{}
From 324aa60fa5abe69ff99a0a7f0648079026c24661 Mon Sep 17 00:00:00 2001
From: Olivier Tardieu
Date: Thu, 19 Oct 2023 08:53:43 -0400
Subject: [PATCH 2/2] Restrict resource deletion to AppWrapper namespace
---
 .../genericresource/genericresource.go | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)
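Review bot: The new comparison `objectns.(string) != namespace` in the second SyncQueueJob hunk (@@ -282) uses an unchecked type assertion on a value read from the submitted generic item, so a `metadata.namespace` that is not a string would panic in the controller before the namespace check can reject it. A checked form keeps the rejection path: `ns, isString := objectns.(string)` followed by `if !isString || ns != namespace {` and the existing error return. The same pattern appears in the Cleanup hunk (@@ -158) of patch 2/2 and in the neighbouring `md.(map[string]interface{})` and `objectName.(string)` context lines. SyncQueueJob starts and ends outside this hunk, so whether a recover() further up contains such a panic is not visible here.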
diff --git a/pkg/controller/queuejobresources/genericresource/genericresource.go b/pkg/controller/queuejobresources/genericresource/genericresource.go
index 4c969762..a1057f76 100644
--- a/pkg/controller/queuejobresources/genericresource/genericresource.go
+++ b/pkg/controller/queuejobresources/genericresource/genericresource.go
@@ -150,7 +150,7 @@ func (gr *GenericResources) Cleanup(aw *arbv1.AppWrapper, awr *arbv1.AppWrapperG
 }
 unstruct.Object = blob.(map[string]interface{}) // set object to the content of the blob after Unmarshalling
- namespace := ""
+ namespace := aw.Namespace // only delete resources from AppWrapper namespace
 if md, ok := unstruct.Object["metadata"]; ok {
 metadata := md.(map[string]interface{})
@@ -158,13 +158,16 @@ func (gr *GenericResources) Cleanup(aw *arbv1.AppWrapper, awr *arbv1.AppWrapperG
 name = objectName.(string)
 }
 if objectns, ok := metadata["namespace"]; ok {
- namespace = objectns.(string)
+ if objectns.(string) != namespace {
+ err := fmt.Errorf("[Cleanup] resource namespace \"%s\" is different from AppWrapper namespace \"%s\"", objectns.(string), namespace)
+ return name, gvk, err
+ }
 }
 }
- // Get the resource to see if it exists
+ // Get the resource to see if it exists in the AppWrapper namespace
 labelSelector := fmt.Sprintf("%s=%s, %s=%s", appwrapperJobName, aw.Name, resourceName, unstruct.GetName())
- inEtcd, err := dclient.Resource(rsrc).List(context.Background(), metav1.ListOptions{LabelSelector: labelSelector})
+ inEtcd, err := dclient.Resource(rsrc).Namespace(aw.Namespace).List(context.Background(), metav1.ListOptions{LabelSelector: labelSelector})
 if err != nil {
 return name, gvk, err
 }
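Review bot: Only the List call in the Cleanup hunk (@@ -158) is visibly scoped with `.Namespace(aw.Namespace)`; the delete that acts on `inEtcd` lies outside the hunk, so it is worth confirming that it is namespaced too, because that call is what actually enforces the restriction named in the commit title. The lookup could also use the local variable, `dclient.Resource(rsrc).Namespace(namespace).List(...)`, so the value that was checked and the value that is queried cannot drift apart in a later edit. Cleanup's body starts and ends outside this hunk.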
@@ -273,7 +276,7 @@ func (gr *GenericResources) SyncQueueJob(aw *arbv1.AppWrapper, awr *arbv1.AppWra
 ownerRef := metav1.NewControllerRef(aw, appWrapperKind)
 unstruct.Object = blob.(map[string]interface{}) // set object to the content of the blob after Unmarshalling
 unstruct.SetOwnerReferences(append(unstruct.GetOwnerReferences(), *ownerRef))
- namespace := aw.Namespace // create resource in AppWrapper namespace
+ namespace := aw.Namespace // only create resources in AppWrapper namespace
 name := ""
 if md, ok := unstruct.Object["metadata"]; ok {
@@ -283,7 +286,8 @@ func (gr *GenericResources) SyncQueueJob(aw *arbv1.AppWrapper, awr *arbv1.AppWra
 }
 if objectns, ok := metadata["namespace"]; ok {
 if objectns.(string) != namespace {
- return []*v1.Pod{}, fmt.Errorf("[SyncQueueJob] resource namespace \"%s\" is different from AppWrapper namespace \"%s\"", objectns.(string), namespace)
+ err := fmt.Errorf("[SyncQueueJob] resource namespace \"%s\" is different from AppWrapper namespace \"%s\"", objectns.(string), namespace)
+ return []*v1.Pod{}, err
 }
 }
 }
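Review bot: The error built in the last hunk (@@ -283) interpolates the namespace taken from the submitted resource template with `\"%s\"`; `%q` would quote it and escape control characters, so the message stays on one line wherever the caller logs it: `err := fmt.Errorf("[SyncQueueJob] resource namespace %q is different from AppWrapper namespace %q", objectns, namespace)`. The Cleanup hunk of this patch uses the same format string. Since the check is now identical in both functions, a small shared helper would keep the two copies from diverging.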