From 0dd4f706ffffd6b51cdebd46c1801929078b909e Mon Sep 17 00:00:00 2001
From: Aurel Canciu <aurelcanciu@gmail.com>
Date: Thu, 11 Nov 2021 14:57:22 +0100
Subject: [PATCH 1/2] Watched cross-ns image repos trigger reconcile

Cross-namespace ImageRepository resources should trigger reconciles for
ImagePolicies that refer to them. Previously, this was only done for
resources in the same namespace.

Fixes #195

Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
---
 controllers/imagepolicy_controller.go |  3 +--
 controllers/policy_test.go            | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/controllers/imagepolicy_controller.go b/controllers/imagepolicy_controller.go
index 8995cfb8..77249bd7 100644
--- a/controllers/imagepolicy_controller.go
+++ b/controllers/imagepolicy_controller.go
@@ -259,8 +259,7 @@ func (r *ImagePolicyReconciler) SetupWithManager(mgr ctrl.Manager, opts ImagePol
 func (r *ImagePolicyReconciler) imagePoliciesForRepository(obj client.Object) []reconcile.Request {
 	ctx := context.Background()
 	var policies imagev1.ImagePolicyList
-	if err := r.List(ctx, &policies, client.InNamespace(obj.GetNamespace()),
-		client.MatchingFields{imageRepoKey: obj.GetName()}); err != nil {
+	if err := r.List(ctx, &policies, client.MatchingFields{imageRepoKey: obj.GetName()}); err != nil {
 		return nil
 	}
 	reqs := make([]reconcile.Request, len(policies.Items))
diff --git a/controllers/policy_test.go b/controllers/policy_test.go
index 7369ce06..6f0f720d 100644
--- a/controllers/policy_test.go
+++ b/controllers/policy_test.go
@@ -615,7 +615,8 @@ var _ = Describe("ImagePolicy controller", func() {
 				defer k8sClient.Delete(context.Background(), policyNamespace)
 
 				versions := []string{"1.0.0", "1.0.1"}
-				imgRepo := loadImages(registryServer, "acl-image-"+randStringRunes(5), versions)
+				imageName := "acl-image-" + randStringRunes(5)
+				imgRepo := loadImages(registryServer, imageName, versions)
 
 				repo := imagev1.ImageRepository{
 					Spec: imagev1.ImageRepositorySpec{
@@ -687,6 +688,19 @@ var _ = Describe("ImagePolicy controller", func() {
 				}, timeout, interval).Should(BeTrue())
 				Expect(pol.Status.LatestImage).To(Equal(imgRepo + ":1.0.1"))
 
+				// Updating the image should reconcile the cross-namespace policy
+				imgRepo = loadImages(registryServer, imageName, []string{"1.0.2"})
+				Eventually(func() bool {
+					err := r.Get(ctx, repoObjectName, &repo)
+					return err == nil && repo.Status.LastScanResult.TagCount == len(versions)+1
+				}, timeout, interval).Should(BeTrue())
+
+				Eventually(func() bool {
+					err := r.Get(ctx, polObjectName, &pol)
+					return err == nil && pol.Status.LatestImage != ""
+				}, timeout, interval).Should(BeTrue())
+				Expect(pol.Status.LatestImage).To(Equal(imgRepo + ":1.0.2"))
+
 				Expect(r.Delete(ctx, &pol)).To(Succeed())
 			})
 		})

From 006f204aaa15840f0b819332214a023df72a7577 Mon Sep 17 00:00:00 2001
From: Aurel Canciu <aurelcanciu@gmail.com>
Date: Thu, 11 Nov 2021 15:36:55 +0100
Subject: [PATCH 2/2] Update ImagePolicy index imageRepoKey include ns

The imageRepoKey only contains the name of the ImageRepository resource.
This change uses the namespaced name to avoid collisions.

Signed-off-by: Aurel Canciu <aurelcanciu@gmail.com>
---
 controllers/imagepolicy_controller.go | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/controllers/imagepolicy_controller.go b/controllers/imagepolicy_controller.go
index 77249bd7..ca2885e6 100644
--- a/controllers/imagepolicy_controller.go
+++ b/controllers/imagepolicy_controller.go
@@ -48,7 +48,7 @@ import (
 // this is used as the key for the index of policy->repository; the
 // string is arbitrary and acts as a reminder where the value comes
 // from.
-const imageRepoKey = ".spec.imageRepository.name"
+const imageRepoKey = ".spec.imageRepository"
 
 // ImagePolicyReconciler reconciles a ImagePolicy object
 type ImagePolicyReconciler struct {
@@ -237,7 +237,11 @@ func (r *ImagePolicyReconciler) SetupWithManager(mgr ctrl.Manager, opts ImagePol
 	// it's easy to list those out when an image repo changes.
 	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &imagev1.ImagePolicy{}, imageRepoKey, func(obj client.Object) []string {
 		pol := obj.(*imagev1.ImagePolicy)
-		return []string{pol.Spec.ImageRepositoryRef.Name}
+		namespacedName := types.NamespacedName{
+			Name:      pol.Spec.ImageRepositoryRef.Name,
+			Namespace: pol.Spec.ImageRepositoryRef.Namespace,
+		}
+		return []string{namespacedName.String()}
 	}); err != nil {
 		return err
 	}
@@ -259,7 +263,7 @@ func (r *ImagePolicyReconciler) SetupWithManager(mgr ctrl.Manager, opts ImagePol
 func (r *ImagePolicyReconciler) imagePoliciesForRepository(obj client.Object) []reconcile.Request {
 	ctx := context.Background()
 	var policies imagev1.ImagePolicyList
-	if err := r.List(ctx, &policies, client.MatchingFields{imageRepoKey: obj.GetName()}); err != nil {
+	if err := r.List(ctx, &policies, client.MatchingFields{imageRepoKey: client.ObjectKeyFromObject(obj).String()}); err != nil {
 		return nil
 	}
 	reqs := make([]reconcile.Request, len(policies.Items))