fixup! [RFC-0010] Add multi-tenancy lockdown for decryption and kubeconfig

Signed-off-by: cappyzawa <[email protected]>

Author: cappyzawa

go.mod

@@ -24,11 +24,11 @@ require (
 	github.com/fluxcd/pkg/apis/event v0.18.0
 	github.com/fluxcd/pkg/apis/kustomize v1.11.0
 	github.com/fluxcd/pkg/apis/meta v1.18.0
-	github.com/fluxcd/pkg/auth v0.25.0
+	github.com/fluxcd/pkg/auth v0.26.0
 	github.com/fluxcd/pkg/cache v0.10.0
 	github.com/fluxcd/pkg/http/fetch v0.17.0
 	github.com/fluxcd/pkg/kustomize v1.19.0
-	github.com/fluxcd/pkg/runtime v0.72.0
+	github.com/fluxcd/pkg/runtime v0.80.0
 	github.com/fluxcd/pkg/ssa v0.51.0
 	github.com/fluxcd/pkg/tar v0.13.0
 	github.com/fluxcd/pkg/testserver v0.11.0

go.sum

@@ -199,8 +199,8 @@ github.com/fluxcd/pkg/apis/kustomize v1.11.0 h1:0IzDgxZkc4v+5SDNCvgZhfwfkdkQLPXC
 github.com/fluxcd/pkg/apis/kustomize v1.11.0/go.mod h1:j302mJGDww8cn9qvMsRQ0LJ1HPAPs/IlX7CSsoJV7BI=
 github.com/fluxcd/pkg/apis/meta v1.18.0 h1:ACHrMIjlcioE9GKS7NGk62KX4NshqNewr8sBwMcXABs=
 github.com/fluxcd/pkg/apis/meta v1.18.0/go.mod h1:97l3hTwBpJbXBY+wetNbqrUsvES8B1jGioKcBUxmqd8=
-github.com/fluxcd/pkg/auth v0.25.0 h1:q8iJ9vdADiJxNA7EKNgEbIXNGbgqqTz6u975ziI3omk=
-github.com/fluxcd/pkg/auth v0.25.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
+github.com/fluxcd/pkg/auth v0.26.0 h1:jw128zPI4aRSvkGbFfAQcFNF3oK58P4rDdKIpj2/7yM=
+github.com/fluxcd/pkg/auth v0.26.0/go.mod h1:YEAHpBFuW5oLlH9ekuJaQdnJ2Q3A7Ny8kha3WY7QMnY=
 github.com/fluxcd/pkg/cache v0.10.0 h1:M+OGDM4da1cnz7q+sZSBtkBJHpiJsLnKVmR9OdMWxEY=
 github.com/fluxcd/pkg/cache v0.10.0/go.mod h1:pPXRzQUDQagsCniuOolqVhnAkbNgYOg8d2cTliPs7ME=
 github.com/fluxcd/pkg/envsubst v1.4.0 h1:pYsb6wrmXOSfHXuXQHaaBBMt3LumhgCb8SMdBNAwV/U=
@@ -209,8 +209,8 @@ github.com/fluxcd/pkg/http/fetch v0.17.0 h1:U/Fuh+H1cRL2d/EOfdsjJPaPDPtL3pFanPSE
 github.com/fluxcd/pkg/http/fetch v0.17.0/go.mod h1:nMozZtiSKtPGwMrR5wGjIJoQmhvFqZ5P4UsM/Lqza2I=
 github.com/fluxcd/pkg/kustomize v1.19.0 h1:2eO8lMx0/H/Yyq35LMTAMhxEElOzMW0Yi9zUNZoimlU=
 github.com/fluxcd/pkg/kustomize v1.19.0/go.mod h1:OCCW9vU3lStDh3jyg9MM/a29MSdNAVk2wjl0lDos5Fs=
-github.com/fluxcd/pkg/runtime v0.72.0 h1:9JCto84iL2FziuTuuvDwvS+cfIzGhHOk25y8ulXpNOs=
-github.com/fluxcd/pkg/runtime v0.72.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
+github.com/fluxcd/pkg/runtime v0.80.0 h1:vknT2vdQSGTFnAhz4xGk2ZXUWCrXh3whsISStgA57Go=
+github.com/fluxcd/pkg/runtime v0.80.0/go.mod h1:iGhdaEq+lMJQTJNAFEPOU4gUJ7kt3yeDcJPZy7O9IUw=
 github.com/fluxcd/pkg/sourceignore v0.13.0 h1:ZvkzX2WsmyZK9cjlqOFFW1onHVzhPZIqDbCh96rPqbU=
 github.com/fluxcd/pkg/sourceignore v0.13.0/go.mod h1:Z9H1GoBx0ljOhptnzoV0PL6Nd/UzwKcSphP27lqb4xI=
 github.com/fluxcd/pkg/ssa v0.51.0 h1:sFarxKZcS0J8sjq9qvs/r+1XiJqNgRodEiPjV75F8R4=

internal/controller/kustomization_configuration_error_test.go

@@ -178,7 +178,8 @@ data: {}
 	t.Run("object level workload identity feature gate enabled", func(t *testing.T) {
 		g := NewWithT(t)
 
-		t.Setenv(auth.EnvEnableObjectLevelWorkloadIdentity, "true")
+		auth.EnableObjectLevelWorkloadIdentity()
+		t.Cleanup(func() { auth.DisableObjectLevelWorkloadIdentity() })
 
 		kustomizationKey := types.NamespacedName{
 			Name:      fmt.Sprintf("invalid-config-%s", randStringRunes(5)),

internal/decryptor/decryptor.go

@@ -320,8 +320,13 @@ func (d *Decryptor) SetAuthOptions(ctx context.Context) {
 
 		opts = append(opts, auth.WithClient(d.client))
 		opts = append(opts, auth.WithServiceAccountNamespace(d.kustomization.GetNamespace()))
-		if d.kustomization.Spec.Decryption.ServiceAccountName != "" {
-			opts = append(opts, auth.WithServiceAccountName(d.kustomization.Spec.Decryption.ServiceAccountName))
+
+		saName := d.kustomization.Spec.Decryption.ServiceAccountName
+		if saName == "" {
+			saName = auth.GetDefaultDecryptionServiceAccount()
+		}
+		if saName != "" {
+			opts = append(opts, auth.WithServiceAccountName(saName))
 		}
 
 		involvedObject := cache.InvolvedObject{