From d4523d94c077e9477530a9e221ada42130bd7633 Mon Sep 17 00:00:00 2001
From: Camila Macedo <7708031+camilamacedo86@users.noreply.github.com>
Date: Tue, 31 Mar 2026 07:19:55 +0200
Subject: [PATCH] fix(boxcutter): cache Secrets only in olmv1-system namespace
Configure cache to watch Secrets exclusively in olmv1-system, avoiding a cluster-wide Secret informer while maintaining performance for bundle Secret lookups via the cached client
---
 cmd/operator-controller/main.go | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/cmd/operator-controller/main.go b/cmd/operator-controller/main.go
index 48104537e9..007bebc6a6 100644
--- a/cmd/operator-controller/main.go
+++ b/cmd/operator-controller/main.go
@@ -30,6 +30,7 @@ import (
 "github.com/spf13/cobra"
 "go.podman.io/image/v5/types"
+ corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 apiextensionsv1client "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/typed/apiextensions/v1"
@@ -283,6 +284,18 @@ func run() error {
 return err
 }
+ // Ensure bundle Secrets in the configured systemNamespace are cached without enabling a cluster-wide Secret informer.
+ // Bundle Secrets are created in cfg.systemNamespace by SecretPacker.
+ if secretCache, ok := cacheOptions.ByObject[&corev1.Secret{}]; ok {
+ if secretCache.Namespaces == nil {
+ secretCache.Namespaces = make(map[string]crcache.Config)
+ }
+ if _, exists := secretCache.Namespaces[cfg.systemNamespace]; !exists {
+ secretCache.Namespaces[cfg.systemNamespace] = crcache.Config{}
+ }
+ cacheOptions.ByObject[&corev1.Secret{}] = secretCache
+ }
+
 metricsServerOptions := server.Options{}
 if len(cfg.certFile) > 0 && len(cfg.keyFile) > 0 {
 setupLog.Info("Starting metrics server with TLS enabled", "addr", cfg.metricsAddr, "tls-cert", cfg.certFile, "tls-key", cfg.keyFile)
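Review bot: The lookup `cacheOptions.ByObject[&corev1.Secret{}]` in the second hunk uses a freshly allocated pointer as the map key, and Go compares pointer keys by identity, so assuming `ByObject` is keyed by object pointers (as in controller-runtime's cache options) `ok` is always false and the whole block is skipped. The Secret cache is then never scoped to `cfg.systemNamespace`, which defeats the stated goal of avoiding a cluster-wide Secret informer; the code that populates `cacheOptions` is outside this hunk, as are the start and end of `run()`, so this should be confirmed there. Matching the existing key by type, as below, fixes the lookup and leaves the namespace handling as written. The block also does nothing when no Secret entry exists, so that case deserves a log line or an error instead of silently leaving Secret caching unrestricted.

```go
for obj, secretCache := range cacheOptions.ByObject {
	if _, isSecret := obj.(*corev1.Secret); !isSecret {
		continue
	}
	// … unchanged: Namespaces nil check and cfg.systemNamespace entry …
	cacheOptions.ByObject[obj] = secretCache
}
```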