From 78f655ee04a804512d512e97eb15558fb2e192c0 Mon Sep 17 00:00:00 2001
From: Tore <tore.lonoy@gmail.com>
Date: Tue, 16 May 2023 19:55:39 +0200
Subject: [PATCH] fix: Update Bitbucket SSH host key (#11091)

Signed-off-by: Tore S. Loenoey <tore.lonoy@gmail.com>
Co-authored-by: Tore S. Loenoey <torestendal.lonoy@tv2.no>
---
 hack/ssh_known_hosts                          |  2 +
 pkg/apis/workflow/v1alpha1/workflow_types.go  |  1 +
 .../controller/operator_concurrency_test.go   | 90 +++++++++++++++++++
 workflow/sync/lock_name.go                    |  8 +-
 4 files changed, 99 insertions(+), 2 deletions(-)

diff --git a/hack/ssh_known_hosts b/hack/ssh_known_hosts
index 9f9bf695dc38..6e827d007d6d 100644
--- a/hack/ssh_known_hosts
+++ b/hack/ssh_known_hosts
@@ -1,4 +1,6 @@
 # This file was automatically generated. DO NOT EDIT
+bitbucket.org ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIQmuzMBuKdWeF4+a2sjSSpBK0iqitSQ+5BM9KhpexuGt20JpTVM7u5BDZngncgrqDMbWdxMWWOGtZ9UgbqgZE=
+bitbucket.org ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIazEu89wgQZ4bqs3d63QSMzYVa0MuJ2e2gKTKqu+UUO
 bitbucket.org ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAubiN81eDcafrgMeLzaFPsw2kNvEcqTKl/VqLat/MaB33pZy0y3rJZtnqwR2qOOvbwKZYKiEO1O6VqNEBxKvJJelCq0dTXWT5pbO2gDXC6h6QDXCaHo6pOHGPUy+YBaGQRGuSusMEASYiWunYN0vCAI8QaXnWMXNMdFP3jHAJH0eDsoiGnLPBlBp4TNm6rYI74nMzgz3B9IikW4WVK+dc8KZJZWYjAuORU3jc1c/NPskD2ASinf8v3xnfXeukU0sJ5N6m5E8VLjObPEO+mN2t/FZTMZLiFqPWc/ALSqnMnnhwrNi2rbfg/rd/IpL8Le3pSBne8+seeFVBoGqzHM9yXw==
 github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
 github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
diff --git a/pkg/apis/workflow/v1alpha1/workflow_types.go b/pkg/apis/workflow/v1alpha1/workflow_types.go
index 3c02ef368247..ce77e6c6e9a4 100644
--- a/pkg/apis/workflow/v1alpha1/workflow_types.go
+++ b/pkg/apis/workflow/v1alpha1/workflow_types.go
@@ -1652,6 +1652,7 @@ func (s *Synchronization) GetType() SynchronizationType {
 type SemaphoreRef struct {
 	// ConfigMapKeyRef is configmap selector for Semaphore configuration
 	ConfigMapKeyRef *apiv1.ConfigMapKeySelector `json:"configMapKeyRef,omitempty" protobuf:"bytes,1,opt,name=configMapKeyRef"`
+	Namespace 	 string                      `json:"namespace,omitempty" protobuf:"bytes,2,opt,name=namespace"`
 }
 
 // Mutex holds Mutex configuration
diff --git a/workflow/controller/operator_concurrency_test.go b/workflow/controller/operator_concurrency_test.go
index 66f4940b4727..bc6832f8c292 100644
--- a/workflow/controller/operator_concurrency_test.go
+++ b/workflow/controller/operator_concurrency_test.go
@@ -79,6 +79,33 @@ spec:
         sys.exit(exit_code)
 `
 
+const ScriptWfWithSemaphoreDifferentNamespace = `
+apiVersion: argoproj.io/v1alpha1
+kind: Workflow
+metadata: 
+  name: script-wf
+  namespace: default
+spec: 
+  entrypoint: scriptTmpl
+  templates:
+  - name: scriptTmpl
+    synchronization: 
+      semaphore: 
+        namespace: other
+        configMapKeyRef: 
+          key: template
+          name: my-config
+    script:
+      image: python:alpine3.6
+      command: ["python"]
+      # fail with a 66% probability
+      source: |
+        import random;
+        import sys; 
+        exit_code = random.choice([0, 1, 1]); 
+        sys.exit(exit_code)
+`
+
 const ResourceWfWithSemaphore = `
 apiVersion: argoproj.io/v1alpha1
 kind: Workflow
@@ -250,6 +277,69 @@ func TestSemaphoreScriptTmplLevel(t *testing.T) {
 	})
 }
 
+
+func TestSemaphoreScriptConfigMapInDifferentNamespace(t *testing.T) {
+	cancel, controller := newController()
+	defer cancel()
+	ctx := context.Background()
+	controller.syncManager = sync.NewLockManager(GetSyncLimitFunc(ctx, controller.kubeclientset), func(key string) {
+	}, workflowExistenceFunc)
+	var cm v1.ConfigMap
+	wfv1.MustUnmarshal([]byte(configMap), &cm)
+	_, err := controller.kubeclientset.CoreV1().ConfigMaps("other").Create(ctx, &cm, metav1.CreateOptions{})
+	assert.NoError(t, err)
+
+	t.Run("ScriptTmplLevelAcquireAndRelease", func(t *testing.T) {
+		wf := wfv1.MustUnmarshalWorkflow(ScriptWfWithSemaphoreDifferentNamespace)
+		wf.Name = "one"
+		wf.Namespace = "namespace-one"
+		wf, err := controller.wfclientset.ArgoprojV1alpha1().Workflows(wf.Namespace).Create(ctx, wf, metav1.CreateOptions{})
+		assert.NoError(t, err)
+		woc := newWorkflowOperationCtx(wf, controller)
+
+		// acquired the lock
+		woc.operate(ctx)
+		assert.NotNil(t, woc.wf.Status.Synchronization)
+		assert.NotNil(t, woc.wf.Status.Synchronization.Semaphore)
+		assert.Equal(t, 1, len(woc.wf.Status.Synchronization.Semaphore.Holding))
+
+		for _, node := range woc.wf.Status.Nodes {
+			assert.Equal(t, wfv1.NodePending, node.Phase)
+		}
+
+		// Try to Acquire the lock, But lock is not available
+		wf_Two := wf.DeepCopy()
+		wf_Two.Name = "two"
+		wf_Two.Namespace = "namespace-two"
+		wf_Two, err = controller.wfclientset.ArgoprojV1alpha1().Workflows(wf_Two.Namespace).Create(ctx, wf_Two, metav1.CreateOptions{})
+		assert.NoError(t, err)
+		woc_two := newWorkflowOperationCtx(wf_Two, controller)
+		// Try Acquire the lock
+		woc_two.operate(ctx)
+
+		// Check Node status
+		err = woc_two.podReconciliation(ctx)
+		assert.NoError(t, err)
+		for _, node := range woc_two.wf.Status.Nodes {
+			assert.Equal(t, wfv1.NodePending, node.Phase)
+		}
+		// Updating Pod state
+		makePodsPhase(ctx, woc, v1.PodFailed)
+
+		// Release the lock
+		woc = newWorkflowOperationCtx(woc.wf, controller)
+		woc.operate(ctx)
+		assert.Nil(t, woc.wf.Status.Synchronization)
+
+		// Try to acquired the lock
+		woc_two = newWorkflowOperationCtx(woc_two.wf, controller)
+		woc_two.operate(ctx)
+		assert.NotNil(t, woc_two.wf.Status.Synchronization)
+		assert.NotNil(t, woc_two.wf.Status.Synchronization.Semaphore)
+		assert.Equal(t, 1, len(woc_two.wf.Status.Synchronization.Semaphore.Holding))
+	})
+}
+
 func TestSemaphoreResourceTmplLevel(t *testing.T) {
 	cancel, controller := newController()
 	defer cancel()
diff --git a/workflow/sync/lock_name.go b/workflow/sync/lock_name.go
index 867dbce3112c..d97cb1d32dd8 100644
--- a/workflow/sync/lock_name.go
+++ b/workflow/sync/lock_name.go
@@ -31,15 +31,19 @@ func NewLockName(namespace, resourceName, lockKey string, kind LockKind) *LockNa
 	}
 }
 
-func GetLockName(sync *v1alpha1.Synchronization, namespace string) (*LockName, error) {
+func GetLockName(sync *v1alpha1.Synchronization, wfNamespace string) (*LockName, error) {
 	switch sync.GetType() {
 	case v1alpha1.SynchronizationTypeSemaphore:
 		if sync.Semaphore.ConfigMapKeyRef != nil {
+			namespace := sync.Semaphore.Namespace
+			if namespace == "" {
+				namespace = wfNamespace
+			}
 			return NewLockName(namespace, sync.Semaphore.ConfigMapKeyRef.Name, sync.Semaphore.ConfigMapKeyRef.Key, LockKindConfigMap), nil
 		}
 		return nil, fmt.Errorf("cannot get LockName for a Semaphore without a ConfigMapRef")
 	case v1alpha1.SynchronizationTypeMutex:
-		return NewLockName(namespace, sync.Mutex.Name, "", LockKindMutex), nil
+		return NewLockName(wfNamespace, sync.Mutex.Name, "", LockKindMutex), nil
 	default:
 		return nil, fmt.Errorf("cannot get LockName for a Sync of Unknown type")
 	}