From 3b6c489e86a2d52918bfcc68377cfe529e300f7f Mon Sep 17 00:00:00 2001 From: saumeya Date: Wed, 28 Aug 2024 15:25:45 +0530 Subject: [PATCH 1/3] fix: ensure pod security label on namespace Signed-off-by: saumeya --- controllers/gitopsservice_controller.go | 34 +++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/controllers/gitopsservice_controller.go b/controllers/gitopsservice_controller.go index 33840081c00..da3fb3b9726 100644 --- a/controllers/gitopsservice_controller.go +++ b/controllers/gitopsservice_controller.go @@ -229,6 +229,14 @@ func (r *ReconcileGitopsService) Reconcile(ctx context.Context, request reconcil } else { return reconcile.Result{}, err } + } else { + needUpdate, updateNameSpace := ensurePodSecurityLabels(argocdNS) + if needUpdate { + err = r.Client.Update(context.TODO(), updateNameSpace) + if err != nil { + return reconcile.Result{}, err + } + } } gitopsserviceNamespacedName := types.NamespacedName{ @@ -372,6 +380,15 @@ func (r *ReconcileGitopsService) reconcileDefaultArgoCDInstance(instance *pipeli return reconcile.Result{}, err } } + + needUpdate, updateNameSpace := ensurePodSecurityLabels(argocdNS) + if needUpdate { + err = r.Client.Update(context.TODO(), updateNameSpace) + if err != nil { + return reconcile.Result{}, err + } + } + } // Set GitopsService instance as the owner and controller 
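Review bot: The new `r.Client.Update(context.TODO(), updateNameSpace)` in the added else branch writes the whole Namespace object back, which needs the `update` verb on `namespaces` in the operator's ClusterRole; nothing in this series touches the RBAC manifests, so confirm that verb is already granted, otherwise every reconcile of an existing namespace will fail with Forbidden. A patch scoped to `metadata.labels` (controller-runtime's `client.MergeFrom` against a copy taken before `ensurePodSecurityLabels` mutates the object) would need only `patch` and would not overwrite concurrent changes to the namespace with a stale full object; the same applies to the block added at @@ -372 below and to the patch 2 hunk. `Reconcile` already receives `ctx` (visible in the hunk header), so `context.TODO()` here should be `ctx` so the write is cancelled together with the reconcile.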
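Review bot: The lines added after the closing brace at the top of this hunk duplicate the block added at @@ -229 in `Reconcile` verbatim, including the error handling; `reconcileDefaultArgoCDInstance` starts and ends outside the hunk, so it is not visible whether a `ctx` is available here, but the pair is easier to keep consistent as one method both call sites use. With the helper below each call site becomes `if err := r.reconcilePodSecurityLabels(context.TODO(), argocdNS); err != nil { return reconcile.Result{}, err }`, and there is a single place to switch from a full `Update` to a label-scoped patch later. The hunk also adds an empty line directly before the `}` context line that follows the block, which is a leftover of the edit.
```go
// reconcilePodSecurityLabels applies the operator's Pod Security Admission
// labels to ns and persists the namespace only when a label actually changed.
func (r *ReconcileGitopsService) reconcilePodSecurityLabels(ctx context.Context, ns *corev1.Namespace) error {
	changed, updated := ensurePodSecurityLabels(ns)
	if !changed {
		return nil
	}
	return r.Client.Update(ctx, updated)
}
```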
@@ -917,3 +934,20 @@ func policyRuleForBackendServiceClusterRole() []rbacv1.PolicyRule { }, } } + +func ensurePodSecurityLabels(namespace *corev1.Namespace) (bool, *corev1.Namespace) { + for key := range namespace.Labels { + if strings.HasPrefix(key, "pod-security") { + return false, namespace + } + } + + namespace.Labels["pod-security.kubernetes.io/enforce"] = "restricted" + namespace.Labels["pod-security.kubernetes.io/enforce-version"] = "v1.29" + namespace.Labels["pod-security.kubernetes.io/audit"] = "restricted" + namespace.Labels["pod-security.kubernetes.io/audit-version"] = "latest" + namespace.Labels["pod-security.kubernetes.io/warn"] = "restricted" + namespace.Labels["pod-security.kubernetes.io/warn-version"] = "latest" + + return true, namespace +} From 7b01b23cd16956b687b22b2e629c1e2cedcb86b3 Mon Sep 17 00:00:00 2001 From: saumeya Date: Wed, 28 Aug 2024 15:39:29 +0530 Subject: [PATCH 2/3] fix: Signed-off-by: saumeya --- controllers/gitopsservice_controller.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/controllers/gitopsservice_controller.go b/controllers/gitopsservice_controller.go index da3fb3b9726..a7c15ac2fb3 100644 --- a/controllers/gitopsservice_controller.go +++ b/controllers/gitopsservice_controller.go @@ -230,7 +230,7 @@ func (r *ReconcileGitopsService) Reconcile(ctx context.Context, request reconcil return reconcile.Result{}, err } } else { - needUpdate, updateNameSpace := ensurePodSecurityLabels(argocdNS) + needUpdate, updateNameSpace := ensurePodSecurityLabels(namespaceRef) if needUpdate { err = r.Client.Update(context.TODO(), updateNameSpace) if err != nil { From deefd881572b33f36d24072a36ebd41ca6cd1973 Mon Sep 17 00:00:00 2001 From: saumeya Date: Tue, 3 Sep 2024 17:05:12 +0530 Subject: [PATCH 3/3] review comments Signed-off-by: saumeya --- controllers/gitopsservice_controller.go | 27 +++++++++++++++---------- 1 file changed, 16 insertions(+), 11 deletions(-) 
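Review bot: `namespace.Labels["pod-security.kubernetes.io/enforce"] = "restricted"` panics with "assignment to entry in nil map" when a Namespace reaches this function with a nil `Labels` map (for example one constructed in memory before it has been round-tripped through the API), because the early-return loop above it simply does not iterate; the rewrite in patch 3 keeps the same unguarded `namespace.Labels[pssKey] = pssVal`. Add `if namespace.Labels == nil { namespace.Labels = map[string]string{} }` before the first write. The function also has no doc comment; a line such as `// ensurePodSecurityLabels sets the restricted Pod Security Admission labels on namespace and reports whether the object now needs to be persisted.` would state the contract the two callers rely on.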
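Review bot: After this fix `Reconcile` labels `namespaceRef` while `reconcileDefaultArgoCDInstance` (the @@ -372 hunk of patch 1) labels `argocdNS`; from the hunks alone it is not clear whether these are the same namespace or two different ones, and neither call site says which namespace is being restricted or why. A one-line comment above the call, e.g. `// Enforce the restricted Pod Security Admission profile on this namespace (see ensurePodSecurityLabels)`, would make the intent reviewable without reading the helper. The surrounding function starts and ends outside the hunk.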
diff --git a/controllers/gitopsservice_controller.go b/controllers/gitopsservice_controller.go index a7c15ac2fb3..83cf84c94bb 100644 --- a/controllers/gitopsservice_controller.go +++ b/controllers/gitopsservice_controller.go @@ -936,18 +936,23 @@ func policyRuleForBackendServiceClusterRole() []rbacv1.PolicyRule { } func ensurePodSecurityLabels(namespace *corev1.Namespace) (bool, *corev1.Namespace) { - for key := range namespace.Labels { - if strings.HasPrefix(key, "pod-security") { - return false, namespace - } + + pssLabels := map[string]string{ + "pod-security.kubernetes.io/enforce": "restricted", + "pod-security.kubernetes.io/enforce-version": "v1.29", + "pod-security.kubernetes.io/audit": "restricted", + "pod-security.kubernetes.io/audit-version": "latest", + "pod-security.kubernetes.io/warn": "restricted", + "pod-security.kubernetes.io/warn-version": "latest", } - namespace.Labels["pod-security.kubernetes.io/enforce"] = "restricted" - namespace.Labels["pod-security.kubernetes.io/enforce-version"] = "v1.29" - namespace.Labels["pod-security.kubernetes.io/audit"] = "restricted" - namespace.Labels["pod-security.kubernetes.io/audit-version"] = "latest" - namespace.Labels["pod-security.kubernetes.io/warn"] = "restricted" - namespace.Labels["pod-security.kubernetes.io/warn-version"] = "latest" + changed := false + for pssKey, pssVal := range pssLabels { + if nsVal, exists := namespace.Labels[pssKey]; !exists || nsVal != pssVal { + namespace.Labels[pssKey] = pssVal + changed = true + } - return true, namespace + } + return changed, namespace }
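Review bot: The rewritten loop reasserts the operator's six values on every reconcile, so any `pod-security.kubernetes.io/*` label an administrator has set on the namespace (say `enforce: baseline` to keep a workload running that restricted rejects) is silently reverted each loop, whereas the patch 1 version deferred to existing labels; that is a legitimate choice but it is undocumented, and the function still carries no doc comment. Suggest `// ensurePodSecurityLabels forces the restricted Pod Security Admission profile on namespace, overwriting any conflicting pod-security labels, and reports whether the object changed.` above the signature. `enforce-version` is pinned to `v1.29` while audit and warn use `latest`; a short comment on the `pssLabels` map stating why enforcement is pinned and what should bump it would keep the two from drifting. Enforce mode rejects creation of any pod in the namespace that does not satisfy restricted, so it is worth confirming that the Argo CD pods the operator deploys there already set the required securityContext, otherwise this lands as an outage on upgrade. The empty line after the signature and the one before the loop's closing `}` are leftovers of the edit and can go.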