fix: enhance copySecretToNamespace to handle existing controller ref…

components/operator/internal/handlers/sessions.go

@@ -1234,6 +1234,39 @@ func CleanupExpiredTempContentPods() {
 
 // copySecretToNamespace copies a secret to a target namespace with owner references
 func copySecretToNamespace(ctx context.Context, sourceSecret *corev1.Secret, targetNamespace string, ownerObj *unstructured.Unstructured) error {
+	// Check if secret already exists in target namespace
+	existingSecret, err := config.K8sClient.CoreV1().Secrets(targetNamespace).Get(ctx, sourceSecret.Name, v1.GetOptions{})
+	secretExists := err == nil
+	if err != nil && !errors.IsNotFound(err) {
+		return fmt.Errorf("error checking for existing secret: %w", err)
+	}
+
+	// Determine if we should set Controller: true
+	// For shared secrets (like ambient-vertex), don't set Controller: true if secret already exists
+	// to avoid conflicts when multiple sessions use the same secret
+	shouldSetController := true
+	if secretExists {
+		// Check if existing secret already has a controller reference
+		for _, ownerRef := range existingSecret.OwnerReferences {
+			if ownerRef.Controller != nil && *ownerRef.Controller {
+				shouldSetController = false
+				log.Printf("Secret %s already has a controller reference, adding non-controller reference instead", sourceSecret.Name)
+				break
+			}
+		}
+	}
+
+	// Create owner reference
+	newOwnerRef := v1.OwnerReference{
+		APIVersion: ownerObj.GetAPIVersion(),
+		Kind:       ownerObj.GetKind(),
+		Name:       ownerObj.GetName(),
+		UID:        ownerObj.GetUID(),
+	}
+	if shouldSetController {
+		newOwnerRef.Controller = boolPtr(true)
+	}
+
 	// Create a new secret in the target namespace
 	newSecret := &corev1.Secret{
 		ObjectMeta: v1.ObjectMeta{
@@ -1243,22 +1276,13 @@ func copySecretToNamespace(ctx context.Context, sourceSecret *corev1.Secret, tar
 			Annotations: map[string]string{
 				types.CopiedFromAnnotation: fmt.Sprintf("%s/%s", sourceSecret.Namespace, sourceSecret.Name),
 			},
-			OwnerReferences: []v1.OwnerReference{
-				{
-					APIVersion: ownerObj.GetAPIVersion(),
-					Kind:       ownerObj.GetKind(),
-					Name:       ownerObj.GetName(),
-					UID:        ownerObj.GetUID(),
-					Controller: boolPtr(true),
-				},
-			},
+			OwnerReferences: []v1.OwnerReference{newOwnerRef},
 		},
 		Type: sourceSecret.Type,
 		Data: sourceSecret.Data,
 	}
 
-	// Check if secret already exists in target namespace
-	if existingSecret, err := config.K8sClient.CoreV1().Secrets(targetNamespace).Get(ctx, sourceSecret.Name, v1.GetOptions{}); err == nil {
+	if secretExists {
 		// Secret already exists, check if it needs to be updated
 		log.Printf("Secret %s already exists in namespace %s, checking if update needed", sourceSecret.Name, targetNamespace)
 
@@ -1284,10 +1308,26 @@ func copySecretToNamespace(ctx context.Context, sourceSecret *corev1.Secret, tar
 				return err
 			}
 
+			// Check again if there's already a controller reference (may have changed since last check)
+			hasController := false
+			for _, ownerRef := range currentSecret.OwnerReferences {
+				if ownerRef.Controller != nil && *ownerRef.Controller {
+					hasController = true
+					break
+				}
+			}
+
+			// Create a fresh owner reference based on current state
+			// If there's already a controller, don't set Controller: true for the new reference
+			ownerRefToAdd := newOwnerRef
+			if hasController {
+				ownerRefToAdd.Controller = nil
+			}
+
 			// Apply updates
 			// Create a new slice to avoid mutating shared/cached data
 			currentSecret.OwnerReferences = append([]v1.OwnerReference{}, currentSecret.OwnerReferences...)
-			currentSecret.OwnerReferences = append(currentSecret.OwnerReferences, newSecret.OwnerReferences[0])
+			currentSecret.OwnerReferences = append(currentSecret.OwnerReferences, ownerRefToAdd)
 			currentSecret.Data = sourceSecret.Data
 			if currentSecret.Annotations == nil {
 				currentSecret.Annotations = make(map[string]string)
@@ -1298,12 +1338,10 @@ func copySecretToNamespace(ctx context.Context, sourceSecret *corev1.Secret, tar
 			_, err = config.K8sClient.CoreV1().Secrets(targetNamespace).Update(ctx, currentSecret, v1.UpdateOptions{})
 			return err
 		})
-	} else if !errors.IsNotFound(err) {
-		return fmt.Errorf("error checking for existing secret: %w", err)
 	}
 
 	// Create the secret
-	_, err := config.K8sClient.CoreV1().Secrets(targetNamespace).Create(ctx, newSecret, v1.CreateOptions{})
+	_, err = config.K8sClient.CoreV1().Secrets(targetNamespace).Create(ctx, newSecret, v1.CreateOptions{})
 	return err
 }
 

components/operator/internal/handlers/sessions_test.go

@@ -348,6 +348,103 @@ func TestCopySecretToNamespace_MultipleOwnerReferences(t *testing.T) {
 	}
 }
 
+// TestCopySecretToNamespace_ExistingController tests adding owner ref when secret already has a controller
+func TestCopySecretToNamespace_ExistingController(t *testing.T) {
+	existingSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "ambient-vertex",
+			Namespace: "target-ns",
+			OwnerReferences: []metav1.OwnerReference{
+				{
+					APIVersion: "vteam.ambient-code/v1alpha1",
+					Kind:       "AgenticSession",
+					Name:       "existing-session",
+					UID:        k8stypes.UID("existing-uid-111"),
+					Controller: boolPtr(true), // Already has a controller
+				},
+			},
+		},
+		Type: corev1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			"key": []byte("value"),
+		},
+	}
+
+	setupTestClient(existingSecret)
+
+	sourceSecret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "ambient-vertex",
+			Namespace: "source-ns",
+		},
+		Type: corev1.SecretTypeOpaque,
+		Data: map[string][]byte{
+			"key": []byte("updated-value"),
+		},
+	}
+
+	ownerObj := &unstructured.Unstructured{}
+	ownerObj.SetAPIVersion("vteam.ambient-code/v1alpha1")
+	ownerObj.SetKind("AgenticSession")
+	ownerObj.SetName("new-session")
+	ownerObj.SetUID(k8stypes.UID("new-uid-222"))
+
+	ctx := context.Background()
+	err := copySecretToNamespace(ctx, sourceSecret, "target-ns", ownerObj)
+	if err != nil {
+		t.Fatalf("copySecretToNamespace failed: %v", err)
+	}
+
+	// Verify secret has both owner references
+	result, err := config.K8sClient.CoreV1().Secrets("target-ns").Get(ctx, "ambient-vertex", metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to get secret: %v", err)
+	}
+
+	if len(result.OwnerReferences) != 2 {
+		t.Fatalf("Expected 2 owner references, got %d", len(result.OwnerReferences))
+	}
+
+	// Verify only one controller reference exists
+	controllerCount := 0
+	foundExisting := false
+	foundNew := false
+	for _, ref := range result.OwnerReferences {
+		if ref.Controller != nil && *ref.Controller {
+			controllerCount++
+		}
+		if ref.UID == k8stypes.UID("existing-uid-111") {
+			foundExisting = true
+			// Original controller should still be true
+			if ref.Controller == nil || !*ref.Controller {
+				t.Error("Existing controller reference should still have Controller: true")
+			}
+		}
+		if ref.UID == k8stypes.UID("new-uid-222") {
+			foundNew = true
+			// New reference should NOT have Controller: true
+			if ref.Controller != nil && *ref.Controller {
+				t.Error("New owner reference should NOT have Controller: true when secret already has a controller")
+			}
+		}
+	}
+
+	if controllerCount != 1 {
+		t.Errorf("Expected exactly 1 controller reference, got %d", controllerCount)
+	}
+	if !foundExisting {
+		t.Error("Existing owner reference was lost")
+	}
+	if !foundNew {
+		t.Error("New owner reference was not added")
+	}
+
+	// Verify data was updated
+	if string(result.Data["key"]) != "updated-value" {
+		t.Errorf("Expected data 'updated-value', got '%s'", string(result.Data["key"]))
+	}
+}
+
 // TestCopySecretToNamespace_NilAnnotations tests updating secret with nil annotations
 func TestCopySecretToNamespace_NilAnnotations(t *testing.T) {
 	existingSecret := &corev1.Secret{