From 2eb94321711a04c3a3b7c1665ba641e565dcdf74 Mon Sep 17 00:00:00 2001
From: killianmuldoon
Date: Mon, 23 Jan 2023 12:07:53 +0000
Subject: [PATCH] Fix secret selection logic for ownerRef test
---
 cmd/clusterctl/client/cluster/ownergraph.go | 28 ++++++++++++++++++++-
 util/secret/secret.go | 2 +-
 2 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/cmd/clusterctl/client/cluster/ownergraph.go b/cmd/clusterctl/client/cluster/ownergraph.go
index 335c76418bf0..16e49b192345 100644
--- a/cmd/clusterctl/client/cluster/ownergraph.go
+++ b/cmd/clusterctl/client/cluster/ownergraph.go
@@ -20,6 +20,9 @@ import (
 "github.com/pkg/errors"
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+
+ clusterv1 "sigs.k8s.io/cluster-api/api/v1beta1"
 )
 // OwnerGraph contains a graph with all the objects considered by clusterctl move as nodes and the OwnerReference relationship
@@ -57,8 +60,12 @@ func GetOwnerGraph(namespace, kubeconfigPath string) (OwnerGraph, error) {
 graph := newObjectGraph(p, invClient)
+ cl, err := p.NewClient()
+ if err != nil {
+ return OwnerGraph{}, errors.Wrap(err, "failed to create client for ownerGraph")
+ }
 // Gets all the types defined by the CRDs installed by clusterctl plus the ConfigMap/Secret core types.
- err := graph.getDiscoveryTypes()
+ err = graph.getDiscoveryTypes()
 if err != nil {
 return OwnerGraph{}, errors.Wrap(err, "failed to retrieve discovery types")
 }
@@ -71,6 +78,16 @@ func GetOwnerGraph(namespace, kubeconfigPath string) (OwnerGraph, error) {
 }
 owners := OwnerGraph{}
 for _, v := range graph.uidToNode {
+ // If the object is a Secret but not part of the Cluster ignore it.
+ if v.identity.Kind == "Secret" {
+ clusterSecret, err := isClusterSecret(v.identity, cl)
+ if err != nil {
+ return OwnerGraph{}, err
+ }
+ if !clusterSecret {
+ continue
+ }
+ }
 n := OwnerGraphNode{Object: v.identity, Owners: []metav1.OwnerReference{}}
 for owner, attributes := range v.owners {
 n.Owners = append(n.Owners, nodeToOwnerRef(owner, attributes))
@@ -79,3 +96,12 @@ func GetOwnerGraph(namespace, kubeconfigPath string) (OwnerGraph, error) {
 }
 return owners, nil
 }
+
+// isClusterSecret checks whether a Secret is related to a CAPI Cluster by checking if the secret type is ClusterSecretType.
+func isClusterSecret(ref corev1.ObjectReference, c client.Client) (bool, error) {
+ s := &corev1.Secret{}
+ if err := c.Get(ctx, client.ObjectKey{Namespace: ref.Namespace, Name: ref.Name}, s); err != nil {
+ return false, err
+ }
+ return s.Type == clusterv1.ClusterSecretType, nil
+}
diff --git a/util/secret/secret.go b/util/secret/secret.go
index 5af9fd9f5057..c6ac97c80cfe 100644
--- a/util/secret/secret.go
+++ b/util/secret/secret.go
@@ -53,7 +53,7 @@ func Name(cluster string, suffix Purpose) string {
 return fmt.Sprintf("%s-%s", cluster, suffix)
 }
-// ParseSecretName return the cluster name and the suffix Purpose in name is a valid cluster secrets,
+// ParseSecretName return the cluster name and the suffix Purpose in name is a valid cluster secret,
 // otherwise it return error.
 func ParseSecretName(name string) (string, Purpose, error) {
 separatorPos := strings.LastIndex(name, "-")
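Review bot: In the `@@ -71,6 +78,16 @@` hunk of ownergraph.go, the new Secret guard returns the error from `isClusterSecret` bare, while the other returns visible in GetOwnerGraph use `errors.Wrap`, so a caller cannot tell which Secret failed. I would write `return OwnerGraph{}, errors.Wrapf(err, "failed to get Secret %s/%s", v.identity.Namespace, v.identity.Name)`. It is also worth deciding explicitly whether a Secret that is deleted between graph discovery and this Get should fail the whole call, as it does now, or be skipped. The guard matches on `Kind` alone; adding `&& v.identity.APIVersion == "v1"` would keep the lookup to core Secrets if a same-named kind from another group ever enters the graph. The loop body continues past the end of the hunk.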
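Review bot: In the `@@ -79,3 +96,12 @@` hunk of ownergraph.go, the doc comment on `isClusterSecret` should say that a Secret's `type` is chosen by whoever creates the object, so the result only classifies Secrets for the owner graph and is not evidence that Cluster API created them. Proposed addition: `// The type field is set by the Secret's creator; a match classifies the object and does not prove its origin.` The function also reads `ctx`, which is not declared in any visible hunk and is presumably package-level; taking a `context.Context` parameter would make that dependency explicit. Each call retrieves the full Secret, data included, only to compare `Type`, so the client needs get access to every Secret in the graph; a single filtered List may be cheaper, though I have not checked how this client handles field selectors.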