Improve handling of missing namespace in SecretKeyReference (#146)

Fixes aws-controllers-k8s/community#1699

When reconciling a resource that references a Kubernetes Secret via a
`SecretKeyReference`, if the namespace field is not specified, the code
previously defaulted to the "default" namespace.

This commit changes that behavior to instead use the namespace of the
resource being reconciled, if available in the reconcile context.

Signed-off-by: Amine Hilaly <[email protected]>

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Author: a-hilaly

pkg/runtime/reconciler.go

@@ -126,8 +126,18 @@ func (r *reconciler) SecretValueFromReference(
 	}
 
 	namespace := ref.Namespace
-	if namespace == "" {
-		namespace = "default"
+	// During the reconcile process, the resourceNamespace is stored in the context
+	// and can be used to fetch the secret if the namespace is not provided in the
+	// SecretKeyReference.
+	//
+	// NOTE(a-hilaly): When refactoring the runtime, we might want to consider passing
+	// the ObjectMeta in the context.
+	ctxResourceNamespace := ctx.Value("resourceNamespace")
+	if namespace == "" && ctxResourceNamespace != nil {
+		ctxNamespace, ok := ctxResourceNamespace.(string)
+		if ok {
+			namespace = ctxNamespace
+		}
 	}
 
 	nsn := client.ObjectKey{
@@ -175,6 +185,7 @@ func (r *resourceReconciler) Reconcile(ctx context.Context, req ctrlrt.Request)
 	// We're storing a logger pointer in the context, so that any changes to the logger
 	// will be reflected in the context.
 	ctx = context.WithValue(ctx, ackrtlog.ContextKey, rlog)
+	ctx = context.WithValue(ctx, "resourceNamespace", req.Namespace)
 
 	// If a user has specified a namespace that is annotated with the
 	// an owner account ID, we need an appropriate role ARN to assume