In the case where a VaultDynamicSecret instance specifies a Vault namespace that is different from its VaultAuth the ClientCacheKey will be of the clone variant. The cache key format is different from its parent cache key and therefore a parent and a clone cannot be compared. Since the VDS controller stores the clone variant in its state, all instances of this type were ignored during a client callback reconciliation. This would leave unreconciled VDS instances upon client token expiration or other LifetimeWatcher errors.
[x] Extend the VDS integration tests to include a cross-namespace scenario.
In the case where a VaultDynamicSecret instance specifies a Vault namespace that is different from its VaultAuth the ClientCacheKey will be of the clone variant. The cache key format is different from its parent cache key and therefore a parent and a clone cannot be compared. Since the VDS controller stores the clone variant in its state, all instances of this type were ignored during a client callback reconciliation. This would leave unreconciled VDS instances upon client token expiration or other LifetimeWatcher errors.