From fbd6fa2afcd59569af47cbba088e5672761b17b1 Mon Sep 17 00:00:00 2001
From: Vara
Date: Thu, 19 Dec 2024 17:15:41 -0800
Subject: [PATCH] Include dex secrets when oidc is non tigera or nil
---
 pkg/render/dex.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/pkg/render/dex.go b/pkg/render/dex.go
index 2611dce980..2ad536bc07 100644
--- a/pkg/render/dex.go
+++ b/pkg/render/dex.go
@@ -138,10 +138,11 @@ func (c *dexComponent) Objects() ([]client.Object, []client.Object) {
 // TODO the RequiredSecrets in the dex condig to not pass back secrets of this type.
 if !c.cfg.DeleteDex {
 objs = append(objs, secret.ToRuntimeObjects(c.cfg.DexConfig.RequiredSecrets(common.OperatorNamespace())...)...)
- }
- objs = append(objs, secret.ToRuntimeObjects(c.cfg.DexConfig.RequiredSecrets(DexNamespace)...)...)
- objs = append(objs, secret.ToRuntimeObjects(secret.CopyToNamespace(DexNamespace, c.cfg.PullSecrets...)...)...)
+ // The Dex namespace exists only for non-Tigera OIDC types to create secrets within the namespace.
+ objs = append(objs, secret.ToRuntimeObjects(c.cfg.DexConfig.RequiredSecrets(DexNamespace)...)...)
+ objs = append(objs, secret.ToRuntimeObjects(secret.CopyToNamespace(DexNamespace, c.cfg.PullSecrets...)...)...)
+ }
 if c.cfg.Installation.CertificateManagement != nil {
 objs = append(objs, certificatemanagement.CSRClusterRoleBinding(DexObjectName, DexNamespace))
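Review bot: With the two `DexNamespace` appends moved inside `if !c.cfg.DeleteDex`, the Dex-namespace copies of the required secrets and pull secrets are no longer in `objs` at all when Dex is being removed. The TODO above the guard suggests it was meant only to keep customer-created secrets in the operator namespace out of a delete pass, so if `objs` is handed back as the delete list later in `Objects()` (the body continues outside the hunk), these credential copies would now be left behind unless the namespace itself is deleted. Worth confirming which case holds and stating it in the comment, for example `// Not rendered when DeleteDex is set; these copies are expected to go away with the Dex namespace.` if that is the cleanup path. The added comment also speaks of OIDC type while the condition is `DeleteDex`, so it does not tell the reader how the two relate.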