From e27b47d3dd09386ab0131c803436cddd16aefc87 Mon Sep 17 00:00:00 2001
From: joey
Date: Sat, 16 Nov 2024 13:48:33 +0800
Subject: [PATCH] fix(controller): podSpecPatch updates override the ref template in `Secure` mode

Signed-off-by: joey
---
 workflow/controller/operator.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/workflow/controller/operator.go b/workflow/controller/operator.go
index bc86b71da857..d77504ed4b4b 100644
--- a/workflow/controller/operator.go
+++ b/workflow/controller/operator.go
@@ -4023,6 +4023,9 @@ func (woc *wfOperationCtx) setStoredWfSpec(ctx context.Context) error {
 wfutil.JoinWorkflowMetaData(&woc.wf.ObjectMeta, &wfDefault.ObjectMeta)
 workflowTemplateSpec = wftHolder.GetWorkflowSpec()
 }
+ if len(woc.execWf.Spec.PodSpecPatch) > 0 && woc.controller.Config.WorkflowRestrictions.MustNotChangeSpec() {
+ return fmt.Errorf("PodSpecPatch may not be setted during execution when the controller is set `templateReferencing: Secure`")
+ }
 // Update the Entrypoint, ShutdownStrategy and Suspend
 if woc.needsStoredWfSpecUpdate() {
 // Join workflow, workflow template, and workflow default metadata to workflow spec.
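Review bot: The error returned by the new guard in setStoredWfSpec speaks of a change "during execution", but the condition `len(woc.execWf.Spec.PodSpecPatch) > 0 && ...MustNotChangeSpec()` rejects any non-empty PodSpecPatch and makes no comparison against the stored spec. Unless a check outside the hunk handles submission separately, a workflow submitted with the field already set would get the same message. Reword it to state the actual rule and fix "setted", for example `return fmt.Errorf("podSpecPatch may not be set on the workflow when the controller is configured with templateReferencing: Secure")`. Because this guard enforces a restriction of the `Secure` mode and the diffstat shows only operator.go changed, a test that runs a workflow with podSpecPatch under that mode and expects this error would keep the check from being dropped silently in a later refactor. The body of setStoredWfSpec starts and ends outside the hunk, so how callers surface the returned error is not visible here.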