DiamondLightSource · davehadley · Nov 7, 2025
diff --git a/charts/workflows/Chart.yaml b/charts/workflows/Chart.yaml
@@ -3,7 +3,7 @@ name: workflows
 description: Data Analysis workflow orchestration
 type: application
 
-version: 0.13.25
+version: 0.13.26
 
 dependencies:
   - name: argo-workflows

diff --git a/charts/workflows/templates/sessionspace-clusterpolicy.yaml b/charts/workflows/templates/sessionspace-clusterpolicy.yaml
@@ -127,7 +127,7 @@ spec:
       apiVersions: ["v1"]
       operations:  ["CREATE"]
       resources:   ["namespaces"]
-    namespaceSelector:
+    objectSelector:
       matchLabels:
           app.kubernetes.io/managed-by: sessionspaces
   variables:

diff --git a/charts/workflows/test-policy/artifact-s3-clone/chainsaw-test.yaml b/charts/workflows/test-policy/artifact-s3-clone/chainsaw-test.yaml
@@ -1,8 +1,9 @@
 apiVersion: chainsaw.kyverno.io/v1alpha1
 kind: Test
 metadata:
-  name: artifact-s3-clone
+  name: artifact-s3-clone-on-namespace-creation
 spec:
+  concurrent: false
   steps:
     - try:
         - apply:
@@ -29,12 +30,73 @@ spec:
                 name: session
                 labels:
                   app.kubernetes.io/managed-by: sessionspaces
-        - sleep:
-            duration: 10s
         - assert:
             resource:
               apiVersion: v1
               kind: Secret
               metadata:
                 name: artifact-s3
                 namespace: session
+---
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: artifact-s3-clone-on-secret-update
+spec:
+  concurrent: false
+  steps:
+    - try:
+        - apply:
+            resource:
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: workflows
+        - apply:
+            resource:
+              apiVersion: v1
+              kind: Secret
+              metadata:
+                name: artifact-s3
+                namespace: workflows
+              data:
+                access-key: aWQ=
+                secret-key: c2VjcmV0
+        - apply:
+            resource:
+              apiVersion: v1
+              kind: Namespace
+              metadata:
+                name: session
+                labels:
+                  app.kubernetes.io/managed-by: sessionspaces
+        - assert:
+            resource:
+              apiVersion: v1
+              kind: Secret
+              metadata:
+                name: artifact-s3
+                namespace: session
+              data:
+                access-key: aWQ=
+                secret-key: c2VjcmV0
+        - apply:
+            resource:
+              apiVersion: v1
+              kind: Secret
+              metadata:
+                name: artifact-s3
+                namespace: workflows
+              data:
+                access-key: aWQ=
+                secret-key: dXBkYXRlZC1zZWNyZXQK
+        - assert:
+            resource:
+              apiVersion: v1
+              kind: Secret
+              metadata:
+                name: artifact-s3
+                namespace: session
+              data:
+                access-key: aWQ=
+                secret-key: dXBkYXRlZC1zZWNyZXQK