You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This is different to #5325, which deals with updates to the secrets themselves, when configuration (whether global.cattle.imagePullSecrets or a Cluster's agentPullSecrets) remains the same.
When the configuration itself is updated, Fleet needs to react accordingly.
Acceptance criteria:
When global.cattle.imagePullSecrets is updated:
no longer referenced secrets need to be deleted from downstream clusters where they had been previously propagated
newly referenced secrets must be propagated to downstream clusters. For each downstream cluster, that must happen if and only if, the Cluster-level agentPullSecrets field has a nil value (an empty value would mean that no image pull secrets should be used for that cluster). See Enable agent image pull secrets propagation to be disabled #5254 for more context.
When a Cluster object's agentPullSecrets is updated:
if the change is nil → no longer nil, then secrets which may have already been propagated from global.cattle.imagePullSecrets must be deleted from the corresponding downstream cluster
for a non-nil → nil change, any secrets configured in global.cattle.imagePullSecrets must now be propagated to that downstream cluster.
Setting owner references for [agent image pull secrets] from the controller may be challenging, as they will be created at the same time as the agent deployment itself. However, we could also consider having the agent check its own deployment's image pull secrets and adopting them, which could be cleaner and less error-prone than eagerly deleting secrets in the agent deployment namespace which would not be referenced as the agent deployment's own image pull secrets.
This is different to #5325, which deals with updates to the secrets themselves, when configuration (whether
global.cattle.imagePullSecretsor a Cluster'sagentPullSecrets) remains the same.When the configuration itself is updated, Fleet needs to react accordingly.
Acceptance criteria:
global.cattle.imagePullSecretsis updated:agentPullSecretsfield has anilvalue (an empty value would mean that no image pull secrets should be used for that cluster). See Enable agent image pull secrets propagation to be disabled #5254 for more context.agentPullSecretsis updated:nil→ no longernil, then secrets which may have already been propagated fromglobal.cattle.imagePullSecretsmust be deleted from the corresponding downstream clusternil→nilchange, any secrets configured inglobal.cattle.imagePullSecretsmust now be propagated to that downstream cluster.Note (from this comment):