In case of AppCo charts, the credentials are used for both, fetching the charts and pulling the images. In that case, helmSecretName and downstreamResources of HelmOp point to the same secret and Fleet clones both twice to the cluster namespace on the upstream cluster. That should be prevented. If the secret in helmSecretName is also in downstreamResources, the mechanism for cloning helmSecretName should be skipped. This also preserves backward compatibility with helmSecretName and allows users to be explicit about when helmSecretName should also be copied to downstream clusters.
Should only be implemented after #5262 so that the copy of resources to downstream clusters can also be refused if Fleet doesn't own the downstream resource.
In case of AppCo charts, the credentials are used for both, fetching the charts and pulling the images. In that case,
helmSecretNameanddownstreamResourcesofHelmOppoint to the same secret and Fleet clones both twice to the cluster namespace on the upstream cluster. That should be prevented. If the secret inhelmSecretNameis also indownstreamResources, the mechanism for cloninghelmSecretNameshould be skipped. This also preserves backward compatibility withhelmSecretNameand allows users to be explicit about whenhelmSecretNameshould also be copied to downstream clusters.Should only be implemented after #5262 so that the copy of resources to downstream clusters can also be refused if Fleet doesn't own the downstream resource.