feat: propagate workloadServiceAccount imagePullSecrets to selected synced ServiceAccounts #3771
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 8c5b698e59
@codex review
Codex Review: Didn't find any major issues. Chef's kiss.
| }) | ||
|
|
||
| By("waiting for the host SA to exist and verifying it has no imagePullSecrets", func() { | ||
| Eventually(func(g Gomega) { |
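Review bot: `Eventually` around the "has no imagePullSecrets" check in this `By` block succeeds the first time the assertion holds, so the step can pass before the syncer has had a chance to write secrets onto the host SA. Wait for the host SA to exist with `Eventually`, then assert the empty imagePullSecrets with `Consistently` over a polling window, so that a late, unwanted propagation fails the test.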
This should be Consistently to make sure it doesn't happen in the polling time.
| matches, err := s.imagePullSecretSelector.Matches(virtualSA) | ||
| if err != nil { | ||
| klog.Errorf("failed to evaluate imagePullSecretSelector for ServiceAccount %s/%s: %v", virtualSA.Namespace, virtualSA.Name, err) | ||
| return nil |
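Review bot: the `err != nil` branch after `s.imagePullSecretSelector.Matches(virtualSA)` logs with `klog.Errorf` and then returns nil, so a selector evaluation failure is indistinguishable from a normal pass for the caller and leaves only a log line as evidence. Return the error, wrapped with the ServiceAccount namespace and name, so the caller can surface or retry it, or add a comment stating why skipping the rest of the function on this path is intended.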
Should this return the error or is just logging the expectation?
Issue deprioritized. Reopen later if necessary.
What issue type does this pull request address? (keep at least one, remove the others)
/kind bugfix
/kind enhancement
/kind feature
/kind documentation
/kind test
What does this pull request do? Which issues does it resolve? (use `resolves #<issue_number>` if possible)
resolves #ENGNODE-93
Please provide a short message that should be published in the vcluster release notes
When sync.toHost.serviceAccounts.enabled is true, each virtual SA is synced to the host and pods use their own SA instead of the shared workloadServiceAccount. Previously, imagePullSecrets configured on workloadServiceAccount were silently dropped for all synced host SAs.
Adds imagePullSecretSelector (StandardLabelSelector) to controlPlane.advanced.workloadServiceAccount. When a virtual SA matches the selector, the configured imagePullSecrets are written onto its corresponding host SA on both creation and every reconcile. An empty or absent selector means no propagation (safe default — explicit opt-in required). Setting matchLabels: {} matches all virtual SAs.
The selector is evaluated against the virtual SA labels before the bidirectional label sync so the original desired state is used for matching.
What else do we need to know?
E2E Tests
Default Test Execution
The mandatory PR suite runs automatically. Only specify additional test suites below if needed.
Adding New Test Suites
When adding a new ginkgo test suite:
Additional test suites
Additional test suite(s) that will be executed before the mandatory PR suite:
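The opt-in selector semantics from the release note above (absent or empty selector propagates nothing, `matchLabels: {}` propagates to every virtual SA), as an added Go example that is not vcluster's code. `Selector`, `Configured` and `HostPullSecrets` are hypothetical names, only matchLabels is modelled, and the labels and the `regcred` secret name are constructed sample values.

```go
package main

import "fmt"

// Selector is a hypothetical, matchLabels-only stand-in for the PR's
// imagePullSecretSelector (not the vcluster type).
type Selector struct {
	MatchLabels map[string]string // nil: key absent; empty: `matchLabels: {}`
}

// Configured reports whether the operator opted in. Per the PR text, an absent
// or empty selector is "not configured", while `matchLabels: {}` is.
func (s *Selector) Configured() bool { return s != nil && s.MatchLabels != nil }

// Matches evaluates the selector against a virtual ServiceAccount's labels.
func (s *Selector) Matches(labels map[string]string) bool {
	if !s.Configured() {
		return false // safe default: no propagation without explicit opt-in
	}
	for k, want := range s.MatchLabels {
		if got, ok := labels[k]; !ok || got != want {
			return false
		}
	}
	return true // also reached for an empty map: matches every ServiceAccount
}

// HostPullSecrets returns what a reconcile would write onto the host SA:
// a copy of the configured secret names on a match, otherwise nothing.
func HostPullSecrets(s *Selector, virtualLabels map[string]string, configured []string) []string {
	if !s.Matches(virtualLabels) {
		return nil
	}
	return append([]string(nil), configured...)
}

func main() {
	labels := map[string]string{"team": "payments"} // constructed sample labels
	cases := map[string]*Selector{
		"absent":          nil,
		"empty selector":  {},
		"matchLabels: {}": {MatchLabels: map[string]string{}},
		"team=payments":   {MatchLabels: map[string]string{"team": "payments"}},
		"team=other":      {MatchLabels: map[string]string{"team": "other"}},
	}
	for name, sel := range cases {
		fmt.Printf("%-16s -> %v\n", name, HostPullSecrets(sel, labels, []string{"regcred"}))
	}
}
```

The nil-map versus empty-map distinction is what separates "no propagation" from "registry credentials on every synced host SA", so a config loader that collapses the two changes who receives the pull secrets.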