poc: RestrictedDefaultModuleImagePullSecretTransform #3344

Draft
c-pius wants to merge 1 commit into kyma-project:main from c-pius:poc/restricted-default-module-image-pull-secret-transform
c-pius (Contributor) commented Jun 10, 2026

Description

Changes proposed in this pull request:

  • adds a new transform replacing the data of secrets for restricted default modules
  • fetches a secret of the same name in kcp-system and replaces the data with the value from kcp-system
    • works also on data updates on kcp-system
  • transform is only added if restricted default modules are configured to KLM
  • transform only applies for resources of restricted default modules
  • transform only applies for secrets annotated with operator.kyma-project.io/replace-from-kcp: "true"

Testing

Secret in Module Manifest

apiVersion: v1
kind: Secret
metadata:
  name: custom-image-pull-secret
  namespace: template-operator-system
  annotations:
    operator.kyma-project.io/replace-from-kcp: "true"
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: |
    eyJhdXRocyI6IHt9fQo=

Secret on KCP

apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUvdjEvIjp7ImF1dGgiOiJzb21lIG5ldyBjcmVkZW50aWFscyJ9fX0K
kind: Secret
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","data":{".dockerconfigjson":"eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUvdjEvIjp7ImF1dGgiOiJvcGVuc2VzYW1lIn19fQo=\n"},"kind":"Secret","metadata":{"annotations":{},"name":"template-operator-custom-image-pull-secret","namespace":"kcp-system"},"type":"kubernetes.io/dockerconfigjson"}
  creationTimestamp: "2026-06-10T12:54:54Z"
  name: template-operator-custom-image-pull-secret
  namespace: kcp-system
  resourceVersion: "4203"
  uid: c0f820b5-05bb-4530-88b5-8301c1bb8ee4
type: kubernetes.io/dockerconfigjson

Secret applied to SKR

apiVersion: v1
data:
  .dockerconfigjson: eyJhdXRocyI6eyJodHRwczovL2V4YW1wbGUvdjEvIjp7ImF1dGgiOiJzb21lIG5ldyBjcmVkZW50aWFscyJ9fX0K
kind: Secret
metadata:
  annotations:
    deprecated-operator.kyma-project.io/owned-by: kcp-system/kyma-sample-template-operator-2235966007
    operator.kyma-project.io/managed-by-reconciler-disclaimer: |-
      DO NOT EDIT - This resource is managed by Kyma.
      Any modifications are discarded and the resource is reverted to the original state.
    operator.kyma-project.io/replace-from-kcp: "true"
  creationTimestamp: "2026-06-10T12:55:09Z"
  labels:
    app.kubernetes.io/component: kyma-sample-template-operator-2235966007
    app.kubernetes.io/part-of: Kyma
    operator.kyma-project.io/managed-by: kyma
  name: template-operator-custom-image-pull-secret
  namespace: template-operator-system
  resourceVersion: "1689"
  uid: 6af3b192-d5c7-42f7-986d-dcb99f3d1908
type: kubernetes.io/dockerconfigjson

Related issue(s)
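The replacement step described in this pull request, sketched as an added example; it is not code from the PR or from the project. Objects are decoded manifests in map form, `KCPLookup` and `ErrNoKCPSecret` are hypothetical names, the restricted-default-module filter is left out, and returning an error when no KCP secret exists (rather than applying the manifest's placeholder data) is an assumption of this sketch.

```go
package main

import (
	"errors"
	"fmt"
)

// Annotation key taken from the PR description.
const replaceAnnotation = "operator.kyma-project.io/replace-from-kcp"

// ErrNoKCPSecret (hypothetical) is returned instead of shipping placeholder data.
var ErrNoKCPSecret = errors.New("no matching secret in kcp-system")

// KCPLookup is a hypothetical stand-in for reading a Secret's data from kcp-system by name.
type KCPLookup func(name string) (map[string]any, bool)

// ReplaceFromKCP overwrites .data of annotated v1 Secrets in objs with the KCP copy.
// Every other object, including unannotated Secrets, is left untouched.
func ReplaceFromKCP(objs []map[string]any, lookup KCPLookup) error {
	for _, obj := range objs {
		if obj["kind"] != "Secret" || obj["apiVersion"] != "v1" {
			continue
		}
		meta, _ := obj["metadata"].(map[string]any)
		ann, _ := meta["annotations"].(map[string]any)
		if ann[replaceAnnotation] != "true" {
			continue // opt-in only: the annotation must be exactly "true"
		}
		name, _ := meta["name"].(string)
		data, ok := lookup(name)
		if !ok {
			// Fail closed (assumption): never apply the manifest's placeholder credentials.
			return fmt.Errorf("secret %q: %w", name, ErrNoKCPSecret)
		}
		obj["data"] = data
	}
	return nil
}

func main() {
	// Constructed sample input shaped like the PR's module-manifest Secret.
	s := map[string]any{"apiVersion": "v1", "kind": "Secret", "metadata": map[string]any{
		"name": "custom-image-pull-secret", "annotations": map[string]any{replaceAnnotation: "true"}}}
	kcp := func(string) (map[string]any, bool) { return map[string]any{".dockerconfigjson": "Y29uc3RydWN0ZWQ="}, true }
	fmt.Println(ReplaceFromKCP([]map[string]any{s}, kcp), s["data"])
}
```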
