Skip to content

[Experimental] Support copying user resources to downstream clusters #4236

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Oct 17, 2025
Merged

[Experimental] Support copying user resources to downstream clusters #4236

merged 8 commits into from
Oct 17, 2025

Conversation

weyfonk
Copy link
Contributor

@weyfonk weyfonk commented Oct 16, 2025
edited
Loading

A new experimental feature, gated behind environment variable EXPERIMENTAL_COPY_RESOURCES_DOWNSTREAM, enables Fleet to copy resources from the upstream cluster to all downstream clusters.

This introduces a new DownstreamResources field in bundle deployment options, which can be populated directly from a HelmOp's spec. Resources to be copied can be referenced through that field by name and kind, e.g.:

apiVersion: fleet.cattle.io/v1alpha1
kind: HelmOp
[...] # metadata
spec:
  helm:
    [...] # Helm options
  downstreamResources:
    - kind: Secret
      name: my-secret
    - kind: ConfigMap
      name: my-config

An important use case for this could be valuesFrom, which have requested secrets and/or config maps to be created directly on downstream clusters so far. This feature would eliminate that need.

Restrictions:

  • Resources referenced in downstreamResources must live in the same namespace as the HelmOp resource.
  • Only secrets and config maps are currently supported.

When referencing resources to be copied downstream, and the feature is enabled:

  • the Fleet controller will copy those resources from the HelmOp's namespace to the (upstream) namespace of each targeted downstream cluster
  • on each downstream cluster, the Fleet agent will:
    • copy those resources from the upstream namespace for the cluster to the deployment namespace, before the bundle deployment is deployed
    • delete these resources when the bundle deployment is deleted, unless keepResources is set to true on the bundle deployment.

Limitations:

  • copying resources into the local cluster would not make much sense, and has not been tested
  • this has only been tested with HelmOps, but it may work with GitOps too, since the implementation is independent of the bundle type
  • Fleet does not monitor resources referenced by downstreamResources for changes. This could be part of a future iteration of this feature, but in the meantime, changes to secrets and config maps referenced for downstream copy will only be applied when a bundle is updated.

Refers to #3617.

Additional Information

Checklist

@weyfonk weyfonk requested a review from a team as a code owner October 16, 2025 11:08
@weyfonk weyfonk added this to Fleet Oct 16, 2025
@weyfonk weyfonk moved this to 👀 In review in Fleet Oct 16, 2025
@weyfonk weyfonk removed this from Fleet Oct 16, 2025
0xavi0
0xavi0 reviewed Oct 16, 2025
View reviewed changes
Copy link
Contributor

@0xavi0 0xavi0 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just minor things and my main concern would be the CreateOrUpdate call with a "does nothing" MutateFn.

internal/helmdeployer/delete.go

secrets := corev1.SecretList{}

// XXX: should we log instead of erroring?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yup, I also wonder if we should log instead...
We can keep it with error for now, the resource was created by the BundleDeployment so I guess it should behave like any other BundleDeployment

@weyfonk
Remove globals.go
f0708a9 
That file and its contents were unused.
@weyfonk
Add downstream resources field to bundles
c22d5e7 
Bundle deployment options, therefore also bundles and HelmOps, can
specify resources, pointed to by name and kind, to be copied from the
bundle's namespace to each downstream cluster.
@weyfonk
Copy downstream resources to cluster namespace
4b136b2 
As a first step towards making downstream resources available in
downstream clusters, the Fleet controller now copies secrets and config
maps referenced in a bundle options' `DownstreamResources` field into
the upstream namespace for each targeted downstream cluster.

Future commits will deal with the agent copying those resources from
that upstream namespace to the right namespaces in each downstream
cluster, enabling deployments to use those resources.
@weyfonk
Copy downstream resources from cluster to downstream target namespace
0037821 
The agent is now able to read a bundle deployment's
`DownstreamResources` field and to copy the corresponding resources into
the target namespace for the Helm release created when installing the
bundle deployment.

Upon deletion of the bundle deployment, the agent will delete those
resources, unless `keepResources` is set to `true` on the bundle
deployment.
@weyfonk
Allow updates of downstream resources in cluster namespace
ec1a93b 
Copying a secret or a config map into a downstream cluster's upstream
namespace should now succeed even if that config map or secret already
exists, in which case Fleet will update it.
@weyfonk
Use experimental flag for toggling resources copying downstream
5aa8a06 
This introduces a new environment variable, named
`EXPERIMENTAL_COPY_RESOURCES_DOWNSTREAM`. That variable is set to
`false` by default, disabling logic around copy of bundle resources
downstream. That logic will only be enabled when the Fleet chart is
installed with that environment variable set to `true`.
@weyfonk
Use constant for bundle deployment ownership label
511bf3f 
Label `fleet.cattle.io/bundledeployment` is used from three different
locations, granting the use of a constant.
@weyfonk weyfonk force-pushed the 3617-copy-cm-secrets-downstream branch from f4ea0b7 to ff9e190 Compare October 17, 2025 10:25
@weyfonk
Redeploy bundle deployments when downstream resources are updated
cc6acdb 
Changes to resources referenced through `downstreamResources` still does
not trigger a reconcile of the corresponding bundle deployment. However,
when such changes are made, the next reconcile of the bundle leads
to those resources being updated downstream.

The Fleet agent detects updates to those resources, and force-redeploys
the bundle deployment to take them into account.
@weyfonk weyfonk force-pushed the 3617-copy-cm-secrets-downstream branch from ff9e190 to cc6acdb Compare October 17, 2025 10:36
@weyfonk weyfonk requested a review from 0xavi0 October 17, 2025 10:36
0xavi0
0xavi0 approved these changes Oct 17, 2025
View reviewed changes
Copy link
Contributor

@0xavi0 0xavi0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for the changes!

@weyfonk weyfonk merged commit 6426638 into rancher:main Oct 17, 2025
22 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@0xavi0 0xavi0 0xavi0 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@weyfonk @0xavi0