Description
Follow-up to #3617.
The Rancher UI allows users to select resources (secrets or config maps) to reference through valuesFrom.
Selecting a resource is done from a combination of key type (config map or secret reference), name of the corresponding object, and key within that object.
As a result, a configMapKeyRef or secretKeyRef is added to a HelmOp or GitRepo definition.
Before #3617, resources referenced through valuesFrom were expected to be manually created on each downstream cluster, but that feature eliminates that need.
The configMapKeyRef or secretKeyRef is created with the namespace of the source, upstream resource, which Fleet will take care of copying if that resource is referenced through downstreamResources.
This means that the namespace in the configMapKeyRef or secretKeyRef may well be different to the target namespace for the deployment on a downstream cluster.
As a result, at deployment time, the agent is unable to deploy a HelmOp referencing a config map (or secret) for its Helm values, as it looks for the resource in a namespace which is different to the target namespace, where the resource had been copied downstream.
The current workaround for this consists in editing the configMapKeyRef or secretKeyRef to remove the namespace field.
Here are two possible options for a more sustainable solution:
- the UI could check, when writing a configMapKeyRef or secretKeyRef in a HelmOp/GitRepo, if the corresponding resource is also referenced by downstreamResources; if so, it could leave the namespace field empty
- the Fleet agent could overwrite that namespace field in configMapKeyRef/secretKeyRef, in the bundle deployment it is about to deploy, for resources also referenced by downstreamResources.
  - This may lead to misleading/mismatching namespaces in configMapKeyRefs/secretKeyRefs between HelmOps/GitRepos and their bundle deployments, but we could probably live with that, as those namespaces would not be realistic anyway if the target deployment (downstream) namespace does not match the upstream namespace of the GitRepo/HelmOp/bundle.
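
The second option above, as an added Go example that is not Fleet's own code: the namespace is cleared only for references whose kind and name also appear in downstreamResources, so a secret that was not copied keeps its explicit namespace. `KeyRef`, `DownstreamResource` and `NormalizeValuesFrom` are hypothetical, simplified stand-ins for the real API types, and the sample values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// KeyRef is a hypothetical, simplified stand-in for a configMapKeyRef or
// secretKeyRef entry under valuesFrom; it is not Fleet's own type.
type KeyRef struct {
	Kind, Name, Namespace, Key string // Kind is "ConfigMap" or "Secret"
}

// DownstreamResource is a hypothetical stand-in for a downstreamResources entry.
type DownstreamResource struct {
	Kind, Name string
}

// NormalizeValuesFrom returns a copy of refs in which Namespace is cleared for
// every reference also listed in copied, so that lookup falls back to the
// deployment's target namespace. References that were not copied downstream
// are returned unchanged; the input slice is never modified.
func NormalizeValuesFrom(refs []KeyRef, copied []DownstreamResource) []KeyRef {
	type id struct{ kind, name string }
	seen := make(map[id]bool, len(copied))
	for _, r := range copied {
		seen[id{strings.ToLower(r.Kind), r.Name}] = true
	}
	out := make([]KeyRef, len(refs))
	for i, ref := range refs { // ref is a copy of refs[i]
		if seen[id{strings.ToLower(ref.Kind), ref.Name}] {
			ref.Namespace = ""
		}
		out[i] = ref
	}
	return out
}

func main() {
	// Constructed sample data: only the config map is copied downstream.
	refs := []KeyRef{
		{Kind: "ConfigMap", Name: "app-values", Namespace: "fleet-default", Key: "values.yaml"},
		{Kind: "Secret", Name: "db-creds", Namespace: "fleet-default", Key: "values.yaml"},
	}
	copied := []DownstreamResource{{Kind: "ConfigMap", Name: "app-values"}}
	for _, r := range NormalizeValuesFrom(refs, copied) {
		fmt.Printf("%s/%s namespace=%q\n", r.Kind, r.Name, r.Namespace)
	}
}
```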