GitRepo incorrectly marked as Ready upon failure

[anmazzotti]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Rancher version: v2.14.0-alpha9
Fleet version: v0.15.0-beta.4

A GitRepo fails to be deployed correctly due to cabundle errors.
Note this particular error seems to be happening when configuring a Private CA for Rancher. See docs

apiVersion: fleet.cattle.io/v1alpha1
kind: GitRepo
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"fleet.cattle.io/v1alpha1","kind":"GitRepo","metadata":{"annotations":{},"name":"gcp-cluster-class-kubeadm-344zh6","namespace":"fleet-local"},"spec":{"branch":"remove_cert_manager","forceSyncGeneration":1,"paths":["examples/clusterclasses/gcp/kubeadm"],"repo":"https://github.com/rancher/turtles","targetNamespace":"creategitops-gcp-kubeadm"}}
  creationTimestamp: 2026-03-19T08:45:49Z
  finalizers:
  - fleet.cattle.io/gitrepo-finalizer
  generation: 1
  name: gcp-cluster-class-kubeadm-344zh6
  namespace: fleet-local
  resourceVersion: '33557'
  uid: 78fd2c55-10a6-4c2b-9964-29550d54e022
spec:
  branch: remove_cert_manager
  forceSyncGeneration: 1
  paths:
  - examples/clusterclasses/gcp/kubeadm
  repo: https://github.com/rancher/turtles
  targetNamespace: creategitops-gcp-kubeadm
status:
  commit: 2d71fdbec9841cc696121c843796c4ec70fdf7a6
  conditions:
  - lastUpdateTime: 2026-03-19T08:45:50Z
    status: 'True'
    type: Ready
  - lastUpdateTime: 2026-03-19T08:45:50Z
    status: 'True'
    type: GitPolling
  - lastUpdateTime: 2026-03-19T08:45:52Z
    status: 'True'
    type: Accepted
  - lastUpdateTime: 2026-03-19T08:45:52Z
    status: 'False'
    type: Reconciling
  - lastUpdateTime: 2026-03-19T08:45:52Z
    status: 'False'
    type: Stalled
  desiredReadyClusters: 0
  display:
    readyBundleDeployments: 0/0
  gitJobStatus: Current
  lastPollingTriggered: 2026-03-19T09:15:57Z
  observedGeneration: 1
  pollingCommit: 2d71fdbec9841cc696121c843796c4ec70fdf7a6
  readyClusters: 0
  resourceCounts:
    desiredReady: 0
    missing: 0
    modified: 0
    notReady: 0
    orphaned: 0
    ready: 0
    unknown: 0
    waitApplied: 0
  summary:
    desiredReady: 0
    ready: 0
  updateGeneration: 1

There are a few problems with the status reporting:

1. Ready status is True, however no resource was applied in the target namespace and the only log instance for this GitRepo is an error:

{"level":"error","ts":"2026-03-19T08:45:52Z","msg":"Reconciler error","controller":"gitrepo","controllerGroup":"fleet.cattle.io","controllerKind":"GitRepo","GitRepo":{"name":"gcp-cluster-class-kubeadm-344zh6","namespace":"fleet-local"},"namespace":"fleet-local","name":"gcp-cluster-class-kubeadm-344zh6","reconcileID":"a87211a5-74e2-4b00-99f0-b1384f00555e","error":"error creating git job: Secret \"gcp-cluster-class-kubeadm-344zh6-rancher-cabundle\" not found","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.23.1/pkg/internal/controller/controller.go:495\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.23.1/pkg/internal/controller/controller.go:438\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func1.1\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.23.1/pkg/internal/controller/controller.go:313"}

2. The Ready condition timestamp does not make sense. It's too early compared to the log I posted above. It does feel like this condition is always defaulted to True.

3. The GitRepo is no longer reconciled. It does not seem to ever recover from this state. Deletion and recreation seem to be necessary.

Expected Behavior

As user I expect the GitRepo resource to be Ready only when resources are correctly applied on all targeted clusters.

As a workaround, a user can currently exploit the status.readyClusters count, if the expected value is known beforehand.

Steps To Reproduce

No response

Environment

- Architecture:
- Fleet Version:
- Cluster:
  - Provider:
  - Options:
  - Kubernetes Version:

Logs

Anything else?

No response

[anmazzotti]

This is probably related to #4211

[weyfonk]

This seems to be related to targeting (0 expected ready clusters).
0 ready clusters is caused by targeting not having run, because of a missing secret preventing git job creation.
We need to propagate "secret not found" errors to GitRepo conditions.