From c9c9fd90b0f386c5a143cbb6e5832a4b4c80b929 Mon Sep 17 00:00:00 2001
From: Luis Sanchez
Date: Wed, 1 Apr 2026 12:44:11 -0400
Subject: [PATCH] Skip no-op ServiceAccount updates in image pull secret cleanup

When the ImageRegistry capability is disabled, the cleanup controller removes managed image pull secret references from ServiceAccounts. However, when the annotation openshift.io/internal-registry-pull-secret-ref exists but the secret name is not present in .Secrets or .ImagePullSecrets (e.g. because the secret was already deleted), the controller issues an unconditional Update that changes nothing. This no-op update bumps the resourceVersion, re-triggers the informer, and causes a tight reconciliation loop (~900-1000 patches/min). Track whether any references were actually removed and skip the Update call when nothing changed.
---
.../internalimageregistry/cleanup_controller.go | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/pkg/operator/internalimageregistry/cleanup_controller.go b/pkg/operator/internalimageregistry/cleanup_controller.go
index 355e4c581..e5f41a391 100644
--- a/pkg/operator/internalimageregistry/cleanup_controller.go
+++ b/pkg/operator/internalimageregistry/cleanup_controller.go
@@ -121,22 +121,31 @@ func (c *imagePullSecretCleanupController) cleanup(ctx context.Context) error { // cleanup the refs in the service account if len(imagePullSecretName) != 0 { + changed := false + var secretRefs []corev1.ObjectReference for _, secretRef := range serviceAccount.Secrets { - if secretRef.Name != imagePullSecretName { + if secretRef.Name == imagePullSecretName { + changed = true + } else { secretRefs = append(secretRefs, secretRef) } } serviceAccount.Secrets = secretRefs - var imagePullSecretRefs []corev1.LocalObjectReference = []corev1.LocalObjectReference{} + var imagePullSecretRefs []corev1.LocalObjectReference for _, imagePullSecretRef := range serviceAccount.ImagePullSecrets { - if imagePullSecretRef.Name != imagePullSecretName { + if imagePullSecretRef.Name == imagePullSecretName { + changed = true + } else { imagePullSecretRefs = append(imagePullSecretRefs, imagePullSecretRef) } } serviceAccount.ImagePullSecrets = imagePullSecretRefs + if !changed { + continue + } _, err = c.kubeClient.CoreV1().ServiceAccounts(serviceAccount.Namespace).Update(ctx, serviceAccount, metav1.UpdateOptions{}) if err != nil { var statusErr *errors.StatusError
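Review bot: On the skipped path the ServiceAccount is still mutated before `continue`: `serviceAccount.Secrets = secretRefs` and `serviceAccount.ImagePullSecrets = imagePullSecretRefs` run even when `changed` is false, replacing both fields with freshly built (possibly nil) slices. Where `serviceAccount` comes from is outside the hunk; if it is a pointer from the informer cache rather than a DeepCopy, that write lands on a shared object, so moving the two assignments below the `if !changed { continue }` check would keep the no-op path read-only. As far as the hunk shows, the skip also leaves the `openshift.io/internal-registry-pull-secret-ref` annotation in place, pointing at a secret name that is no longer referenced, and `continue` bypasses anything later in the loop body for that ServiceAccount. A unit test asserting that the fake client records no Update when the annotation names an absent secret, and exactly one when a reference is removed, would pin both paths. cleanup's body starts and ends outside the hunk.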