🐛 fix issue that pull secret and ns are synced labels when enable-sync-labels is disabled

pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_controller.go

@@ -8,7 +8,6 @@ import (
 	"github.com/openshift/library-go/pkg/controller/factory"
 	"github.com/openshift/library-go/pkg/operator/events"
 	"github.com/openshift/library-go/pkg/operator/resource/resourceapply"
-	"github.com/openshift/library-go/pkg/operator/resource/resourcemerge"
 	corev1 "k8s.io/api/core/v1"
 	apiextensionsclient "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -329,17 +328,20 @@ func (n *klusterletController) sync(ctx context.Context, controllerContext facto
 			kubeVersion:           n.kubeVersion,
 			operatorNamespace:     n.operatorNamespace,
 			recorder:              controllerContext.Recorder(),
-			cache:                 n.cache},
+			cache:                 n.cache,
+			enableSyncLabels:      n.enableSyncLabels},
 		&managementReconcile{
 			kubeClient:        n.kubeClient,
 			operatorNamespace: n.operatorNamespace,
 			recorder:          controllerContext.Recorder(),
-			cache:             n.cache},
+			cache:             n.cache,
+			enableSyncLabels:  n.enableSyncLabels},
 		&runtimeReconcile{
 			managedClusterClients: managedClusterClients,
 			kubeClient:            n.kubeClient,
 			recorder:              controllerContext.Recorder(),
-			cache:                 n.cache},
+			cache:                 n.cache,
+			enableSyncLabels:      n.enableSyncLabels},
 		&namespaceReconcile{
 			managedClusterClients: managedClusterClients,
 		},
@@ -418,7 +420,7 @@ func getManagedKubeConfig(ctx context.Context, kubeClient kubernetes.Interface,
 
 // syncPullSecret will sync pull secret from the sourceClient cluster to the targetClient cluster in desired namespace.
 func syncPullSecret(ctx context.Context, sourceClient, targetClient kubernetes.Interface,
-	klusterlet *operatorapiv1.Klusterlet, operatorNamespace, namespace string, recorder events.Recorder) error {
+	klusterlet *operatorapiv1.Klusterlet, operatorNamespace, namespace string, labels map[string]string, recorder events.Recorder) error {
 	_, _, err := helpers.SyncSecret(
 		ctx,
 		sourceClient.CoreV1(),
@@ -429,7 +431,7 @@ func syncPullSecret(ctx context.Context, sourceClient, targetClient kubernetes.I
 		namespace,
 		helpers.ImagePullSecret,
 		[]metav1.OwnerReference{},
-		helpers.GetKlusterletAgentLabels(klusterlet),
+		labels,
 	)
 
 	if err != nil {
@@ -448,8 +450,6 @@ func ensureNamespace(
 	kubeClient kubernetes.Interface,
 	klusterlet *operatorapiv1.Klusterlet,
 	namespace string, labels map[string]string, recorder events.Recorder) error {
-	modified := resourcemerge.BoolPtr(false)
-	resourcemerge.MergeMap(modified, &labels, helpers.GetKlusterletAgentLabels(klusterlet))
 	_, _, err := resourceapply.ApplyNamespace(ctx, kubeClient.CoreV1(), recorder, &corev1.Namespace{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: namespace,

pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_managed_reconcile.go

@@ -59,10 +59,16 @@ type managedReconcile struct {
 	kubeVersion           *version.Version
 	recorder              events.Recorder
 	cache                 resourceapply.ResourceCache
+	enableSyncLabels      bool
 }
 
 func (r *managedReconcile) reconcile(ctx context.Context, klusterlet *operatorapiv1.Klusterlet,
 	config klusterletConfig) (*operatorapiv1.Klusterlet, reconcileState, error) {
+	labels := map[string]string{}
+	if r.enableSyncLabels {
+		labels = helpers.GetKlusterletAgentLabels(klusterlet)
+	}
+
 	if !config.DisableAddonNamespace {
 		// For now, whether in Default or Hosted mode, the addons will be deployed on the managed cluster.
 		// sync image pull secret from management cluster to managed cluster for addon namespace
@@ -71,7 +77,7 @@ func (r *managedReconcile) reconcile(ctx context.Context, klusterlet *operatorap
 		if err := ensureNamespace(
 			ctx,
 			r.managedClusterClients.kubeClient,
-			klusterlet, helpers.DefaultAddonNamespace, nil, r.recorder); err != nil {
+			klusterlet, helpers.DefaultAddonNamespace, labels, r.recorder); err != nil {
 			return klusterlet, reconcileStop, err
 		}
 
@@ -84,15 +90,14 @@ func (r *managedReconcile) reconcile(ctx context.Context, klusterlet *operatorap
 			ctx,
 			r.kubeClient,
 			r.managedClusterClients.kubeClient,
-			klusterlet, r.operatorNamespace, helpers.DefaultAddonNamespace, r.recorder); err != nil {
+			klusterlet, r.operatorNamespace, helpers.DefaultAddonNamespace, labels, r.recorder); err != nil {
 			return klusterlet, reconcileStop, err
 		}
 	}
 
+	labels[klusterletNamespaceLabelKey] = klusterlet.Name
 	if err := ensureNamespace(
-		ctx, r.managedClusterClients.kubeClient, klusterlet, config.KlusterletNamespace, map[string]string{
-			klusterletNamespaceLabelKey: klusterlet.Name,
-		}, r.recorder); err != nil {
+		ctx, r.managedClusterClients.kubeClient, klusterlet, config.KlusterletNamespace, labels, r.recorder); err != nil {
 		return klusterlet, reconcileStop, err
 	}
 
@@ -164,7 +169,9 @@ func (r *managedReconcile) createAggregationRule(ctx context.Context, klusterlet
 			},
 			Rules: []rbacv1.PolicyRule{},
 		}
-		aggregateClusterRole.SetLabels(helpers.GetKlusterletAgentLabels(klusterlet))
+		if r.enableSyncLabels {
+			aggregateClusterRole.SetLabels(helpers.GetKlusterletAgentLabels(klusterlet))
+		}
 		_, createErr := r.managedClusterClients.kubeClient.RbacV1().ClusterRoles().Create(ctx, aggregateClusterRole, metav1.CreateOptions{})
 		return createErr
 	}

pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_management_recocile.go

@@ -44,17 +44,24 @@ type managementReconcile struct {
 	recorder          events.Recorder
 	operatorNamespace string
 	cache             resourceapply.ResourceCache
+	enableSyncLabels  bool
 }
 
 func (r *managementReconcile) reconcile(ctx context.Context, klusterlet *operatorapiv1.Klusterlet,
 	config klusterletConfig) (*operatorapiv1.Klusterlet, reconcileState, error) {
-	err := ensureNamespace(ctx, r.kubeClient, klusterlet, config.AgentNamespace, nil, r.recorder)
+	labels := map[string]string{}
+	if r.enableSyncLabels {
+		labels = helpers.GetKlusterletAgentLabels(klusterlet)
+	}
+
+	err := ensureNamespace(ctx, r.kubeClient, klusterlet, config.AgentNamespace, labels, r.recorder)
 	if err != nil {
 		return klusterlet, reconcileStop, err
 	}
 
 	// Sync pull secret to the agent namespace
-	err = syncPullSecret(ctx, r.kubeClient, r.kubeClient, klusterlet, r.operatorNamespace, config.AgentNamespace, r.recorder)
+	err = syncPullSecret(ctx, r.kubeClient, r.kubeClient, klusterlet, r.operatorNamespace, config.AgentNamespace,
+		labels, r.recorder)
 	if err != nil {
 		return klusterlet, reconcileStop, err
 	}

pkg/operator/operators/klusterlet/controllers/klusterletcontroller/klusterlet_runtime_reconcile.go

@@ -29,6 +29,7 @@ type runtimeReconcile struct {
 	kubeClient            kubernetes.Interface
 	recorder              events.Recorder
 	cache                 resourceapply.ResourceCache
+	enableSyncLabels      bool
 }
 
 func (r *runtimeReconcile) reconcile(ctx context.Context, klusterlet *operatorapiv1.Klusterlet,
@@ -198,7 +199,11 @@ func (r *runtimeReconcile) createManagedClusterKubeconfig(
 	klusterlet *operatorapiv1.Klusterlet,
 	klusterletNamespace, agentNamespace, saName, secretName string,
 	recorder events.Recorder) error {
-	labels := helpers.GetKlusterletAgentLabels(klusterlet)
+	labels := map[string]string{}
+	if r.enableSyncLabels {
+		labels = helpers.GetKlusterletAgentLabels(klusterlet)
+	}
+
 	tokenGetter := helpers.SATokenGetter(ctx, saName, klusterletNamespace, r.managedClusterClients.kubeClient)
 	err := helpers.SyncKubeConfigSecret(ctx, secretName, agentNamespace, "/spoke/config/kubeconfig",
 		r.managedClusterClients.kubeconfig, r.kubeClient.CoreV1(), tokenGetter, recorder, labels)