kyma-project · m00g3n · Jan 5, 2026
@@ -14,13 +14,13 @@ type PodDefaulter = func(p *corev1.Pod, nsAnnotations map[string]string) (bool,
 
 var (
 	annotationsAlterImgRegistry = map[string]string{
-		apiv1.AnnotationAlterImgRegistry: "false",
+		apiv1.AnnotationAlterImgRegistry: "true",
 	}
 	annotationsSetPullSecret = map[string]string{
-		apiv1.AnnotationSetPullSecret: "false",
+		apiv1.AnnotationSetPullSecret: "true",
 	}
 	annotationAddClusterTrustBundle = map[string]string{
-		apiv1.AnnotationAddClusterTrustBundle: "false",
+		apiv1.AnnotationAddClusterTrustBundle: "true",
 	}
 )
 
@@ -34,15 +34,15 @@ func defaultPod(update func(*corev1.Pod) bool, features map[string]string) PodDe
 			With("ns-annotations", nsAnnotations).
 			With("features", features)
 
-		for _, annotations := range []map[string]string{p.Annotations, nsAnnotations} {
+		for _, annotations := range []map[string]string{nsAnnotations, p.Annotations} {
 			if k8s.Contains(annotations, features) {
-				logger.Debug("opt out", "ns-annotations", nsAnnotations)
-				return false, nil
+				logger.Debug("pod defaulting opt in")
+				return update(p), nil
 			}
 		}
 
-		logger.Debug("pod defaulting opt in")
-		return update(p), nil
+		logger.Debug("opt out", "ns-annotations", nsAnnotations)
+		return false, nil
 	}
 }
 

@@ -13,7 +13,7 @@ import (
 const (
 	AnnotationAlterImgRegistry      = "rt-cfg.kyma-project.io/alter-img-registry"
 	AnnotationSetPullSecret         = "rt-cfg.kyma-project.io/add-img-pull-secret"
-	AnnotationAddClusterTrustBundle = "rt-cfg.kyma-project.io/add-add-cluster-trust-bundle"
+	AnnotationAddClusterTrustBundle = "rt-cfg.kyma-project.io/add-cluster-trust-bundle"
 	AnnotationDefaulted             = "rt-bootstrapper.kyma-project.io/defaulted"
 	FiledManager                    = "rt-bootstrapper"
 )

@@ -71,7 +71,10 @@ var _ = Describe("Manager", Ordered, func() {
 
 		By(fmt.Sprintf("opt out altering image registry for namespace: %s", testNamespace2))
 		cmd = exec.Command("kubectl", "annotate", "ns", testNamespace2,
-			"rt-cfg.kyma-project.io/add-img-pull-secret=false")
+			"rt-cfg.kyma-project.io/alter-img-registry=true",
+			"rt-cfg.kyma-project.io/add-img-pull-secret=true",
+			"rt-cfg.kyma-project.io/add-cluster-trust-bundle=true",
+		)
 		_, err = utils.Run(cmd)
 		Expect(err).NotTo(HaveOccurred(), "Failed to create namespace")
 
@@ -320,94 +323,75 @@ var _ = Describe("Manager", Ordered, func() {
 			Expect(signerName).To(Equal("rt-bootstrapper-k3d.test/ctb"))
 		})
 
-		It("should alter the image name and add imagePullSecret property", func() {
-			testNamespace := "rt-bootstrapper-test1"
+		It("should work with all features activated on ns lvl", func() {
 
 			By("applying the deployment in opt in namespace")
 			cmd := exec.Command("kubectl", "apply",
-				"-f", "./test/e2e/testdata/test1.yaml",
-				"-n", testNamespace)
+				"-f", "./test/e2e/testdata/test2.yaml",
+				"-n", testNamespace2)
 
 			_, err := utils.Run(cmd)
 			Expect(err).NotTo(HaveOccurred())
 
-			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test1",
+			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test2",
 				"--for", "condition=Available",
-				"--namespace", testNamespace,
+				"--namespace", testNamespace2,
 				"--timeout", "20s",
 			)
 
 			_, err = utils.Run(cmd)
 			Expect(err).ShouldNot(HaveOccurred())
 
 			cmd = exec.Command("kubectl", "get", "pod",
-				"-l", "app=pause-test1",
-				"-n", testNamespace,
+				"-l", "app=pause-test2",
+				"-n", testNamespace2,
 				"-o", "jsonpath={.items[0]}")
 			output, err := utils.Run(cmd)
 			Expect(err).ShouldNot(HaveOccurred())
 
 			pod, err := utils.ToPod(output)
 			Expect(err).ShouldNot(HaveOccurred())
+
+			By("having registry name replaced on pod")
 			Expect(pod.Spec.Containers[0].Image).ShouldNot(HavePrefix("replace.me"))
+
+			By("having image-pull-secret added on pod")
 			Expect(pod.Spec.ImagePullSecrets).Should(ContainElement(corev1.LocalObjectReference{
 				Name: "registry-credentials",
 			}))
-			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(Equal("true"))
-
-			cmd = exec.Command("kubectl", "get", "secret",
-				"-n", testNamespace)
-			_, err = utils.Run(cmd)
-			Expect(err).ShouldNot(HaveOccurred())
-		})
-
-		It("should just alter the image name if opt out on pod lvl from adding imagePullSecret property", func() {
-			By("applying the deployment in opt in namespace")
-			cmd := exec.Command("kubectl", "apply",
-				"-f", "./test/e2e/testdata/test2.yaml",
-				"-n", testNamespace1)
-
-			_, err := utils.Run(cmd)
-			Expect(err).NotTo(HaveOccurred())
-
-			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test2",
-				"--for", "condition=Available",
-				"--namespace", testNamespace1,
-				"--timeout", "20s",
-			)
-
-			_, err = utils.Run(cmd)
-			Expect(err).ShouldNot(HaveOccurred())
 
-			cmd = exec.Command("kubectl", "get", "pod",
-				"-l", "app=pause-test2",
-				"-n", testNamespace1,
-				"-o", "jsonpath={.items[0]}")
-			output, err := utils.Run(cmd)
-			Expect(err).ShouldNot(HaveOccurred())
+			By("having cluster-trust-bundle volume mounted on pod")
+			Expect(pod.Spec.Containers[0].VolumeMounts).Should(ContainElement(corev1.VolumeMount{
+				Name:      "rt-bootstrapper-certs",
+				ReadOnly:  true,
+				MountPath: "/etc/ssl/certs",
+			}))
 
-			pod, err := utils.ToPod(output)
-			Expect(err).ShouldNot(HaveOccurred())
+			By("having cluster-trust-bundle volume created on pod")
+			Expect(pod.Spec.Volumes[1].VolumeSource.Projected.Sources).Should(ContainElement(corev1.VolumeProjection{
+				ClusterTrustBundle: &corev1.ClusterTrustBundleProjection{
+					Name: ptr.To("rt-bootstrapper-k3d.test:ctb:1"),
+					Path: "kube-apiserver-serving.pem",
+				},
+			}))
 
-			Expect(pod.Spec.Containers[0].Image).ShouldNot(HavePrefix("replace.me"))
+			By("having 'defaulted' annotation added on pod")
 			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(Equal("true"))
-			Expect(pod.Spec.ImagePullSecrets).ShouldNot(ContainElement(corev1.LocalObjectReference{
-				Name: "registry-credentials",
-			}))
 		})
 
-		It("should just alter the image name if opt out on ns lvl from adding imagePullSecret property", func() {
+		It("should work with all features activated on pod lvl", func() {
+
 			By("applying the deployment in opt in namespace")
 			cmd := exec.Command("kubectl", "apply",
 				"-f", "./test/e2e/testdata/test1.yaml",
-				"-n", testNamespace2)
+				"-n", testNamespace1)
 
 			_, err := utils.Run(cmd)
 			Expect(err).NotTo(HaveOccurred())
 
 			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test1",
 				"--for", "condition=Available",
-				"--namespace", testNamespace2,
+				"--namespace", testNamespace1,
 				"--timeout", "20s",
 			)
 
@@ -416,76 +400,52 @@ var _ = Describe("Manager", Ordered, func() {
 
 			cmd = exec.Command("kubectl", "get", "pod",
 				"-l", "app=pause-test1",
-				"-n", testNamespace2,
+				"-n", testNamespace1,
 				"-o", "jsonpath={.items[0]}")
 			output, err := utils.Run(cmd)
 			Expect(err).ShouldNot(HaveOccurred())
 
 			pod, err := utils.ToPod(output)
 			Expect(err).ShouldNot(HaveOccurred())
+
+			By("having registry name replaced on pod")
 			Expect(pod.Spec.Containers[0].Image).ShouldNot(HavePrefix("replace.me"))
-			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(Equal("true"))
-			Expect(pod.Spec.ImagePullSecrets).ShouldNot(ContainElement(corev1.LocalObjectReference{
+
+			By("having image-pull-secret added on pod")
+			Expect(pod.Spec.ImagePullSecrets).Should(ContainElement(corev1.LocalObjectReference{
 				Name: "registry-credentials",
 			}))
-		})
-
-		It("should inject cluster-trust-bundle", func() {
-			By("applying the deployment")
-			cmd := exec.Command("kubectl", "apply",
-				"-f", "./test/e2e/testdata/test3.yaml",
-				"-n", testNamespace1)
-
-			_, err := utils.Run(cmd)
-			Expect(err).NotTo(HaveOccurred())
-
-			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test3",
-				"--for", "condition=Available",
-				"--namespace", testNamespace1,
-				"--timeout", "20s",
-			)
-
-			_, err = utils.Run(cmd)
-			Expect(err).ShouldNot(HaveOccurred())
-
-			cmd = exec.Command("kubectl", "get", "pod",
-				"-l", "app=pause-test3",
-				"-n", testNamespace1,
-				"-o", "jsonpath={.items[0]}")
-			output, err := utils.Run(cmd)
-			Expect(err).ShouldNot(HaveOccurred())
 
-			pod, err := utils.ToPod(output)
-			Expect(err).ShouldNot(HaveOccurred())
-			Expect(pod.Spec.Containers[0].Image).Should(HavePrefix("k8s.gcr.io"))
-			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(Equal("true"))
+			By("having cluster-trust-bundle volume mounted on pod")
 			Expect(pod.Spec.Containers[0].VolumeMounts).Should(ContainElement(corev1.VolumeMount{
 				Name:      "rt-bootstrapper-certs",
 				ReadOnly:  true,
 				MountPath: "/etc/ssl/certs",
 			}))
+
+			By("having cluster-trust-bundle volume created on pod")
 			Expect(pod.Spec.Volumes[1].VolumeSource.Projected.Sources).Should(ContainElement(corev1.VolumeProjection{
 				ClusterTrustBundle: &corev1.ClusterTrustBundleProjection{
 					Name: ptr.To("rt-bootstrapper-k3d.test:ctb:1"),
 					Path: "kube-apiserver-serving.pem",
 				},
 			}))
 
-			Expect(pod.Spec.ImagePullSecrets).ShouldNot(ContainElement(corev1.LocalObjectReference{
-				Name: "registry-credentials",
-			}))
+			By("having 'defaulted' annotation added on pod")
+			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(Equal("true"))
 		})
 
-		It("should not modify pod spec", func() {
-			By("applying the deployment")
+		It("should work with all features inactive", func() {
+
+			By("applying the deployment in opt in namespace")
 			cmd := exec.Command("kubectl", "apply",
-				"-f", "./test/e2e/testdata/test4.yaml",
+				"-f", "./test/e2e/testdata/test3.yaml",
 				"-n", testNamespace1)
 
 			_, err := utils.Run(cmd)
 			Expect(err).NotTo(HaveOccurred())
 
-			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test4",
+			cmd = exec.Command("kubectl", "wait", "deployment.apps/pause-test3",
 				"--for", "condition=Available",
 				"--namespace", testNamespace1,
 				"--timeout", "20s",
@@ -495,20 +455,37 @@ var _ = Describe("Manager", Ordered, func() {
 			Expect(err).ShouldNot(HaveOccurred())
 
 			cmd = exec.Command("kubectl", "get", "pod",
-				"-l", "app=pause-test4",
+				"-l", "app=pause-test3",
 				"-n", testNamespace1,
 				"-o", "jsonpath={.items[0]}")
 			output, err := utils.Run(cmd)
 			Expect(err).ShouldNot(HaveOccurred())
 
 			pod, err := utils.ToPod(output)
 			Expect(err).ShouldNot(HaveOccurred())
+
+			By("not having registry name replaced on pod")
 			Expect(pod.Spec.Containers[0].Image).Should(HavePrefix("k8s.gcr.io"))
-			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).ShouldNot(Equal("true"))
+
+			By("not having image-pull-secret added on pod")
 			Expect(pod.Spec.ImagePullSecrets).ShouldNot(ContainElement(corev1.LocalObjectReference{
 				Name: "registry-credentials",
 			}))
+
+			By("not having cluster-trust-bundle volume mounted on pod")
+			Expect(pod.Spec.Containers[0].VolumeMounts).ShouldNot(ContainElement(corev1.VolumeMount{
+				Name:      "rt-bootstrapper-certs",
+				ReadOnly:  true,
+				MountPath: "/etc/ssl/certs",
+			}))
+
+			By("not having cluster-trust-bundle volume created on pod")
+			Expect(len(pod.Spec.Volumes)).Should(Equal(1))
+
+			By("not having 'defaulted' annotation added on pod")
+			Expect(pod.Annotations[apiv1.AnnotationDefaulted]).Should(BeEmpty())
 		})
+
 		// +kubebuilder:scaffold:e2e-webhooks-checks
 	})
 })

@@ -11,6 +11,10 @@ spec:
       app: pause-test1
   template:
     metadata:
+      annotations:
+        rt-cfg.kyma-project.io/alter-img-registry: "true"
+        rt-cfg.kyma-project.io/add-img-pull-secret: "true"
+        rt-cfg.kyma-project.io/add-cluster-trust-bundle: "true"
       labels:
         app: pause-test1
     spec:

@@ -11,8 +11,6 @@ spec:
       app: pause-test2
   template:
     metadata:
-      annotations:
-        rt-cfg.kyma-project.io/add-img-pull-secret: "false"
       labels:
         app: pause-test2
     spec:

@@ -12,8 +12,6 @@ spec:
       app: pause-test3
   template:
     metadata:
-      annotations:
-        rt-cfg.kyma-project.io/add-img-pull-secret: "false"
       labels:
         app: pause-test3
     spec: