[Bug]: Pooler ServiceAccount missing imagePullSecret when created

[mnencia]

Is there an existing issue already for this bug?

• I have searched for an existing issue, and could not find anything. I believe this is a new bug.

I have read the troubleshooting guide

• I have read the troubleshooting guide and I think this is a new bug.

I am running a supported version of CloudNativePG

• I have read the troubleshooting guide and I think this is a new bug.

Contact Details

No response

Version

1.28 (latest patch)

What version of Kubernetes are you using?

1.34

What is your Kubernetes environment?

Self-managed: kind (evaluation)

How did you install the operator?

YAML manifest

What happened?

When creating a new Pooler resource, the ServiceAccount is created without the default imagePullSecret, causing pooler pod failures when pulling images from private registries.

Root Cause

In internal/controller/pooler_update.go at line 238, when creating a new ServiceAccount, the code incorrectly passes resources.ServiceAccount (which is nil) instead of the local serviceAccount variable to ensureServiceAccountHaveImagePullSecret():

if resources.ServiceAccount == nil {
    serviceAccount := pgbouncer.ServiceAccount(pooler)
    ensureServiceAccountHaveImagePullSecret(resources.ServiceAccount, pullSecretName)  // BUG: passing nil
    contextLog.Info("Creating service account")
    // ...
}

Since ensureServiceAccountHaveImagePullSecret has a nil check that returns early:

func ensureServiceAccountHaveImagePullSecret(serviceAccount *corev1.ServiceAccount, pullSecretName string) {
    if serviceAccount == nil || pullSecretName == "" {
        return  // Returns immediately when serviceAccount is nil
    }
    // ... never reached
}

The pull secret is never added to the ServiceAccount.

Cluster resource

Relevant log output

Code of Conduct

• I agree to follow this project's Code of Conduct

[dosubot]

You're correct—this is a real bug in the current code. When a new ServiceAccount is created for a Pooler, the code mistakenly passes resources.ServiceAccount (which is nil) to ensureServiceAccountHaveImagePullSecret, so the imagePullSecret is never added. This matches your analysis and is confirmed in the codebase.

This issue is already being tracked upstream as issue #5300, and a maintainer has acknowledged that imagePullSecrets should be set on the ServiceAccount, not directly on the Pod. There's also a proposed fix in PR #5344 to address this behavior.

Until a fix is released, you can work around this by manually patching the ServiceAccount after it's created to add the required imagePullSecret, or by editing the operator code to pass the correct variable. Keep an eye on the upstream PR and issue for resolution and update once a fix is merged and released.

References:

• Upstream issue #5300
• Relevant code section

To reply, just mention @dosu.

---

^{How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other}