[BUG] cannot drop the username and password of a private registry in the secret cattle-system/cattle-private-registry in the downstream cluster once it is set on RKE1 downstream cluster about rancher HOT 3 OPEN

Root cause

When updating the private registries on an RKE1 downstream cluster Rancher always skips the entry whose password is empty. Rancher thinks the reason for an empty password is it has been migrated to a Secret, so skipping the entry can avoid wiping out the password from the Secret. The logic works well in most cases except the following one: once the username and password are set for a private registry on the RKE1 downstream cluster, we will not be able to unset those two values at the same time in the cases where the private registry does not require login anymore or the username and password are set by mistake at the first place.

What was fixed, or what changes have occurred

The logic is updated such that now when updating the private registries on an RKE1 downstream cluster Rancher skips the private registry only if it meets all the following conditions:

• its password is empty
• it can be found in the list of existing private registries
• its username is unchanged

Areas or cases that should be tested

A matrix of cases can be derived from creating/updating a DS RKE1 cluster with/without a private registry that does/doesn't have a username and/or password. In all cases, the cattle-private-registry Secret, whose name is recorded at .State.privateRegistrySecret on the mgmt cluster, should be updated properly.

What areas could experience regressions?

The same as the above.

Are the repro steps accurate/minimal?

Yes.
Note that it is not necessary to use Terraform as the bug is on the Rancher side, not the tf-provider-rancher2.

from rancher.

The issue can validated on the latest v2.9-head tag

from rancher.

This issue is waiting for an alpha/RC to properly test.

from rancher.