feat(syncer-service): onboard syncer-service component by ab-ghosh · Pull Request #3198 · tektoncd/operator

ab-ghosh · 2026-02-04T09:58:46Z

Changes

This PR onboards the syncer-service component into the Tekton Operator with conditional deployment based on TektonConfig scheduler settings.

Introduces a new SyncerService Custom Resource (CR) to manage the syncer-service component
Deploys syncer-service conditionally, only when:
- scheduler.multi-cluster-disabled is set to false
- scheduler.multi-cluster-role is set to Hub

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

Run make test lint before submitting a PR
Includes tests (if functionality changed/added)
Includes docs (if user facing)
Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

NONE

tekton-robot · 2026-02-04T09:58:49Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign jkhelil after the PR has been reviewed.
You can assign the PR to them by writing /assign @jkhelil in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

ab-ghosh · 2026-02-04T09:59:23Z

Upgrade test results:

Before the upgrade

After the upgrade

Updating the TektonConfig with the scheduler configuration (multi-cluster-disabled: false and multi-cluster-role: Hub)

Updating the TektonConfig with the scheduler configuration (multi-cluster-disabled: true and multi-cluster-role: "")

anithapriyanatarajan · 2026-02-06T14:43:48Z

@ab-ghosh - Thanks for sharing the outcome of upgrade tests. Please includes tests to make sure that sync service behaves the expected way in hub and spoke cluster. Check the possibility incorporating tests in the following one atleast for each type : locations: https://github.com/tektoncd/operator/tree/main/test

Also see the possibility of incorporating unit tests.

jkhelil · 2026-02-08T15:14:54Z

pkg/reconciler/shared/tektonconfig/syncerservice/syncerservice.go

+// Syncer-service is enabled when:
+// 1. Multi-cluster is NOT disabled (i.e., multi-cluster is enabled)
+// 2. The role is Hub
+func IsSyncerServiceEnabled(scheduler *v1alpha1.Scheduler) bool {


add unit test

ab-ghosh · 2026-02-10T07:43:10Z

/kind feature

khrm

Looks good. But shouldn't we keep this to only OpenShift, like PAC?

pratap0007 · 2026-02-12T05:45:55Z

docs/SyncerService.md

+
+SyncerService custom resource allows user to install and manage [Syncer Service][SyncerService].
+
+Syncer Service is a Kubernetes controller that synchronizes secrets between manager (hub) and worker (spoke) nodes in multi-Kueue environments. It enables seamless multi-cluster pipeline execution by ensuring PipelineRuns have the necessary authentication secrets available on their target clusters.


can we add a doc reference to multi-Kueue environments which can provide few details about the multi-kueue/mult-kueue environments?

pratap0007 · 2026-02-12T05:53:11Z

pkg/reconciler/kubernetes/syncerservice/installerset.go

+			"existingNamespace", installerSetTargetNamespace,
+			"newNamespace", ss.Spec.TargetNamespace)
+		err := r.operatorClientSet.OperatorV1alpha1().TektonInstallerSets().
+			Delete(ctx, existingInstallerSet, metav1.DeleteOptions{})


Could we move the delete operation into a separate function for better separation of concerns?

ab-ghosh · 2026-02-14T18:01:44Z

@khrm SyncerService follows the same pattern as TektonScheduler since it's a dependent component of the scheduler's multi-cluster Hub mode. Since TektonScheduler supports both Kubernetes and OpenShift, I kept SyncerService consistent with that.
Would you prefer to restrict this to OpenShift only?

khrm · 2026-02-14T18:07:09Z

This service syncs only PAC secret afaik.

@zakisk Are we syncing any thing other than this?

Add conditional deployment of syncer-service based on TektonConfig: - scheduler.multi-cluster-disabled: false - scheduler.multi-cluster-role: Hub Includes CRD, controllers, reconcilers for Kubernetes and OpenShift. Signed-off-by: ab-ghosh <abghosh@redhat.com>

zakisk · 2026-02-15T06:41:20Z

This service syncs only PAC secret afaik.

@zakisk Are we syncing any thing other than this?

Yes, right it only syncs PaC secrets

ab-ghosh · 2026-02-16T05:58:01Z

@khrm should make this to OpenShift only then?

khrm · 2026-02-16T06:22:25Z

@ab-ghosh Yes, let's do that.

tekton-robot added the release-note-none Denotes a PR that doesnt merit a release note. label Feb 4, 2026

tekton-robot requested review from PuneetPunamiya and pratap0007 February 4, 2026 09:58

tekton-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Feb 4, 2026

ab-ghosh force-pushed the onboard-syncer-service-upstream branch from 77a2861 to 0d89eb4 Compare February 6, 2026 08:01

jkhelil reviewed Feb 8, 2026

View reviewed changes

ab-ghosh force-pushed the onboard-syncer-service-upstream branch 2 times, most recently from 4014bda to fc75dd3 Compare February 9, 2026 17:36

tekton-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Feb 10, 2026

khrm reviewed Feb 12, 2026

View reviewed changes

pratap0007 reviewed Feb 12, 2026

View reviewed changes

tekton-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 12, 2026

ab-ghosh force-pushed the onboard-syncer-service-upstream branch from fc75dd3 to 3f33ccd Compare February 14, 2026 18:09

tekton-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Feb 14, 2026

ab-ghosh force-pushed the onboard-syncer-service-upstream branch from 3f33ccd to f6ea252 Compare February 14, 2026 18:22

ab-ghosh force-pushed the onboard-syncer-service-upstream branch from f6ea252 to c835573 Compare February 14, 2026 18:29


		SyncerService custom resource allows user to install and manage [Syncer Service][SyncerService].

		Syncer Service is a Kubernetes controller that synchronizes secrets between manager (hub) and worker (spoke) nodes in multi-Kueue environments. It enables seamless multi-cluster pipeline execution by ensuring PipelineRuns have the necessary authentication secrets available on their target clusters.

Conversation

ab-ghosh commented Feb 4, 2026

Changes

Submitter Checklist

Release Notes

Uh oh!

tekton-robot commented Feb 4, 2026

Uh oh!

ab-ghosh commented Feb 4, 2026

Uh oh!

anithapriyanatarajan commented Feb 6, 2026

Uh oh!

jkhelil Feb 8, 2026

Choose a reason for hiding this comment

Uh oh!

ab-ghosh commented Feb 10, 2026

Uh oh!

khrm left a comment

Choose a reason for hiding this comment

Uh oh!

pratap0007 Feb 12, 2026

Choose a reason for hiding this comment

Uh oh!

pratap0007 Feb 12, 2026

Choose a reason for hiding this comment

Uh oh!

ab-ghosh commented Feb 14, 2026

Uh oh!

khrm commented Feb 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

zakisk commented Feb 15, 2026

Uh oh!

ab-ghosh commented Feb 16, 2026

Uh oh!

khrm commented Feb 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

khrm commented Feb 14, 2026 •

edited

Loading