From c882342f6704304f5d7626c3b5e60e5200375be4 Mon Sep 17 00:00:00 2001
From: Kirby Chin <37311900+kabicin@users.noreply.github.com>
Date: Wed, 18 Mar 2026 16:55:07 -0400
Subject: [PATCH 1/3] Add OCP global pull secret in image version checks

---
 .../webspherelibertyapplication_controller.go   | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/internal/controller/webspherelibertyapplication_controller.go b/internal/controller/webspherelibertyapplication_controller.go
index af1f1301..5a31abc8 100644
--- a/internal/controller/webspherelibertyapplication_controller.go
+++ b/internal/controller/webspherelibertyapplication_controller.go
@@ -1158,6 +1158,23 @@ func (r *ReconcileWebSphereLiberty) deletePVC(reqLogger logr.Logger, pvcName str
 
 func (r *ReconcileWebSphereLiberty) getContainerImageMetadata(reqLogger logr.Logger, wlapp *webspherelibertyv1.WebSphereLibertyApplication, imageRef imagev1.DockerImageReference) (string, *runtime.RawExtension, error) {
 	wlappSecrets := []corev1.Secret{}
+
+	// check the OpenShift global pull secret for inclusion
+	if len(r.watchNamespaces) == 0 && r.IsOpenShift() {
+		globalPullSecretName := "pull-secret"
+		globalPullSecretNamespace := "openshift-config"
+		globalPullSecret := &corev1.Secret{}
+		globalPullSecret.Name = globalPullSecretName
+		globalPullSecret.Namespace = globalPullSecretNamespace
+		err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: globalPullSecretName, Namespace: globalPullSecretNamespace}, globalPullSecret)
+		if err == nil {
+			wlappSecrets = append(wlappSecrets, *globalPullSecret)
+		} else if !kerrors.IsNotFound(err) {
+			return "", nil, fmt.Errorf("Failed to get the global OpenShift pull secret: %v", err)
+		}
+	}
+
+	// check the CR-configured pull secrets
 	var pullSecret *corev1.Secret
 	if wlapp.GetPullSecret() != nil {
 		pullSecretNames := oputils.DecodeStringToList(*wlapp.GetPullSecret())

From df299ac2ec2e7c11c60901934a24f2fb07ce8dc4 Mon Sep 17 00:00:00 2001
From: Kirby Chin <37311900+kabicin@users.noreply.github.com>
Date: Wed, 18 Mar 2026 17:00:03 -0400
Subject: [PATCH 2/3] Update wording

---
 internal/controller/webspherelibertyapplication_controller.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/internal/controller/webspherelibertyapplication_controller.go b/internal/controller/webspherelibertyapplication_controller.go
index 5a31abc8..8829ef1b 100644
--- a/internal/controller/webspherelibertyapplication_controller.go
+++ b/internal/controller/webspherelibertyapplication_controller.go
@@ -1170,7 +1170,7 @@ func (r *ReconcileWebSphereLiberty) getContainerImageMetadata(reqLogger logr.Log
 		if err == nil {
 			wlappSecrets = append(wlappSecrets, *globalPullSecret)
 		} else if !kerrors.IsNotFound(err) {
-			return "", nil, fmt.Errorf("Failed to get the global OpenShift pull secret: %v", err)
+			return "", nil, fmt.Errorf("Failed to get the OpenShift global pull secret: %v", err)
 		}
 	}
 

From 846de47e6bcdb1e48080bfc327780d90d788c3b6 Mon Sep 17 00:00:00 2001
From: Kirby Chin <37311900+kabicin@users.noreply.github.com>
Date: Wed, 18 Mar 2026 17:24:44 -0400
Subject: [PATCH 3/3] Store isClusterWide into ReconcileWebSphereLiberty

---
 .../webspherelibertyapplication_controller.go | 49 ++++++++++---------
 1 file changed, 25 insertions(+), 24 deletions(-)

diff --git a/internal/controller/webspherelibertyapplication_controller.go b/internal/controller/webspherelibertyapplication_controller.go
index 8829ef1b..e2a01e88 100644
--- a/internal/controller/webspherelibertyapplication_controller.go
+++ b/internal/controller/webspherelibertyapplication_controller.go
@@ -68,6 +68,7 @@ type ReconcileWebSphereLiberty struct {
 	oputils.ReconcilerBase
 	Log             logr.Logger
 	watchNamespaces []string
+	isClusterWide   bool
 }
 
 const applicationFinalizer = "finalizer.webspherelibertyapps.liberty.websphere.ibm.com"
@@ -1011,33 +1012,33 @@ func (r *ReconcileWebSphereLiberty) SetupWithManager(mgr ctrl.Manager) error {
 	for _, ns := range watchNamespaces {
 		watchNamespacesMap[ns] = true
 	}
-	isClusterWide := oputils.IsClusterWide(watchNamespaces)
+	r.isClusterWide = oputils.IsClusterWide(watchNamespaces)
 
 	pred := predicate.Funcs{
 		UpdateFunc: func(e event.UpdateEvent) bool {
 			// Ignore updates to CR status in which case metadata.Generation does not change
-			return e.ObjectOld.GetGeneration() != e.ObjectNew.GetGeneration() && (isClusterWide || watchNamespacesMap[e.ObjectNew.GetNamespace()])
+			return e.ObjectOld.GetGeneration() != e.ObjectNew.GetGeneration() && (r.isClusterWide || watchNamespacesMap[e.ObjectNew.GetNamespace()])
 		},
 		CreateFunc: func(e event.CreateEvent) bool {
-			return isClusterWide || watchNamespacesMap[e.Object.GetNamespace()]
+			return r.isClusterWide || watchNamespacesMap[e.Object.GetNamespace()]
 		},
 		DeleteFunc: func(e event.DeleteEvent) bool {
-			return isClusterWide || watchNamespacesMap[e.Object.GetNamespace()]
+			return r.isClusterWide || watchNamespacesMap[e.Object.GetNamespace()]
 		},
 		GenericFunc: func(e event.GenericEvent) bool {
-			return isClusterWide || watchNamespacesMap[e.Object.GetNamespace()]
+			return r.isClusterWide || watchNamespacesMap[e.Object.GetNamespace()]
 		},
 	}
 
 	predSubResource := predicate.Funcs{
 		UpdateFunc: func(e event.UpdateEvent) bool {
-			return (isClusterWide || watchNamespacesMap[e.ObjectOld.GetNamespace()])
+			return (r.isClusterWide || watchNamespacesMap[e.ObjectOld.GetNamespace()])
 		},
 		CreateFunc: func(e event.CreateEvent) bool {
 			return false
 		},
 		DeleteFunc: func(e event.DeleteEvent) bool {
-			return isClusterWide || watchNamespacesMap[e.Object.GetNamespace()]
+			return r.isClusterWide || watchNamespacesMap[e.Object.GetNamespace()]
 		},
 		GenericFunc: func(e event.GenericEvent) bool {
 			return false
@@ -1047,13 +1048,13 @@ func (r *ReconcileWebSphereLiberty) SetupWithManager(mgr ctrl.Manager) error {
 	predSubResWithGenCheck := predicate.Funcs{
 		UpdateFunc: func(e event.UpdateEvent) bool {
 			// Ignore updates to CR status in which case metadata.Generation does not change
-			return (isClusterWide || watchNamespacesMap[e.ObjectOld.GetNamespace()]) && e.ObjectOld.GetGeneration() != e.ObjectNew.GetGeneration()
+			return (r.isClusterWide || watchNamespacesMap[e.ObjectOld.GetNamespace()]) && e.ObjectOld.GetGeneration() != e.ObjectNew.GetGeneration()
 		},
 		CreateFunc: func(e event.CreateEvent) bool {
 			return false
 		},
 		DeleteFunc: func(e event.DeleteEvent) bool {
-			return isClusterWide || watchNamespacesMap[e.Object.GetNamespace()]
+			return r.isClusterWide || watchNamespacesMap[e.Object.GetNamespace()]
 		},
 		GenericFunc: func(e event.GenericEvent) bool {
 			return false
@@ -1159,21 +1160,6 @@ func (r *ReconcileWebSphereLiberty) deletePVC(reqLogger logr.Logger, pvcName str
 func (r *ReconcileWebSphereLiberty) getContainerImageMetadata(reqLogger logr.Logger, wlapp *webspherelibertyv1.WebSphereLibertyApplication, imageRef imagev1.DockerImageReference) (string, *runtime.RawExtension, error) {
 	wlappSecrets := []corev1.Secret{}
 
-	// check the OpenShift global pull secret for inclusion
-	if len(r.watchNamespaces) == 0 && r.IsOpenShift() {
-		globalPullSecretName := "pull-secret"
-		globalPullSecretNamespace := "openshift-config"
-		globalPullSecret := &corev1.Secret{}
-		globalPullSecret.Name = globalPullSecretName
-		globalPullSecret.Namespace = globalPullSecretNamespace
-		err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: globalPullSecretName, Namespace: globalPullSecretNamespace}, globalPullSecret)
-		if err == nil {
-			wlappSecrets = append(wlappSecrets, *globalPullSecret)
-		} else if !kerrors.IsNotFound(err) {
-			return "", nil, fmt.Errorf("Failed to get the OpenShift global pull secret: %v", err)
-		}
-	}
-
 	// check the CR-configured pull secrets
 	var pullSecret *corev1.Secret
 	if wlapp.GetPullSecret() != nil {
@@ -1194,6 +1180,21 @@ func (r *ReconcileWebSphereLiberty) getContainerImageMetadata(reqLogger logr.Log
 			}
 		}
 	}
+
+	// check the OpenShift global pull secret for inclusion
+	if r.isClusterWide && r.IsOpenShift() {
+		globalPullSecretName := "pull-secret"
+		globalPullSecretNamespace := "openshift-config"
+		globalPullSecret := &corev1.Secret{}
+		globalPullSecret.Name = globalPullSecretName
+		globalPullSecret.Namespace = globalPullSecretNamespace
+		err := r.GetClient().Get(context.TODO(), types.NamespacedName{Name: globalPullSecretName, Namespace: globalPullSecretNamespace}, globalPullSecret)
+		if err == nil {
+			wlappSecrets = append(wlappSecrets, *globalPullSecret)
+		} else if !kerrors.IsNotFound(err) {
+			return "", nil, fmt.Errorf("Failed to get the OpenShift global pull secret: %v", err)
+		}
+	}
 	return libertyimage.NewNamespaceCredentialsContext(reqLogger, wlappSecrets, wlapp.GetNamespace()).GetContainerImageMetadata(context.TODO(), imageRef, pullSecret, false)
 }