flyteorg · EngHabu · May 7, 2026 · May 7, 2026 · May 14, 2026 · May 14, 2026
diff --git a/flyteplugins/go/tasks/pluginmachinery/secret/secrets_injector.go b/flyteplugins/go/tasks/pluginmachinery/secret/secrets_injector.go
@@ -6,6 +6,7 @@ import (
 
 	corev1 "k8s.io/api/core/v1"
 	k8sRuntime "k8s.io/apimachinery/pkg/runtime"
+	ctrlcache "sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/flyteorg/flyte/v2/flyteplugins/go/tasks/pluginmachinery/secret/config"
@@ -62,9 +63,38 @@ func newSecretsInjector(
 			return nil, fmt.Errorf("failed to add core v1 to scheme: %w", err)
 		}
 
-		ctrlRuntimeClient, err := client.New(kubeConfig, client.Options{
-			Scheme: ctrlRuntimeScheme,
-		})
+		// The k8s client is only used by embedded_secret_manager's image-pull-secret
+		// path. When that feature is disabled we use a direct client and skip the
+		// informer entirely; otherwise we back the client with a Secret informer.
+		clientOpts := client.Options{Scheme: ctrlRuntimeScheme}
+		if webhookConfig.EmbeddedSecretManagerConfig.ImagePullSecrets.Enabled {
+			secretInformerCache, err := ctrlcache.New(kubeConfig, ctrlcache.Options{
+				Scheme: ctrlRuntimeScheme,
+			})
+			if err != nil {
+				return nil, fmt.Errorf("failed to create informer cache: %w", err)
+			}
+
+			// Explicitly register the Secret informer so the cache only watches
+			// Secrets (not every kind in corev1) and so WaitForCacheSync below
+			// actually blocks on the initial Secret list.
+			if _, err := secretInformerCache.GetInformer(ctx, &corev1.Secret{}); err != nil {
+				return nil, fmt.Errorf("failed to register Secret informer: %w", err)
+			}
+
+			go func() {
+				if err := secretInformerCache.Start(ctx); err != nil {
+					logger.Errorf(ctx, "secret informer cache stopped: %v", err)
+				}
+			}()
+			if !secretInformerCache.WaitForCacheSync(ctx) {
+				return nil, fmt.Errorf("secret informer cache failed to sync")
+			}
+
+			clientOpts.Cache = &client.CacheOptions{Reader: secretInformerCache}
+		}
+
+		ctrlRuntimeClient, err := client.New(kubeConfig, clientOpts)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create controller-runtime client: %w", err)
 		}