# general
e
Question: We’re creating Rancher projects (rancher2_project) and defining image registries (rancher2_registry) in Terraform for specific downstream clusters. When we run terraform apply, the registry secrets are only created in the upstream Rancher (management) cluster, not in the target downstream RKE2 cluster where the workloads run. As a result, pulling images with that registry secret in downstream namespaces fails. Here’s the code snippet:
## Project container registry secrets
resource "rancher2_registry" "project_registry" {
  # One registry per (project, registry) pair, keyed as "<project>-<registry>"
  for_each    = { for r in var.v_rancher_projects : "${lower(r.name)}-${lower(r.image_registry_name)}" => r }
  name        = lower(each.value.image_registry_name)
  description = each.value.image_registry_description
  # Project-scoped: bound to the rancher2_project created for this entry
  project_id  = rancher2_project.rancher_projects[each.value.name].id

  registries {
    address  = each.value.image_registry_address
    username = var.v_img_registry_username
    password = var.v_img_registry_password
  }
}
Use Case to Test / Reproduce

1. Setup
  - Rancher with at least one downstream RKE2 cluster provisioned.
  - Terraform Rancher2 provider connected to the upstream Rancher API.
  - Variables:
v_rancher_projects = [
  {
    name                       = "demo-project"
    image_registry_name        = "demo-registry"
    image_registry_description = "Registry for demo workloads"
    image_registry_address     = "my-private-registry.example.com"
  }
]

v_img_registry_username = "demo-user"
v_img_registry_password = "demo-pass"
2. Terraform Steps
  - Create a new Rancher project in the downstream cluster using rancher2_project.
  - Create the registry for that project using rancher2_registry as above.
  - terraform apply.

3. Expected Behavior
  - The registry secret should appear in the downstream cluster, in the namespace or a project-specific namespace that Rancher manages for registry credentials.
  - Pods in the project’s namespaces can pull from my-private-registry.example.com without extra manual secrets.

4. Actual Behavior
  - The secret is only created in the upstream cluster.
  - The secret is not present in the downstream cluster → image pull fails with ImagePullBackOff.
Events:
  Type     Reason                           Age                      From     Message
  ----     ------                           ----                     ----     -------
  Warning  FailedToRetrieveImagePullSecret  100s (x212729 over 32d)  kubelet  Unable to retrieve some image pull secrets (foo3); attempting to pull the image may not succeed.
  Normal   BackOff                          100s (x203693 over 32d)  kubelet  Back-off pulling image "saan24/alpine:2.1"
Please note this registry is project scoped, not used for downstream cluster creation. It looks like it is not working as expected. Please advise ASAP.
b
Sounds like you're using the wrong credentials or kubeconfig with Terraform.
I dunno, I get how you expect the behavior, but I don't get how that's actually supposed to happen.
Rancher, the upstream cluster, doesn't pull in or sync objects from the downstream cluster.
It injects credentials and polls the downstream APIs... but that's not the same thing as storing them.