From 2b2dbed0162b275348de0234b0a8862b872e82b7 Mon Sep 17 00:00:00 2001
From: Tom Weininger <tweining@redhat.com>
Date: Tue, 8 Oct 2024 13:16:21 +0000
Subject: [PATCH] Use VerifySecret to prevent unnecessary reconcile on secret
 change

This uses VerifySecret to get the hash of the specific password selector
instead of using GetSecret. The reason for this change is mainly to stay
consistent with other operators. Octavia pods were not restarted when
the secret was changed.

OSPRH-8069
---
 controllers/octavia_controller.go | 35 +++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)

diff --git a/controllers/octavia_controller.go b/controllers/octavia_controller.go
index 54c195eb..0e9e66e2 100644
--- a/controllers/octavia_controller.go
+++ b/controllers/octavia_controller.go
@@ -309,7 +309,14 @@ func (r *OctaviaReconciler) reconcileInit(
 	//
 	// check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 	//
-	ospSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Spec.Secret, instance.Namespace)
+	ospSecretHash, result, err := oko_secret.VerifySecret(
+		ctx,
+		types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Secret},
+		[]string{instance.Spec.PasswordSelectors.Service},
+		helper.GetClient(),
+		time.Duration(10)*time.Second,
+	)
+
 	if err != nil {
 		if k8s_errors.IsNotFound(err) {
 			Log.Info(fmt.Sprintf("OpenStack secret %s not found", instance.Spec.Secret))
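Review bot: The hash stored in `secretsVars` now covers only `instance.Spec.PasswordSelectors.Service`, so rotating any other key in `instance.Spec.Secret` no longer changes it. If the Octavia pods read another key from that secret, they would keep running with the old credential after a rotation. The rest of reconcileInit lies outside this hunk, so this cannot be confirmed from here; if other keys are consumed, add them to the `[]string{...}` argument. Otherwise, record the assumption above the call, for example `// Only the service password is hashed: rotating other keys in this secret does not restart pods.` The same applies to the `[]string{"transport_url"}` call in the next hunk.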
@@ -327,10 +334,23 @@ func (r *OctaviaReconciler) reconcileInit(
 			condition.InputReadyErrorMessage,
 			err.Error()))
 		return ctrl.Result{}, err
+	} else if (result != ctrl.Result{}) {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.InputReadyCondition,
+			condition.RequestedReason,
+			condition.SeverityInfo,
+			condition.InputReadyWaitingMessage))
+		return result, err
 	}
-	secretsVars[ospSecret.Name] = env.SetValue(hash)
+	secretsVars[instance.Spec.Secret] = env.SetValue(ospSecretHash)
 
-	transportURLSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Status.TransportURLSecret, instance.Namespace)
+	transportURLSecretHash, result, err := oko_secret.VerifySecret(
+		ctx,
+		types.NamespacedName{Namespace: instance.Namespace, Name: instance.Status.TransportURLSecret},
+		[]string{"transport_url"},
+		helper.GetClient(),
+		time.Duration(10)*time.Second,
+	)
 	if err != nil {
 		if k8s_errors.IsNotFound(err) {
 			Log.Info(fmt.Sprintf("TransportURL secret %s not found", instance.Status.TransportURLSecret))
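Review bot: The added `} else if (result != ctrl.Result{}) {` branch hangs off an `if err != nil` block that already ends in `return`, and it returns `err`, which is necessarily nil on that path. A separate `if (result != ctrl.Result{}) {` with `return result, nil` makes the requeue path explicit and avoids returning a stale error if the code above is later rearranged. The identical branch added in the third hunk for the TransportURL secret should change the same way. The requeue interval `time.Duration(10)*time.Second` is also spelled out in both VerifySecret calls; one named constant would keep the two in step. reconcileInit starts and ends outside these hunks.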
@@ -348,8 +368,15 @@ func (r *OctaviaReconciler) reconcileInit(
 			condition.InputReadyErrorMessage,
 			err.Error()))
 		return ctrl.Result{}, err
+	} else if (result != ctrl.Result{}) {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			condition.InputReadyCondition,
+			condition.RequestedReason,
+			condition.SeverityInfo,
+			condition.InputReadyWaitingMessage))
+		return result, err
 	}
-	secretsVars[transportURLSecret.Name] = env.SetValue(hash)
+	secretsVars[instance.Status.TransportURLSecret] = env.SetValue(transportURLSecretHash)
 
 	octaviaDb, persistenceDb, result, err := r.ensureDB(ctx, helper, instance)
 	if err != nil {