From 2b2dbed0162b275348de0234b0a8862b872e82b7 Mon Sep 17 00:00:00 2001
From: Tom Weininger <tweining@redhat.com>
Date: Tue, 8 Oct 2024 13:16:21 +0000
Subject: [PATCH] Use VerifySecret to prevent unnecessary reconcile on secret change
This uses VerifySecret to get the hash of the specific password selector instead of using GetSecret. The reason for this change is mainly to stay consistent with other operators. Octavia pods were not restarted when the secret was changed. OSPRH-8069
---
 controllers/octavia_controller.go | 35 +++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)
diff --git a/controllers/octavia_controller.go b/controllers/octavia_controller.go
index 54c195eb..0e9e66e2 100644
--- a/controllers/octavia_controller.go
+++ b/controllers/octavia_controller.go
@@ -309,7 +309,14 @@ func (r *OctaviaReconciler) reconcileInit(
 //
 // check for required OpenStack secret holding passwords for service/admin user and add hash to the vars map
 //
- ospSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Spec.Secret, instance.Namespace)
+ ospSecretHash, result, err := oko_secret.VerifySecret(
+ ctx,
+ types.NamespacedName{Namespace: instance.Namespace, Name: instance.Spec.Secret},
+ []string{instance.Spec.PasswordSelectors.Service},
+ helper.GetClient(),
+ time.Duration(10)*time.Second,
+ )
+
 if err != nil {
 if k8s_errors.IsNotFound(err) {
 Log.Info(fmt.Sprintf("OpenStack secret %s not found", instance.Spec.Secret))
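Review bot: The `[]string{instance.Spec.PasswordSelectors.Service}` argument limits the hash stored in `secretsVars` to one key of `instance.Spec.Secret`, so rotating any other key in that secret no longer changes the hash. If the deployment consumes further keys from the same secret, which this hunk does not show, a rotated credential there would not roll the pods and they would keep using the old value; either list every consumed selector or state the scope with a comment such as `// hash covers only the service password; add every other key read from this secret`. The timeout is also easier to read as `10*time.Second` held in one named constant, since the transport URL call in the next hunk repeats it. reconcileInit starts and ends outside the hunk.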
@@ -327,10 +334,23 @@ func (r *OctaviaReconciler) reconcileInit(
 condition.InputReadyErrorMessage,
 err.Error()))
 return ctrl.Result{}, err
+ } else if (result != ctrl.Result{}) {
+ instance.Status.Conditions.Set(condition.FalseCondition(
+ condition.InputReadyCondition,
+ condition.RequestedReason,
+ condition.SeverityInfo,
+ condition.InputReadyWaitingMessage))
+ return result, err
 }
- secretsVars[ospSecret.Name] = env.SetValue(hash)
+ secretsVars[instance.Spec.Secret] = env.SetValue(ospSecretHash)

- transportURLSecret, hash, err := oko_secret.GetSecret(ctx, helper, instance.Status.TransportURLSecret, instance.Namespace)
+ transportURLSecretHash, result, err := oko_secret.VerifySecret(
+ ctx,
+ types.NamespacedName{Namespace: instance.Namespace, Name: instance.Status.TransportURLSecret},
+ []string{"transport_url"},
+ helper.GetClient(),
+ time.Duration(10)*time.Second,
+ )
 if err != nil {
 if k8s_errors.IsNotFound(err) {
 Log.Info(fmt.Sprintf("TransportURL secret %s not found", instance.Status.TransportURLSecret))
@@ -348,8 +368,15 @@ func (r *OctaviaReconciler) reconcileInit(
 condition.InputReadyErrorMessage,
 err.Error()))
 return ctrl.Result{}, err
+ } else if (result != ctrl.Result{}) {
+ instance.Status.Conditions.Set(condition.FalseCondition(
+ condition.InputReadyCondition,
+ condition.RequestedReason,
+ condition.SeverityInfo,
+ condition.InputReadyWaitingMessage))
+ return result, err
 }
- secretsVars[transportURLSecret.Name] = env.SetValue(hash)
+ secretsVars[instance.Status.TransportURLSecret] = env.SetValue(transportURLSecretHash)

 octaviaDb, persistenceDb, result, err := r.ensureDB(ctx, helper, instance)
 if err != nil {
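Review bot: The added `else if (result != ctrl.Result{})` branch ends with `return result, err` at a point where `err` is already known to be nil, which hides that this is the wait-and-requeue path; `return result, nil` says so directly. As the preceding `if err != nil` block appears to return on every path, the branch could be a separate `if !result.IsZero() {` rather than an `else if`. The same branch is repeated for the transport URL secret in the following hunk (`@@ -348,8 +368,15 @@`). If VerifySecret reports a missing secret through the result rather than through an error, which this branch suggests but the diff does not show, the `k8s_errors.IsNotFound(err)` handling kept in the context lines would no longer be reached and a missing secret would only surface as the waiting condition; that is worth confirming. The `if err != nil` block these lines extend starts outside this hunk.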