Add credential rotation helpers for secret rotation#706
Open
lmiccini wants to merge 2 commits into
Open
Conversation
lmiccini
force-pushed
the
finalize-secret-rotation
branch
9 times, most recently
from
d67d41c to
a7dc750
Compare
lmiccini
changed the title
lmiccini
force-pushed
the
finalize-secret-rotation
branch
3 times, most recently
from
eb31dc5 to
24d9d88
Compare
stuggi
reviewed
Jun 24, 2026
Add shared helpers for transport URL secret rotation across all openstack-k8s-operators consumer operators: - object.ManageSecretConsumerFinalizer: adds a consumer finalizer to a secret so the provider knows consumers still depend on it - object.RemoveSecretConsumerFinalizer: removes the finalizer - object.FinalizeSecretRotation: the rotation guard — if old != new and guard is ready, removes finalizer from old and returns new; otherwise returns old to preserve the reference - object.ManageRotationGracePeriod: time-based grace period that gives sub-CRs time to detect config changes, roll pods, and update conditions before the guard evaluates readiness - condition.CredentialRotationGuardReady: returns true when all sub-CR specs are stable and all mirrored conditions are True - condition.ServiceInstanceIsReady: generation/observedGeneration guard with replica count and DeploymentReadyCondition check - statefulset.IsReady: checks ReadyReplicas, UpdatedReplicas, ObservedGeneration, and CurrentRevision == UpdateRevision so DeploymentReady is only True when all pods have rolled - deployment.IsReady: checks ReadyReplicas, UpdatedReplicas, Status.Replicas, and ObservedGeneration Note: statefulset.IsReady now additionally requires CurrentRevision == UpdateRevision compared to the previous implementation. This tightens the readiness check to prevent declaring ready during in-progress rolling updates. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
lmiccini
force-pushed
the
finalize-secret-rotation
branch
from
24d9d88 to
5ec8001
Compare
SimulateStatefulSetReplicaReadyWithPods and
SimulateDeploymentReadyWithPods fail when called multiple times
because they unconditionally Create pods that may already exist.
This prevents using them inside Eventually loops, which is needed
for operators like designate where multiple controllers compete
and readiness simulation must be retried.
Changes:
- Check if pod exists before creating; update annotations on
existing pods instead of failing
- Fix nil Annotations map that could panic when template has
no annotations
- Use deterministic pod names for Deployments ({name}-{index}
instead of GenerateName) so pods can be found on re-call
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add shared helpers for transport URL secret rotation across all
openstack-k8s-operators consumer operators:
to a secret so the provider knows consumers still depend on it
and guard is ready, removes finalizer from old and returns new;
otherwise returns old to preserve the reference
gives sub-CRs time to detect config changes, roll pods, and
update conditions before the guard evaluates readiness
sub-CR specs are stable and all mirrored conditions are True
guard with replica count and DeploymentReadyCondition check
ObservedGeneration, and CurrentRevision == UpdateRevision so
DeploymentReady is only True when all pods have rolled
Status.Replicas, and ObservedGeneration
Note: statefulset.IsReady now additionally requires
CurrentRevision == UpdateRevision compared to the previous
implementation. This tightens the readiness check to prevent
declaring ready during in-progress rolling updates.