Immutable secrets and consumer finalizers for TransportURL credential rotation #606
lmiccini wants to merge 2 commits into
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: lmiccini. The full list of commands accepted by this bot can be found here. The pull request process is described here.
a7e25e0 to d965307

… rotation
Implement safe credential rotation for TransportURL by creating immutable
secrets with content-hashed names, adding per-consumer finalizers to
coordinate lifecycle between TransportURL and RabbitMQUser CRs, and
gating old user release on both consumer finalizer removal and NodeSet
secret hash synchronization.
Key changes:
- Create immutable transport secrets (rabbitmq-transport-url-{name}-{hash})
during rotation to prevent content mutation by consumers
- Add per-consumer finalizers (turl.openstack.org/t-{name}) on shared
RabbitMQUser and RabbitMQVhost CRs to track active consumers
- Add transport secret consumer finalizer protocol for consuming operators
to signal rollout completion
- Unified release path: wait for consumer finalizer removal, then check
NodeSet secret hash sync — if hashes are in sync the secret is not
tracked by the dataplane and the old user is released immediately;
if out of sync, wait for full NodeSet deployment to complete
- Prevent SecretName flip-flop by comparing content hashes before
deciding whether to create a new immutable secret
- Auto-delete orphaned RabbitMQUser CRs when all consumers release
their finalizers
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
d965307 to 650554b

Build failed (check pipeline). Post ✔️ openstack-k8s-operators-content-provider SUCCESS in 20m 58s

recheck
Extracts the transport secret rotation guard boilerplate that every operator duplicates (~15 lines per transport URL) into a single reusable function. The caller passes its own guard condition; the helper handles rotation detection, finalizer removal, and status value management.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
During credential rotation, create a new immutable secret instead of patching the existing mutable one. Consuming service operators add a consumer finalizer to the new secret and remove it from the old one after completing their rollout. The TransportURL controller waits for all consumer finalizers to be removed before deleting the old secret and releasing the old RabbitMQ user.
This follows the Keystone Application Credentials pattern already established across the ecosystem and eliminates the need for cross-operator unstructured lookups (17-API-group RBAC removed).
Backward compatible: if no consumer finalizer is present on the old secret (pre-upgrade operator), the old user is released immediately.
EDPM path unchanged: continues using NodeSet hash-sync gating.
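As an added illustration (not code from this PR or from the openstack-k8s-operators project), the rotation decisions described above modelled in Go: the content-hashed immutable secret name, the hash-comparison flip-flop guard, and the unified release path gated first on consumer finalizers and then on NodeSet hash sync. The `Secret` stand-in, the SHA-256 hash truncated to 8 hex characters, and the `needsRotation` / `canReleaseOldUser` helpers are assumptions of this example, not the controller's actual API.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Secret is a constructed stand-in for a Kubernetes Secret carrying only the
// fields the rotation logic consults; it is not the operator's own type.
type Secret struct {
	TransportURL string // the secret's transport_url value
	Finalizers   []string
}

// Per-consumer finalizer prefix from the PR, e.g. "turl.openstack.org/t-nova".
const consumerFinalizerPrefix = "turl.openstack.org/t-"
// contentHash derives the name suffix from the secret content; SHA-256
// truncated to 8 hex chars is an assumption of this example, not the PR's.
func contentHash(transportURL string) string {
	sum := sha256.Sum256([]byte(transportURL))
	return hex.EncodeToString(sum[:])[:8]
}

// immutableSecretName yields rabbitmq-transport-url-{name}-{hash}.
func immutableSecretName(turlName, transportURL string) string {
	return fmt.Sprintf("rabbitmq-transport-url-%s-%s", turlName, contentHash(transportURL))
}

// needsRotation is the flip-flop guard: only a changed content hash spawns a new secret.
func needsRotation(current *Secret, newTransportURL string) bool {
	return current == nil || contentHash(current.TransportURL) != contentHash(newTransportURL)
}

// canReleaseOldUser is the unified release path: a consumer finalizer on the old
// secret blocks release; with none left (a pre-upgrade consumer never adds one),
// NodeSet hash sync decides whether release is immediate or waits for deployment.
func canReleaseOldUser(old *Secret, nodeSetHashesInSync bool) (bool, string) {
	for _, f := range old.Finalizers {
		if strings.HasPrefix(f, consumerFinalizerPrefix) {
			return false, "waiting for consumer " + strings.TrimPrefix(f, consumerFinalizerPrefix)
		}
	}
	if nodeSetHashesInSync {
		return true, "no consumer finalizers and NodeSet hashes in sync"
	}
	return false, "waiting for NodeSet deployment to complete"
}
```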