Immutable secrets and consumer finalizers for TransportURL credential rotation#608
lmiccini wants to merge 3 commits into
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: lmiccini
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/test infra-operator-build-deploy-kuttl
… rotation
Implement safe credential rotation for TransportURL by creating immutable
secrets with content-hashed names, adding per-consumer finalizers to
coordinate lifecycle between TransportURL and RabbitMQUser CRs, and
gating old user release on both consumer finalizer removal and NodeSet
secret hash synchronization.
Key changes:
- Create immutable transport secrets (rabbitmq-transport-url-{name}-{hash})
during rotation to prevent content mutation by consumers
- Add per-consumer finalizers (turl.openstack.org/t-{name}) on shared
RabbitMQUser and RabbitMQVhost CRs to track active consumers
- Add transport secret consumer finalizer protocol for consuming operators
to signal rollout completion
- Unified release path: wait for consumer finalizer removal, then check
NodeSet secret hash sync — if hashes are in sync the secret is not
tracked by the dataplane and the old user is released immediately;
if out of sync, wait for full NodeSet deployment to complete
- Prevent SecretName flip-flop by comparing content hashes before
deciding whether to create a new immutable secret
- Auto-delete orphaned RabbitMQUser CRs when all consumers release
their finalizers
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ManageTransportSecretFinalizer and RemoveTransportSecretConsumerFinalizer are now available as generic object.ManageSecretConsumerFinalizer and object.RemoveSecretConsumerFinalizer in lib-common. Consumer operators should migrate to the lib-common versions. Keep HasTransportConsumerFinalizer and HasSpecificTransportConsumerFinalizer which are provider-side helpers used by the TransportURL controller. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Move the transport consumer finalizer check from the exported API helper into a private function in the controller — the only consumer. Delete transporturl_helpers.go entirely since all exported helpers are now either in lib-common (ManageSecretConsumerFinalizer, RemoveSecretConsumerFinalizer) or inlined here. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
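The rotation protocol laid out in the first commit message (content-hashed immutable secret names, the hash comparison that prevents SecretName flip-flop, per-consumer finalizers on the shared RabbitMQUser, and the unified release gate), as an added example that is not code from infra-operator or lib-common. It is a dependency-free Go model: the secret-name pattern rabbitmq-transport-url-{name}-{hash} and the finalizer prefix turl.openstack.org/t- are taken from the PR; the SHA-256 hash scheme with its 8-character truncation, the Secret and User struct shapes, and the ReleaseDecision type are assumptions and not the operator's real API.

```go
// Added example, not infra-operator or lib-common code: the name pattern and
// finalizer prefix come from the PR; the hash scheme and types are assumptions.
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

const finalizerPrefix = "turl.openstack.org/t-" // per-consumer finalizer prefix from the PR

// Secret and User stand in for corev1.Secret and the shared RabbitMQUser CR.
type Secret struct {
	Name      string
	Immutable bool
	Data      map[string][]byte
}
type User struct{ Finalizers []string }

// contentHash hashes the payload in key-sorted, length-prefixed form so it is
// independent of map order and field boundaries; 8-char truncation is assumed.
func contentHash(data map[string][]byte) string {
	keys := make([]string, 0, len(data))
	for k := range data {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	h := sha256.New()
	for _, k := range keys {
		fmt.Fprintf(h, "%d:%s=%d:%s;", len(k), k, len(data[k]), data[k])
	}
	return hex.EncodeToString(h.Sum(nil))[:8]
}

// transportSecretName follows rabbitmq-transport-url-{name}-{hash}.
func transportSecretName(turlName string, data map[string][]byte) string {
	return fmt.Sprintf("rabbitmq-transport-url-%s-%s", turlName, contentHash(data))
}

// reconcileSecret returns the secret the TransportURL should reference and
// whether a new immutable one was created. Reusing the current secret when its
// content hash already matches is the SecretName flip-flop prevention.
func reconcileSecret(turlName string, current *Secret, desired map[string][]byte) (*Secret, bool) {
	if current != nil && contentHash(current.Data) == contentHash(desired) {
		return current, false
	}
	return &Secret{Name: transportSecretName(turlName, desired), Immutable: true, Data: desired}, true
}

func consumerFinalizer(turlName string) string { return finalizerPrefix + turlName }

// addConsumerFinalizer is idempotent: one finalizer per consuming TransportURL.
func addConsumerFinalizer(u *User, turlName string) {
	f := consumerFinalizer(turlName)
	for _, x := range u.Finalizers {
		if x == f {
			return
		}
	}
	u.Finalizers = append(u.Finalizers, f)
}

func removeConsumerFinalizer(u *User, turlName string) {
	f := consumerFinalizer(turlName)
	kept := u.Finalizers[:0]
	for _, x := range u.Finalizers {
		if x != f {
			kept = append(kept, x)
		}
	}
	u.Finalizers = kept
}

// hasConsumerFinalizers is the provider-side check for any still-active consumer.
func hasConsumerFinalizers(u *User) bool {
	for _, x := range u.Finalizers {
		if strings.HasPrefix(x, finalizerPrefix) {
			return true
		}
	}
	return false
}

type ReleaseDecision int

const (
	WaitForConsumers ReleaseDecision = iota
	WaitForNodeSetDeployment
	ReleaseNow
)

// releaseOldUser is the unified release path: consumer finalizers first, then
// the NodeSet hash check (in sync means the dataplane does not track the secret).
func releaseOldUser(old *User, nodeSetHashesInSync, nodeSetDeployed bool) ReleaseDecision {
	if hasConsumerFinalizers(old) {
		return WaitForConsumers
	}
	if nodeSetHashesInSync || nodeSetDeployed {
		return ReleaseNow
	}
	return WaitForNodeSetDeployment
}
```

Calling reconcileSecret twice with the same desired content returns the same secret and reports no creation, which is the flip-flop check; changing the content yields a new, immutable, differently named secret. The old user can only be released once every turl.openstack.org/t-* finalizer is gone, and even then only immediately when the NodeSet secret hashes are in sync; otherwise the caller waits for the NodeSet deployment to finish.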
7bda5c0 to aca54b9
Build failed (check pipeline). Post ❌ openstack-k8s-operators-content-provider FAILURE in 11m 20s
recheck
Build failed (check pipeline). Post ❌ openstack-k8s-operators-content-provider FAILURE in 10m 14s
recheck