WIP: Trying to add UpdateOpt for password, using resource version of object to determine when the password has been changed, need to test first before opening a proper PR

Signed-off-by: Daniel Lawton <dlawton@redhat.com>

Author: dlaw4608

internal/controllers/user/actuator.go

@@ -137,6 +137,7 @@ func (actuator userActuator) CreateResource(ctx context.Context, obj orcObjectPT
 	}
 
 	var password string
+	var passwordSecretVersion string
 	if resource.Password != nil {
 		secret, secretReconcileStatus := dependency.FetchDependency(
 			ctx, actuator.k8sClient, obj.Namespace,
@@ -145,13 +146,13 @@ func (actuator userActuator) CreateResource(ctx context.Context, obj orcObjectPT
 		)
 		reconcileStatus = reconcileStatus.WithReconcileStatus(secretReconcileStatus)
 		if secretReconcileStatus == nil {
-			var ok bool
 			passwordBytes, ok := secret.Data["password"]
 			if !ok {
 				reconcileStatus = reconcileStatus.WithReconcileStatus(
 					progress.NewReconcileStatus().WithProgressMessage("Password secret does not contain \"password\" key"))
 			} else {
 				password = string(passwordBytes)
+				passwordSecretVersion = secret.ResourceVersion
 			}
 		}
 	}
@@ -177,6 +178,15 @@ func (actuator userActuator) CreateResource(ctx context.Context, obj orcObjectPT
 		return nil, progress.WrapError(err)
 	}
 
+	// Store the password Secret ResourceVersion after successful creation
+	if passwordSecretVersion != "" {
+		if err := actuator.updatePasswordSecretVersionAnnotation(ctx, obj, passwordSecretVersion); err != nil {
+			log := ctrl.LoggerFrom(ctx)
+			log.Error(err, "Failed to update password secret version annotation after creation")
+			// Don't fail the create just because we couldn't update the annotation
+		}
+	}
+
 	return osResource, nil
 }
 
@@ -199,6 +209,11 @@ func (actuator userActuator) updateResource(ctx context.Context, obj orcObjectPT
 	handleDescriptionUpdate(&updateOpts, resource, osResource)
 	handleEnabledUpdate(&updateOpts, resource, osResource)
 
+	newSecretVersion, passwordRS := actuator.handlePasswordUpdate(ctx, &updateOpts, obj)
+	if passwordRS != nil {
+		return passwordRS
+	}
+
 	needsUpdate, err := needsUpdate(updateOpts)
 	if err != nil {
 		return progress.WrapError(
@@ -220,6 +235,15 @@ func (actuator userActuator) updateResource(ctx context.Context, obj orcObjectPT
 		return progress.WrapError(err)
 	}
 
+	// If password was updated, store the new Secret ResourceVersion in annotation
+	if newSecretVersion != "" {
+		if err := actuator.updatePasswordSecretVersionAnnotation(ctx, obj, newSecretVersion); err != nil {
+			log.Error(err, "Failed to update password secret version annotation")
+			// Don't fail the reconcile just because we couldn't update the annotation
+			// The password was already updated in OpenStack
+		}
+	}
+
 	return progress.NeedsRefresh()
 }
 
@@ -258,6 +282,51 @@ func handleEnabledUpdate(updateOpts *users.UpdateOpts, resource *resourceSpecT,
 	}
 }
 
+func (actuator userActuator) updatePasswordSecretVersionAnnotation(ctx context.Context, obj orcObjectPT, secretVersion string) error {
+	// Create a patch to update just the annotation
+	patch := client.MergeFrom(obj.DeepCopy())
+
+	if obj.Annotations == nil {
+		obj.Annotations = make(map[string]string)
+	}
+	obj.Annotations["openstack.k-orc.cloud/password-secret-version"] = secretVersion
+
+	return actuator.k8sClient.Patch(ctx, obj, patch)
+}
+
+func (actuator userActuator) handlePasswordUpdate(ctx context.Context, updateOpts *users.UpdateOpts, obj orcObjectPT) (secretResourceVersion string, reconcileStatus progress.ReconcileStatus) {
+	resource := obj.Spec.Resource
+	if resource == nil {
+		return "", nil
+	}
+
+	if resource.Password != nil && resource.Password.SecretRef != nil {
+		secret, secretReconcileStatus := dependency.FetchDependency(
+			ctx, actuator.k8sClient, obj.Namespace,
+			resource.Password.SecretRef, "Secret",
+			func(*corev1.Secret) bool { return true },
+		)
+		if secretReconcileStatus != nil {
+			return "", secretReconcileStatus
+		}
+
+		// Check if password Secret has changed by comparing ResourceVersion
+		currentSecretVersion := secret.ResourceVersion
+		storedSecretVersion := obj.Annotations["openstack.k-orc.cloud/password-secret-version"]
+
+		// Only update password if Secret ResourceVersion changed
+		if storedSecretVersion != currentSecretVersion {
+			if passwordBytes, ok := secret.Data["password"]; ok {
+				password := string(passwordBytes)
+				updateOpts.Password = password
+				return currentSecretVersion, nil
+			}
+		}
+	}
+
+	return "", nil
+}
+
 func (actuator userActuator) GetResourceReconcilers(ctx context.Context, orcObject orcObjectPT, osResource *osResourceT, controller interfaces.ResourceController) ([]resourceReconciler, progress.ReconcileStatus) {
 	return []resourceReconciler{
 		actuator.updateResource,

internal/controllers/user/tests/user-update-password/00-assert.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+resourceRefs:
+    - apiVersion: openstack.k-orc.cloud/v1alpha1
+      kind: User
+      name: user-update-password
+      ref: user
+assertAll:
+    - celExpr: "user.status.id != ''"
+    - celExpr: "user.status.resource.domainID == 'default'"
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: User
+metadata:
+  name: user-update-password
+status:
+  resource:
+    name: user-update-password
+    enabled: true
+  conditions:
+  - type: Available
+    status: "True"
+    reason: Success
+  - type: Progressing
+    status: "False"
+    reason: Success
+

internal/controllers/user/tests/user-update-password/00-create-resource.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: User
+metadata:
+  name: user-update-password
+spec:
+  cloudCredentialsRef:
+    cloudName: openstack-admin
+    secretName: openstack-clouds
+  managementPolicy: managed
+  resource:
+    password:
+      secretRef: user-update-password

internal/controllers/user/tests/user-update-password/00-secret.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - command: kubectl create secret generic openstack-clouds --from-file=clouds.yaml=${E2E_KUTTL_OSCLOUDS} ${E2E_KUTTL_CACERT_OPT}
+    namespaced: true
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: user-update-password
+type: Opaque
+stringData:
+  password: "user-update"

internal/controllers/user/tests/user-update-password/01-assert.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: User
+metadata:
+  name: user-update-password
+status:
+  resource:
+    name: user-update-password
+    enabled: true
+  conditions:
+  - type: Available
+    status: "True"
+    reason: Success
+  - type: Progressing
+    status: "False"
+    reason: Success
+

internal/controllers/user/tests/user-update-password/01-update-password.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: user-update-password
+type: Opaque
+stringData:
+  password: "user-update-updated"

internal/controllers/user/tests/user-update-password/02-assert.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: openstack.k-orc.cloud/v1alpha1
+kind: User
+metadata:
+  name: user-update-password
+status:
+  resource:
+    name: user-update-password
+    enabled: true
+  conditions:
+  - type: Available
+    status: "True"
+    reason: Success
+  - type: Progressing
+    status: "False"
+    reason: Success
+

internal/controllers/user/tests/user-update-password/02-revert-password.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: user-update-password
+type: Opaque
+stringData:
+  password: "user-update"

internal/controllers/user/tests/user-update-password/README.md

@@ -0,0 +1,27 @@
+# Update User Password
+
+This test verifies that a User's password can be updated by changing the referenced Secret.
+
+## Step 00
+
+Create a User with a password Secret containing "InitialPassword123".
+
+## Step 01
+
+Update the password Secret to contain "UpdatedPassword456". Verify that the User reconciles and remains Available.
+
+## Step 02
+
+Revert the password Secret back to "InitialPassword123". Verify that the User reconciles and remains Available.
+
+## What This Tests
+
+- Password is set during creation
+- Password can be updated by changing the Secret
+- Password updates trigger reconciliation
+- User remains Available throughout password updates
+- Password can be changed multiple times
+
+## Note
+
+The password value itself is write-only in OpenStack, so we cannot verify the actual password value in the status. This test only verifies that password updates don't cause errors and the User remains Available.