Description:
The DBaaS operator currently has a VM provisioning edge case where the credentials/cloud-init Secret can be created before the Harvester VirtualMachineImage is resolved and validated.
This can lead to two related problems:
- If image resolution fails after the Secret is created, the Secret may be left behind before
status.resources.secretName is recorded.
- On a later reconcile retry, the operator may generate a fresh CA/password set, ignore
AlreadyExists for the existing Secret, and return the newly generated CA. The existing Secret still contains the original CA, so status.caCertPem can drift from the Secret actually consumed by the VM.
This issue was identified during review of the Harvester VM creation path in the DBaaS operator.
Affected area:
database/internal/harvester/client.go
CreatePostgresVM
- Credentials/cloud-init Secret creation
- DBInstance status CA reporting
Expected behavior:
- The operator should resolve and validate the Harvester VM image before creating the credentials Secret.
- If the credentials Secret already exists, the operator should treat it as the source of truth and return the stored
ca_cert.
- If the existing Secret is malformed and does not contain
ca_cert, VM creation should fail clearly instead of publishing unrelated newly generated CA material.
Proposed fix:
- Move
resolveVMImage(ctx, p.OSImage) before credential generation and Secret creation.
- Add create-or-reuse behavior for the credentials Secret.
- When the Secret already exists, read and return
data.ca_cert.
- Do not overwrite, rotate, or repair existing credentials as part of this fix.
- Add unit tests for:
- image resolution failure does not create a Secret
- first successful create returns the CA stored in the Secret
- retry with existing Secret reuses existing CA
- malformed existing Secret fails before VM creation
- existing Kube-OVN VM settings remain preserved
Validation:
- Unit tests should pass for
internal/harvester.
- Full
make test should pass after envtest setup.
- Manual Harvester validation:
- creating a DBInstance with an invalid image should not create
pg-<name>-credentials
- creating a DBInstance with a valid image should create a credentials Secret
.status.caCertPem should match Secret.data.ca_cert
Description:
The DBaaS operator currently has a VM provisioning edge case where the credentials/cloud-init Secret can be created before the Harvester
VirtualMachineImageis resolved and validated.This can lead to two related problems:
status.resources.secretNameis recorded.AlreadyExistsfor the existing Secret, and return the newly generated CA. The existing Secret still contains the original CA, sostatus.caCertPemcan drift from the Secret actually consumed by the VM.This issue was identified during review of the Harvester VM creation path in the DBaaS operator.
Affected area:
database/internal/harvester/client.goCreatePostgresVMExpected behavior:
ca_cert.ca_cert, VM creation should fail clearly instead of publishing unrelated newly generated CA material.Proposed fix:
resolveVMImage(ctx, p.OSImage)before credential generation and Secret creation.data.ca_cert.Validation:
internal/harvester.make testshould pass after envtest setup.pg-<name>-credentials.status.caCertPemshould matchSecret.data.ca_cert