Skip to content

Prevent credential Secret drift in DBaaS Harvester VM provisioning #120

Description

@Yohansenanayake

Description:

The DBaaS operator currently has a VM provisioning edge case where the credentials/cloud-init Secret can be created before the Harvester VirtualMachineImage is resolved and validated.

This can lead to two related problems:

  1. If image resolution fails after the Secret is created, the Secret may be left behind before status.resources.secretName is recorded.
  2. On a later reconcile retry, the operator may generate a fresh CA/password set, ignore AlreadyExists for the existing Secret, and return the newly generated CA. The existing Secret still contains the original CA, so status.caCertPem can drift from the Secret actually consumed by the VM.

This issue was identified during review of the Harvester VM creation path in the DBaaS operator.

Affected area:

  • database/internal/harvester/client.go
  • CreatePostgresVM
  • Credentials/cloud-init Secret creation
  • DBInstance status CA reporting

Expected behavior:

  • The operator should resolve and validate the Harvester VM image before creating the credentials Secret.
  • If the credentials Secret already exists, the operator should treat it as the source of truth and return the stored ca_cert.
  • If the existing Secret is malformed and does not contain ca_cert, VM creation should fail clearly instead of publishing unrelated newly generated CA material.

Proposed fix:

  • Move resolveVMImage(ctx, p.OSImage) before credential generation and Secret creation.
  • Add create-or-reuse behavior for the credentials Secret.
  • When the Secret already exists, read and return data.ca_cert.
  • Do not overwrite, rotate, or repair existing credentials as part of this fix.
  • Add unit tests for:
    • image resolution failure does not create a Secret
    • first successful create returns the CA stored in the Secret
    • retry with existing Secret reuses existing CA
    • malformed existing Secret fails before VM creation
    • existing Kube-OVN VM settings remain preserved

Validation:

  • Unit tests should pass for internal/harvester.
  • Full make test should pass after envtest setup.
  • Manual Harvester validation:
    • creating a DBInstance with an invalid image should not create pg-<name>-credentials
    • creating a DBInstance with a valid image should create a credentials Secret
    • .status.caCertPem should match Secret.data.ca_cert

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type/BugIdentifies a bug in the project

    Type

    Fields

    No fields configured for Bug.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions