K8SPG-833: watch envFrom secrets (#1306)

pooknull · web-flow · commit a1852ac4cffe · 2025-10-03T12:31:41.000+03:00
diff --git a/cmd/postgres-operator/main.go b/cmd/postgres-operator/main.go
@@ -163,6 +163,15 @@ func addControllersToManager(ctx context.Context, mgr manager.Manager) error {
 		return errors.New("missing controller in manager")
 	}
 
+	if err := mgr.GetFieldIndexer().IndexField(
+		context.Background(),
+		&v2.PerconaPGCluster{},
+		v2.IndexFieldEnvFromSecrets,
+		v2.EnvFromSecretsIndexerFunc,
+	); err != nil {
+		return err
+	}
+
 	externalEvents := make(chan event.GenericEvent)
 	stopChan := make(chan event.DeleteEvent)
 
diff --git a/percona/controller/pgcluster/controller.go b/percona/controller/pgcluster/controller.go
@@ -106,6 +106,7 @@ func (r *PGClusterReconciler) SetupWithManager(mgr manager.Manager) error {
 		For(&v2.PerconaPGCluster{}).
 		Owns(&v1beta1.PostgresCluster{}).
 		WatchesRawSource(source.Kind(mgr.GetCache(), &corev1.Service{}, r.watchServices())).
+		Watches(&corev1.Secret{}, r.watchEnvFromSecrets()).
 		WatchesRawSource(source.Kind(mgr.GetCache(), &corev1.Secret{}, r.watchSecrets())).
 		WatchesRawSource(source.Kind(mgr.GetCache(), &batchv1.Job{}, r.watchBackupJobs())).
 		WatchesRawSource(source.Kind(mgr.GetCache(), &v2.PerconaPGBackup{}, r.watchPGBackups())).
@@ -165,6 +166,33 @@ func (r *PGClusterReconciler) watchPGBackups() handler.TypedFuncs[*v2.PerconaPGB
 	}
 }
 
+func (r *PGClusterReconciler) watchEnvFromSecrets() handler.TypedEventHandler[client.Object, reconcile.Request] {
+	return handler.EnqueueRequestsFromMapFunc(func(ctx context.Context, obj client.Object) []reconcile.Request {
+		log := logf.FromContext(ctx).WithName("watchEnvFromSecrets")
+
+		secret, ok := obj.(*corev1.Secret)
+		if !ok {
+			return nil
+		}
+
+		var clusters v2.PerconaPGClusterList
+		if err := r.Client.List(ctx, &clusters, client.MatchingFields{
+			v2.IndexFieldEnvFromSecrets: secret.Name,
+		}, client.InNamespace(secret.Namespace)); err != nil {
+			log.Error(err, "Failed to list clusters by env from secrets index failed", "key", client.ObjectKeyFromObject(secret).String())
+			return nil
+		}
+
+		reqs := make([]reconcile.Request, 0, len(clusters.Items))
+		for _, cr := range clusters.Items {
+			reqs = append(reqs, reconcile.Request{
+				NamespacedName: client.ObjectKeyFromObject(&cr),
+			})
+		}
+		return reqs
+	})
+}
+
 func (r *PGClusterReconciler) watchSecrets() handler.TypedFuncs[*corev1.Secret, reconcile.Request] {
 	return handler.TypedFuncs[*corev1.Secret, reconcile.Request]{
 		UpdateFunc: func(ctx context.Context, e event.TypedUpdateEvent[*corev1.Secret], q workqueue.TypedRateLimitingInterface[reconcile.Request]) {
@@ -281,7 +309,7 @@ func (r *PGClusterReconciler) Reconcile(ctx context.Context, request reconcile.R
 		return reconcile.Result{}, errors.Wrap(err, "failed to handle monitor user password change")
 	}
 
-	if err := r.handleEnvFromSecrets(ctx, cr); err != nil {
+	if err := r.reconcileEnvFromSecrets(ctx, cr); err != nil {
 		return reconcile.Result{}, errors.Wrap(err, "failed to handle envFrom secrets")
 	}
 
@@ -721,7 +749,7 @@ func (r *PGClusterReconciler) reconcilePMM(ctx context.Context, cr *v2.PerconaPG
 	return nil
 }
 
-func (r *PGClusterReconciler) handleEnvFromSecrets(ctx context.Context, cr *v2.PerconaPGCluster) error {
+func (r *PGClusterReconciler) reconcileEnvFromSecrets(ctx context.Context, cr *v2.PerconaPGCluster) error {
 	m := make(map[*[]corev1.EnvFromSource]*v1beta1.Metadata)
 
 	for i := 0; i < len(cr.Spec.InstanceSets); i++ {
@@ -759,7 +787,7 @@ func (r *PGClusterReconciler) handleEnvFromSecrets(ctx context.Context, cr *v2.P
 			metadata.Annotations = make(map[string]string)
 		}
 
-		// If the currentHash is the same  is the on the STS, restart will not  happen
+		// If the currentHash is the same on the STS, restart will not happen
 		metadata.Annotations[pNaming.AnnotationEnvVarsSecretHash] = getSecretHash(secrets...)
 	}
 
diff --git a/percona/controller/pgcluster/secret.go b/percona/controller/pgcluster/secret.go
@@ -6,27 +6,20 @@ import (
 	"fmt"
 
 	corev1 "k8s.io/api/core/v1"
-	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
-	"github.com/percona/percona-postgresql-operator/internal/logging"
 	v2 "github.com/percona/percona-postgresql-operator/pkg/apis/pgv2.percona.com/v2"
 )
 
 func getEnvFromSecrets(ctx context.Context, cl client.Client, cr *v2.PerconaPGCluster, envFromSource []corev1.EnvFromSource) ([]corev1.Secret, error) {
-	log := logging.FromContext(ctx)
 	var secrets []corev1.Secret
 	for _, source := range envFromSource {
 		var secret corev1.Secret
 		if err := cl.Get(ctx, types.NamespacedName{
 			Name:      source.SecretRef.Name,
 			Namespace: cr.Namespace,
 		}, &secret); err != nil {
-			if k8serrors.IsNotFound(err) {
-				log.V(1).Info(fmt.Sprintf("Secret %s not found", secret.Name))
-				continue
-			}
 			return nil, err
 		}
 		secrets = append(secrets, secret)
diff --git a/pkg/apis/pgv2.percona.com/v2/perconapgcluster_types.go b/pkg/apis/pgv2.percona.com/v2/perconapgcluster_types.go
@@ -8,6 +8,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 
 	"github.com/percona/percona-postgresql-operator/internal/config"
@@ -1080,3 +1081,49 @@ const (
 func (pgc PerconaPGCluster) UserMonitoring() string {
 	return pgc.Name + "-" + naming.RolePostgresUser + "-" + UserMonitoring
 }
+
+func (cr *PerconaPGCluster) EnvFromSecrets() []string {
+	secrets := []string{}
+
+	for i := 0; i < len(cr.Spec.InstanceSets); i++ {
+		set := &cr.Spec.InstanceSets[i]
+		if len(set.EnvFrom) == 0 {
+			continue
+		}
+		for _, envFrom := range set.EnvFrom {
+			if envFrom.SecretRef == nil {
+				continue
+			}
+			secrets = append(secrets, envFrom.SecretRef.Name)
+		}
+	}
+
+	if len(cr.Spec.Proxy.PGBouncer.EnvFrom) > 0 {
+		for _, envFrom := range cr.Spec.Proxy.PGBouncer.EnvFrom {
+			if envFrom.SecretRef == nil {
+				continue
+			}
+			secrets = append(secrets, envFrom.SecretRef.Name)
+		}
+	}
+
+	if len(cr.Spec.Backups.PGBackRest.EnvFrom) > 0 {
+		for _, envFrom := range cr.Spec.Backups.PGBackRest.EnvFrom {
+			if envFrom.SecretRef == nil {
+				continue
+			}
+			secrets = append(secrets, envFrom.SecretRef.Name)
+		}
+	}
+	return secrets
+}
+
+const IndexFieldEnvFromSecrets = "pgCluster.envFromSecrets" //nolint:gosec
+
+var EnvFromSecretsIndexerFunc client.IndexerFunc = func(obj client.Object) []string {
+	cr, ok := obj.(*PerconaPGCluster)
+	if !ok {
+		return nil
+	}
+	return cr.EnvFromSecrets()
+}
