
fix: garbage-collect API key Secret by setting an ownerReference #541

Open
shiavm006 wants to merge 1 commit into Kuadrant:main from shiavm006:fix/apikey-secret-ownerref

@shiavm006 shiavm006 commented Jun 5, 2026

Contributor

Description

  • Create the APIKey first, then create the Secret with an ownerReference to it, so Kubernetes garbage-collects the Secret automatically when the APIKey is deleted.
  • Roll back the APIKey if Secret creation fails, so a partial failure doesn't leave a key without its Secret.

Reordering is safe: the APIKey references the Secret by name (secretRef.name), which is known up front.

Fixes #512

Summary by CodeRabbit

  • Bug Fixes
    • Improved API key request flow with better error recovery and automatic resource cleanup. The system now properly manages the lifecycle of API keys, ensuring associated resources are automatically removed when an API key is deleted.

coderabbitai Bot commented Jun 5, 2026


📥 Commits

Reviewing files that changed from the base of the PR and between 7ec13ae and 0eab797.

📒 Files selected for processing (1)
  • src/components/apikey/RequestAPIKeyModal.tsx
Walkthrough

The API key request modal reorders resource creation to prevent credential orphaning. The flow now creates the APIKey first, then creates a Secret with ownerReferences pointing to the APIKey's UID so the Secret is garbage-collected when the APIKey is deleted. On Secret creation failure, the code rolls back by deleting the newly created APIKey before re-raising the error.

Changes

API Key request flow

| Layer / File(s) | Summary |
|---|---|
| Create APIKey first with owned Secret and rollback on failure (src/components/apikey/RequestAPIKeyModal.tsx) | Adds k8sDelete import for rollback. The handleSubmit flow now creates APIKey first, then creates Secret with ownerReferences populated from the APIKey metadata; on Secret creation failure, the code attempts to delete the created APIKey before re-throwing the error, preventing orphaned credentials. |

Sequence Diagram

sequenceDiagram
  participant handleSubmit as handleSubmit()
  participant k8sCreate as k8sCreate()
  participant k8sDelete as k8sDelete()
  
  handleSubmit->>k8sCreate: Create APIKey resource
  k8sCreate-->>handleSubmit: APIKey created with metadata.uid
  handleSubmit->>k8sCreate: Create Secret with ownerReferences pointing to APIKey.uid
  alt Secret creation succeeds
    k8sCreate-->>handleSubmit: Secret created
    handleSubmit-->>handleSubmit: Return success
  else Secret creation fails
    k8sCreate-->>handleSubmit: Error thrown
    handleSubmit->>k8sDelete: Delete the created APIKey (rollback)
    k8sDelete-->>handleSubmit: APIKey deleted
    handleSubmit-->>handleSubmit: Re-throw Secret creation error
  end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested reviewers

  • eguzki

Poem

🐰 Secrets once orphaned, now they have kin,
The APIKey's first, the Secret within,
With ownerReferences tying them tight,
And rollback to sweep up when things go not right! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately describes the main change: setting an ownerReference on the API key Secret to enable garbage collection when the API key is deleted. |
| Linked Issues check | ✅ Passed | The changes fully address issue #512 by creating the APIKey first, setting ownerReference on the Secret, and implementing rollback on Secret creation failure. |
| Out of Scope Changes check | ✅ Passed | All changes are directly scoped to the API key Secret ownership and rollback requirements. No unrelated modifications are present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Signed-off-by: shiavm006 <shivammittal42006@gmail.com>
@shiavm006 shiavm006 force-pushed the fix/apikey-secret-ownerref branch from 7ec13ae to 0eab797 on June 5, 2026 21:50
eguzki commented Jul 1, 2026

Collaborator

The code looks good. However, I found an issue while testing that I reported in Kuadrant/developer-portal-controller#78.

The issue is not in the code of this PR, but the changes of this PR activated the issue. We need to address Kuadrant/developer-portal-controller#78 before we merge this issue, or the API creation workflow would be broken.

I also tested the edge case of a pre-existing secret. The APIKey is deleted and the user is notified of the issue.

[Screenshot 2026-07-01 at 15-00-39: My API Keys]

I think it is correct to catch AlreadyExists and report it as an error. Before, these errors were omitted.
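
The flow discussed in this thread (owner created first, Secret created with an ownerReference to it, rollback on failure, including the pre-existing Secret case), as an added example that is not the PR's code. `FakeCluster`, `requestApiKey`, the `example.invalid/v1alpha1` apiVersion and the `api_key` data key are assumptions; the in-memory cluster is synchronous so the block runs offline.

```typescript
// Added example; FakeCluster, requestApiKey, the apiVersion and the data key are assumptions.
type OwnerRef = { apiVersion: string; kind: string; name: string; uid: string };
type Meta = { name: string; namespace: string; uid?: string; ownerReferences?: OwnerRef[] };
type Obj = { apiVersion: string; kind: string; metadata: Meta; [k: string]: unknown };

// Synchronous in-memory stand-in for the API server: AlreadyExists plus owner-based GC.
class FakeCluster {
  objs = new Map<string, Obj>();
  private n = 0;
  private key(o: Obj): string { return `${o.kind}/${o.metadata.namespace}/${o.metadata.name}`; }
  create(o: Obj): Obj {
    if (this.objs.has(this.key(o))) throw new Error("AlreadyExists");
    const stored: Obj = { ...o, metadata: { ...o.metadata, uid: `uid-${++this.n}` } };
    this.objs.set(this.key(o), stored);
    return stored;
  }
  remove(o: Obj): void {
    const uid = this.objs.get(this.key(o))?.metadata.uid;
    this.objs.delete(this.key(o));
    // Garbage collection: drop dependents whose ownerReferences name the deleted uid.
    this.objs.forEach((d, k) => {
      if (d.metadata.ownerReferences?.some((r) => r.uid === uid)) this.objs.delete(k);
    });
  }
}

function requestApiKey(c: FakeCluster, ns: string, name: string, secretName: string, value: string): Obj {
  // 1. Owner first: the server-assigned uid is needed for the ownerReference.
  const apiKey = c.create({
    apiVersion: "example.invalid/v1alpha1", // placeholder group/version
    kind: "APIKey",
    metadata: { name, namespace: ns },
    spec: { secretRef: { name: secretName } }, // Secret name is known up front
  });
  try {
    // 2. Dependent second, in the owner's namespace, pointing at the owner's uid.
    const owner: OwnerRef = { apiVersion: apiKey.apiVersion, kind: apiKey.kind, name, uid: apiKey.metadata.uid! };
    c.create({
      apiVersion: "v1", kind: "Secret",
      metadata: { name: secretName, namespace: ns, ownerReferences: [owner] },
      stringData: { api_key: value }, // constructed data key
    });
  } catch (err) {
    // 3. Roll back so no APIKey is left without its Secret, then surface the error.
    try { c.remove(apiKey); } catch { /* keep the original failure as the reported error */ }
    throw err;
  }
  return apiKey;
}
```

The rollback deletes only the APIKey: a pre-existing Secret carries no ownerReference to the new APIKey's uid, so it is left untouched.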


Development

Successfully merging this pull request may close these issues.

API Key Secret is orphaned on delete — no ownerReference and no rollback on partial failure
