fix: Use NonCachingClient to look up user-provided secrets

svor · claude · svor · commit d440ad1d5f41 · 2026-06-17T14:38:13.000+03:00
The cached client only tracks operator-managed secrets, so
user-created secrets were not visible during reconciliation.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml b/bundle/next/eclipse-che/manifests/che-operator.clusterserviceversion.yaml
@@ -86,7 +86,7 @@ metadata:
     categories: Developer Tools
     certified: "false"
     containerImage: quay.io/eclipse/che-operator:next
-    createdAt: "2026-06-16T12:46:18Z"
+    createdAt: "2026-06-17T11:32:24Z"
     description: A Kube-native development solution that delivers portable and collaborative
       developer workspaces.
     features.operators.openshift.io/cnf: "false"
@@ -108,7 +108,7 @@ metadata:
     operatorframework.io/arch.amd64: supported
     operatorframework.io/arch.arm64: supported
     operatorframework.io/os.linux: supported
-  name: eclipse-che.v7.119.0-1020.next
+  name: eclipse-che.v7.119.0-1021.next
   namespace: placeholder
 spec:
   apiservicedefinitions: {}
@@ -1166,7 +1166,7 @@ spec:
       name: openvsx
     - image: quay.io/sclorg/postgresql-16-c9s:20260319
       name: openvsx-postgres
-  version: 7.119.0-1020.next
+  version: 7.119.0-1021.next
   webhookdefinitions:
     - admissionReviewVersions:
         - v1
diff --git a/pkg/deploy/openvsx/database/openvsx_database.go b/pkg/deploy/openvsx/database/openvsx_database.go
@@ -96,27 +96,35 @@ var requiredSecretKeys = []string{
 func (p *OpenVSXDatabaseReconciler) syncSecret(ctx *chetypes.DeployContext) (bool, error) {
 	secretName := GetCredentialsSecretName(ctx)
 
+	if isUserProvidedSecret(ctx) {
+		secret := &corev1.Secret{}
+		err := ctx.ClusterAPI.NonCachingClient.Get(context.TODO(), types.NamespacedName{
+			Name:      secretName,
+			Namespace: ctx.CheCluster.Namespace,
+		}, secret)
+		if err != nil {
+			if errors.IsNotFound(err) {
+				return false, fmt.Errorf("credentials secret '%s' not found", secretName)
+			}
+			return false, err
+		}
+		return validateSecretKeys(secret)
+	}
+
 	secret := &corev1.Secret{}
 	err := ctx.ClusterAPI.Client.Get(context.TODO(), types.NamespacedName{
 		Name:      secretName,
 		Namespace: ctx.CheCluster.Namespace,
 	}, secret)
 
 	if err == nil {
-		if isUserProvidedSecret(ctx) {
-			return validateSecretKeys(secret)
-		}
 		return true, nil
 	}
 
 	if !errors.IsNotFound(err) {
 		return false, err
 	}
 
-	if isUserProvidedSecret(ctx) {
-		return false, fmt.Errorf("credentials secret '%s' not found", secretName)
-	}
-
 	secret = &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			Kind:       "Secret",
