Add AC finalizer management

Signed-off-by: Veronika Fisarova <vfisarov@redhat.com>

Author: Deydra71

api/bases/barbican.openstack.org_barbicans.yaml

@@ -840,6 +840,13 @@ spec:
           status:
             description: BarbicanStatus defines the observed state of Barbican
             properties:
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret barbican is currently
+                  consuming and protecting with the openstack.org/barbican-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               barbicanAPIReadyCount:
                 description: ReadyCount of Barbican API instances
                 format: int32

api/v1beta1/barbican_types.go

@@ -155,6 +155,12 @@ type BarbicanStatus struct {
 	// Barbican Database Hostname
 	DatabaseHostname string `json:"databaseHostname,omitempty"`
 
+	// ApplicationCredentialSecret - the AC secret barbican is currently
+	// consuming and protecting with the openstack.org/barbican-ac-consumer
+	// finalizer. Tracked so the controller can remove its finalizer from the
+	// old secret when the openstack-operator rotates the reference.
+	ApplicationCredentialSecret string `json:"applicationCredentialSecret,omitempty"`
+
 	// ObservedGeneration - the most recent generation observed for this
 	// service. If the observed generation is less than the spec generation,
 	// then the controller has not processed the latest changes injected by

config/crd/bases/barbican.openstack.org_barbicans.yaml

@@ -840,6 +840,13 @@ spec:
           status:
             description: BarbicanStatus defines the observed state of Barbican
             properties:
+              applicationCredentialSecret:
+                description: |-
+                  ApplicationCredentialSecret - the AC secret barbican is currently
+                  consuming and protecting with the openstack.org/barbican-ac-consumer
+                  finalizer. Tracked so the controller can remove its finalizer from the
+                  old secret when the openstack-operator rotates the reference.
+                type: string
               barbicanAPIReadyCount:
                 description: ReadyCount of Barbican API instances
                 format: int32

internal/barbican/const.go

@@ -70,4 +70,6 @@ const (
 	BarbicanUID int64 = 42403
 	// BarbicanGID - based on https://github.com/openstack-k8s-operators/tcib/blob/main/container-images/kolla/base/uid_gid_manage.sh
 	BarbicanGID int64 = 42403
+	// ACConsumerFinalizer is added to AC secrets that barbican is actively consuming
+	ACConsumerFinalizer = "openstack.org/barbican-ac-consumer"
 )

internal/controller/barbican_controller.go

@@ -391,6 +391,11 @@ func (r *BarbicanReconciler) reconcileNormal(ctx context.Context, instance *barb
 
 	instance.Status.Conditions.MarkTrue(condition.ServiceConfigReadyCondition, condition.ServiceConfigReadyMessage)
 
+	// Manage consumer finalizer, the AC data was already read and rendered to the service config secret
+	if err := r.manageACSecretFinalizer(ctx, helper, instance); err != nil {
+		return ctrl.Result{}, err
+	}
+
 	// networks to attach to
 	nadList := []networkv1.NetworkAttachmentDefinition{}
 	for _, netAtt := range instance.Spec.BarbicanAPI.NetworkAttachments {
@@ -611,13 +616,78 @@ func (r *BarbicanReconciler) reconcileDelete(ctx context.Context, instance *barb
 		}
 	}
 
+	// Remove consumer finalizer from the AC secret barbican was consuming.
+	if instance.Status.ApplicationCredentialSecret != "" {
+		acSecret := &corev1.Secret{}
+		acKey := types.NamespacedName{
+			Name:      instance.Status.ApplicationCredentialSecret,
+			Namespace: instance.Namespace,
+		}
+		if err := r.Get(ctx, acKey, acSecret); err != nil {
+			if !k8s_errors.IsNotFound(err) {
+				return ctrl.Result{}, err
+			}
+			Log.Info("AC secret already deleted, skipping consumer finalizer removal",
+				"secret", instance.Status.ApplicationCredentialSecret)
+		} else if err := object.RemoveConsumerFinalizer(ctx, helper, acSecret, barbican.ACConsumerFinalizer); err != nil {
+			return ctrl.Result{}, err
+		}
+	}
+
 	// Service is deleted so remove the finalizer.
 	controllerutil.RemoveFinalizer(instance, helper.GetFinalizer())
 	Log.Info(fmt.Sprintf("Reconciled Service '%s' delete successfully", instance.Name))
 
 	return ctrl.Result{}, nil
 }
 
+// manageACSecretFinalizer ensures barbican's consumer finalizer is present on
+// the AC secret it is currently consuming and absent from any previously-used
+// AC secret. Status.ApplicationCredentialSecret tracks which secret currently
+// carries the finalizer.
+func (r *BarbicanReconciler) manageACSecretFinalizer(
+	ctx context.Context,
+	h *helper.Helper,
+	instance *barbicanv1beta1.Barbican,
+) error {
+	newSecretName := instance.Spec.Auth.ApplicationCredentialSecret
+	oldSecretName := instance.Status.ApplicationCredentialSecret
+
+	if newSecretName == oldSecretName {
+		return nil
+	}
+
+	var newObj, oldObj client.Object
+
+	if newSecretName != "" {
+		secret := &corev1.Secret{}
+		key := types.NamespacedName{Name: newSecretName, Namespace: instance.Namespace}
+		if err := h.GetClient().Get(ctx, key, secret); err != nil {
+			return fmt.Errorf("failed to get new AC secret %s: %w", newSecretName, err)
+		}
+		newObj = secret
+	}
+
+	if oldSecretName != "" {
+		secret := &corev1.Secret{}
+		key := types.NamespacedName{Name: oldSecretName, Namespace: instance.Namespace}
+		if err := h.GetClient().Get(ctx, key, secret); err != nil {
+			if !k8s_errors.IsNotFound(err) {
+				return fmt.Errorf("failed to get old AC secret %s: %w", oldSecretName, err)
+			}
+		} else {
+			oldObj = secret
+		}
+	}
+
+	if err := object.ManageConsumerFinalizer(ctx, h, newObj, oldObj, barbican.ACConsumerFinalizer); err != nil {
+		return err
+	}
+
+	instance.Status.ApplicationCredentialSecret = newSecretName
+	return nil
+}
+
 // fields to index to reconcile when change
 const (
 	passwordSecretField                 = ".spec.secret"

test/functional/barbican_controller_test.go

@@ -1803,6 +1803,164 @@ var _ = Describe("Barbican controller", func() {
 		})
 	})
 
+	When("ApplicationCredential consumer finalizer is managed", func() {
+		var (
+			acSecretName          string
+			servicePasswordSecret string
+		)
+
+		BeforeEach(func() {
+			servicePasswordSecret = "ac-test-osp-secret" //nolint:gosec // G101
+
+			DeferCleanup(k8sClient.Delete, ctx,
+				CreateBarbicanMessageBusSecret(
+					barbicanTest.Instance.Namespace,
+					barbicanTest.RabbitmqSecretName,
+				),
+			)
+			DeferCleanup(k8sClient.Delete, ctx,
+				CreateBarbicanSecret(
+					barbicanTest.Instance.Namespace, servicePasswordSecret))
+
+			acSecretName = "ac-barbican-a1b2c-secret" //nolint:gosec // G101
+			secret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: barbicanTest.Instance.Namespace,
+					Name:      acSecretName,
+				},
+				Data: map[string][]byte{
+					keystonev1.ACIDSecretKey:     []byte("a1b2ctest-ac-id"),
+					keystonev1.ACSecretSecretKey: []byte("test-ac-secret"),
+				},
+			}
+			DeferCleanup(k8sClient.Delete, ctx, secret)
+			Expect(k8sClient.Create(ctx, secret)).To(Succeed())
+
+			spec := GetDefaultBarbicanSpec()
+			spec["secret"] = servicePasswordSecret
+			spec["simpleCryptoBackendSecret"] = servicePasswordSecret
+			spec["auth"] = map[string]any{
+				"applicationCredentialSecret": acSecretName,
+			}
+			DeferCleanup(th.DeleteInstance,
+				CreateBarbican(barbicanTest.Instance, spec))
+			DeferCleanup(
+				mariadb.DeleteDBService,
+				mariadb.CreateDBService(
+					barbicanTest.Instance.Namespace,
+					GetBarbican(barbicanTest.Instance).Spec.DatabaseInstance,
+					corev1.ServiceSpec{
+						Ports: []corev1.ServicePort{{Port: 3306}}}))
+
+			DeferCleanup(keystone.DeleteKeystoneAPI,
+				keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace))
+
+			infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL)
+			mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount)
+			mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName)
+			th.SimulateJobSuccess(barbicanTest.BarbicanDBSync)
+			keystone.SimulateKeystoneEndpointReady(barbicanTest.BarbicanKeystoneEndpoint)
+		})
+
+		It("should add the consumer finalizer to the AC secret", func() {
+			Eventually(func(g Gomega) {
+				secret := th.GetSecret(types.NamespacedName{
+					Namespace: barbicanTest.Instance.Namespace,
+					Name:      acSecretName,
+				})
+				g.Expect(secret.Finalizers).To(
+					ContainElement(barbican.ACConsumerFinalizer))
+			}, timeout, interval).Should(Succeed())
+		})
+
+		It("should track the consumed AC secret in status", func() {
+			Eventually(func(g Gomega) {
+				b := GetBarbican(barbicanTest.Instance)
+				g.Expect(b.Status.ApplicationCredentialSecret).To(Equal(acSecretName))
+			}, timeout, interval).Should(Succeed())
+		})
+
+		It("should move the finalizer from the old to the new secret on rotation", func() {
+			// Wait for the initial finalizer to appear
+			Eventually(func(g Gomega) {
+				secret := th.GetSecret(types.NamespacedName{
+					Namespace: barbicanTest.Instance.Namespace,
+					Name:      acSecretName,
+				})
+				g.Expect(secret.Finalizers).To(
+					ContainElement(barbican.ACConsumerFinalizer))
+			}, timeout, interval).Should(Succeed())
+
+			// Create a new AC secret
+			newACSecretName := "ac-barbican-x9y8z-secret" //nolint:gosec // G101
+			newSecret := &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Namespace: barbicanTest.Instance.Namespace,
+					Name:      newACSecretName,
+				},
+				Data: map[string][]byte{
+					keystonev1.ACIDSecretKey:     []byte("x9y8zrotated-ac-id"),
+					keystonev1.ACSecretSecretKey: []byte("rotated-ac-secret"),
+				},
+			}
+			DeferCleanup(k8sClient.Delete, ctx, newSecret)
+			Expect(k8sClient.Create(ctx, newSecret)).To(Succeed())
+
+			// Update the Barbican CR to reference the new AC secret
+			Eventually(func(g Gomega) {
+				b := GetBarbican(barbicanTest.Instance)
+				b.Spec.Auth.ApplicationCredentialSecret = newACSecretName
+				g.Expect(k8sClient.Update(ctx, b)).Should(Succeed())
+			}, timeout, interval).Should(Succeed())
+
+			// New secret should gain the consumer finalizer
+			Eventually(func(g Gomega) {
+				secret := th.GetSecret(types.NamespacedName{
+					Namespace: barbicanTest.Instance.Namespace,
+					Name:      newACSecretName,
+				})
+				g.Expect(secret.Finalizers).To(
+					ContainElement(barbican.ACConsumerFinalizer))
+			}, timeout, interval).Should(Succeed())
+
+			// Old secret should lose the consumer finalizer
+			Eventually(func(g Gomega) {
+				secret := th.GetSecret(types.NamespacedName{
+					Namespace: barbicanTest.Instance.Namespace,
+					Name:      acSecretName,
+				})
+				g.Expect(secret.Finalizers).NotTo(
+					ContainElement(barbican.ACConsumerFinalizer))
+			}, timeout, interval).Should(Succeed())
+
+			// Status should reflect the new secret
+			Eventually(func(g Gomega) {
+				b := GetBarbican(barbicanTest.Instance)
+				g.Expect(b.Status.ApplicationCredentialSecret).To(Equal(newACSecretName))
+			}, timeout, interval).Should(Succeed())
+		})
+
+		It("should remove the consumer finalizer from AC secret on CR deletion", func() {
+			Eventually(func(g Gomega) {
+				secret := th.GetSecret(types.NamespacedName{
+					Namespace: barbicanTest.Instance.Namespace,
+					Name:      acSecretName,
+				})
+				g.Expect(secret.Finalizers).To(
+					ContainElement(barbican.ACConsumerFinalizer))
+			}, timeout, interval).Should(Succeed())
+
+			th.DeleteInstance(GetBarbican(barbicanTest.Instance))
+
+			secret := th.GetSecret(types.NamespacedName{
+				Namespace: barbicanTest.Instance.Namespace,
+				Name:      acSecretName,
+			})
+			Expect(secret.Finalizers).NotTo(
+				ContainElement(barbican.ACConsumerFinalizer))
+		})
+	})
+
 	// Run MariaDBAccount suite tests.  these are pre-packaged ginkgo tests
 	// that exercise standard account create / update patterns that should be
 	// common to all controllers that ensure MariaDBAccount CRs.