Add per-node secret rotation tracking with drift detection

Implements persistent tracking of secret versions deployed to each node
in OpenStackDataPlaneNodeSet to coordinate safe deletion of old
credentials during gradual rollouts.

Implementation:

- ConfigMap-based storage (`<nodeset-name>-secret-tracking`) records
  which secret versions are deployed to each node

- Tracks "Current" (deployed) vs "Expected" (cluster) secret states:
  - Current: Hash of secrets actually deployed to nodes
  - Expected: Hash of secrets currently in cluster
  - Drift detected when Current != Expected

- Deployment processing updates tracking data per node with secret
  hashes, skipping stale deployments (hash != cluster hash)

- Drift detection runs after each reconciliation, comparing cluster
  secrets against tracking ConfigMap, using APIReader to bypass cache

- Status field SecretDeployment reports:
  - UpdatedNodes: count of nodes on current secret versions
  - AllNodesUpdated: whether all nodes have current versions
  - ConfigMapName, TotalNodes, LastUpdateTime

- APIReader field added to reconciler to read directly from Kubernetes
  API, bypassing controller-runtime cache for accurate drift detection

This enables safe credential deletion only when all nodes across all
nodesets sharing the credentials have been updated.

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: lmiccini

api/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml

@@ -1987,6 +1987,35 @@ spec:
                   generation, then the controller has not processed the latest changes.
                 format: int64
                 type: integer
+              secretDeployment:
+                description: |-
+                  SecretDeployment tracks secret deployment progress across nodeset nodes
+                  Details are stored in a ConfigMap to avoid bloating the CR status
+                properties:
+                  allNodesUpdated:
+                    description: AllNodesUpdated indicates all nodes have current
+                      versions of all tracked secrets
+                    type: boolean
+                  configMapName:
+                    description: ConfigMapName references the ConfigMap containing
+                      detailed per-secret tracking
+                    type: string
+                  lastUpdateTime:
+                    description: LastUpdateTime is when this status was last updated
+                    format: date-time
+                    type: string
+                  totalNodes:
+                    description: TotalNodes is the total number of nodes in the nodeset
+                    type: integer
+                  updatedNodes:
+                    description: UpdatedNodes is count of nodes with all current secret
+                      versions
+                    type: integer
+                required:
+                - allNodesUpdated
+                - totalNodes
+                - updatedNodes
+                type: object
               secretHashes:
                 additionalProperties:
                   type: string

api/dataplane/v1beta1/openstackdataplanenodeset_types.go

@@ -163,6 +163,28 @@ type OpenStackDataPlaneNodeSetStatus struct {
 
 	//DeployedBmhHash - Hash of BMHs deployed
 	DeployedBmhHash string `json:"deployedBmhHash,omitempty"`
+
+	// SecretDeployment tracks secret deployment progress across nodeset nodes
+	// Details are stored in a ConfigMap to avoid bloating the CR status
+	SecretDeployment *SecretDeploymentStatus `json:"secretDeployment,omitempty"`
+}
+
+// SecretDeploymentStatus tracks secret deployment progress across nodeset nodes
+type SecretDeploymentStatus struct {
+	// AllNodesUpdated indicates all nodes have current versions of all tracked secrets
+	AllNodesUpdated bool `json:"allNodesUpdated"`
+
+	// TotalNodes is the total number of nodes in the nodeset
+	TotalNodes int `json:"totalNodes"`
+
+	// UpdatedNodes is count of nodes with all current secret versions
+	UpdatedNodes int `json:"updatedNodes"`
+
+	// ConfigMapName references the ConfigMap containing detailed per-secret tracking
+	ConfigMapName string `json:"configMapName,omitempty"`
+
+	// LastUpdateTime is when this status was last updated
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -183,6 +205,14 @@ func (instance OpenStackDataPlaneNodeSet) IsReady() bool {
 	return instance.Status.Conditions.IsTrue(condition.ReadyCondition)
 }
 
+// AreAllNodesUpdated returns true if all nodes in the nodeset have been updated
+// with current versions of all tracked secrets. Returns false if secret deployment
+// tracking is not initialized or if any nodes have pending updates.
+func (instance OpenStackDataPlaneNodeSet) AreAllNodesUpdated() bool {
+	return instance.Status.SecretDeployment != nil &&
+		instance.Status.SecretDeployment.AllNodesUpdated
+}
+
 // InitConditions - Initializes Status Conditons
 func (instance *OpenStackDataPlaneNodeSet) InitConditions() {
 	instance.Status.Conditions = condition.Conditions{}

api/dataplane/v1beta1/zz_generated.deepcopy.go

@@ -21193,6 +21193,35 @@ spec:
                   generation, then the controller has not processed the latest changes.
                 format: int64
                 type: integer
+              secretDeployment:
+                description: |-
+                  SecretDeployment tracks secret deployment progress across nodeset nodes
+                  Details are stored in a ConfigMap to avoid bloating the CR status
+                properties:
+                  allNodesUpdated:
+                    description: AllNodesUpdated indicates all nodes have current
+                      versions of all tracked secrets
+                    type: boolean
+                  configMapName:
+                    description: ConfigMapName references the ConfigMap containing
+                      detailed per-secret tracking
+                    type: string
+                  lastUpdateTime:
+                    description: LastUpdateTime is when this status was last updated
+                    format: date-time
+                    type: string
+                  totalNodes:
+                    description: TotalNodes is the total number of nodes in the nodeset
+                    type: integer
+                  updatedNodes:
+                    description: UpdatedNodes is count of nodes with all current secret
+                      versions
+                    type: integer
+                required:
+                - allNodesUpdated
+                - totalNodes
+                - updatedNodes
+                type: object
               secretHashes:
                 additionalProperties:
                   type: string

bindata/crds/crds.yaml

@@ -159,6 +159,14 @@ rules:
     - get
     - list
     - watch
+- apiGroups:
+    - dataplane.openstack.org
+  resources:
+    - openstackdataplanenodesets
+  verbs:
+    - get
+    - list
+    - watch
 - apiGroups:
     - frrk8s.metallb.io
   resources:

bindata/rbac/infra-operator-rbac.yaml

@@ -728,6 +728,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - rabbitmq.openstack.org
+  resources:
+  - rabbitmqusers
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

bindata/rbac/rbac.yaml

@@ -344,9 +344,10 @@ func main() {
 		os.Exit(1)
 	}
 	if err := (&dataplanecontroller.OpenStackDataPlaneNodeSetReconciler{
-		Client:  mgr.GetClient(),
-		Scheme:  mgr.GetScheme(),
-		Kclient: kclient,
+		Client:    mgr.GetClient(),
+		APIReader: mgr.GetAPIReader(),
+		Scheme:    mgr.GetScheme(),
+		Kclient:   kclient,
 	}).SetupWithManager(ctx, mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "OpenStackDataPlaneNodeSet")
 		os.Exit(1)

cmd/main.go

@@ -1987,6 +1987,35 @@ spec:
                   generation, then the controller has not processed the latest changes.
                 format: int64
                 type: integer
+              secretDeployment:
+                description: |-
+                  SecretDeployment tracks secret deployment progress across nodeset nodes
+                  Details are stored in a ConfigMap to avoid bloating the CR status
+                properties:
+                  allNodesUpdated:
+                    description: AllNodesUpdated indicates all nodes have current
+                      versions of all tracked secrets
+                    type: boolean
+                  configMapName:
+                    description: ConfigMapName references the ConfigMap containing
+                      detailed per-secret tracking
+                    type: string
+                  lastUpdateTime:
+                    description: LastUpdateTime is when this status was last updated
+                    format: date-time
+                    type: string
+                  totalNodes:
+                    description: TotalNodes is the total number of nodes in the nodeset
+                    type: integer
+                  updatedNodes:
+                    description: UpdatedNodes is count of nodes with all current secret
+                      versions
+                    type: integer
+                required:
+                - allNodesUpdated
+                - totalNodes
+                - updatedNodes
+                type: object
               secretHashes:
                 additionalProperties:
                   type: string

config/crd/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml

@@ -679,6 +679,14 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - rabbitmq.openstack.org
+  resources:
+  - rabbitmqusers
+  verbs:
+  - get
+  - list
+  - watch
 - apiGroups:
   - rbac.authorization.k8s.io
   resources: