Add per-node secret rotation tracking with drift detection

lmiccini · claude · lmiccini · commit ceeb53549fac · 2026-04-24T18:19:34.000+02:00
Track secret deployment progress across nodeset nodes using a ConfigMap
to store detailed per-secret version info and a summary in the CR status.
This enables credential rotation safety by blocking deletion of old
credentials until all nodes have been updated with the new version.

Key capabilities:
- Per-node tracking of which secret versions are deployed
- Drift detection comparing cluster secrets vs deployed versions
- Gradual rollout support via AnsibleLimit-aware node tracking
- Stale deployment detection to prevent flip-flop during rotation
- Fail-safe defaults (assume drift when tracking is unavailable)

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/api/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml b/api/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml
@@ -1987,6 +1987,35 @@ spec:
                   generation, then the controller has not processed the latest changes.
                 format: int64
                 type: integer
+              secretDeployment:
+                description: |-
+                  SecretDeployment tracks secret deployment progress across nodeset nodes
+                  Details are stored in a ConfigMap to avoid bloating the CR status
+                properties:
+                  allNodesUpdated:
+                    description: AllNodesUpdated indicates all nodes have current
+                      versions of all tracked secrets
+                    type: boolean
+                  configMapName:
+                    description: ConfigMapName references the ConfigMap containing
+                      detailed per-secret tracking
+                    type: string
+                  lastUpdateTime:
+                    description: LastUpdateTime is when this status was last updated
+                    format: date-time
+                    type: string
+                  totalNodes:
+                    description: TotalNodes is the total number of nodes in the nodeset
+                    type: integer
+                  updatedNodes:
+                    description: UpdatedNodes is count of nodes with all current secret
+                      versions
+                    type: integer
+                required:
+                - allNodesUpdated
+                - totalNodes
+                - updatedNodes
+                type: object
               secretHashes:
                 additionalProperties:
                   type: string
diff --git a/api/dataplane/v1beta1/openstackdataplanenodeset_types.go b/api/dataplane/v1beta1/openstackdataplanenodeset_types.go
@@ -163,6 +163,28 @@ type OpenStackDataPlaneNodeSetStatus struct {
 
 	//DeployedBmhHash - Hash of BMHs deployed
 	DeployedBmhHash string `json:"deployedBmhHash,omitempty"`
+
+	// SecretDeployment tracks secret deployment progress across nodeset nodes
+	// Details are stored in a ConfigMap to avoid bloating the CR status
+	SecretDeployment *SecretDeploymentStatus `json:"secretDeployment,omitempty"`
+}
+
+// SecretDeploymentStatus tracks secret deployment progress across nodeset nodes
+type SecretDeploymentStatus struct {
+	// AllNodesUpdated indicates all nodes have current versions of all tracked secrets
+	AllNodesUpdated bool `json:"allNodesUpdated"`
+
+	// TotalNodes is the total number of nodes in the nodeset
+	TotalNodes int `json:"totalNodes"`
+
+	// UpdatedNodes is count of nodes with all current secret versions
+	UpdatedNodes int `json:"updatedNodes"`
+
+	// ConfigMapName references the ConfigMap containing detailed per-secret tracking
+	ConfigMapName string `json:"configMapName,omitempty"`
+
+	// LastUpdateTime is when this status was last updated
+	LastUpdateTime *metav1.Time `json:"lastUpdateTime,omitempty"`
 }
 
 // +kubebuilder:object:root=true
@@ -183,6 +205,14 @@ func (instance OpenStackDataPlaneNodeSet) IsReady() bool {
 	return instance.Status.Conditions.IsTrue(condition.ReadyCondition)
 }
 
+// AreAllNodesUpdated returns true if all nodes in the nodeset have been updated
+// with current versions of all tracked secrets. Returns false if secret deployment
+// tracking is not initialized or if any nodes have pending updates.
+func (instance OpenStackDataPlaneNodeSet) AreAllNodesUpdated() bool {
+	return instance.Status.SecretDeployment != nil &&
+		instance.Status.SecretDeployment.AllNodesUpdated
+}
+
 // InitConditions - Initializes Status Conditons
 func (instance *OpenStackDataPlaneNodeSet) InitConditions() {
 	instance.Status.Conditions = condition.Conditions{}
diff --git a/api/dataplane/v1beta1/zz_generated.deepcopy.go b/api/dataplane/v1beta1/zz_generated.deepcopy.go
diff --git a/bindata/crds/crds.yaml b/bindata/crds/crds.yaml
@@ -21193,6 +21193,35 @@ spec:
                   generation, then the controller has not processed the latest changes.
                 format: int64
                 type: integer
+              secretDeployment:
+                description: |-
+                  SecretDeployment tracks secret deployment progress across nodeset nodes
+                  Details are stored in a ConfigMap to avoid bloating the CR status
+                properties:
+                  allNodesUpdated:
+                    description: AllNodesUpdated indicates all nodes have current
+                      versions of all tracked secrets
+                    type: boolean
+                  configMapName:
+                    description: ConfigMapName references the ConfigMap containing
+                      detailed per-secret tracking
+                    type: string
+                  lastUpdateTime:
+                    description: LastUpdateTime is when this status was last updated
+                    format: date-time
+                    type: string
+                  totalNodes:
+                    description: TotalNodes is the total number of nodes in the nodeset
+                    type: integer
+                  updatedNodes:
+                    description: UpdatedNodes is count of nodes with all current secret
+                      versions
+                    type: integer
+                required:
+                - allNodesUpdated
+                - totalNodes
+                - updatedNodes
+                type: object
               secretHashes:
                 additionalProperties:
                   type: string
diff --git a/bindata/rbac/infra-operator-rbac.yaml b/bindata/rbac/infra-operator-rbac.yaml
@@ -159,6 +159,14 @@ rules:
     - get
     - list
     - watch
+- apiGroups:
+    - dataplane.openstack.org
+  resources:
+    - openstackdataplanenodesets
+  verbs:
+    - get
+    - list
+    - watch
 - apiGroups:
     - frrk8s.metallb.io
   resources:
diff --git a/cmd/main.go b/cmd/main.go
@@ -344,9 +344,10 @@ func main() {
 		os.Exit(1)
 	}
 	if err := (&dataplanecontroller.OpenStackDataPlaneNodeSetReconciler{
-		Client:  mgr.GetClient(),
-		Scheme:  mgr.GetScheme(),
-		Kclient: kclient,
+		Client:    mgr.GetClient(),
+		APIReader: mgr.GetAPIReader(),
+		Scheme:    mgr.GetScheme(),
+		Kclient:   kclient,
 	}).SetupWithManager(ctx, mgr); err != nil {
 		setupLog.Error(err, "unable to create controller", "controller", "OpenStackDataPlaneNodeSet")
 		os.Exit(1)
diff --git a/config/crd/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml b/config/crd/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml
@@ -1987,6 +1987,35 @@ spec:
                   generation, then the controller has not processed the latest changes.
                 format: int64
                 type: integer
+              secretDeployment:
+                description: |-
+                  SecretDeployment tracks secret deployment progress across nodeset nodes
+                  Details are stored in a ConfigMap to avoid bloating the CR status
+                properties:
+                  allNodesUpdated:
+                    description: AllNodesUpdated indicates all nodes have current
+                      versions of all tracked secrets
+                    type: boolean
+                  configMapName:
+                    description: ConfigMapName references the ConfigMap containing
+                      detailed per-secret tracking
+                    type: string
+                  lastUpdateTime:
+                    description: LastUpdateTime is when this status was last updated
+                    format: date-time
+                    type: string
+                  totalNodes:
+                    description: TotalNodes is the total number of nodes in the nodeset
+                    type: integer
+                  updatedNodes:
+                    description: UpdatedNodes is count of nodes with all current secret
+                      versions
+                    type: integer
+                required:
+                - allNodesUpdated
+                - totalNodes
+                - updatedNodes
+                type: object
               secretHashes:
                 additionalProperties:
                   type: string
diff --git a/internal/controller/dataplane/credentials_test.go b/internal/controller/dataplane/credentials_test.go
diff --git a/internal/controller/dataplane/openstackdataplanenodeset_controller.go b/internal/controller/dataplane/openstackdataplanenodeset_controller.go
