K8SPSMDB-1610 handle user updates when no changes happen#2435
Merged
Conversation
917f07a to
04ee1d5
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses ClusterSync reconcile behavior that was re-applying MongoDB updateUser password/role updates on every reconcile even when the target user was already converged, reducing unnecessary admin writes and avoiding transient update failures in steady state.
Changes:
- Tracks the Secret’s password via a SHA-256 annotation to avoid no-op
UpdateUserPasscalls. - Compares MongoDB user roles against the desired roles (order-insensitive) and skips
UpdateUserRoleswhen already matching. - Updates unit tests to cover steady-state no-op behavior, password-hash mismatch behavior, and role-order tolerance.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/controller/perconaservermongodbclustersync/target_user.go | Adds password-hash annotation logic and role comparison to skip no-op MongoDB user updates; updates secret handling to return the Secret object. |
| pkg/controller/perconaservermongodbclustersync/psmdb_clustersync_controller_test.go | Expands tests for the new “no-op when converged” behavior and annotation/role drift scenarios. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+181
to
185
| func passwordAnnotationMAC(data []byte) string { | ||
| mac := hmac.New(sha256.New, []byte(targetUserPasswordMACKey)) | ||
| mac.Write(data) | ||
| return hex.EncodeToString(mac.Sum(nil)) | ||
| } |
Comment on lines
+31
to
+33
|
|
||
| targetUserPasswordMACAnnotation = "psmdb.percona.com/target-user-password-mac" | ||
| targetUserPasswordMACKey = "psmdb-target-user-password-annotation-v1" |
Comment on lines
4
to
+7
| "context" | ||
| "crypto/hmac" | ||
| "crypto/sha256" | ||
| "encoding/hex" |
| // ref, kept its old password. | ||
| func ensureTargetMongoUser(ctx context.Context, mc mongo.Client, creds psmdb.Credentials) error { | ||
| existing, err := mc.GetUserInfo(ctx, creds.Username, "admin") | ||
| func ensureTargetMongoUser(ctx context.Context, mc mongo.Client, sec *corev1.Secret) (bool, error) { |
egegunes
previously approved these changes
Jul 7, 2026
| targetUserSecretUsernameKey = "username" | ||
| targetUserSecretPasswordKey = "password" | ||
|
|
||
| admin = "admin" |
Member
There was a problem hiding this comment.
can we use a more descriptive name, like adminDBName
mayankshah1607
approved these changes
Jul 7, 2026
egegunes
approved these changes
Jul 7, 2026
Collaborator
commit: 6101778 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CHANGE DESCRIPTION
Problem:
Related issue: #2430
Cause:
Short explanation of the root cause of the issue if applicable.
Solution:
Short explanation of the solution we are providing with this PR.
CHECKLIST
Jira
Needs Doc) and QA (Needs QA)?Tests
compare/*-oc.yml)?Config/Logging/Testability