12 changes: 12 additions & 0 deletions apis/bases/rabbitmq.openstack.org_transporturls.yaml
Expand Up @@ -132,6 +132,12 @@ spec:
finalizer removal was deferred during a credential rotation, pending
deployment verification. Only set while a rotation is in progress.
type: string
previousSecretName:
description: |-
PreviousSecretName - name of the previous TransportURL secret retained
during credential rotation, pending consumer finalization.
Cleared when the old secret is cleaned up after all consumers release it.
type: string
queueType:
description: QueueType - the queue type from the associated RabbitMq
instance
Expand All @@ -153,6 +159,12 @@ spec:
rabbitmqVhost:
description: RabbitmqVhost - the actual vhost name used
type: string
secretHash:
description: |-
SecretHash - hash of the current TransportURL secret content.
Consuming services compare this with the hash they computed to
confirm credential rotation is complete.
type: string
secretName:
description: SecretName - name of the secret containing the rabbitmq
transport URL
29 changes: 9 additions & 20 deletions apis/rabbitmq/v1beta1/conditions.go
Expand Up @@ -62,28 +62,17 @@ const (
// completion, so the user controller can safely auto-delete the CR on sight.
RabbitMQUserOrphanedLabel = "rabbitmq.openstack.org/orphaned"

// EDPMServiceAnnotation overrides the automatic owner-based EDPM detection
// for a TransportURL. When set to "true", the controller always uses the
// two-phase NodeSet sync check. When "false", it releases the old user
// immediately. When unset, the controller infers EDPM status from the
// ownerReference Kind (Nova and NeutronAPI are EDPM; everything else is not).
EDPMServiceAnnotation = "rabbitmq.openstack.org/edpm-service"
// TransportSecretProtectionFinalizer prevents a transport URL secret from
// being deleted while it is referenced by a TransportURL (current or previous).
// Added atomically at secret creation; removed during cleanup.
TransportSecretProtectionFinalizer = "openstack.org/transport-secret-protection"

// TransportSecretConsumerSuffix is the suffix appended to the operator name
// to form the consumer finalizer on transport URL secrets.
// Example: "openstack.org/keystone-transport-consumer"
TransportSecretConsumerSuffix = "-transport-consumer"
)

// edpmOwnerKinds lists the owner CR Kinds whose TransportURLs serve
// EDPM-deployed agents and therefore require NodeSet hash-sync gating
// during credential rotation.
var edpmOwnerKinds = map[string]bool{
"Nova": true,
"NeutronAPI": true,
}

// IsEDPMOwnerKind reports whether the given owner Kind serves
// EDPM-deployed agents that require NodeSet hash-sync gating.
func IsEDPMOwnerKind(kind string) bool {
return edpmOwnerKinds[kind]
}

// TransportURLFinalizerFor returns the per-consumer finalizer for a TransportURL.
// If the name fits within Kubernetes' 63-char name segment limit, it is used directly
// (preserving human readability and reverse mapping). For longer names, the suffix
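Review bot: Nothing in this hunk bounds how long an old transport secret stays pinned by TransportSecretProtectionFinalizer (L63-L66) or by a consumer finalizer built from TransportSecretConsumerSuffix (L68-L71): a consumer operator that is down, uninstalled, or never adopted the new protocol leaves the previous secret — and presumably the old RabbitMQ credentials embedded in its transport URL — retained indefinitely, whereas the removed EDPM gating (L57-L62, L74-L86) at least named an explicit release condition. I'd state that in the finalizer comment, e.g. `// A consumer that never removes its finalizer pins the old secret (and its credentials) indefinitely; recovery requires manual finalizer removal.`, and consider surfacing the stalled state as a TransportURL condition so a stuck revocation is visible. The suffix comment should also say whether a long operator name plus "-transport-consumer" goes through the 63-char truncation that TransportURLFinalizerFor describes, since the example only covers the short case. TransportURLFinalizerFor begins at L88 and its body continues outside the hunk.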
10 changes: 10 additions & 0 deletions apis/rabbitmq/v1beta1/transporturl_types.go
Expand Up @@ -66,6 +66,16 @@ type TransportURLStatus struct {
// Empty if using default cluster admin credentials (no dedicated RabbitMQUser CR)
RabbitmqUserRef string `json:"rabbitmqUserRef,omitempty"`

// SecretHash - hash of the current TransportURL secret content.
// Consuming services compare this with the hash they computed to
// confirm credential rotation is complete.
SecretHash string `json:"secretHash,omitempty"`

// PreviousSecretName - name of the previous TransportURL secret retained
// during credential rotation, pending consumer finalization.
// Cleared when the old secret is cleaned up after all consumers release it.
PreviousSecretName string `json:"previousSecretName,omitempty"`

// PreviousRabbitmqUserRef - the name of a previous RabbitMQUser CR whose
// finalizer removal was deferred during a credential rotation, pending
// deployment verification. Only set while a rotation is in progress.
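Review bot: SecretHash (L98-L101) publishes a digest of the transport secret's content on a status object that anyone with get on TransportURLs can read, a wider audience than the Secret itself; if it is a plain unkeyed hash of a URL whose only unknown part is the RabbitMQ password, a status reader can verify password guesses offline against it. Either document which hash helper produces it and that the consumer side must use the identical helper for the comparison to hold, or derive it from something that does not leak content — an HMAC keyed with per-TransportURL random data, or the Secret's resourceVersion — and say so in the comment, e.g. `// SecretHash - digest of the current secret computed with <helper>; consumers must use the same helper for the comparison to hold.` Whether the value is a raw content hash cannot be seen from this hunk, so this is a point to confirm against the controller. The TransportURLStatus struct starts at L94 and continues past the hunk.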
12 changes: 12 additions & 0 deletions config/crd/bases/rabbitmq.openstack.org_transporturls.yaml
Expand Up @@ -132,6 +132,12 @@ spec:
finalizer removal was deferred during a credential rotation, pending
deployment verification. Only set while a rotation is in progress.
type: string
previousSecretName:
description: |-
PreviousSecretName - name of the previous TransportURL secret retained
during credential rotation, pending consumer finalization.
Cleared when the old secret is cleaned up after all consumers release it.
type: string
queueType:
description: QueueType - the queue type from the associated RabbitMq
instance
Expand All @@ -153,6 +159,12 @@ spec:
rabbitmqVhost:
description: RabbitmqVhost - the actual vhost name used
type: string
secretHash:
description: |-
SecretHash - hash of the current TransportURL secret content.
Consuming services compare this with the hash they computed to
confirm credential rotation is complete.
type: string
secretName:
description: SecretName - name of the secret containing the rabbitmq
transport URL
23 changes: 0 additions & 23 deletions config/rbac/role.yaml
Expand Up @@ -73,29 +73,6 @@ rules:
- patch
- update
- watch
- apiGroups:
- barbican.openstack.org
- cinder.openstack.org
- designate.openstack.org
- glance.openstack.org
- heat.openstack.org
- horizon.openstack.org
- ironic.openstack.org
- keystone.openstack.org
- manila.openstack.org
- neutron.openstack.org
- nova.openstack.org
- octavia.openstack.org
- ovn.openstack.org
- placement.openstack.org
- swift.openstack.org
- telemetry.openstack.org
- watcher.openstack.org
resources:
- '*'
verbs:
- get
- list
- apiGroups:
- config.openshift.io
resources: