Skip to content

fix: sync provisioned user credential rotation#168

Merged
GatewayJ merged 1 commit into
mainfrom
fix/1073-user-secret-rotation
Jul 10, 2026
Merged

fix: sync provisioned user credential rotation#168
GatewayJ merged 1 commit into
mainfrom
fix/1073-user-secret-rotation

Conversation

@overtrue

Copy link
Copy Markdown
Contributor

Type of Change

  • Bug Fix

Related Issues

Closes rustfs/backlog#1073

Summary of Changes

  • Reapply user credentials when the referenced Secret version changes.
  • Keep normal reconciles idempotent and reject access-key changes after provisioning.
  • Record the applied access-key hash in status and document the rotation contract.

Checklist

  • I have read and followed the CONTRIBUTING.md guidelines
  • Passed make pre-commit (fmt-check + clippy + test + console-lint + console-fmt-check)
  • Added/updated necessary tests
  • Documentation updated (if needed)
  • CHANGELOG.md updated under [Unreleased] (N/A: no release-note policy applies)
  • CI/CD passed (if applicable)

Impact

  • Breaking change (CRD/API compatibility)
  • Requires doc/config/deployment update
  • Other impact: existing user access keys are now immutable after successful provisioning.

Verification

make pre-commit

Additional Notes

N/A

Copilot AI review requested due to automatic review settings July 10, 2026 02:01

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f432ae47df

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +912 to +913
previous.observed_secret_resource_version.as_deref() != Some(resource_version)
|| previous.last_applied_access_key_hash.as_deref() != Some(current_hash.as_str())

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Preserve adopted users' credentials during backfill

For upgraded Tenants that previously reconciled an already-existing RustFS user, status only has reason=UserAlreadyExistsPolicySet/observedSecretResourceVersion and no lastAppliedAccessKeyHash. This condition treats the missing hash as needing a credential apply, so the next reconcile calls add_user for that pre-existing user and overwrites its secret key with the Kubernetes Secret even though the old code only applied policy mappings for adopted users. Gate the hash backfill so adopted users are not converted into operator-managed credentials without an explicit rotation.

Useful? React with 👍 / 👎.

@overtrue overtrue requested a review from GatewayJ July 10, 2026 02:27
@GatewayJ GatewayJ added this pull request to the merge queue Jul 10, 2026
Merged via the queue into main with commit d67b4ed Jul 10, 2026
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants