fix: sync provisioned user credential rotation#168
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f432ae47df
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| previous.observed_secret_resource_version.as_deref() != Some(resource_version) | ||
| || previous.last_applied_access_key_hash.as_deref() != Some(current_hash.as_str()) |
There was a problem hiding this comment.
Preserve adopted users' credentials during backfill
For upgraded Tenants that previously reconciled an already-existing RustFS user, status only has reason=UserAlreadyExistsPolicySet/observedSecretResourceVersion and no lastAppliedAccessKeyHash. This condition treats the missing hash as needing a credential apply, so the next reconcile calls add_user for that pre-existing user and overwrites its secret key with the Kubernetes Secret even though the old code only applied policy mappings for adopted users. Gate the hash backfill so adopted users are not converted into operator-managed credentials without an explicit rotation.
Useful? React with 👍 / 👎.
Type of Change
Related Issues
Closes rustfs/backlog#1073
Summary of Changes
Checklist
make pre-commit(fmt-check + clippy + test + console-lint + console-fmt-check)[Unreleased](N/A: no release-note policy applies)Impact
Verification
Additional Notes
N/A