Implement rabbitmquser finalizer management for edpm nodes

Author: lmiccini

api/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml

@@ -1973,6 +1973,14 @@ spec:
                 items:
                   type: string
                 type: array
+              finalizerHash:
+                description: |-
+                  FinalizerHash is a short, deterministic hash derived from the nodeset name.
+                  Used to create unique, collision-free finalizer names for RabbitMQ users.
+                  Format: first 8 characters of SHA256(nodeset.metadata.name)
+                  Example: "a3f2b5c8"
+                  This allows easy lookup of which nodeset owns a specific finalizer.
+                type: string
               inventorySecretName:
                 description: InventorySecretName Name of a secret containing the ansible
                   inventory

api/core/v1beta1/openstackcontrolplane_webhook.go

@@ -881,11 +881,9 @@ func (r *OpenStackControlPlane) DefaultServices() {
 		if r.Spec.Cinder.Template.MessagingBus.Cluster == "" {
 			r.Spec.Cinder.Template.MessagingBus.Cluster = "rabbitmq"
 		}
-		// Propagate top-level NotificationsBus to template if not already set
-		// This prevents the service operator's Default() from using the deprecated field
-		if r.Spec.Cinder.Template.NotificationsBus == nil && r.Spec.NotificationsBus != nil {
-			r.Spec.Cinder.Template.NotificationsBus = r.Spec.NotificationsBus
-		}
+		// NotificationsBus propagation is handled in the reconcile loop to properly support
+		// both inheritance and clearing. The webhook doesn't have access to the old object
+		// to distinguish between user overrides and inherited values.
 		r.Spec.Cinder.Template.Default()
 		initializeOverrideSpec(&r.Spec.Cinder.APIOverride.Route, true)
 		r.Spec.Cinder.Template.SetDefaultRouteAnnotations(r.Spec.Cinder.APIOverride.Route.Annotations)
@@ -915,11 +913,9 @@ func (r *OpenStackControlPlane) DefaultServices() {
 		if r.Spec.Glance.Template == nil {
 			r.Spec.Glance.Template = &glancev1.GlanceSpecCore{}
 		}
-		// Propagate top-level NotificationsBus to template if not already set
-		// This prevents the service operator's Default() from using the deprecated field
-		if r.Spec.Glance.Template.NotificationsBus == nil && r.Spec.NotificationsBus != nil {
-			r.Spec.Glance.Template.NotificationsBus = r.Spec.NotificationsBus
-		}
+		// NotificationsBus propagation is handled in the reconcile loop to properly support
+		// both inheritance and clearing. The webhook doesn't have access to the old object
+		// to distinguish between user overrides and inherited values.
 		r.Spec.Glance.Template.Default()
 		// initialize the main APIOverride struct
 		if r.Spec.Glance.APIOverride == nil {
@@ -984,11 +980,9 @@ func (r *OpenStackControlPlane) DefaultServices() {
 		if r.Spec.Keystone.Template == nil {
 			r.Spec.Keystone.Template = &keystonev1.KeystoneAPISpecCore{}
 		}
-		// Propagate top-level NotificationsBus to template if not already set
-		// This prevents the service operator's Default() from using the deprecated field
-		if r.Spec.Keystone.Template.NotificationsBus == nil && r.Spec.NotificationsBus != nil {
-			r.Spec.Keystone.Template.NotificationsBus = r.Spec.NotificationsBus
-		}
+		// NotificationsBus propagation is handled in the reconcile loop to properly support
+		// both inheritance and clearing. The webhook doesn't have access to the old object
+		// to distinguish between user overrides and inherited values.
 		r.Spec.Keystone.Template.Default()
 		initializeOverrideSpec(&r.Spec.Keystone.APIOverride.Route, true)
 		r.Spec.Keystone.Template.SetDefaultRouteAnnotations(r.Spec.Keystone.APIOverride.Route.Annotations)
@@ -1003,11 +997,9 @@ func (r *OpenStackControlPlane) DefaultServices() {
 		if r.Spec.Manila.Template.MessagingBus.Cluster == "" {
 			r.Spec.Manila.Template.MessagingBus.Cluster = "rabbitmq"
 		}
-		// Propagate top-level NotificationsBus to template if not already set
-		// This prevents the service operator's Default() from using the deprecated field
-		if r.Spec.Manila.Template.NotificationsBus == nil && r.Spec.NotificationsBus != nil {
-			r.Spec.Manila.Template.NotificationsBus = r.Spec.NotificationsBus
-		}
+		// NotificationsBus propagation is handled in the reconcile loop to properly support
+		// both inheritance and clearing. The webhook doesn't have access to the old object
+		// to distinguish between user overrides and inherited values.
 		r.Spec.Manila.Template.Default()
 		initializeOverrideSpec(&r.Spec.Manila.APIOverride.Route, true)
 		r.Spec.Manila.Template.SetDefaultRouteAnnotations(r.Spec.Manila.APIOverride.Route.Annotations)
@@ -1035,11 +1027,9 @@ func (r *OpenStackControlPlane) DefaultServices() {
 		if r.Spec.Neutron.Template.MessagingBus.Cluster == "" {
 			r.Spec.Neutron.Template.MessagingBus.Cluster = "rabbitmq"
 		}
-		// Propagate top-level NotificationsBus to template if not already set
-		// This prevents the service operator's Default() from using the deprecated field
-		if r.Spec.Neutron.Template.NotificationsBus == nil && r.Spec.NotificationsBus != nil {
-			r.Spec.Neutron.Template.NotificationsBus = r.Spec.NotificationsBus
-		}
+		// NotificationsBus propagation is handled in the reconcile loop to properly support
+		// both inheritance and clearing. The webhook doesn't have access to the old object
+		// to distinguish between user overrides and inherited values.
 		r.Spec.Neutron.Template.Default()
 		initializeOverrideSpec(&r.Spec.Neutron.APIOverride.Route, true)
 		r.Spec.Neutron.Template.SetDefaultRouteAnnotations(r.Spec.Neutron.APIOverride.Route.Annotations)
@@ -1055,11 +1045,9 @@ func (r *OpenStackControlPlane) DefaultServices() {
 		if r.Spec.Nova.Template.MessagingBus.Cluster == "" {
 			r.Spec.Nova.Template.MessagingBus.Cluster = "rabbitmq"
 		}
-		// Propagate top-level NotificationsBus to template if not already set
-		// This prevents the service operator's Default() from using the deprecated field
-		if r.Spec.Nova.Template.NotificationsBus == nil && r.Spec.NotificationsBus != nil {
-			r.Spec.Nova.Template.NotificationsBus = r.Spec.NotificationsBus
-		}
+		// NotificationsBus propagation is handled in the reconcile loop to properly support
+		// both inheritance and clearing. The webhook doesn't have access to the old object
+		// to distinguish between user overrides and inherited values.
 		r.Spec.Nova.Template.Default()
 		initializeOverrideSpec(&r.Spec.Nova.APIOverride.Route, true)
 		r.Spec.Nova.Template.SetDefaultRouteAnnotations(r.Spec.Nova.APIOverride.Route.Annotations)
@@ -1211,11 +1199,9 @@ func (r *OpenStackControlPlane) DefaultServices() {
 		if r.Spec.Watcher.Template.MessagingBus.Cluster == "" {
 			r.Spec.Watcher.Template.MessagingBus.Cluster = "rabbitmq"
 		}
-		// Propagate top-level NotificationsBus to template if not already set
-		// This prevents the service operator's Default() from using the deprecated field
-		if r.Spec.Watcher.Template.NotificationsBus == nil && r.Spec.NotificationsBus != nil {
-			r.Spec.Watcher.Template.NotificationsBus = r.Spec.NotificationsBus
-		}
+		// NotificationsBus propagation is handled in the reconcile loop to properly support
+		// both inheritance and clearing. The webhook doesn't have access to the old object
+		// to distinguish between user overrides and inherited values.
 		r.Spec.Watcher.Template.Default()
 
 		if r.Spec.Watcher.Enabled {

api/dataplane/v1beta1/openstackdataplanenodeset_types.go

@@ -160,6 +160,13 @@ type OpenStackDataPlaneNodeSetStatus struct {
 
 	//DeployedBmhHash - Hash of BMHs deployed
 	DeployedBmhHash string `json:"deployedBmhHash,omitempty"`
+
+	// FinalizerHash is a short, deterministic hash derived from the nodeset name.
+	// Used to create unique, collision-free finalizer names for RabbitMQ users.
+	// Format: first 8 characters of SHA256(nodeset.metadata.name)
+	// Example: "a3f2b5c8"
+	// This allows easy lookup of which nodeset owns a specific finalizer.
+	FinalizerHash string `json:"finalizerHash,omitempty"`
 }
 
 // +kubebuilder:object:root=true

bindata/crds/crds.yaml

@@ -19734,6 +19734,11 @@ spec:
                 description: InventorySecretName Name of a secret containing the ansible
                   inventory
                 type: string
+              novaCellSecretHash:
+                description: |-
+                  NovaCellSecretHash - Hash of nova-cellX-compute-config secrets to detect changes.
+                  When this hash changes, UpdatedNodesAfterSecretChange is reset.
+                type: string
               observedGeneration:
                 description: ObservedGeneration - the most recent generation observed
                   for this NodeSet. If the observed generation is less than the spec
@@ -19745,6 +19750,15 @@ spec:
                   type: string
                 description: SecretHashes
                 type: object
+              updatedNodesAfterSecretChange:
+                description: |-
+                  UpdatedNodesAfterSecretChange - List of node names that have been successfully
+                  updated after the most recent nova cell secret change. This is used to track
+                  progress across multiple AnsibleLimit deployments and ensure all nodes are
+                  updated before removing RabbitMQ user finalizers.
+                items:
+                  type: string
+                type: array
             type: object
         type: object
     served: true

bindata/rbac/rbac.yaml

@@ -645,6 +645,23 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - rabbitmq.openstack.org
+  resources:
+  - rabbitmqusers
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rabbitmq.openstack.org
+  resources:
+  - rabbitmqusers/finalizers
+  verbs:
+  - patch
+  - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources:

config/crd/bases/dataplane.openstack.org_openstackdataplanenodesets.yaml

@@ -1973,6 +1973,14 @@ spec:
                 items:
                   type: string
                 type: array
+              finalizerHash:
+                description: |-
+                  FinalizerHash is a short, deterministic hash derived from the nodeset name.
+                  Used to create unique, collision-free finalizer names for RabbitMQ users.
+                  Format: first 8 characters of SHA256(nodeset.metadata.name)
+                  Example: "a3f2b5c8"
+                  This allows easy lookup of which nodeset owns a specific finalizer.
+                type: string
               inventorySecretName:
                 description: InventorySecretName Name of a secret containing the ansible
                   inventory

config/operator/deployment/kustomization.yaml

@@ -27,3 +27,9 @@ patches:
     kind: Deployment
     name: openstack-operator-controller-init
     namespace: system
+- patch: '[{"op": "replace", "path": "/spec/template/spec/containers/0/env/0", "value":
+    {"name": "OPENSTACK_RELEASE_VERSION", "value": "0.1.17-1768984468"}}]'
+  target:
+    kind: Deployment
+    name: openstack-operator-controller-operator
+    namespace: system

config/rbac/role.yaml

@@ -596,6 +596,23 @@ rules:
   - patch
   - update
   - watch
+- apiGroups:
+  - rabbitmq.openstack.org
+  resources:
+  - rabbitmqusers
+  verbs:
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - rabbitmq.openstack.org
+  resources:
+  - rabbitmqusers/finalizers
+  verbs:
+  - patch
+  - update
 - apiGroups:
   - rbac.authorization.k8s.io
   resources: