add secret watch for reconciliation on the key rotation cases

Author: mabulgu

internal/controller/metal3.io/baremetalhost_controller.go

@@ -40,17 +40,22 @@ import (
 	k8serrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/tools/record"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/controller"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 )
 
 const (
+	hostImageAuthSecretIndexField = ".spec.image.authSecretName"
+
 	hostErrorRetryDelay           = time.Second * 10
 	unmanagedRetryDelay           = time.Minute * 10
 	preprovImageRetryDelay        = time.Minute * 5
@@ -2428,14 +2433,37 @@ func (r *BareMetalHostReconciler) updateEventHandler(e event.UpdateEvent) bool {
 // SetupWithManager registers the reconciler to be run by the manager.
 func (r *BareMetalHostReconciler) SetupWithManager(mgr ctrl.Manager, preprovImgEnable bool, maxConcurrentReconcile int) error {
 	r.Recorder = mgr.GetEventRecorderFor("baremetalhost-controller")
+
+	// Add index for image auth secret name to enable efficient secret-to-BMH lookups
+	if err := mgr.GetFieldIndexer().IndexField(
+		context.Background(),
+		&metal3api.BareMetalHost{},
+		hostImageAuthSecretIndexField,
+		func(obj client.Object) []string {
+			host := obj.(*metal3api.BareMetalHost)
+			if host.Spec.Image != nil && host.Spec.Image.AuthSecretName != nil && *host.Spec.Image.AuthSecretName != "" {
+				return []string{*host.Spec.Image.AuthSecretName}
+			}
+			return nil
+		},
+	); err != nil {
+		return fmt.Errorf("failed to create image auth secret index: %w", err)
+	}
+
 	controller := ctrl.NewControllerManagedBy(mgr).
 		For(&metal3api.BareMetalHost{}).
 		WithEventFilter(
 			predicate.Funcs{
 				UpdateFunc: r.updateEventHandler,
 			}).
 		WithOptions(controller.Options{MaxConcurrentReconciles: maxConcurrentReconcile}).
-		Owns(&corev1.Secret{}, builder.MatchEveryOwner)
+		Owns(&corev1.Secret{}, builder.MatchEveryOwner).
+		// Watch Secrets to trigger reconciliation when auth secrets are updated (key rotation)
+		Watches(
+			&corev1.Secret{},
+			handler.EnqueueRequestsFromMapFunc(r.findBMHsForAuthSecret),
+			builder.WithPredicates(predicate.ResourceVersionChangedPredicate{}),
+		)
 
 	if preprovImgEnable {
 		// We use SetControllerReference() to set the owner reference, so no
@@ -2446,6 +2474,38 @@ func (r *BareMetalHostReconciler) SetupWithManager(mgr ctrl.Manager, preprovImgE
 	return controller.Complete(r)
 }
 
+// findBMHsForAuthSecret returns a list of reconcile requests for BareMetalHosts
+// that reference the given Secret as their image auth secret.
+// This enables auto-reconciliation when auth secrets are updated (key rotation).
+func (r *BareMetalHostReconciler) findBMHsForAuthSecret(ctx context.Context, secret client.Object) []reconcile.Request {
+	// Only process secrets in the same namespace as BMHs
+	hosts := &metal3api.BareMetalHostList{}
+	if err := r.Client.List(
+		ctx,
+		hosts,
+		client.InNamespace(secret.GetNamespace()),
+		client.MatchingFields{hostImageAuthSecretIndexField: secret.GetName()},
+	); err != nil {
+		r.Log.Error(err, "failed to list BareMetalHosts for secret", "secret", secret.GetName())
+		return nil
+	}
+
+	requests := make([]reconcile.Request, len(hosts.Items))
+	for i, host := range hosts.Items {
+		requests[i] = reconcile.Request{
+			NamespacedName: types.NamespacedName{
+				Name:      host.Name,
+				Namespace: host.Namespace,
+			},
+		}
+		r.Log.Info("queuing BMH reconcile due to auth secret change",
+			"baremetalhost", host.Name,
+			"secret", secret.GetName())
+	}
+
+	return requests
+}
+
 func (r *BareMetalHostReconciler) reconcileHostData(ctx context.Context, host *metal3api.BareMetalHost, request ctrl.Request) (result ctrl.Result, err error) {
 	reqLogger := r.Log.WithValues("baremetalhost", request.NamespacedName)