Fix Octavia ApplicationCredentialSecret set on wrong spec path #1821

Closed
millevy wants to merge 1 commit into openstack-k8s-operators:main from millevy:fix-octavia-appcred-auth-path

@millevy millevy commented Feb 19, 2026

The ApplicationCredentialSecret was being set on OctaviaAPI.Auth (sub-spec level) instead of Auth (top-level OctaviaSpecBase). The octavia-operator reads the secret from spec.auth, which is populated from OctaviaSpecBase via DeepCopyInto, not from the OctaviaAPI sub-spec.

This caused Octavia to silently fall back to password auth when ZDPR (application credentials) was enabled, because the secret name never reached the Octavia CR's spec.auth field.

Co-authored-by: AI Assistant (Cursor/Claude)
JIRA: OSPRH-21647

@openshift-ci openshift-ci bot requested review from dprince and rabi February 19, 2026 18:14
The ApplicationCredentialSecret was being set on OctaviaAPI.Auth
(sub-spec level) instead of Auth (top-level OctaviaSpecBase).
The octavia-operator reads the secret from spec.auth, which is
populated from OctaviaSpecBase via DeepCopyInto, not from the
OctaviaAPI sub-spec.

This caused Octavia to silently fall back to password auth when
ZDPR (application credentials) was enabled, because the secret
name never reached the Octavia CR's spec.auth field.

Verified manually by patching the controlplane CR to set
spec.octavia.template.auth.applicationCredentialSecret, which
confirmed Octavia correctly switches to v3applicationcredential
auth_type when the secret is at the correct spec level.

Co-authored-by: AI Assistant (Cursor/Claude)
JIRA: OSPRH-26817
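
A simplified Go model of the failure mode the commit message above describes, added here as an illustration and not taken from openstack-operator or octavia-operator. The struct shapes, `renderAuthType`, `checkAuthPath` and the secret name are assumptions; only the type and field names come from the PR text.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified stand-ins for the types named in the PR (assumed shapes, not the real CRD types).
type AuthSpec struct{ ApplicationCredentialSecret string }

type OctaviaAPISpec struct{ Auth AuthSpec } // sub-spec level (wrong path per the PR)

type OctaviaSpecBase struct{ Auth AuthSpec } // top level, the spec.auth the consumer reads

type OctaviaSpecCore struct {
	OctaviaSpecBase
	OctaviaAPI OctaviaAPISpec
}

// renderAuthType models the consumer: only the base spec is copied, so only its Auth counts.
func renderAuthType(tmpl OctaviaSpecCore) string {
	base := tmpl.OctaviaSpecBase // the nested OctaviaAPI.Auth is never consulted
	if base.Auth.ApplicationCredentialSecret != "" {
		return "v3applicationcredential"
	}
	return "password" // silent fallback described in the PR
}

// checkAuthPath (hypothetical guard) turns the silent fallback into an error.
func checkAuthPath(acEnabled bool, tmpl OctaviaSpecCore) error {
	top := tmpl.Auth.ApplicationCredentialSecret
	nested := tmpl.OctaviaAPI.Auth.ApplicationCredentialSecret
	if nested != "" && top == "" {
		return fmt.Errorf("secret %q is set only on OctaviaAPI.Auth, which is not read", nested)
	}
	if acEnabled && top == "" {
		return errors.New("application credentials enabled but Auth.ApplicationCredentialSecret is empty")
	}
	return nil
}

func main() {
	var wrong, right OctaviaSpecCore
	wrong.OctaviaAPI.Auth.ApplicationCredentialSecret = "ac-octavia-secret" // constructed name
	right.Auth.ApplicationCredentialSecret = "ac-octavia-secret"
	fmt.Println(renderAuthType(wrong), checkAuthPath(true, wrong))
	fmt.Println(renderAuthType(right), checkAuthPath(true, right))
}
```
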
@millevy millevy force-pushed the fix-octavia-appcred-auth-path branch from 3f32806 to e6859a7 Compare February 19, 2026 18:21

openshift-ci bot commented Feb 19, 2026

@millevy: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/functional | e6859a7 | link | true | /test functional |

millevy commented Feb 19, 2026

recheck

millevy commented Feb 19, 2026

/cc @Deydra71
/cc @stuggi
/cc @gthiemonge

@gthiemonge

/approve

openshift-ci bot commented Feb 23, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: gthiemonge, millevy
Once this PR has been reviewed and has the lgtm label, please assign stuggi for approval. For more information see the Code Review Process.

// Only call if AC enabled or currently configured
if isACEnabled(instance.Spec.ApplicationCredential, instance.Spec.Octavia.ApplicationCredential) ||
instance.Spec.Octavia.Template.OctaviaAPI.Auth.ApplicationCredentialSecret != "" {
instance.Spec.Octavia.Template.Auth.ApplicationCredentialSecret != "" {
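
Review bot: the second operand of the `||` now looks only at Template.Auth.ApplicationCredentialSecret, so a control plane CR that still carries a value at Template.OctaviaAPI.Auth.ApplicationCredentialSecret no longer satisfies the "currently configured" case named in the comment above the condition, and with AC disabled the call is skipped for that CR. If values left on the old path still need handling, test both fields here until the OctaviaAPI field is removed; otherwise state in the comment that only the top-level Auth path counts. A functional test asserting which field carries the secret name would keep the path from regressing silently.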

We should first fix octavia-operator - right now octavia incorrectly has the Auth type and nested ApplicationCredentialSecret in OctaviaAPI and at the same time the Auth type in OctaviaSpecBase, but the Auth and nested ApplicationCredentialSecret should be in the parent octavia_types.go file.

https://github.com/openstack-k8s-operators/octavia-operator/blob/main/api/v1beta1/octavia_types.go#L248 (this one is correct, we just need to add the ApplicationCredentialSecret and delete them from OctaviaAPI)

@millevy agreed to take care of this.

millevy commented Feb 24, 2026

The change is redundant.

@millevy millevy closed this Feb 24, 2026