test: Enable hot reloading in password files

CHANGELOG.md

@@ -4,6 +4,13 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Fixed
+
+- Re-enable hot-reloading in password file Secrets with the annotation
+  `restarter.stackable.tech/ignore: "true"` ([#868]).
+
+[#868]: https://github.com/stackabletech/trino-operator/pull/868
+
 ## [26.3.0] - 2026-03-16
 
 ## [26.3.0-rc1] - 2026-03-16

docs/modules/trino/examples/usage-guide/trino-file-auth-snippet.yaml

@@ -17,6 +17,8 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: trino-users
+  annotations:
+    restarter.stackable.tech/ignore: "true"
 type: kubernetes.io/opaque
 stringData:
   admin: admin

docs/modules/trino/pages/usage-guide/security.adoc

@@ -52,6 +52,7 @@ IMPORTANT: Due to Kubernetes restrictions, the name of the AuthenticationClass m
 
 Changes to the referenced user Secret (e.g. adding or removing a user) are updated in Trino without restarts but after a small delay.
 This heavily depends on Kubernetes and may take a couple of minutes.
+To prevent restarts triggered by the restart controller, the Secret must be annotated with `restarter.stackable.tech/ignore: "true"`.
 
 Adding or removing an AuthenticationClass will however result in a Pod restart.
 

tests/templates/kuttl/authentication/11-create-authentication-classes.yaml

@@ -5,4 +5,6 @@ metadata:
   name: create-ldap-user
 commands:
   # We need to replace $NAMESPACE (by KUTTL) in the create-authentication-classes.yaml(.j2)
-  - script: eval "echo \"$(cat create-authentication-classes.yaml)\"" | kubectl apply -f -
+  - script: >
+      envsubst '$NAMESPACE' < create-authentication-classes.yaml |
+      kubectl apply --filename=-

tests/templates/kuttl/authentication/30-hot-reloading-add-user.yaml

@@ -3,4 +3,6 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
   # We need to replace $NAMESPACE (by KUTTL) in the add_user.yaml(.j2)
-  - script: eval "echo \"$(cat add_user.yaml)\"" | kubectl replace -f -
+  - script: >
+      envsubst '$NAMESPACE' < add_user.yaml |
+      kubectl replace --filename=-

tests/templates/kuttl/authentication/32-hot-reloading-remove-user.yaml

@@ -3,4 +3,6 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
   # We need to replace $NAMESPACE (by KUTTL) in the remove_user.yaml(.j2)
-  - script: eval "echo \"$(cat remove_user.yaml)\"" | kubectl replace -f -
+  - script: >
+      envsubst '$NAMESPACE' < remove_user.yaml |
+      kubectl replace --filename=-

tests/templates/kuttl/authentication/33-assert.yaml

@@ -5,4 +5,12 @@ timeout: 600
 commands:
   # We use the check-active-workers script for the login. Since we do want to wait until we cannot log in anymore
   # we flip the return value in the end.
-  - script: kubectl exec -n $NAMESPACE trino-test-helper-0 -- python /tmp/check-active-workers.py -u hot_reloaded -p hot_reloaded -c trino-coordinator-default-headless.$NAMESPACE.svc.cluster.local -w 1; if [ $? -eq 0 ]; then exit 1; fi
+  - script: |
+      set +e
+      kubectl exec -n $NAMESPACE trino-test-helper-0 -- \
+        python /tmp/check-active-workers.py -u hot_reloaded -p hot_reloaded -c trino-coordinator-default-headless.$NAMESPACE.svc.cluster.local -w 1
+      if [ $? -eq 1 ]; then
+        exit 0
+      else
+        exit 1
+      fi

tests/templates/kuttl/authentication/add_user.yaml.j2

@@ -4,6 +4,8 @@ kind: Secret
 metadata:
   name: password-file-users
   namespace: $NAMESPACE
+  annotations:
+    restarter.stackable.tech/ignore: "true"
 stringData:
   test_user_1: test_user_1
   test_user_2: test_user_2

tests/templates/kuttl/authentication/create-authentication-classes.yaml.j2

@@ -43,6 +43,8 @@ kind: Secret
 metadata:
   name: password-file-users
   namespace: $NAMESPACE
+  annotations:
+    restarter.stackable.tech/ignore: "true"
 stringData:
   test_user_1: test_user_1
   test_user_2: test_user_2

tests/templates/kuttl/authentication/remove_user.yaml.j2

@@ -4,6 +4,8 @@ kind: Secret
 metadata:
   name: password-file-users
   namespace: $NAMESPACE
+  annotations:
+    restarter.stackable.tech/ignore: "true"
 stringData:
   test_user_1: test_user_1
   test_user_2: test_user_2