Make sure MariaDBAccount gets created with MariaDBDatabase

Currently the MariaDBAccount gets created in an early step before
the password secret gets validated to be there. In case the service
password is missing the deployment stops after the MariaDBAccount
is there.
If one deletes the ctlplane at this point, the nova-api MariaDBAccount
won't be deleted because the loadDatabaseAndAccountCRs() will not
return the account because the MariaDBDatabase object was not created.
With this the nova-api MariaDBAccount remains with a finalizer.

When the password secret now is created with a new ctlplane, the
old nova-api MariaDBAccount conficts with the new deployment because
it will not be created in the db instance and all nova tasks to
initialize its DB fail with an access error.

This change moves creating the nova-api MariaDBAccount right before
creating the MariaDBDatabase. This reduces the situation that there
will be a MariaDBAccount for nova-api without its MariaDBDatabase.

Currently this situation could also happen when the service password
is there, but galera is not created properly, like DB root pwd missing.

Jira: OSPRH-10167

Signed-off-by: Martin Schuppert <[email protected]>

Author: stuggi

controllers/nova_controller.go

@@ -206,32 +206,6 @@ func (r *NovaReconciler) Reconcile(ctx context.Context, req ctrl.Request) (resul
 		return rbacResult, nil
 	}
 
-	// ensure MariaDBAccount exists.  This account record may be created by
-	// openstack-operator or the cloud operator up front without a specific
-	// MariaDBDatabase configured yet.   Otherwise, a MariaDBAccount CR is
-	// created here with a generated username as well as a secret with
-	// generated password.   The MariaDBAccount is created without being
-	// yet associated with any MariaDBDatabase.
-	_, _, err = mariadbv1.EnsureMariaDBAccount(
-		ctx, h, instance.Spec.APIDatabaseAccount,
-		instance.Namespace, false, "nova_api",
-	)
-
-	if err != nil {
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			mariadbv1.MariaDBAccountReadyCondition,
-			condition.ErrorReason,
-			condition.SeverityWarning,
-			mariadbv1.MariaDBAccountNotReadyMessage,
-			err.Error()))
-
-		return ctrl.Result{}, err
-	}
-	instance.Status.Conditions.MarkTrue(
-		mariadbv1.MariaDBAccountReadyCondition,
-		mariadbv1.MariaDBAccountReadyMessage,
-	)
-
 	// There is a webhook validation that ensures that there is always cell0 in
 	// the cellTemplates
 	cell0Template := instance.Spec.CellTemplates[novav1.Cell0Name]
@@ -275,6 +249,32 @@ func (r *NovaReconciler) Reconcile(ctx context.Context, req ctrl.Request) (resul
 		return ctrl.Result{}, err
 	}
 
+	// ensure MariaDBAccount exists.  This account record may be created by
+	// openstack-operator or the cloud operator up front without a specific
+	// MariaDBDatabase configured yet.   Otherwise, a MariaDBAccount CR is
+	// created here with a generated username as well as a secret with
+	// generated password.   The MariaDBAccount is created without being
+	// yet associated with any MariaDBDatabase.
+	_, _, err = mariadbv1.EnsureMariaDBAccount(
+		ctx, h, instance.Spec.APIDatabaseAccount,
+		instance.Namespace, false, "nova_api",
+	)
+
+	if err != nil {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			mariadbv1.MariaDBAccountReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			mariadbv1.MariaDBAccountNotReadyMessage,
+			err.Error()))
+
+		return ctrl.Result{}, err
+	}
+	instance.Status.Conditions.MarkTrue(
+		mariadbv1.MariaDBAccountReadyCondition,
+		mariadbv1.MariaDBAccountReadyMessage,
+	)
+
 	// We create the API DB separately from the Cell DBs as we want to report
 	// its status separately and we need to pass the API DB around for Cells
 	// having up-call support