Make sure MariaDBAccount gets created with MariaDBDatabase

Currently the MariaDBAccount gets created in an early step before the password secret gets validated to be there. In case the service password is missing the deployment stops after the MariaDBAccount is there. If one deletes the ctlplane at this point, the nova-api MariaDBAccount won't be deleted because the loadDatabaseAndAccountCRs() will not return the account because the MariaDBDatabase object was not created. With this the nova-api MariaDBAccount remains with a finalizer. When the password secret now is created with a new ctlplane, the old nova-api MariaDBAccount conficts with the new deployment because it will not be created in the db instance and all nova tasks to initialize its DB fail with an access error. This change moves creating the nova-api MariaDBAccount right before creating the MariaDBDatabase. This reduces the situation that there will be a MariaDBAccount for nova-api without its MariaDBDatabase. Currently this situation could also happen when the service password is there, but galera is not created properly, like DB root pwd missing. Jira: OSPRH-10167 Signed-off-by: Martin Schuppert <[email protected]>
stuggi · Sep 13, 2024 · b4fc90c · b4fc90c
1 parent b05427a
commit b4fc90c
Showing 1 changed file with 26 additions and 26 deletions.
diff --git a/controllers/nova_controller.go b/controllers/nova_controller.go
@@ -206,32 +206,6 @@ func (r *NovaReconciler) Reconcile(ctx context.Context, req ctrl.Request) (resul
 		return rbacResult, nil
 	}
 
-	// ensure MariaDBAccount exists.  This account record may be created by
-	// openstack-operator or the cloud operator up front without a specific
-	// MariaDBDatabase configured yet.   Otherwise, a MariaDBAccount CR is
-	// created here with a generated username as well as a secret with
-	// generated password.   The MariaDBAccount is created without being
-	// yet associated with any MariaDBDatabase.
-	_, _, err = mariadbv1.EnsureMariaDBAccount(
-		ctx, h, instance.Spec.APIDatabaseAccount,
-		instance.Namespace, false, "nova_api",
-	)
-
-	if err != nil {
-		instance.Status.Conditions.Set(condition.FalseCondition(
-			mariadbv1.MariaDBAccountReadyCondition,
-			condition.ErrorReason,
-			condition.SeverityWarning,
-			mariadbv1.MariaDBAccountNotReadyMessage,
-			err.Error()))
-
-		return ctrl.Result{}, err
-	}
-	instance.Status.Conditions.MarkTrue(
-		mariadbv1.MariaDBAccountReadyCondition,
-		mariadbv1.MariaDBAccountReadyMessage,
-	)
-
 	// There is a webhook validation that ensures that there is always cell0 in
 	// the cellTemplates
 	cell0Template := instance.Spec.CellTemplates[novav1.Cell0Name]
@@ -275,6 +249,32 @@ func (r *NovaReconciler) Reconcile(ctx context.Context, req ctrl.Request) (resul
 		return ctrl.Result{}, err
 	}
 
+	// ensure MariaDBAccount exists.  This account record may be created by
+	// openstack-operator or the cloud operator up front without a specific
+	// MariaDBDatabase configured yet.   Otherwise, a MariaDBAccount CR is
+	// created here with a generated username as well as a secret with
+	// generated password.   The MariaDBAccount is created without being
+	// yet associated with any MariaDBDatabase.
+	_, _, err = mariadbv1.EnsureMariaDBAccount(
+		ctx, h, instance.Spec.APIDatabaseAccount,
+		instance.Namespace, false, "nova_api",
+	)
+
+	if err != nil {
+		instance.Status.Conditions.Set(condition.FalseCondition(
+			mariadbv1.MariaDBAccountReadyCondition,
+			condition.ErrorReason,
+			condition.SeverityWarning,
+			mariadbv1.MariaDBAccountNotReadyMessage,
+			err.Error()))
+
+		return ctrl.Result{}, err
+	}
+	instance.Status.Conditions.MarkTrue(
+		mariadbv1.MariaDBAccountReadyCondition,
+		mariadbv1.MariaDBAccountReadyMessage,
+	)
+
 	// We create the API DB separately from the Cell DBs as we want to report
 	// its status separately and we need to pass the API DB around for Cells
 	// having up-call support