Access TLS secrets directly (without cache)

Now that we cache only specific objects from the API,
we don't see TLS secrets that don't have the
"app.kubernetes.io/part-of=rabbitmq" label.

To check if the desired secrets exist, use the APIReader
which checks the API directly.

Author: mkuratczyk

Diff for: controllers/rabbitmqcluster_controller.go

@@ -59,6 +59,7 @@ const (
 // RabbitmqClusterReconciler reconciles a RabbitmqCluster object
 type RabbitmqClusterReconciler struct {
 	client.Client
+	APIReader               client.Reader
 	Scheme                  *runtime.Scheme
 	Namespace               string
 	Recorder                record.EventRecorder

Diff for: controllers/reconcile_tls.go

@@ -39,9 +39,10 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 	secretName := rabbitmqCluster.Spec.TLS.SecretName
 	logger.V(1).Info("TLS enabled, looking for secret", "secret", secretName)
 
-	// check if secret exists
+	// check if secret exists - we need to use the APIReader because if the Secret doesn't have
+	// "app.kubernetes.io/part-of" label set to "rabbitmq", it's not cached by the controller
 	secret := &corev1.Secret{}
-	if err := r.Get(ctx, types.NamespacedName{Namespace: rabbitmqCluster.Namespace, Name: secretName}, secret); err != nil {
+	if err := r.APIReader.Get(ctx, types.NamespacedName{Namespace: rabbitmqCluster.Namespace, Name: secretName}, secret); err != nil {
 		r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError",
 			fmt.Sprintf("Failed to get TLS secret %s in namespace %s: %v", secretName, rabbitmqCluster.Namespace, err.Error()))
 		logger.Error(err, "Error setting up TLS")
@@ -65,7 +66,7 @@ func (r *RabbitmqClusterReconciler) checkTLSSecrets(ctx context.Context, rabbitm
 
 			// check if secret exists
 			secret = &corev1.Secret{}
-			if err := r.Get(ctx, types.NamespacedName{Namespace: rabbitmqCluster.Namespace, Name: secretName}, secret); err != nil {
+			if err := r.APIReader.Get(ctx, types.NamespacedName{Namespace: rabbitmqCluster.Namespace, Name: secretName}, secret); err != nil {
 				r.Recorder.Event(rabbitmqCluster, corev1.EventTypeWarning, "TLSError",
 					fmt.Sprintf("Failed to get CA certificate secret %v in namespace %v: %v", secretName, rabbitmqCluster.Namespace, err.Error()))
 				logger.Error(err, "Error setting up TLS")

Diff for: controllers/suite_test.go

@@ -13,9 +13,10 @@ package controllers_test
 import (
 	"context"
 	"path/filepath"
-	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"testing"
 
+	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
+
 	"k8s.io/client-go/util/retry"
 
 	. "github.com/onsi/ginkgo/v2"
@@ -95,6 +96,7 @@ var _ = BeforeSuite(func() {
 	fakeExecutor = &fakePodExecutor{}
 	err = (&controllers.RabbitmqClusterReconciler{
 		Client:                  mgr.GetClient(),
+		APIReader:               mgr.GetAPIReader(),
 		Scheme:                  mgr.GetScheme(),
 		Recorder:                mgr.GetEventRecorderFor(controllerName),
 		Namespace:               "rabbitmq-system",

Diff for: main.go

@@ -194,6 +194,7 @@ func main() {
 
 	err = (&controllers.RabbitmqClusterReconciler{
 		Client:                  mgr.GetClient(),
+		APIReader:               mgr.GetAPIReader(),
 		Scheme:                  mgr.GetScheme(),
 		Recorder:                mgr.GetEventRecorderFor(controllerName),
 		Namespace:               operatorNamespace,

Diff for: system_tests/utils.go

@@ -766,19 +766,6 @@ func k8sCreateTLSSecret(secretName, secretNamespace, certPath, keyPath string) e
 		return fmt.Errorf("Failed with error: %w\nOutput: %v\n", err, string(output))
 	}
 
-	output, err = kubectl(
-		"-n",
-		secretNamespace,
-		"label",
-		"secrets",
-		secretName,
-		"app.kubernetes.io/part-of=rabbitmq",
-	)
-
-	if err != nil {
-		return fmt.Errorf("Failed with error: %w\nOutput: %v\n", err, string(output))
-	}
-
 	return nil
 }