fix(vm): watch to provisioning secrets (#1820)

eofff · web-flow · commit e20f16735e4a · 2025-12-12T13:17:14.000+03:00
Signed-off-by: Valeriy Khorunzhin &lt;valeriy.khorunzhin@flant.com&gt;
diff --git a/images/virtualization-artifact/pkg/controller/indexer/indexer.go b/images/virtualization-artifact/pkg/controller/indexer/indexer.go
@@ -59,6 +59,8 @@ const (
 	IndexFieldVMMACLeaseByVMMAC = "spec.virtualMachineMACAddressRef.Name"
 
 	IndexFieldVMIPLeaseByVMIP = "spec.virtualMachineIPAddressRef"
+
+	IndexFieldVMByProvisioningSecret = "spec.provisioning.secretRef"
 )
 
 var IndexGetters = []IndexGetter{
@@ -67,6 +69,7 @@ var IndexGetters = []IndexGetter{
 	IndexVMByVI,
 	IndexVMByCVI,
 	IndexVMByNode,
+	IndexVMByProvisioningSecret,
 	IndexVMSnapshotByVM,
 	IndexVMSnapshotByVDSnapshot,
 	IndexVMRestoreByVMSnapshot,
@@ -134,6 +137,25 @@ func IndexVMByNode() (obj client.Object, field string, extractValue client.Index
 	}
 }
 
+func IndexVMByProvisioningSecret() (obj client.Object, field string, extractValue client.IndexerFunc) {
+	return &v1alpha2.VirtualMachine{}, IndexFieldVMByProvisioningSecret, func(object client.Object) []string {
+		vm, ok := object.(*v1alpha2.VirtualMachine)
+		if !ok || vm == nil || vm.Spec.Provisioning == nil {
+			return nil
+		}
+
+		var secrets []string
+		if vm.Spec.Provisioning.UserDataRef != nil && vm.Spec.Provisioning.UserDataRef.Kind == v1alpha2.UserDataRefKindSecret {
+			secrets = append(secrets, vm.Spec.Provisioning.UserDataRef.Name)
+		}
+		if vm.Spec.Provisioning.SysprepRef != nil && vm.Spec.Provisioning.SysprepRef.Kind == v1alpha2.SysprepRefKindSecret {
+			secrets = append(secrets, vm.Spec.Provisioning.SysprepRef.Name)
+		}
+
+		return secrets
+	}
+}
+
 func getBlockDeviceNamesByKind(obj client.Object, kind v1alpha2.BlockDeviceKind) []string {
 	vm, ok := obj.(*v1alpha2.VirtualMachine)
 	if !ok || vm == nil {
diff --git a/images/virtualization-artifact/pkg/controller/vm/internal/watcher/secret_watcher.go b/images/virtualization-artifact/pkg/controller/vm/internal/watcher/secret_watcher.go
@@ -0,0 +1,90 @@
+/*
+Copyright 2025 Flant JSC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+     http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package watcher
+
+import (
+	"context"
+	"fmt"
+	"log/slog"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/fields"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/controller"
+	"sigs.k8s.io/controller-runtime/pkg/event"
+	"sigs.k8s.io/controller-runtime/pkg/handler"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
+	"sigs.k8s.io/controller-runtime/pkg/reconcile"
+	"sigs.k8s.io/controller-runtime/pkg/source"
+
+	"github.com/deckhouse/virtualization-controller/pkg/controller/indexer"
+	"github.com/deckhouse/virtualization/api/core/v1alpha2"
+)
+
+func NewSecretWatcher(client client.Client) *SecretWatcher {
+	return &SecretWatcher{
+		client: client,
+		logger: slog.Default().With("watcher", "secret"),
+	}
+}
+
+type SecretWatcher struct {
+	client client.Client
+	logger *slog.Logger
+}
+
+func (w *SecretWatcher) Watch(mgr manager.Manager, ctr controller.Controller) error {
+	if err := ctr.Watch(
+		source.Kind(
+			mgr.GetCache(),
+			&corev1.Secret{},
+			handler.TypedEnqueueRequestsFromMapFunc(w.enqueue),
+			predicate.TypedFuncs[*corev1.Secret]{
+				DeleteFunc: func(e event.TypedDeleteEvent[*corev1.Secret]) bool { return false },
+			},
+		),
+	); err != nil {
+		return fmt.Errorf("error setting watch on Secret: %w", err)
+	}
+	return nil
+}
+
+func (w *SecretWatcher) enqueue(ctx context.Context, secret *corev1.Secret) []reconcile.Request {
+	var vms v1alpha2.VirtualMachineList
+	err := w.client.List(ctx, &vms, &client.ListOptions{
+		Namespace:     secret.Namespace,
+		FieldSelector: fields.OneTermEqualSelector(indexer.IndexFieldVMByProvisioningSecret, secret.Name),
+	})
+	if err != nil {
+		w.logger.Error(fmt.Sprintf("failed to list virtual machines: %v", err))
+		return nil
+	}
+
+	var result []reconcile.Request
+	for _, vm := range vms.Items {
+		result = append(result, reconcile.Request{
+			NamespacedName: types.NamespacedName{
+				Name:      vm.GetName(),
+				Namespace: vm.GetNamespace(),
+			},
+		})
+	}
+
+	return result
+}
diff --git a/images/virtualization-artifact/pkg/controller/vm/vm_reconciler.go b/images/virtualization-artifact/pkg/controller/vm/vm_reconciler.go
@@ -73,6 +73,7 @@ func (r *Reconciler) SetupController(_ context.Context, mgr manager.Manager, ctr
 		watcher.NewVirtualMachineSnapshotWatcher(),
 		watcher.NewVMOPWatcher(),
 		watcher.NewVMMACWatcher(),
+		watcher.NewSecretWatcher(mgr.GetClient()),
 	} {
 		err := w.Watch(mgr, ctr)
 		if err != nil {
