Merge pull request #280 from lmiccini/quorum2

Use quorum queues if enabled

Author: openshift-merge-bot[bot]

api/go.mod

@@ -5,7 +5,7 @@ go 1.21
 require (
 	github.com/onsi/ginkgo/v2 v2.20.1
 	github.com/onsi/gomega v1.34.1
-	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250821143610-c8ef7b9a21ec
+	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250909143828-e33d35ffd64f
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250730071847-837b07f8d72f
 	k8s.io/api v0.29.15
 	k8s.io/apimachinery v0.29.15

api/go.sum

@@ -72,8 +72,8 @@ github.com/onsi/ginkgo/v2 v2.20.1 h1:YlVIbqct+ZmnEph770q9Q7NVAz4wwIiVNahee6JyUzo
 github.com/onsi/ginkgo/v2 v2.20.1/go.mod h1:lG9ey2Z29hR41WMVthyJBGUBcBhGOtoPF2VFMvBXFCI=
 github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250821143610-c8ef7b9a21ec h1:Jvz2BuTWCvjeCbDzpPzlPMrUQpEe04Rzi8LPNxeW0Ts=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250821143610-c8ef7b9a21ec/go.mod h1:Dv8qpmBIQy3Jv/EyQnOyc0w61X8vyfxpjcIQONP5CwY=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250909143828-e33d35ffd64f h1:chuu4iBT5sXHYw8aPeP/pWC+S3yGo6hdy39foP7c5vs=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250909143828-e33d35ffd64f/go.mod h1:Dv8qpmBIQy3Jv/EyQnOyc0w61X8vyfxpjcIQONP5CwY=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250730071847-837b07f8d72f h1:DW8aNjEtDFrWiZ6vWuOXwdRB4eBD0n+bA9foQkOEx6U=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250730071847-837b07f8d72f/go.mod h1:P+7F1wiwZUxOy4myYXFyc/uBtGATDFpk3yAllXe1Vzk=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=

controllers/barbican_controller.go

@@ -550,14 +550,15 @@ func (r *BarbicanReconciler) reconcileDelete(ctx context.Context, instance *barb
 
 // fields to index to reconcile when change
 const (
-	passwordSecretField             = ".spec.secret"
-	caBundleSecretNameField         = ".spec.tls.caBundleSecretName"
-	tlsAPIInternalField             = ".spec.tls.api.internal.secretName"
-	tlsAPIPublicField               = ".spec.tls.api.public.secretName"
-	pkcs11LoginSecretField          = ".spec.pkcs11.loginSecret"
-	pkcs11ClientDataSecretField     = ".spec.pkcs11.clientDataSecret"
-	topologyField                   = ".spec.topologyRef.Name"
-	customServiceConfigSecretsField = ".spec.customServiceConfigSecrets"
+	passwordSecretField                 = ".spec.secret"
+	caBundleSecretNameField             = ".spec.tls.caBundleSecretName"
+	tlsAPIInternalField                 = ".spec.tls.api.internal.secretName"
+	tlsAPIPublicField                   = ".spec.tls.api.public.secretName"
+	pkcs11LoginSecretField              = ".spec.pkcs11.loginSecret"
+	pkcs11ClientDataSecretField         = ".spec.pkcs11.clientDataSecret"
+	topologyField                       = ".spec.topologyRef.Name"
+	customServiceConfigSecretsField     = ".spec.customServiceConfigSecrets"
+	parentBarbicanConfigDataSecretField = ".status.parentBarbicanConfigDataSecret"
 )
 
 var (
@@ -568,6 +569,7 @@ var (
 		pkcs11ClientDataSecretField,
 		topologyField,
 		customServiceConfigSecretsField,
+		parentBarbicanConfigDataSecretField,
 	}
 	apiWatchFields = []string{
 		passwordSecretField,
@@ -578,12 +580,14 @@ var (
 		pkcs11ClientDataSecretField,
 		topologyField,
 		customServiceConfigSecretsField,
+		parentBarbicanConfigDataSecretField,
 	}
 	listenerWatchFields = []string{
 		passwordSecretField,
 		caBundleSecretNameField,
 		topologyField,
 		customServiceConfigSecretsField,
+		parentBarbicanConfigDataSecretField,
 	}
 )
 
@@ -709,6 +713,9 @@ func (r *BarbicanReconciler) generateServiceConfig(
 	// This gets overridden in the PKCS11 section below if needed.
 	templateParameters["PKCS11ClientDataPath"] = barbicanv1beta1.DefaultPKCS11ClientDataPath
 
+	// Set transportURL quorum queues
+	templateParameters["QuorumQueues"] = string(transportURLSecret.Data["quorumqueues"]) == "true"
+
 	// Set secret store parameters
 	secretStoreTemplateMap, err := GenerateSecretStoreTemplateMap(
 		instance.Spec.EnabledSecretStores,

controllers/barbicanapi_controller.go

@@ -994,6 +994,19 @@ func (r *BarbicanAPIReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		return err
 	}
 
+	// index parentBarbicanConfigDataSecretField
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &barbicanv1beta1.BarbicanAPI{}, parentBarbicanConfigDataSecretField, func(rawObj client.Object) []string {
+		// Extract the parent barbican config-data secret name
+		cr := rawObj.(*barbicanv1beta1.BarbicanAPI)
+		owner := barbican.GetOwningBarbicanName(cr)
+		if owner == "" {
+			return nil
+		}
+		return []string{owner + "-config-data"}
+	}); err != nil {
+		return err
+	}
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&barbicanv1beta1.BarbicanAPI{}).
 		Owns(&corev1.Service{}).

controllers/barbicankeystonelistener_controller.go

@@ -704,6 +704,19 @@ func (r *BarbicanKeystoneListenerReconciler) SetupWithManager(mgr ctrl.Manager)
 		return err
 	}
 
+	// index parentBarbicanConfigDataSecretField
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &barbicanv1beta1.BarbicanKeystoneListener{}, parentBarbicanConfigDataSecretField, func(rawObj client.Object) []string {
+		// Extract the parent barbican config-data secret name
+		cr := rawObj.(*barbicanv1beta1.BarbicanKeystoneListener)
+		owner := barbican.GetOwningBarbicanName(cr)
+		if owner == "" {
+			return nil
+		}
+		return []string{owner + "-config-data"}
+	}); err != nil {
+		return err
+	}
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&barbicanv1beta1.BarbicanKeystoneListener{}).
 		// Owns(&corev1.Service{}).

controllers/barbicanworker_controller.go

@@ -726,6 +726,19 @@ func (r *BarbicanWorkerReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		return err
 	}
 
+	// index parentBarbicanConfigDataSecretField
+	if err := mgr.GetFieldIndexer().IndexField(context.Background(), &barbicanv1beta1.BarbicanWorker{}, parentBarbicanConfigDataSecretField, func(rawObj client.Object) []string {
+		// Extract the parent barbican config-data secret name
+		cr := rawObj.(*barbicanv1beta1.BarbicanWorker)
+		owner := barbican.GetOwningBarbicanName(cr)
+		if owner == "" {
+			return nil
+		}
+		return []string{owner + "-config-data"}
+	}); err != nil {
+		return err
+	}
+
 	return ctrl.NewControllerManagedBy(mgr).
 		For(&barbicanv1beta1.BarbicanWorker{}).
 		// Owns(&corev1.Service{}).

go.mod

@@ -9,7 +9,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.20.1
 	github.com/onsi/gomega v1.34.1
 	github.com/openstack-k8s-operators/barbican-operator/api v0.0.0-00010101000000-000000000000
-	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250821143610-c8ef7b9a21ec
+	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250909143828-e33d35ffd64f
 	github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20250818180001-057253e3d233
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250730071847-837b07f8d72f
 	github.com/openstack-k8s-operators/lib-common/modules/storage v0.6.1-0.20250730071847-837b07f8d72f

go.sum

@@ -78,8 +78,8 @@ github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
 github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
 github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094 h1:J1wuGhVxpsHykZBa6Beb1gQ96Ptej9AE/BvwCBiRj1E=
 github.com/openshift/api v0.0.0-20240830023148-b7d0481c9094/go.mod h1:CxgbWAlvu2iQB0UmKTtRu1YfepRg1/vJ64n2DlIEVz4=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250821143610-c8ef7b9a21ec h1:Jvz2BuTWCvjeCbDzpPzlPMrUQpEe04Rzi8LPNxeW0Ts=
-github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250821143610-c8ef7b9a21ec/go.mod h1:Dv8qpmBIQy3Jv/EyQnOyc0w61X8vyfxpjcIQONP5CwY=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250909143828-e33d35ffd64f h1:chuu4iBT5sXHYw8aPeP/pWC+S3yGo6hdy39foP7c5vs=
+github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20250909143828-e33d35ffd64f/go.mod h1:Dv8qpmBIQy3Jv/EyQnOyc0w61X8vyfxpjcIQONP5CwY=
 github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20250818180001-057253e3d233 h1:1Kuny36wIpijE4RsFu8e+b0uUK8Gh0PgvlEVOOhG+uo=
 github.com/openstack-k8s-operators/keystone-operator/api v0.6.1-0.20250818180001-057253e3d233/go.mod h1:qevkmDP/Yr7FTM0ZVe2fABjSjrfkkdZkYeMho71OVG0=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20250730071847-837b07f8d72f h1:DW8aNjEtDFrWiZ6vWuOXwdRB4eBD0n+bA9foQkOEx6U=

templates/barbican/config/00-default.conf

@@ -25,6 +25,12 @@ interface = internal
 
 [oslo_messaging_notifications]
 driver=messagingv2
+{{ if (index . "QuorumQueues") -}}
+[oslo_messaging_rabbit]
+rabbit_quorum_queue=true
+rabbit_transient_quorum_queue=true
+amqp_durable_queues=true
+{{- end }}
 
 {{- if (index . "EnableSecureRBAC") }}
 [oslo_policy]

tests/functional/barbican_controller_test.go

@@ -859,6 +859,105 @@ var _ = Describe("Barbican controller", func() {
 		})
 	})
 
+	When("A Barbican with quorum queues is created", func() {
+		BeforeEach(func() {
+			DeferCleanup(k8sClient.Delete, ctx, infra.CreateTransportURLSecret(barbicanTest.Instance.Namespace, "rabbitmq-secret", true))
+			DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetDefaultBarbicanSpec()))
+			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanSecret(barbicanTest.Instance.Namespace, SecretName))
+
+			DeferCleanup(
+				mariadb.DeleteDBService,
+				mariadb.CreateDBService(
+					barbicanTest.Instance.Namespace,
+					GetBarbican(barbicanTest.Instance).Spec.DatabaseInstance,
+					corev1.ServiceSpec{
+						Ports: []corev1.ServicePort{{Port: 3306}},
+					},
+				),
+			)
+			infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL)
+			DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace))
+			mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount)
+			mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName)
+			th.SimulateJobSuccess(barbicanTest.BarbicanDBSync)
+		})
+
+		It("should configure quorum queues when enabled", func() {
+			cf := th.GetSecret(barbicanTest.BarbicanConfigSecret)
+			Expect(cf).ShouldNot(BeNil())
+			conf := string(cf.Data["00-default.conf"])
+			Expect(conf).To(ContainSubstring("rabbit_quorum_queue=true"))
+			Expect(conf).To(ContainSubstring("rabbit_transient_quorum_queue=true"))
+			Expect(conf).To(ContainSubstring("amqp_durable_queues=true"))
+			Expect(conf).To(ContainSubstring("[oslo_messaging_rabbit]"))
+		})
+	})
+
+	When("A Barbican starts with quorum queues disabled and then enables them", func() {
+		BeforeEach(func() {
+			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanMessageBusSecret(barbicanTest.Instance.Namespace, "rabbitmq-secret"))
+			DeferCleanup(th.DeleteInstance, CreateBarbican(barbicanTest.Instance, GetDefaultBarbicanSpec()))
+			DeferCleanup(k8sClient.Delete, ctx, CreateBarbicanSecret(barbicanTest.Instance.Namespace, SecretName))
+
+			DeferCleanup(
+				mariadb.DeleteDBService,
+				mariadb.CreateDBService(
+					barbicanTest.Instance.Namespace,
+					GetBarbican(barbicanTest.Instance).Spec.DatabaseInstance,
+					corev1.ServiceSpec{
+						Ports: []corev1.ServicePort{{Port: 3306}},
+					},
+				),
+			)
+			infra.SimulateTransportURLReady(barbicanTest.BarbicanTransportURL)
+			DeferCleanup(keystone.DeleteKeystoneAPI, keystone.CreateKeystoneAPI(barbicanTest.Instance.Namespace))
+			mariadb.SimulateMariaDBAccountCompleted(barbicanTest.BarbicanDatabaseAccount)
+			mariadb.SimulateMariaDBDatabaseCompleted(barbicanTest.BarbicanDatabaseName)
+			th.SimulateJobSuccess(barbicanTest.BarbicanDBSync)
+		})
+
+		It("should initially configure without quorum queues", func() {
+			cf := th.GetSecret(barbicanTest.BarbicanConfigSecret)
+			Expect(cf).ShouldNot(BeNil())
+			conf := string(cf.Data["00-default.conf"])
+			Expect(conf).ToNot(ContainSubstring("rabbit_quorum_queue=true"))
+			Expect(conf).ToNot(ContainSubstring("rabbit_transient_quorum_queue=true"))
+			Expect(conf).ToNot(ContainSubstring("amqp_durable_queues=true"))
+			Expect(conf).ToNot(ContainSubstring("[oslo_messaging_rabbit]"))
+		})
+
+		It("should configure quorum queues when enabled dynamically", func() {
+			// Initially verify quorum queues are disabled
+			cf := th.GetSecret(barbicanTest.BarbicanConfigSecret)
+			Expect(cf).ShouldNot(BeNil())
+			conf := string(cf.Data["00-default.conf"])
+			Expect(conf).ToNot(ContainSubstring("rabbit_quorum_queue=true"))
+
+			// Update the message bus secret to enable quorum queues
+			messageBusSecretName := types.NamespacedName{
+				Namespace: barbicanTest.Instance.Namespace,
+				Name:      "rabbitmq-secret",
+			}
+			messageBusSecret := th.GetSecret(messageBusSecretName)
+			Expect(messageBusSecret).ShouldNot(BeNil())
+
+			// Add the quorumqueues field to enable them
+			messageBusSecret.Data["quorumqueues"] = []byte("true")
+			Expect(k8sClient.Update(ctx, &messageBusSecret)).Should(Succeed())
+
+			// Wait for the configuration to be updated
+			Eventually(func(g Gomega) {
+				cf := th.GetSecret(barbicanTest.BarbicanConfigSecret)
+				g.Expect(cf).ShouldNot(BeNil())
+				conf := string(cf.Data["00-default.conf"])
+				g.Expect(conf).To(ContainSubstring("rabbit_quorum_queue=true"))
+				g.Expect(conf).To(ContainSubstring("rabbit_transient_quorum_queue=true"))
+				g.Expect(conf).To(ContainSubstring("amqp_durable_queues=true"))
+				g.Expect(conf).To(ContainSubstring("[oslo_messaging_rabbit]"))
+			}, timeout, interval).Should(Succeed())
+		})
+	})
+
 	When("A Barbican with pkcs11 plugin is created", func() {
 		BeforeEach(func() {
 			DeferCleanup(k8sClient.Delete, ctx, CreatePKCS11LoginSecret(barbicanTest.Instance.Namespace, PKCS11LoginSecret))