
feat: Add type in ACL Secret#117

Merged
jdheyburn merged 2 commits into
valkey-io:mainfrom
deepakpunjabi:feat/type-acl-secret
Mar 27, 2026

Conversation

@deepakpunjabi
Contributor

Currently, valkeycluster_controller watches over all secrets to which it has access. As the current default deployment manifests provide access via a ClusterRole, this can end up watching over thousands of secrets in production Kubernetes clusters.

```
...
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "bootstrap-signer-token-6sqwv"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "cloud-controller-manager-token-2pfcm"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "root-ca-cert-publisher-token-95fzk"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "openebs-lvm-node-sa-token-664mh"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "secret-scorpius-admin-password"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "gatekeeper-admin-token-tsjmn"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "disruption-controller-token-2qv7b"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "persistent-volume-binder-token-5g867"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "service-account-controller-token-dndbn"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "token-cleaner-token-xjtrl"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "node-problem-detector-sa-token-8lxmp"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "sh.helm.release.v1.aerospike-workload-ns.v4"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "default-token-dbljw"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "kubernetes-dashboard-key-holder"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "legacy-service-account-token-cleaner-token-tbn92"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "sh.helm.release.v1.aerospike-workload-ns.v5"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "cert-manager-webhook-ca"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "lb-csi-node-sa-token-db8xm"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "argocd-manager-token"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "endpoint-controller-token-vrx4z"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "pvc-protection-controller-token-k5kdl"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "sh.helm.release.v1.aerospike-workload-ns.v1"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "sh.helm.release.v1.aerospike-workload-ns.v2"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "csi-driver-jwt"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "default-token-rfhfc"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "default-token-tk8sv"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "default-token-l8fx2"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "default-token-v4z8q"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "service-cidrs-controller-token-ml852"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "authn-secret"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "cert-manager-token-sg62j"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "default-token-l4tjt"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "default-token-x9nmh"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "default-token-pv4kk"}
2026-03-18T11:12:34+05:30	DEBUG	findReferencedClusters	{"modified": "gatekeeper-webhook-server-cert-pods"}
...
```

Apart from that, this forces the controller to do busy work that is not relevant to the controller's goals.

This PR adds a secret type `valkey.io/acl` so that only secrets of interest are reconciled, addressing the above concerns. This can also be used for future filtering and validation use cases.

Signed-off-by: Deepak Punjabi <deepakpunjabi13@gmail.com>
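As an added example (not code from this PR or from the operator itself), a stdlib-only Go sketch of the two halves of the change: the controller creates its ACL secret with `Type: valkey.io/acl`, and a watch predicate drops every secret event that does not carry that type, so the service-account tokens, Helm release records and TLS secrets seen in the debug log above never reach the reconciler. The `Secret` struct, the secret name `valkey-cluster-acl` and the sample data are constructed stand-ins for `corev1.Secret`.

```go
package main

import "fmt"

// ACLSecretType is the secret type introduced by this PR; the real operator
// would use a corev1.SecretType constant with this value.
const ACLSecretType = "valkey.io/acl"

// Secret is a stdlib-only stand-in for corev1.Secret (an assumption made so
// this example runs without the Kubernetes client libraries).
type Secret struct {
	Namespace string
	Name      string
	Type      string
	Data      map[string][]byte
}

// IsACLSecret is the watch predicate: only secrets carrying the ACL type
// reach the reconciler. In controller-runtime the same check would be wrapped
// with predicate.NewPredicateFuncs(func(o client.Object) bool { ... }).
func IsACLSecret(s Secret) bool {
	return s.Type == ACLSecretType
}

// NewACLSecret builds the secret reconcileUsersAcl() is expected to create;
// setting Type here is what lets the predicate above recognise it later.
func NewACLSecret(namespace, name string, data map[string][]byte) Secret {
	return Secret{Namespace: namespace, Name: name, Type: ACLSecretType, Data: data}
}

// FilterEvents applies the predicate to a batch of secret events and returns
// the namespace/name keys the controller would actually enqueue.
func FilterEvents(events []Secret) []string {
	var keep []string
	for _, s := range events {
		if IsACLSecret(s) {
			keep = append(keep, s.Namespace+"/"+s.Name)
		}
	}
	return keep
}

func main() {
	// Constructed sample: names mirror unrelated secrets from the debug log.
	events := []Secret{
		{Namespace: "kube-system", Name: "default-token-dbljw", Type: "kubernetes.io/service-account-token"},
		{Namespace: "cert-manager", Name: "cert-manager-webhook-ca", Type: "kubernetes.io/tls"},
		{Namespace: "default", Name: "sh.helm.release.v1.aerospike-workload-ns.v4", Type: "helm.sh/release.v1"},
		NewACLSecret("valkey", "valkey-cluster-acl", map[string][]byte{"users.acl": []byte("user app on ~* +@read")}),
	}
	fmt.Println(FilterEvents(events)) // [valkey/valkey-cluster-acl]
}
```

A Secret's `type` field is immutable in Kubernetes, so ACL secrets created before this change keep their old type and are filtered out until they are recreated with `valkey.io/acl`.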
@jdheyburn
Collaborator

Thanks for raising this! I think it makes complete sense. Is it possible to introduce a test for this?

@deepakpunjabi
Contributor Author

> Thanks for raising this! I think it makes complete sense. Is it possible to introduce a test for this?

My bad. Added a test validating reconcileUsersAcl(): the controller should create the secret with the correct type.

Locally tested/validated:

```
go test ./...
ok      valkey.io/valkey-operator/api/v1alpha1  (cached)
?       valkey.io/valkey-operator/cmd   [no test files]
ok      valkey.io/valkey-operator/internal/controller   (cached)
ok      valkey.io/valkey-operator/internal/valkey       (cached)
?       valkey.io/valkey-operator/test/utils    [no test files]
```

Contributor

@utdrmac utdrmac left a comment


Nice job!

Collaborator

@jdheyburn jdheyburn left a comment


Thank you!

@jdheyburn jdheyburn merged commit 6b6047f into valkey-io:main Mar 27, 2026
7 checks passed