Update Kubernetes Secret synchronization logic (#650)

Author: arybolovlev

.changes/unreleased/ENHANCEMENTS-650-20251028-125628.yaml

@@ -0,0 +1,5 @@
+kind: ENHANCEMENTS
+body: '`AgentPool`: Update Kubernetes Secret synchronization to perform batch updates at the end of agent token reconciliation, reducing API calls and preventing race conditions.'
+time: 2025-10-28T12:56:28.082375+01:00
+custom:
+    PR: "650"

internal/controller/agentpool_controller.go

@@ -68,7 +68,7 @@ func (r *AgentPoolReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		return requeueAfter(requeueInterval)
 	}
 
-	if a, ok := ap.instance.GetAnnotations()[annotationPaused]; ok && a == annotationTrue {
+	if a, ok := ap.instance.GetAnnotations()[annotationPaused]; ok && a == metaTrue {
 		ap.log.Info("Agent Pool Controller", "msg", "reconciliation is paused for this resource")
 		return doNotRequeue()
 	}

internal/controller/agentpool_controller_deletion_policy.go

@@ -72,10 +72,7 @@ func (r *AgentPoolReconciler) deleteAgentPool(ctx context.Context, ap *agentPool
 					ap.log.Error(err, "Reconcile Agent Pool", "msg", fmt.Sprintf("failed to remove token %s", t.ID))
 					return err
 				}
-				err = r.removeToken(ctx, ap, t.ID)
-				if err != nil {
-					return err
-				}
+				ap.deleteTokenStatus(t.ID)
 			}
 			ap.log.Info("Reconcile Agent Pool", "msg", "successfully deleted tokens")
 		}

internal/controller/agentpool_controller_tokens.go

@@ -6,6 +6,7 @@ package controller
 import (
 	"context"
 	"fmt"
+	"slices"
 
 	tfc "github.com/hashicorp/go-tfe"
 	corev1 "k8s.io/api/core/v1"
@@ -16,7 +17,6 @@ import (
 
 	appv1alpha2 "github.com/hashicorp/hcp-terraform-operator/api/v1alpha2"
 	"github.com/hashicorp/hcp-terraform-operator/internal/pointer"
-	"github.com/hashicorp/hcp-terraform-operator/internal/slice"
 )
 
 func (ap *agentPoolInstance) getTokens(ctx context.Context) (map[string]string, error) {
@@ -33,86 +33,32 @@ func (ap *agentPoolInstance) getTokens(ctx context.Context) (map[string]string,
 	return tokens, nil
 }
 
-func (r *AgentPoolReconciler) createToken(ctx context.Context, ap *agentPoolInstance, token string) error {
-	nn := getAgentPoolNamespacedName(&ap.instance)
+func (r *AgentPoolReconciler) createToken(ctx context.Context, ap *agentPoolInstance, token string) (*tfc.AgentToken, error) {
+	// nn := getAgentPoolNamespacedName(&ap.instance)
 	ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("creating a new agent token %q", token))
-	at, err := ap.tfClient.Client.AgentTokens.Create(ctx, ap.instance.Status.AgentPoolID, tfc.AgentTokenCreateOptions{
+	t, err := ap.tfClient.Client.AgentTokens.Create(ctx, ap.instance.Status.AgentPoolID, tfc.AgentTokenCreateOptions{
 		Description: &token,
 	})
 	if err != nil {
 		ap.log.Error(err, "Reconcile Agent Tokens", "msg", fmt.Sprintf("failed to create a new token %q", token))
-		return err
-	}
-	ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("successfully created a new agent token %q %q", token, at.ID))
-	// UPDATE SECRET
-	s := &corev1.Secret{}
-	ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("update Kubernets Secret %q with token %q", s.Name, token))
-	if err := r.Client.Get(ctx, nn, s); err != nil {
-		ap.log.Error(err, "Reconcile Agent Tokens", "msg", fmt.Sprintf("failed to get Kubernets Secret %q", s.Name))
-		return err
-	}
-	d := make(map[string][]byte)
-	if s.Data != nil {
-		d = s.DeepCopy().Data
-	}
-	d[at.Description] = []byte(at.Token)
-	_, err = controllerutil.CreateOrUpdate(ctx, r.Client, s, func() error {
-		s.Data = d
-		s.Labels = map[string]string{
-			"agentPoolID": ap.instance.Status.AgentPoolID,
-		}
-		return nil
-	})
-	if err != nil {
-		ap.log.Error(err, "Reconcile Agent Tokens", "msg", fmt.Sprintf("failed to update Kubernets Secret %q with token %q", s.Name, token))
-		return err
+		return nil, err
 	}
-	ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("successfully updated Kubernets Secret %q with token %q", s.Name, token))
+	ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("successfully created a new agent token %q %q", token, t.ID))
 
 	ap.instance.Status.AgentTokens = append(ap.instance.Status.AgentTokens, &appv1alpha2.AgentAPIToken{
-		Name:       at.Description,
-		ID:         at.ID,
-		CreatedAt:  pointer.PointerOf(at.CreatedAt.Unix()),
-		LastUsedAt: pointer.PointerOf(at.LastUsedAt.Unix()),
+		Name:       t.Description,
+		ID:         t.ID,
+		CreatedAt:  pointer.PointerOf(t.CreatedAt.Unix()),
+		LastUsedAt: pointer.PointerOf(t.LastUsedAt.Unix()),
 	})
 
-	return nil
+	return t, nil
 }
 
-func (r *AgentPoolReconciler) removeToken(ctx context.Context, ap *agentPoolInstance, tokenID string) error {
-	nn := getAgentPoolNamespacedName(&ap.instance)
-	for i, token := range ap.instance.Status.AgentTokens {
-		if token.ID == tokenID {
-			// UPDATE SECRET
-			s := &corev1.Secret{}
-			ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("remove token %q from Kubernets Secret %q", tokenID, nn.Name))
-			if err := r.Client.Get(ctx, nn, s); err != nil {
-				ap.log.Error(err, "Reconcile Agent Tokens", "msg", fmt.Sprintf("failed to get Kubernets Secret %q", nn.Name))
-				return err
-			}
-			d := make(map[string][]byte)
-			if s.Data != nil {
-				d = s.DeepCopy().Data
-			}
-			delete(d, token.Name)
-			_, err := controllerutil.CreateOrUpdate(ctx, r.Client, s, func() error {
-				s.Data = d
-				s.Labels = map[string]string{
-					"agentPoolID": ap.instance.Status.AgentPoolID,
-				}
-				return nil
-			})
-			if err != nil {
-				ap.log.Error(err, "Reconcile Agent Tokens", "msg", fmt.Sprintf("failed to remove token %q from Kubernets Secret %q", tokenID, s.Name))
-				return err
-			}
-			ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("successfully removed token %q from Kubernets Secret %q", tokenID, s.Name))
-			// UPDATE STATUS
-			ap.instance.Status.AgentTokens = slice.RemoveFromSlice(ap.instance.Status.AgentTokens, i)
-			return nil
-		}
-	}
-	return nil
+func (ap *agentPoolInstance) deleteTokenStatus(id string) {
+	ap.instance.Status.AgentTokens = slices.DeleteFunc(ap.instance.Status.AgentTokens, func(vs *appv1alpha2.AgentAPIToken) bool {
+		return vs.ID == id
+	})
 }
 
 func agentPoolOutputObjectName(name string) string {
@@ -126,7 +72,7 @@ func getAgentPoolNamespacedName(instance *appv1alpha2.AgentPool) types.Namespace
 	}
 }
 
-func (r *AgentPoolReconciler) createSecret(ctx context.Context, ap *agentPoolInstance) error {
+func (r *AgentPoolReconciler) createOrGetSecret(ctx context.Context, ap *agentPoolInstance) (*corev1.Secret, error) {
 	s := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      agentPoolOutputObjectName(ap.instance.Name),
@@ -138,32 +84,56 @@ func (r *AgentPoolReconciler) createSecret(ctx context.Context, ap *agentPoolIns
 	}
 	if err := controllerutil.SetControllerReference(&ap.instance, s, r.Scheme); err != nil {
 		ap.log.Error(err, "Reconcile Agent Tokens", "msg", "failed to set controller reference")
-		return err
+		return nil, err
 	}
 	if err := r.Client.Get(ctx, getAgentPoolNamespacedName(&ap.instance), s); err != nil {
 		if errors.IsNotFound(err) {
 			ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("creating a new Kubernetes Secret %q", s.Name))
 			if err = r.Client.Create(ctx, s); err != nil {
 				ap.log.Error(err, "Reconcile Agent Tokens", "msg", fmt.Sprintf("failed to create a new Kubernetes Secret %q", s.Name))
-				return err
+				return nil, err
 			}
 			ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("successfully created a new Kubernetes Secret %q", s.Name))
-			return nil
+			return s, nil
 		}
 		ap.log.Error(err, "Reconcile Agent Tokens", "msg", fmt.Sprintf("failed to get Kubernetes Secret %q", s.Name))
-		return err
+		return nil, err
 	}
 
-	return nil
+	return s, nil
+}
+
+func deleteSecretKey(s *corev1.Secret, key string) {
+	delete(s.Data, key)
+	if s.Labels == nil {
+		return
+	}
+	s.Labels[labelHasChanged] = metaTrue
+}
+
+func setSecretKey(s *corev1.Secret, key, value string) {
+	s.Data[key] = []byte(value)
+	if s.Labels == nil {
+		return
+	}
+	s.Labels[labelHasChanged] = metaTrue
 }
 
 func (r *AgentPoolReconciler) reconcileAgentTokens(ctx context.Context, ap *agentPoolInstance) error {
 	ap.log.Info("Reconcile Agent Tokens", "msg", "new reconciliation event")
 
-	if err := r.createSecret(ctx, ap); err != nil {
+	s, err := r.createOrGetSecret(ctx, ap)
+	if err != nil {
 		ap.log.Error(err, "Reconcile Agent Tokens", "msg", fmt.Sprintf("failed to create a new Kubernetes Secret %s", agentPoolOutputObjectName(ap.instance.Name)))
 		return err
 	}
+	if s.Data == nil {
+		s.Data = make(map[string][]byte)
+	}
+	if s.Labels == nil {
+		s.Labels = make(map[string]string)
+	}
+	s.Labels[labelHasChanged] = metaFalse
 
 	agentTokens, err := ap.getTokens(ctx)
 	if err != nil {
@@ -176,39 +146,60 @@ func (r *AgentPoolReconciler) reconcileAgentTokens(ctx context.Context, ap *agen
 	}
 
 	for _, token := range ap.instance.Spec.AgentTokens {
-		if tokenID, ok := statusTokens[token.Name]; ok {
+		if id, ok := statusTokens[token.Name]; ok {
 			delete(statusTokens, token.Name)
-			if _, ok := agentTokens[tokenID]; ok {
-				delete(agentTokens, tokenID)
+			if _, ok := agentTokens[id]; ok {
+				delete(agentTokens, id)
 				continue
 			}
-			if err := r.removeToken(ctx, ap, tokenID); err != nil {
-				return err
-			}
+			deleteSecretKey(s, token.Name)
+			ap.deleteTokenStatus(id)
 		}
-		if err := r.createToken(ctx, ap, token.Name); err != nil {
+		t, err := r.createToken(ctx, ap, token.Name)
+		if err != nil {
 			return err
 		}
+		setSecretKey(s, t.Description, t.Token)
 	}
 
 	// Clean up.
-	for _, tokenID := range statusTokens {
-		if err := r.removeToken(ctx, ap, tokenID); err != nil {
-			return err
-		}
+	for name, id := range statusTokens {
+		deleteSecretKey(s, name)
+		ap.deleteTokenStatus(id)
 	}
 
-	for tokenID := range agentTokens {
-		ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("removing agent token %q", tokenID))
-		err := ap.tfClient.Client.AgentTokens.Delete(ctx, tokenID)
+	for id, name := range agentTokens {
+		ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("removing agent token name=%q id=%q", name, id))
+		err := ap.tfClient.Client.AgentTokens.Delete(ctx, id)
 		if err != nil && err != tfc.ErrResourceNotFound {
-			ap.log.Error(err, "Reconcile Agent Tokens", "msg", fmt.Sprintf("failed to remove agent token %q", tokenID))
-			return err
-		}
-		if err := r.removeToken(ctx, ap, tokenID); err != nil {
+			ap.log.Error(err, "Reconcile Agent Tokens", "msg", fmt.Sprintf("failed to remove agent token name=%q id=%q", name, id))
 			return err
 		}
+		deleteSecretKey(s, name)
+		ap.deleteTokenStatus(id)
 	}
 
+	// Use defer to ensure the Secret is always updated, even if token creation or deletion fails.
+	// This reduces the number of (Kubernetes) API calls and preserves the intermediate token state,
+	// minimizing unnecessary updates during retries.
+	defer func() {
+		// Handle unexpected nil Secret, e.g. failed to retrieve it (should not happen here).
+		if s == nil {
+			return
+		}
+		// Do not update if there are no changes.
+		if s.GetLabels()[labelHasChanged] == metaFalse {
+			delete(s.Labels, labelHasChanged)
+			ap.log.Info("Reconcile Agent Tokens", "msg", "no changes detected in Kubernetes Secret")
+			return
+		}
+		delete(s.Labels, labelHasChanged)
+		ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("updating Kubernetes Secret %q", s.Name))
+		if err := r.Client.Update(ctx, s); err != nil {
+			ap.log.Error(err, "Reconcile Agent Tokens", "msg", fmt.Sprintf("failed to update Kubernetes Secret %q", s.Name))
+		}
+		ap.log.Info("Reconcile Agent Tokens", "msg", fmt.Sprintf("successfully updated Kubernetes Secret %q", s.Name))
+	}()
+
 	return nil
 }

internal/controller/agenttoken_controller_test.go

@@ -92,7 +92,7 @@ var _ = Describe("AgentToken Controller", Ordered, func() {
 		It("should successfully manage tokens with merge policy", func() {
 			// CREATE AGENT POOL WITH ONE TOKEN
 			pool := createAgentPoolWithToken(poolName)
-			// CREATE KUBERNETS ITEM
+			// CREATE KUBERNETES ITEM
 			instance.Spec.AgentPool = appv1alpha2.AgentPoolRef{
 				ID: pool.ID,
 			}
@@ -126,7 +126,7 @@ var _ = Describe("AgentToken Controller", Ordered, func() {
 		It("should successfully manage tokens with owner policy", func() {
 			// CREATE AGENT POOL WITH ONE TOKEN
 			pool := createAgentPoolWithToken(poolName)
-			// CREATE KUBERNETS ITEM
+			// CREATE KUBERNETES ITEM
 			instance.Spec.AgentPool = appv1alpha2.AgentPoolRef{
 				ID: pool.ID,
 			}

internal/controller/consts.go

@@ -10,12 +10,14 @@ import (
 // SHARED CONSTANTS
 const (
 	annotationPaused = "app.terraform.io/paused"
-	annotationTrue   = "true"
-	annotationFalse  = "false"
-	initPageNumber   = 1
-	maxPageSize      = 100
-	requeueInterval  = 15 * time.Second
-	runMessage       = "Triggered by HCP Terraform Operator"
+	labelHasChanged  = "app.terraform.io/has-changed"
+	metaTrue         = "true"
+	metaFalse        = "false"
+
+	initPageNumber  = 1
+	maxPageSize     = 100
+	requeueInterval = 15 * time.Second
+	runMessage      = "Triggered by HCP Terraform Operator"
 )
 
 // AGENT POOL CONTROLLER'S CONSTANTS

internal/controller/module_controller.go

@@ -83,7 +83,7 @@ func (r *ModuleReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 		return requeueAfter(requeueInterval)
 	}
 
-	if a, ok := m.instance.GetAnnotations()[annotationPaused]; ok && a == annotationTrue {
+	if a, ok := m.instance.GetAnnotations()[annotationPaused]; ok && a == metaTrue {
 		m.log.Info("Module Controller", "msg", "reconciliation is paused for this resource")
 		return doNotRequeue()
 	}

internal/controller/predicates.go

@@ -81,7 +81,7 @@ func workspacePredicates() predicate.Predicate {
 			}
 			// Validate if a certain annotation persists in a new object and does not match the old one.
 			// In that case, it is a new or updated annotation and we need to trigger a reconciliation cycle.
-			if a, ok := e.ObjectNew.GetAnnotations()[workspaceAnnotationRunNew]; ok && a == annotationTrue {
+			if a, ok := e.ObjectNew.GetAnnotations()[workspaceAnnotationRunNew]; ok && a == metaTrue {
 				return true
 			}
 

internal/controller/project_controller.go

@@ -65,7 +65,7 @@ func (r *ProjectReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ct
 		return requeueAfter(requeueInterval)
 	}
 
-	if a, ok := p.instance.GetAnnotations()[annotationPaused]; ok && a == annotationTrue {
+	if a, ok := p.instance.GetAnnotations()[annotationPaused]; ok && a == metaTrue {
 		p.log.Info("Project Controller", "msg", "reconciliation is paused for this resource")
 		return doNotRequeue()
 	}

internal/controller/runscollector_controller.go

@@ -105,7 +105,7 @@ func (r *RunsCollectorReconciler) Reconcile(ctx context.Context, req ctrl.Reques
 		return doNotRequeue()
 	}
 
-	if a, ok := rc.instance.GetAnnotations()[annotationPaused]; ok && a == annotationTrue {
+	if a, ok := rc.instance.GetAnnotations()[annotationPaused]; ok && a == metaTrue {
 		rc.log.Info("Runs Collector Controller", "msg", "reconciliation is paused for this resource")
 		return doNotRequeue()
 	}