rabbitmq · Martinif · Oct 23, 2024 · Oct 31, 2024
diff --git a/api/v1beta1/user_types.go b/api/v1beta1/user_types.go
@@ -37,6 +37,10 @@ type UserSpec struct {
 	//
 	// Note that this import only occurs at creation time, and is ignored once a password has been set on a User.
 	ImportCredentialsSecret *corev1.LocalObjectReference `json:"importCredentialsSecret,omitempty"`
+	// Feature flag to always regenerate the `-user-credentials` Secret from the ImportCredentialsSecret.
+	// Defaults to false if omitted.
+	// +kubebuilder:validation:Optional
+	AutoUpdateCredentialsSecret bool `json:"autoUpdateCredentialsSecret,omitempty"`
 }
 
 // UserStatus defines the observed state of User.

diff --git a/config/crd/bases/rabbitmq.com_users.yaml b/config/crd/bases/rabbitmq.com_users.yaml
@@ -41,6 +41,11 @@ spec:
           spec:
             description: Spec configures the desired state of the User object.
             properties:
+              autoUpdateCredentialsSecret:
+                description: |-
+                  Feature flag to always regenerate the `-user-credentials` Secret from the ImportCredentialsSecret.
+                  Defaults to false if omitted.
+                type: boolean
               importCredentialsSecret:
                 description: |-
                   Defines a Secret containing the credentials for the User. If this field is omitted, random a username and

diff --git a/controllers/user_controller.go b/controllers/user_controller.go
@@ -98,6 +98,7 @@ func (r *UserReconciler) declareCredentials(ctx context.Context, user *topology.
 			for i := range credentialSecret.ObjectMeta.OwnerReferences {
 				credentialSecret.ObjectMeta.OwnerReferences[i].BlockOwnerDeletion = ptr.To(false)
 			}
+			credentialSecret.Data = credentialSecretData
 			return nil
 		})
 		return apiError
@@ -188,7 +189,7 @@ func (r *UserReconciler) setUserStatus(ctx context.Context, user *topology.User,
 func (r *UserReconciler) DeclareFunc(ctx context.Context, client rabbitmqclient.Client, obj topology.TopologyResource) error {
 	logger := ctrl.LoggerFrom(ctx)
 	user := obj.(*topology.User)
-	if user.Status.Credentials == nil || user.Status.Username == "" {
+	if user.Status.Credentials == nil || user.Status.Username == "" || user.Spec.AutoUpdateCredentialsSecret {
 		var username string
 		if user.Status.Credentials != nil && user.Status.Username == "" {
 			// Only run once for migration to set user.Status.Username on existing resources
@@ -198,7 +199,7 @@ func (r *UserReconciler) DeclareFunc(ctx context.Context, client rabbitmqclient.
 			}
 			username = string(credentials.Data["username"])
 		} else {
-			logger.Info("User does not yet have a Credentials Secret; generating", "user", user.Name)
+			logger.Info("User does not yet have a Credentials Secret or AutoUpdateCredentialsSecret is enabled; generating Credentials Secret", "user", user.Name)
 			var err error
 			if username, err = r.declareCredentials(ctx, user); err != nil {
 				return err

diff --git a/docs/api/rabbitmq.com.ref.asciidoc b/docs/api/rabbitmq.com.ref.asciidoc
@@ -1422,6 +1422,8 @@ password will be generated. The Secret must have the following keys in its Data
 
 
 Note that this import only occurs at creation time, and is ignored once a password has been set on a User.
+| *`autoUpdateCredentialsSecret`* __boolean__ | Feature flag to always regenerate the `-user-credentials` Secret from the ImportCredentialsSecret.
+Defaults to false if omitted.
 |===
-Original file line number
+Diff line change
@@ Expand Up @@
     Note that this import only occurs at creation time, and is ignored once a password has been set on a User.
+    | *`autoUpdateCredentialsSecret`* __boolean__ | Feature flag to always regenerate the `-user-credentials` Secret from the ImportCredentialsSecret.
+    Defaults to false if omitted.
     |===
@@ Expand Down @@