From 0b9e1deac0b01356724cb10f343655d89ba5fc01 Mon Sep 17 00:00:00 2001
From: Vlad Gusev <vlad.esten@gmail.com>
Date: Wed, 23 Oct 2024 17:47:10 +0300
Subject: [PATCH] K8SPXC-1462 Restart PXC pods only if sidecars have secrets

---
 pkg/apis/pxc/v1/pxc_types.go           | 29 ++++++++++++++++++++++++++
 pkg/controller/pxc/users.go            |  7 ++++++-
 pkg/controller/pxc/users_without_dp.go |  7 ++++++-
 3 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/pkg/apis/pxc/v1/pxc_types.go b/pkg/apis/pxc/v1/pxc_types.go
index dc895f52f..7136d3d80 100644
--- a/pkg/apis/pxc/v1/pxc_types.go
+++ b/pkg/apis/pxc/v1/pxc_types.go
@@ -484,6 +484,35 @@ type PodSpec struct {
 	TopologySpreadConstraints    []corev1.TopologySpreadConstraint `json:"topologySpreadConstraints,omitempty"`
 }
 
+func (spec *PodSpec) HasSidecarInternalSecret(secret *corev1.Secret) bool {
+	if spec.Sidecars != nil {
+		for _, container := range spec.Sidecars {
+			for _, env := range container.Env {
+				if env.ValueFrom != nil && env.ValueFrom.SecretKeyRef != nil {
+					if env.ValueFrom.SecretKeyRef.Name == secret.Name {
+						return true
+					}
+				}
+			}
+		}
+	}
+	if spec.SidecarVolumes != nil {
+		for _, volume := range spec.SidecarVolumes {
+			if volume.Secret != nil && volume.Secret.SecretName == secret.Name {
+				return true
+			}
+			if volume.Projected != nil {
+				for _, source := range volume.Projected.Sources {
+					if source.Secret != nil && source.Secret.Name == secret.Name {
+						return true
+					}
+				}
+			}
+		}
+	}
+	return false
+}
+
 type ProxySQLSpec struct {
 	PodSpec `json:",inline"`
 	Expose  ServiceExpose `json:"expose,omitempty"`
diff --git a/pkg/controller/pxc/users.go b/pkg/controller/pxc/users.go
index c527c7330..f2d5ef266 100644
--- a/pkg/controller/pxc/users.go
+++ b/pkg/controller/pxc/users.go
@@ -472,7 +472,12 @@ func (r *ReconcilePerconaXtraDBCluster) handleMonitorUser(ctx context.Context, c
 		}
 
 		actions.restartProxySQL = true
-		actions.restartPXC = true
+		if cr.Spec.PMM != nil && cr.Spec.PMM.IsEnabled(internalSecrets) {
+			actions.restartPXC = true
+		}
+		if cr.Spec.PXC.Sidecars != nil && cr.Spec.PXC.HasSidecarInternalSecret(internalSecrets) {
+			actions.restartPXC = true
+		}
 
 		err = r.discardOldPassword(cr, secrets, internalSecrets, user)
 		if err != nil {
diff --git a/pkg/controller/pxc/users_without_dp.go b/pkg/controller/pxc/users_without_dp.go
index 1c0ff972a..381d9979f 100644
--- a/pkg/controller/pxc/users_without_dp.go
+++ b/pkg/controller/pxc/users_without_dp.go
@@ -246,7 +246,12 @@ func (r *ReconcilePerconaXtraDBCluster) handleMonitorUserWithoutDP(ctx context.C
 	actions.restartHAProxy = true
 
 	actions.restartProxySQL = true
-	actions.restartPXC = true
+	if cr.Spec.PMM != nil && cr.Spec.PMM.IsEnabled(internalSecrets) {
+		actions.restartPXC = true
+	}
+	if cr.Spec.PXC.Sidecars != nil && cr.Spec.PXC.HasSidecarInternalSecret(internalSecrets) {
+		actions.restartPXC = true
+	}
 
 	orig := internalSecrets.DeepCopy()
 	internalSecrets.Data[user.Name] = secrets.Data[user.Name]