Fix TaskSpawner Deployment not updated when secret type changes #440

Merged
gjkim42 merged 1 commit into main from axon-task-439
Feb 26, 2026

@axon-agent axon-agent bot commented Feb 26, 2026

Summary

  • Watch Secret and Workspace changes: Added Watches for Secret and Workspace resources in SetupWithManager using handler.EnqueueRequestsFromMapFunc, so that the TaskSpawner controller is reconciled when the underlying secret data or workspace spec changes (e.g. switching from PAT to GitHub App credentials or vice versa).
  • Sync full pod template in updateDeployment(): Extended the drift detection to also compare and sync InitContainers, Volumes, and VolumeMounts on the main container. Previously only Image, Args, and Env were checked, so switching auth modes left the Deployment stale.
  • Add missing RBAC marker: Added +kubebuilder:rbac annotation for workspaces on the TaskSpawner controller, which was missing despite the controller already fetching Workspace resources.

Test plan

Unit tests (internal/controller/taskspawner_deployment_builder_test.go)

  • TestUpdateDeployment_PATToGitHubApp: Verifies switching from PAT to GitHub App adds the token-refresher init container, volumes, and volume mounts
  • TestUpdateDeployment_GitHubAppToPAT: Verifies switching back removes init containers, volumes, and volume mounts
  • TestFindTaskSpawnersForSecret: Verifies the Secret mapper correctly maps Secret → Workspace → TaskSpawner
  • TestFindTaskSpawnersForWorkspace: Verifies the Workspace mapper correctly maps Workspace → TaskSpawner

Integration tests (test/integration/taskspawner_test.go)

  • PAT → GitHub App: Updating secret data from PAT to GitHub App credentials triggers reconciliation via the Secret watch, and the Deployment gains a token-refresher init container, volumes, and volume mounts

  • GitHub App → PAT: The reverse path removes the sidecar configuration

  • Workspace secretRef change: Updating the workspace to point to a different secret triggers reconciliation via the Workspace watch and updates the Deployment accordingly

  • All existing tests pass (make test)

  • All verification checks pass (make verify)

  • All integration tests pass (make test-integration)

Fixes #439

🤖 Generated with Claude Code
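
The drift check described in the summary above, as an added example that is not code from this pull request or the project. It models the pod template with simplified stand-in types (`Container`, `PodTemplate`, `drifted`, and the image, argument and volume names are assumptions) and shows that comparing only Image, Args and Env misses a PAT to GitHub App switch, while also comparing init containers, volumes and volume mounts catches it.

```go
package main

import (
	"fmt"
	"reflect"
)

// Simplified stand-ins for the pod template fields named in the summary (assumed shapes, not corev1 types).
type Container struct {
	Name, Image  string
	Args, Mounts []string
	Env          map[string]string
}
type PodTemplate struct {
	Init    []Container
	Volumes []string
	Main    Container
}

// eq treats nil and empty collections as equal, so a defaulted object does not look drifted forever.
func eq(a, b interface{}) bool {
	if reflect.ValueOf(a).Len() == 0 && reflect.ValueOf(b).Len() == 0 {
		return true
	}
	return reflect.DeepEqual(a, b)
}

// drifted reports whether cur differs from want; full=false is the old Image/Args/Env-only check.
func drifted(cur, want PodTemplate, full bool) bool {
	d := cur.Main.Image != want.Main.Image || !eq(cur.Main.Args, want.Main.Args) || !eq(cur.Main.Env, want.Main.Env)
	return d || full && (!eq(cur.Init, want.Init) || !eq(cur.Volumes, want.Volumes) ||
		!eq(cur.Main.Mounts, want.Main.Mounts))
}

// Constructed desired templates; image, argument and volume names are placeholders.
func patTemplate() PodTemplate {
	return PodTemplate{Main: Container{Name: "spawner", Image: "spawner:v1", Args: []string{"--poll"}}}
}
func githubAppTemplate() PodTemplate {
	t := patTemplate()
	t.Init = []Container{{Name: "token-refresher", Image: "refresher:v1", Mounts: []string{"token"}}}
	t.Volumes, t.Main.Mounts = []string{"token"}, []string{"token"}
	return t
}

func main() {
	cur, want := patTemplate(), githubAppTemplate()
	fmt.Println("old check:", drifted(cur, want, false), "full check:", drifted(cur, want, true))
}
```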

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 2 files

@gjkim42 gjkim42 (Collaborator) left a comment

add tests for this

gjkim42 (Collaborator) commented Feb 26, 2026

/reset-worker

gjkim42 (Collaborator) commented Feb 26, 2026

/reset-worker

@gjkim42 gjkim42 (Collaborator) left a comment

p0: add tests. You don't have to add an extra commit, but just commit amend

gjkim42 (Collaborator) commented Feb 26, 2026

/reset-worker

@gjkim42 gjkim42 added the priority/important-soon, triage-accepted and kind/bug labels Feb 26, 2026
@github-actions github-actions bot removed the needs-priority, needs-triage and needs-kind labels Feb 26, 2026

@gjkim42 gjkim42 (Collaborator) left a comment

Add integration tests as well
/reset-worker

@gjkim42 gjkim42 (Collaborator) left a comment

Lgtm
/squash-commits

@gjkim42 gjkim42 added this pull request to the merge queue Feb 26, 2026
Merged via the queue into main with commit dde114f Feb 26, 2026
6 checks passed
@gjkim42 gjkim42 deleted the axon-task-439 branch February 26, 2026 21:26

Development

Successfully merging this pull request may close these issues.

TaskSpawner Deployment not updated when Workspace secret type changes
