Skip to content

APIKey stuck in Failed state when secret is created after the APIKey #78

Description

@eguzki

Problem

When an APIKey is created before its referenced secret exists, the status controller sets the Failed condition with reason SecretNotFound. If the secret is subsequently created, the APIKey status remains permanently stuck in Failed — the condition is never re-evaluated.

This is because the APIKeyStatusReconciler only reacts to changes in APIKey, APIProduct, APIKeyRequest, APIKeyApproval, and HTTPRoute resources. No event from outside that set will trigger a re-reconciliation of the APIKey status.

The same issue applies to any other transient Failed condition whose root cause can resolve itself without touching any watched resource (e.g. the Kuadrant CR or APIProduct appearing after the APIKey was created).

Expected behavior

Once the condition that caused the Failed state is resolved, the APIKey status should be re-evaluated and updated to reflect the current state.

Alternatives to consider

  • Watch additional resources: trigger reconciliation when the missing resource (secret, Kuadrant CR, APIProduct) is created. This is reactive but may be impractical depending on scope and permission implications.
  • Periodic retry: re-queue APIKey resources that are in Failed state with an appropriate backoff, so recovery is eventually detected without relying on external watch events.

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions