Problem
When an APIKey is created before its referenced secret exists, the status controller sets the Failed condition with reason SecretNotFound. If the secret is subsequently created, the APIKey status remains permanently stuck in Failed — the condition is never re-evaluated.
This is because the APIKeyStatusReconciler only reacts to changes in APIKey, APIProduct, APIKeyRequest, APIKeyApproval, and HTTPRoute resources. No event from outside that set will trigger a re-reconciliation of the APIKey status.
The same issue applies to any other transient Failed condition whose root cause can resolve itself without touching any watched resource (e.g. the Kuadrant CR or APIProduct appearing after the APIKey was created).
Expected behavior
Once the condition that caused the Failed state is resolved, the APIKey status should be re-evaluated and updated to reflect the current state.
Alternatives to consider
- Watch additional resources: trigger reconciliation when the missing resource (secret, Kuadrant CR, APIProduct) is created. This is reactive but may be impractical depending on scope and permission implications.
- Periodic retry: re-queue
APIKey resources that are in Failed state with an appropriate backoff, so recovery is eventually detected without relying on external watch events.
Problem
When an
APIKeyis created before its referenced secret exists, the status controller sets theFailedcondition with reasonSecretNotFound. If the secret is subsequently created, theAPIKeystatus remains permanently stuck inFailed— the condition is never re-evaluated.This is because the
APIKeyStatusReconcileronly reacts to changes inAPIKey,APIProduct,APIKeyRequest,APIKeyApproval, andHTTPRouteresources. No event from outside that set will trigger a re-reconciliation of theAPIKeystatus.The same issue applies to any other transient
Failedcondition whose root cause can resolve itself without touching any watched resource (e.g. the Kuadrant CR or APIProduct appearing after theAPIKeywas created).Expected behavior
Once the condition that caused the
Failedstate is resolved, theAPIKeystatus should be re-evaluated and updated to reflect the current state.Alternatives to consider
APIKeyresources that are inFailedstate with an appropriate backoff, so recovery is eventually detected without relying on external watch events.