Add reconciliation logic for NooBaa with external PostgreSQL for secret creation

[anisurrahman75]

Explaining the PR

When creating a NooBaa instance that references an external PostgreSQL secret, the secret may not exist at the time of creation. This change ensures that once the external secret is created, the NooBaa system receives a reconciliation request to process it accordingly.

Summary by CodeRabbit

• New Features

  • The system now watches Kubernetes Secrets referenced by NooBaa external Postgres settings and triggers reconciliation when those Secrets change, ensuring credential/config updates are applied.
  • RPC messages now enqueue a rate-limited reconcile for the NooBaa system so external events prompt timely refreshes and state convergence.

• Chores

  • Added .idea/ to .gitignore to exclude IDE project files from version control.

[coderabbitai]

Walkthrough

Adds a Secret watch to the NooBaa controller that maps Secret events to NooBaa reconcile requests, a utility to obtain/normalize a NooBaa external Postgres Secret reference, a mapping function to find NooBaa resources referencing a Secret, and RPC handling that enqueues a NooBaa system reconcile on each message.

Changes

Cohort / File(s)	Change Summary
Controller: Secret watch & RPC enqueue pkg/controller/noobaa/noobaa_controller.go	Added a watch for Secret resources that maps Secret events to NooBaa reconcile requests via system.MapSecretToNooBaa using logEventsPredicate; wires an EnqueueRequestsFromMapFunc handler and returns an error on watch setup failure. Updated global RPC handler to push a rate-limited reconcile.Request (NooBaa system NamespacedName) into notificationSource on each RPC message.
System: Secret-to-NooBaa Mapping pkg/system/system.go	Added exported MapSecretToNooBaa(types.NamespacedName) []reconcile.Request which lists NooBaa resources in the secret's namespace and returns reconcile requests for those whose external Postgres secret matches the provided Secret name. Returns nil on list errors.
Util: External Secret Reference Helper pkg/util/util.go	Added exported GetNooBaaExternalPgSecret(*nbv1.NooBaa) *corev1.SecretReference to construct/normalize the external Postgres SecretReference, defaulting namespace to the NooBaa resource's namespace when unset; returns nil when no external secret is configured.
Repository metadata .gitignore	Added .idea/ to .gitignore.

Sequence Diagram(s)

sequenceDiagram
    participant K8sAPI as K8s API Server
    participant Controller as NooBaa Controller
    participant System as system.MapSecretToNooBaa
    participant NooBaa as NooBaa CRs
    participant RPC as Global RPC handler
    participant Queue as notificationSource (rate-limited)

    K8sAPI->>Controller: Secret event (create/update/delete)
    Controller->>System: MapSecretToNooBaa(NamespacedName)
    System->>NooBaa: List NooBaa in namespace
    NooBaa-->>System: Return NooBaa list
    System->>Controller: Return matching reconcile.Requests
    Controller->>Controller: Enqueue reconciliations for matched NooBaa resources

    Note right of RPC: Separate RPC-triggered enqueue
    RPC->>Queue: Push reconcile.Request(NooBaa system NamespacedName)
    Queue->>Controller: Trigger reconciliation (rate-limited)

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2dbc98b and a522323.

📒 Files selected for processing (4)

• .gitignore (1 hunks)
• pkg/controller/noobaa/noobaa_controller.go (1 hunks)
• pkg/system/system.go (1 hunks)
• pkg/util/util.go (1 hunks)

✅ Files skipped from review due to trivial changes (1)

• .gitignore

🚧 Files skipped from review as they are similar to previous changes (3)

• pkg/util/util.go
• pkg/system/system.go
• pkg/controller/noobaa/noobaa_controller.go

Pre-merge checks (2 passed, 1 warning)

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description Check	⚠️ Warning	The current description gives a correct high-level summary aligned with the PR objectives but does not follow the repository template: it omits the "Issues: Fixed #xxx / Gap #xxx" section, the "Testing Instructions" section, and the required checklist for docs/tests. Because those required template sections are missing, the description is incomplete for repository standards and for reviewers to validate testing and linkage to issues.	Update the PR body to use the provided template: expand "Explain the changes" with a short list of key file changes and behavior, add any related issue numbers under "Issues" (or state none), and fill "Testing Instructions" with concrete steps to reproduce and verify the behavior plus mark the doc/tests checkboxes.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title is concise and directly reflects the main change — adding reconciliation logic so NooBaa reacts when an external PostgreSQL secret is created; this matches the changes in the diff (secret watch, MapSecretToNooBaa, util helper, and controller wiring). The phrasing is specific and readable for teammates scanning history.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

✨ Finishing touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (2)

pkg/system/system.go (2)

1297-1298: Fix inconsistent comment.

The comment mentions "backingstores" but the function is clearly designed to map secrets to NooBaa resources, not backing stores.

-// MapSecretToBackingStores returns a list of backingstores that uses the secret in their secretReference
-// used by backingstore_controller to watch secrets changes
+// MapSecretToNooBaa returns a list of NooBaa resources that reference the secret as their external Postgres secret
+// used by noobaa_controller to watch secret changes

---

1306-1306: Fix grammatical error in log message.

-		log.Infof("Could not found NooBaa in namespace %q, while trying to find NooBaa that uses %s secret", secret.Namespace, secret.Name)
+		log.Infof("Could not find NooBaa resources in namespace %q, while trying to find NooBaa that uses %s secret", secret.Namespace, secret.Name)

📜 Review details

Configuration used: .coderabbit.yaml
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e52237f and c642a9c.

📒 Files selected for processing (3)

• pkg/controller/noobaa/noobaa_controller.go (1 hunks)
• pkg/system/system.go (1 hunks)
• pkg/util/util.go (1 hunks)

🧰 Additional context used

🧠 Learnings (1)

📓 Common learnings

Learnt from: Neon-White
PR: noobaa/noobaa-operator#1587
File: pkg/system/reconciler.go:287-291
Timestamp: 2025-07-14T10:59:21.959Z
Learning: NooBaa operator design constraint: Multiple NooBaa instances are not supported in the same namespace, only across different namespaces. This means hard-coded resource names like ConfigMaps are acceptable within a namespace scope.

🔇 Additional comments (2)

pkg/controller/noobaa/noobaa_controller.go (1)

138-147: LGTM! Well-integrated Secret watch implementation.

The Secret watch implementation follows the established pattern used by other resource watches in this controller:

• Uses EnqueueRequestsFromMapFunc handler pattern consistent with the StorageClass watch
• Properly extracts the secret's namespaced name and delegates to system.MapSecretToNooBaa
• Applies logging predicate consistently with other watches
• Includes proper error handling

This enables the NooBaa controller to react to changes in external PostgreSQL secrets, supporting the PR objective of reconciliation logic for external secret creation.

pkg/system/system.go (1)

1312-1324: LGTM! Core logic is well implemented.

The function correctly:

• Iterates through NooBaa resources in the namespace
• Uses the utility function to get external Postgres secret references
• Handles nil checks appropriately
• Matches secret names accurately
• Builds proper reconcile requests

This will enable the controller to properly trigger reconciliation when external Postgres secrets are created or updated.

[nimrod-becker]

@dannyzaken @jackyalbo

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

pkg/system/system.go (1)

1297-1299: Fix misleading doc comment (mentions BackingStores and wrong controller).

This exported function maps Secrets to NooBaa reconciles, not BackingStores. Update the comment so godoc and readers don’t get misled.

-// MapSecretToBackingStores returns a list of backingstores that uses the secret in their secretReference
-// used by backingstore_controller to watch secrets changes
-//
+// MapSecretToNooBaa maps a Secret event to NooBaa reconciliations.
+// It returns requests for NooBaa CRs whose Spec.ExternalPgSecret matches the Secret.
+// Used by the NooBaa controller's Secret watch.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between c642a9c and 2a09666.

📒 Files selected for processing (3)

• pkg/controller/noobaa/noobaa_controller.go (1 hunks)
• pkg/system/system.go (1 hunks)
• pkg/util/util.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• pkg/util/util.go
• pkg/controller/noobaa/noobaa_controller.go

🧰 Additional context used

🧬 Code graph analysis (1)

pkg/system/system.go (2)

pkg/util/util.go (3)

• Logger (902-904)
• KubeList (645-666)
• GetNooBaaExternalPgSecret (1866-1875)

pkg/apis/noobaa/v1alpha1/noobaa_types.go (1)

• NooBaaList (59-70)

[anisurrahman75]

@dannyzaken, Brother, can you review this PR?

[dannyzaken]

Hi @anisurrahman75, thanks for your PR!

Can you please open an issue that explains the problem this PR is resolving? Please put a reference to the issue in the Pr description.