fix: add restart annotation when TLS gateway secret name changes

[WentingWu666666]

Problem

When a user changes spec.tls.gateway.provided.secretName on an existing DocumentDB cluster, the operator updates the gatewayTLSSecret plugin parameter on the CNPG Cluster object but does not trigger a pod restart.

The sidecar injector mounts the TLS secret as a Kubernetes volume (SecretVolumeSource in sidecar-injector/internal/lifecycle/lifecycle.go), so changing the secret name requires pods to be recreated to mount the new secret. CNPG does not auto-restart pods for plugin parameter changes — only for PodSpec divergence like ImageVolume changes (see comment at documentdb_controller.go:867).

This means the gateway continues serving with the old TLS certificate until something else causes a pod restart.

Fix

Replace the documentdb.io/gateway-tls-rev annotation (which had no functional effect) with kubectl.kubernetes.io/restartedAt — the annotation CNPG watches to trigger rolling restarts. This is the same mechanism already used for gateway-only image updates (documentdb_controller.go:876).

The annotation is set in the same Update() call that writes the new plugin parameter, keeping it atomic.

Testing

• Added unit test: should add restart annotation when TLS secret name changes
• All 148 existing controller tests pass

Changes

• operator/src/internal/controller/documentdb_controller.go — Replace documentdb.io/gateway-tls-rev with kubectl.kubernetes.io/restartedAt when gatewayTLSSecret changes
• operator/src/internal/controller/documentdb_controller_test.go — Add test verifying restart annotation is set on TLS secret name change

[Copilot]

Pull request overview

This PR ensures a CNPG rolling restart is triggered when the configured gateway TLS Secret name changes, so gateway pods remount the new Secret volume and start serving the updated certificate.

Changes:

• Update CNPG Cluster plugin parameter gatewayTLSSecret and add a rolling-restart annotation when the TLS Secret name changes.
• Add a controller unit test that verifies the restart annotation is applied on TLS Secret changes.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
operator/src/internal/controller/documentdb_controller.go	Adds logic to force a CNPG rolling restart when gatewayTLSSecret changes.
operator/src/internal/controller/documentdb_controller_test.go	Adds a unit test asserting gatewayTLSSecret update and restart annotation behavior.

Comments suppressed due to low confidence (2)

operator/src/internal/controller/documentdb_controller.go:248

• If adding the restart annotation patch fails (marshal or Patch error), the reconciler still returns success and requeues. Because gatewayTLSSecret was already updated, the next reconcile will see no change and will not attempt to add the restart annotation again, leaving pods stuck mounting the old Secret. Treat patch failures as reconcile errors (or set kubectl.kubernetes.io/restartedAt on currentCnpgCluster.Annotations before the Update so it’s part of the same write) so the restart request is reliably applied.

	if slices.Contains(currentCnpgCluster.Status.InstancesStatus[cnpgv1.PodHealthy], currentCnpgCluster.Status.CurrentPrimary) && replicationContext.IsPrimary() {
		// Check if permissions have already been granted
		checkCommand := "SELECT 1 FROM pg_roles WHERE rolname = 'streaming_replica' AND pg_has_role('streaming_replica', 'documentdb_admin_role', 'USAGE');"
		output, err := r.SQLExecutor(ctx, currentCnpgCluster, checkCommand)
		if err != nil {
			logger.Error(err, "Failed to check if permissions already granted")
			return ctrl.Result{RequeueAfter: RequeueAfterLong}, nil

operator/src/internal/controller/documentdb_controller.go:240

• The restart-annotation patch construction here duplicates the same MergePatch logic used in upgradeDocumentDBIfNeeded (gateway-only update). Consider extracting a small helper to apply the rolling-restart annotation so future changes (annotation key, timestamp format, patch type, error handling) stay consistent across both call sites.

					return ctrl.Result{RequeueAfter: RequeueAfterShort}, nil
				} else {
					logger.Error(err, "Failed to update CNPG Cluster with TLS settings")
				}
			}
		}
	}