Rename TLSSecretMissing condition to TLSSecretsReady with positive type and negative status

myJamong · myJamong · commit 4968ab635d36 · 2026-03-09T17:49:21.000+09:00
diff --git a/e2e-tests/cert-management-policy/run b/e2e-tests/cert-management-policy/run
@@ -41,14 +41,14 @@ test_user_provided_only() {
 	fi
 	echo "PASS: operator did not recreate SSL secrets"
 
-	desc 'verify TLSSecretMissing status condition is set'
+	desc 'verify TLSSecretsReady condition is false'
 	local condition
-	condition=$(kubectl_bin get psmdb ${cluster} -o jsonpath='{.status.conditions[?(@.type=="TLSSecretMissing")].status}')
-	if [[ "$condition" != "True" ]]; then
-		echo "FAIL: TLSSecretMissing condition is not set (got: '$condition')"
+	condition=$(kubectl_bin get psmdb ${cluster} -o jsonpath='{.status.conditions[?(@.type=="TLSSecretsReady")].status}')
+	if [[ "$condition" != "False" ]]; then
+		echo "FAIL: TLSSecretsReady condition should be False (got: '$condition')"
 		exit 1
 	fi
-	echo "PASS: TLSSecretMissing condition is set"
+	echo "PASS: TLSSecretsReady condition is False"
 
 	desc 'verify pods are still running (no restart, skip cluster readiness check)'
 	wait_for_running $cluster-rs0 3 false
@@ -61,14 +61,14 @@ test_user_provided_only() {
 	sleep 10
 	wait_for_running $cluster-rs0 3
 
-	desc 'verify TLSSecretMissing condition is removed after secret restore'
+	desc 'verify TLSSecretsReady condition is true after secret restore'
 	local condition_after
-	condition_after=$(kubectl_bin get psmdb ${cluster} -o jsonpath='{.status.conditions[?(@.type=="TLSSecretMissing")].status}')
-	if [[ -n "$condition_after" ]]; then
-		echo "FAIL: TLSSecretMissing condition should be removed after secret restore (got: '$condition_after')"
+	condition_after=$(kubectl_bin get psmdb ${cluster} -o jsonpath='{.status.conditions[?(@.type=="TLSSecretsReady")].status}')
+	if [[ "$condition_after" != "True" ]]; then
+		echo "FAIL: TLSSecretsReady condition should be True after secret restore (got: '$condition_after')"
 		exit 1
 	fi
-	echo "PASS: TLSSecretMissing condition is removed after secret restore"
+	echo "PASS: TLSSecretsReady condition is True after secret restore"
 
 	desc 'cleanup cluster'
 	kubectl_bin delete psmdb $cluster
diff --git a/pkg/apis/psmdb/v1/psmdb_types.go b/pkg/apis/psmdb/v1/psmdb_types.go
@@ -385,7 +385,7 @@ const (
 
 	ConditionTypePBMReady AppState = "PBMReady"
 
-	ConditionTypeTLSSecretMissing AppState = "TLSSecretMissing"
+	ConditionTypeTLSSecretsReady AppState = "TLSSecretsReady"
 )
 
 type ClusterCondition struct {
diff --git a/pkg/controller/perconaservermongodb/psmdb_controller.go b/pkg/controller/perconaservermongodb/psmdb_controller.go
@@ -1637,8 +1637,8 @@ func (r *ReconcilePerconaServerMongoDB) sslAnnotation(ctx context.Context, cr *a
 			if isUserProvidedOnly {
 				logf.FromContext(ctx).Error(nil, "TLS secret not found, skipping annotation update since certManagementPolicy is userProvidedOnly", "secret", api.SSLSecretName(cr))
 				cr.Status.AddCondition(api.ClusterCondition{
-					Status:  api.ConditionTrue,
-					Type:    api.ConditionTypeTLSSecretMissing,
+					Status:  api.ConditionFalse,
+					Type:    api.ConditionTypeTLSSecretsReady,
 					Reason:  "TLSSecretNotFound",
 					Message: fmt.Sprintf("TLS secret %s is missing, certManagementPolicy is userProvidedOnly", api.SSLSecretName(cr)),
 				})
@@ -1663,8 +1663,8 @@ func (r *ReconcilePerconaServerMongoDB) sslAnnotation(ctx context.Context, cr *a
 			if isUserProvidedOnly {
 				logf.FromContext(ctx).Error(nil, "TLS secret not found, skipping annotation update since certManagementPolicy is userProvidedOnly", "secret", api.SSLInternalSecretName(cr))
 				cr.Status.AddCondition(api.ClusterCondition{
-					Status:  api.ConditionTrue,
-					Type:    api.ConditionTypeTLSSecretMissing,
+					Status:  api.ConditionFalse,
+					Type:    api.ConditionTypeTLSSecretsReady,
 					Reason:  "TLSSecretNotFound",
 					Message: fmt.Sprintf("TLS secret %s is missing, certManagementPolicy is userProvidedOnly", api.SSLInternalSecretName(cr)),
 				})
@@ -1676,7 +1676,10 @@ func (r *ReconcilePerconaServerMongoDB) sslAnnotation(ctx context.Context, cr *a
 	}
 	annotation["percona.com/ssl-internal-hash"] = getHash(sslInternalSecret)
 
-	cr.Status.RemoveCondition(api.ConditionTypeTLSSecretMissing)
+	cr.Status.AddCondition(api.ClusterCondition{
+		Status: api.ConditionTrue,
+		Type:   api.ConditionTypeTLSSecretsReady,
+	})
 
 	return annotation, nil
 }
diff --git a/pkg/controller/perconaservermongodb/ssl_test.go b/pkg/controller/perconaservermongodb/ssl_test.go
@@ -107,8 +107,8 @@ func TestSSLAnnotation_UserProvidedOnly_SecretMissing(t *testing.T) {
 	assert.Equal(t, "existing-hash", annotation["percona.com/ssl-hash"])
 	assert.Equal(t, "existing-internal-hash", annotation["percona.com/ssl-internal-hash"])
 
-	// Verify TLSSecretMissing condition is set
-	assert.True(t, cr.Status.IsStatusConditionTrue(api.ConditionTypeTLSSecretMissing))
+	// Verify TLSSecretsReady condition is false
+	assert.False(t, cr.Status.IsStatusConditionTrue(api.ConditionTypeTLSSecretsReady))
 }
 
 func TestSSLAnnotation_UserProvidedOnly_SecretPresent(t *testing.T) {
@@ -145,8 +145,8 @@ func TestSSLAnnotation_UserProvidedOnly_SecretPresent(t *testing.T) {
 	assert.NotEmpty(t, annotation["percona.com/ssl-hash"])
 	assert.NotEmpty(t, annotation["percona.com/ssl-internal-hash"])
 
-	// Verify TLSSecretMissing condition is NOT set
-	assert.False(t, cr.Status.IsStatusConditionTrue(api.ConditionTypeTLSSecretMissing))
+	// Verify TLSSecretsReady condition is true
+	assert.True(t, cr.Status.IsStatusConditionTrue(api.ConditionTypeTLSSecretsReady))
 }
 
 func TestSSLAnnotation_UserProvidedOnly_ConditionRemovedAfterRestore(t *testing.T) {
@@ -155,13 +155,13 @@ func TestSSLAnnotation_UserProvidedOnly_ConditionRemovedAfterRestore(t *testing.
 		CertManagementPolicy: api.CertManagementUserProvidedOnly,
 	}
 
-	// First call without secrets - condition should be set
+	// First call without secrets - TLSSecretsReady should be false
 	r := buildFakeClient(cr)
 	_, err := r.sslAnnotation(context.Background(), cr)
 	require.NoError(t, err)
-	assert.True(t, cr.Status.IsStatusConditionTrue(api.ConditionTypeTLSSecretMissing))
+	assert.False(t, cr.Status.IsStatusConditionTrue(api.ConditionTypeTLSSecretsReady))
 
-	// Now create secrets and call again - condition should be removed
+	// Now create secrets and call again - TLSSecretsReady should be true
 	sslSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:      "test-cluster-ssl",
@@ -186,7 +186,7 @@ func TestSSLAnnotation_UserProvidedOnly_ConditionRemovedAfterRestore(t *testing.
 	r2 := buildFakeClient(cr, sslSecret, sslInternalSecret)
 	_, err = r2.sslAnnotation(context.Background(), cr)
 	require.NoError(t, err)
-	assert.False(t, cr.Status.IsStatusConditionTrue(api.ConditionTypeTLSSecretMissing))
+	assert.True(t, cr.Status.IsStatusConditionTrue(api.ConditionTypeTLSSecretsReady))
 }
 
 func TestReconcileSSL_UserProvidedOnly_SkipsCertCreation(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -385,7 +385,7 @@ const (`
`385`	`385`
`386`	`386`	`ConditionTypePBMReady AppState = "PBMReady"`
`387`	`387`
`388`		`- ConditionTypeTLSSecretMissing AppState = "TLSSecretMissing"`
	`388`	`+ ConditionTypeTLSSecretsReady AppState = "TLSSecretsReady"`
`389`	`389`	`)`
`390`	`390`
`391`	`391`	`type ClusterCondition struct {`