oadp-1.5: fix(controller): prevent NodeAgent restarts from ESO metadata updates

[kaovilai]

Fixes ESO-234: NodeAgent was restarting every ~30s when External Secrets
Operator managed the cloud-credentials secret. ESO's metadata-only updates
were triggering unnecessary DPA reconciliations.

Changes:

• Updated labelHandler.Update() to skip reconciliation for Secret objects
  when only metadata changes (ResourceVersion, annotations, etc.)
• Added comprehensive unit tests for labelHandler covering all scenarios
• Maintains backward compatibility for non-Secret resources

This prevents unnecessary NodeAgent daemonset updates while preserving
reconciliation for actual data or label changes.

🤖 Generated with Claude Code

Co-Authored-By: Claude noreply@anthropic.com

Why the changes were made

How to test the changes made

[kaovilai]

/cherry-pick oadp-dev

[openshift-cherrypick-robot]

@kaovilai: once the present PR merges, I will cherry-pick it on top of oadp-dev in a new PR and assign it to you.

Details

In response to this:

/cherry-pick oadp-dev

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[kaovilai]

/retest

[mpryc]

Why not to use predicate around line 158 and do the predicate:

return !equality.Semantic.DeepEqual(oldSecret.Data, newSecret.Data) ||
			!equality.Semantic.DeepEqual(oldSecret.StringData, newSecret.StringData) ||
			!equality.Semantic.DeepEqual(oldSecret.Labels, newSecret.Labels)

[kaovilai]

We only want this applied to secret watcher. The change is specific to secret. Doing secret type comparison for every reconcile when its not necessarily a secret event is imo not necessary.

Now if we didn't have labelHandler added to secret watch, perhaps it would be easier to modify existing "global" predicate.

Since we already have labelHandler, I rather scope it to that handler.

[kaovilai]

The semantic.deepequal is cool..

[weshayutin]

HOLD

[kaovilai]

we will still fix, wes don't want accidental merge during code-freeze. reopen later and/or new pr.

current change will go to oadp-dev

[openshift-ci]

@kaovilai: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[weshayutin]

thank you @kaovilai

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, shubham-pampattiwar, weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [kaovilai,shubham-pampattiwar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[shubham-pampattiwar]

/lgtm

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}