Current gap: the operator does not watch the Kubernetes Secrets referenced by ExternalDatabase.credentialsSecretRef. When credentials are rotated inside the Secret out-of-band, the user must manually bump the EDB spec (e.g. an annotation) to push fresh credentials to the aggregator. Implement: Watch on corev1.Secret, indexer 'Secret name -> []EDB', EnqueueRequestsFromMapFunc for Secret events. Reconcile pre-flight: hash credentials -> push to aggregator only on actual change to avoid noisy reconcile loops on irrelevant Secret updates. envtest coverage: Secret update triggers automatic reconcile and produces a fresh payload in the aggregator mock. RBAC: add 'secrets: list,watch' (only 'get' is granted today).
Parent: #452
Current gap: the operator does not watch the Kubernetes Secrets referenced by ExternalDatabase.credentialsSecretRef. When credentials are rotated inside the Secret out-of-band, the user must manually bump the EDB spec (e.g. an annotation) to push fresh credentials to the aggregator. Implement: Watch on corev1.Secret, indexer 'Secret name -> []EDB', EnqueueRequestsFromMapFunc for Secret events. Reconcile pre-flight: hash credentials -> push to aggregator only on actual change to avoid noisy reconcile loops on irrelevant Secret updates. envtest coverage: Secret update triggers automatic reconcile and produces a fresh payload in the aggregator mock. RBAC: add 'secrets: list,watch' (only 'get' is granted today).
Parent: #452