From 796c7fc7b8f2f4d45bf60ad5c6057b098d667b5b Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Thu, 2 Apr 2026 09:46:33 +0200
Subject: [PATCH] fix: do not make internal secrets immutable

---
 CHANGELOG.md                                    | 5 +++++
 rust/operator-binary/src/crd/internal_secret.rs | 5 ++++-
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2c62643c..91f3702b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,7 +6,12 @@
 
 - Document Helm deployed RBAC permissions and remove unnecessary permissions ([#767]).
 
+### Fixed
+
+- Do not make internal secrets immutable. Immutable secrets are cached and (accidental) deletes can render the cluster unusable ([#769]).
+
 - [#767]: https://github.com/stackabletech/airflow-operator/pull/767
+- [#769]: https://github.com/stackabletech/airflow-operator/pull/769
 
 ## [26.3.0] - 2026-03-16
 
diff --git a/rust/operator-binary/src/crd/internal_secret.rs b/rust/operator-binary/src/crd/internal_secret.rs
index ea6f54b1..33bf5b16 100644
--- a/rust/operator-binary/src/crd/internal_secret.rs
+++ b/rust/operator-binary/src/crd/internal_secret.rs
@@ -73,7 +73,10 @@ pub async fn create_random_secret(
     internal_secret.insert(secret_key.to_string(), get_random_base64(secret_byte_size)?);
 
     let secret = Secret {
-        immutable: Some(true),
+        // This secret used to be immutable but immutable secrets cannot be modified
+        // as they are heavily cached by Kubernetes.
+        // Different pods with different secrets will render the cluster unusable.
+        immutable: Some(false),
         metadata: ObjectMetaBuilder::new()
             .name(secret_name)
             .namespace_opt(airflow.namespace())