From e1cb34259f01c1cd15587ded01075a933724132a Mon Sep 17 00:00:00 2001
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com>
Date: Thu, 2 Apr 2026 09:30:53 +0200
Subject: [PATCH] fix: do not recreate immutable secrets with different values

---
 CHANGELOG.md                           | 6 ++++++
 rust/operator-binary/src/controller.rs | 5 ++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 47d2bf5c..bf4428b5 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## [Unreleased]
 
+### Fixed
+
+- Do not make internal secrets immutable. Immutable secrets are cached and (accidental) deletes can render the cluster unusable ([#875]).
+
+[#875]: https://github.com/stackabletech/trino-operator/pull/875
+
 ## [26.3.0] - 2026-03-16
 
 ## [26.3.0-rc1] - 2026-03-16
diff --git a/rust/operator-binary/src/controller.rs b/rust/operator-binary/src/controller.rs
index 33acaa97..db31fc2b 100644
--- a/rust/operator-binary/src/controller.rs
+++ b/rust/operator-binary/src/controller.rs
@@ -1536,7 +1536,10 @@ async fn create_random_secret(
     internal_secret.insert(secret_key.to_string(), get_random_base64(secret_byte_size));
 
     let secret = Secret {
-        immutable: Some(true),
+        // This secret used to be immutable but immutable secrets cannot be modified
+        // as they are heavily cached by Kubernetes.
+        // Different pods with different secrets will render the cluster unusable.
+        immutable: Some(false),
         metadata: ObjectMetaBuilder::new()
             .name(secret_name)
             .namespace_opt(trino.namespace())