https://ferkakta.dev/tags/kopf/Recent content in Kopf on ferkakta.devHugoen-USCopyright fizz.Fri, 20 Feb 2026 12:00:00 -0500https://ferkakta.dev/kopf-operator-idempotency-three-layer-check/Fri, 20 Feb 2026 12:00:00 -0500https://ferkakta.dev/kopf-operator-idempotency-three-layer-check/<p>Our tenant operator provisions databases, cache users, and credentials for each tenant in a multi-tenant SaaS platform. PostgreSQL roles on shared RDS, ElastiCache RBAC users, SSM parameters with generated passwords. It worked exactly once per tenant. The second time it ran, it regenerated every password and overwrote every SSM parameter. Running services holding the old credentials immediately lost their database and cache connections.</p> <p>This was the blocker for auto-deploy.</p> <h2 id="every-deploy-was-a-coordinated-outage">Every deploy was a coordinated outage</h2> <p>The orchestrator runs <code>terraform apply</code> for each tenant on every deploy. Terraform reconciles the Tenant CRD, which fires Kopf&rsquo;s <code>on_tenant_create</code> handler. The handler doesn&rsquo;t distinguish between &ldquo;new tenant&rdquo; and &ldquo;existing tenant whose CRD was re-applied.&rdquo; It generates fresh passwords, creates new PostgreSQL roles (which fail because the role exists, or worse, succeed and orphan the old one), and overwrites SSM parameters with credentials that no running pod knows about.</p>