From 8f1d826f0d23a92b86d032005401778567a58baa Mon Sep 17 00:00:00 2001
From: rabi <ramishra@redhat.com>
Date: Wed, 11 Mar 2026 08:35:14 +0530
Subject: [PATCH] Fix stale SecretHashes on nodeset status after node removal

When a node is removed from a nodeset and a full deployment
(no ServicesOverride) succeeds, overwrite the nodeset's
SecretHashes with the deployment's hashes instead of merging.
This drops stale TLS cert secret hash entries for the removed
node. Partial deployments (with ServicesOverride) continue to
merge additively to preserve hashes from other deployments.

Change-Id: I12abffa18af63b14630f80f5a0e6235158f4a9ef
Signed-off-by: rabi <ramishra@redhat.com>
---
 .../dataplane/openstackdataplanenodeset_controller.go          | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/internal/controller/dataplane/openstackdataplanenodeset_controller.go b/internal/controller/dataplane/openstackdataplanenodeset_controller.go
index b0f77ebac..c625a9335 100644
--- a/internal/controller/dataplane/openstackdataplanenodeset_controller.go
+++ b/internal/controller/dataplane/openstackdataplanenodeset_controller.go
@@ -592,6 +592,9 @@ func checkDeployment(ctx context.Context, helper *helper.Helper,
 			for k, v := range deployment.Status.ConfigMapHashes {
 				instance.Status.ConfigMapHashes[k] = v
 			}
+			if len(deployment.Spec.ServicesOverride) == 0 {
+				instance.Status.SecretHashes = make(map[string]string, len(deployment.Status.SecretHashes))
+			}
 			for k, v := range deployment.Status.SecretHashes {
 				instance.Status.SecretHashes[k] = v
 			}