Fix- Update Docdb storage logic (issue #1178)

[ngelman1]

This PR fixes issue #1178
The issue was that the DocDB watcher in Tekton Chains did not reliably detect changes to the storage.docdb.mongo-server-url-dir path because it was matching fsnotify events only on exact file names (slices.Contains), but when a secret rotates, only the symlink changes. This prevented the backend from being reconfigured when Kubernetes rotated mounted secrets, since fsnotify emits events on the underlying symlinked directories rather than the exact watched filename.

Motivation

Kubernetes secrets are updated by creating new timestamped directories and atomically switching a ..data symlink rather than modifying the file path in place. The old watcher logic used exact name matching, so fsnotify events for these symlinked paths were ignored, resulting in missed reconfiguration and broken behavior for the DocDB storage backend. With prefix matching, fsnotify events inside the watched directory are detected properly.

Changes

• Updated watcher logic in WatchBackend to use prefix matching (strings.HasPrefix) instead of exact path containment for filtering fsnotify events on watched paths.

• Re-enabled the previously commented test in TestWatchBackend to verify that updates to MongoServerURLDir are watched and trigger backend reconfiguration.

• Added critical case to the TestBackend_StorePayload function to test the PATH scenario, to assure it gets the highest priority

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs included if any changes are user facing
• Has Tests included if any functionality added or changed
• Follows the commit message standard
• Meets the Tekton contributor standards (including
  functionality, content, code)
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
• Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Fixed DocDB backend watcher to correctly detect file system changes under MongoServerURLDir, enabling reliable secret rotation support without requiring restarts.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: ngelman1 / name: Naomi Gelman (55f0357)

[anithapriyanatarajan]

/kind bug

[anithapriyanatarajan]

@ngelman1 - Thanks for the PR! A few thoughts:

On HasPrefix approach: Though it might capture additional events and retrigger backend configuration updates unlike contains, I am ok to merge this PR since it's still a safe option. The key benefit is reliability over efficiency.

On test flakiness: The main concern for test failures based on fsnotify events would be timing - specifically, the delay between the secret edit and the test assertion. If we observe further flakiness in the tests, it could be due to delays in fsnotify events when a file change is identified. In that case, we should introduce a minimal number of retries before the test asserts as failed.

Let us monitor the issue #1178 for a few more days and then close.

Would it be possible to include a MongoDB-based storage tutorial as a separate PR to the docs section. Please refer to the gist for reference

[anithapriyanatarajan]

/approve
/lgtm

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: anithapriyanatarajan

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [anithapriyanatarajan]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment