From 640af1a04a6aac6072d0bfa361e48f1366ad68cf Mon Sep 17 00:00:00 2001
From: Anders Stigaard
Date: Wed, 1 Apr 2026 12:38:53 +0200
Subject: [PATCH 1/2] no panic, no error, if no UserCredentialHandler in config
---
 cmd/main.go | 10 ++++++----
 internal/controller/styra/system_controller.go | 5 +++++
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/cmd/main.go b/cmd/main.go
index fb4b3f8b..9b67c54d 100644
--- a/cmd/main.go
+++ b/cmd/main.go
@@ -176,10 +176,12 @@ func main() {
 ocpHostURL := strings.TrimSuffix(ctrlConfig.OPAControlPlaneConfig.Address, "/")
 opaControlPlaneClient = ocp.New(ocpHostURL, ctrlConfig.OPAControlPlaneConfig.Token)
- s3Client, err = s3.NewClient(*ctrlConfig.UserCredentialHandler.S3)
- if err != nil {
- log.Error(err, "unable to create S3 client")
- exit(err)
+ if ctrlConfig.UserCredentialHandler != nil && ctrlConfig.UserCredentialHandler.S3 != nil {
+ s3Client, err = s3.NewClient(*ctrlConfig.UserCredentialHandler.S3)
+ if err != nil {
+ log.Error(err, "unable to create S3 client")
+ exit(err)
+ }
 }
 }
diff --git a/internal/controller/styra/system_controller.go b/internal/controller/styra/system_controller.go
index 6be49041..b792b42d 100644
--- a/internal/controller/styra/system_controller.go
+++ b/internal/controller/styra/system_controller.go
@@ -745,6 +745,11 @@ func (r *SystemReconciler) reconcileS3Credentials(
 uniqueName string,
 secretName string,
 ) (s3.Credentials, ctrl.Result, error) {
+ if r.Config.UserCredentialHandler == nil || r.Config.UserCredentialHandler.S3 == nil {
+ log.Info("No UserCredentialHandler configured, returning empty S3 credentials")
+ return s3.Credentials{}, ctrl.Result{}, nil
+ }
+
 s3Credentials := s3.Credentials{}
 s3Credentials.Region = r.Config.UserCredentialHandler.S3.Region
 s3Credentials.AccessKeyID = fmt.Sprintf("Access-Key-%s-%s", r.Config.UserCredentialHandler.S3.Bucket, uniqueName)
From 16296d79eb5d5724c089fd447b1b3bd1306ee922 Mon Sep 17 00:00:00 2001
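Review bot: In the `cmd/main.go` hunk, when `ctrlConfig.UserCredentialHandler` or its `S3` field is nil the new guard skips S3 client creation without any log line, so a mistyped or partially filled config section disables credential handling silently. An `else` branch with something like `log.Info("UserCredentialHandler.S3 not configured, S3 credential handling disabled")` would show at startup which mode the controller runs in. A handler block that is present but lacks an `S3` section is treated the same as no handler at all; if that combination is a configuration mistake rather than a supported mode, it should fail startup instead. `s3Client` keeps whatever value it had before this block (its declaration and its consumers are outside the hunk), so every consumer has to tolerate an unset client.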
From: Anders Stigaard
Date: Fri, 10 Apr 2026 09:16:15 +0200
Subject: [PATCH 2/2] Dont create empty secret
---
 internal/controller/styra/system_controller.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/internal/controller/styra/system_controller.go b/internal/controller/styra/system_controller.go
index b792b42d..c2ea33a5 100644
--- a/internal/controller/styra/system_controller.go
+++ b/internal/controller/styra/system_controller.go
@@ -628,6 +628,11 @@ func (r *SystemReconciler) reconcileOPASecret(
 ) (ctrl.Result, bool, error) {
 log.Info("Reconciling OPA secret")
+ if r.Config.UserCredentialHandler == nil || r.Config.UserCredentialHandler.S3 == nil {
+ log.Info("No UserCredentialHandler configured, don't create secret")
+ return ctrl.Result{}, false, nil
+ }
+
 reconcileS3CredentialsStart := time.Now()
 s3CredentialsRead, result, err := r.reconcileS3Credentials(
 ctx, log, system, uniqueName, secretName)
@@ -745,11 +750,6 @@ func (r *SystemReconciler) reconcileS3Credentials(
 uniqueName string,
 secretName string,
 ) (s3.Credentials, ctrl.Result, error) {
- if r.Config.UserCredentialHandler == nil || r.Config.UserCredentialHandler.S3 == nil {
- log.Info("No UserCredentialHandler configured, returning empty S3 credentials")
- return s3.Credentials{}, ctrl.Result{}, nil
- }
-
 s3Credentials := s3.Credentials{}
 s3Credentials.Region = r.Config.UserCredentialHandler.S3.Region
 s3Credentials.AccessKeyID = fmt.Sprintf("Access-Key-%s-%s", r.Config.UserCredentialHandler.S3.Bucket, uniqueName)
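Review bot: The early return added to `reconcileOPASecret` leaves any secret created by an earlier reconcile in place, so if the S3 handler is later removed from the config, the previously written secret (presumably holding the S3 access key) stays in the cluster. Cleanup may happen elsewhere, since the function body continues outside the hunk; if it does not, delete the controller-owned secret before returning, or at least log that one still exists. The guard now lives only in this caller: the `@@ -745` hunk removes it from `reconcileS3Credentials`, which dereferences `r.Config.UserCredentialHandler.S3` unguarded again, so a comment there such as `// Callers must ensure r.Config.UserCredentialHandler.S3 is non-nil.` would protect a future second caller from the nil-pointer panic. The message reads "No UserCredentialHandler configured" even when only `S3` is nil, and it is logged at Info on every reconcile; `log.V(1).Info("UserCredentialHandler.S3 not configured, skipping OPA secret")` would be more accurate and quieter, assuming `log` is a logr.Logger.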