

Merge pull request #3400 from dlmather/dmather/issue-3394/invalid-sec…
…ret-backend

Only attempt to delete bootstrap data secret if InsecureSkipSecretsManager isn't set
k8s-ci-robot authored Apr 12, 2022
2 parents f32e98d + d15f9bc commit 92600d5
Showing 2 changed files with 18 additions and 2 deletions.
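--- a/controllers/awsmachine_controller.go
+++ b/controllers/awsmachine_controller.go
@@ -733,8 +733,10 @@ func (r *AWSMachineReconciler) ignitionUserData(scope *scope.MachineScope, objec
 }
 
 func (r *AWSMachineReconciler) deleteBootstrapData(machineScope *scope.MachineScope, clusterScope cloud.ClusterScoper, objectStoreScope scope.S3Scope) error {
-if err := r.deleteEncryptedBootstrapDataSecret(machineScope, clusterScope); err != nil {
-return err
+if !machineScope.AWSMachine.Spec.CloudInit.InsecureSkipSecretsManager {
+if err := r.deleteEncryptedBootstrapDataSecret(machineScope, clusterScope); err != nil {
+return err
+}
 }
 
 if objectStoreScope != nil {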
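Review bot: The new `if !machineScope.AWSMachine.Spec.CloudInit.InsecureSkipSecretsManager` guard keys only off the current spec, so a machine whose bootstrap data was already pushed to the secrets backend before the flag was later set to true would now skip the cleanup on delete and leave that encrypted bootstrap data orphaned in the account. If the MachineScope records the prefix of the stored secret (this codebase has a `GetSecretPrefix()` accessor, if I recall correctly), consider still attempting the delete when it is non-empty, e.g. `if !machineScope.AWSMachine.Spec.CloudInit.InsecureSkipSecretsManager || machineScope.GetSecretPrefix() != "" {`. A one-line comment above the guard would also help the next reader, e.g. `// With InsecureSkipSecretsManager set, bootstrap data was never stored in a secrets backend, so skip the delete (and the backend client it would need).` deleteBootstrapData's body continues past the hunk.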
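--- a/controllers/awsmachine_controller_unit_test.go
+++ b/controllers/awsmachine_controller_unit_test.go
@@ -1079,6 +1079,20 @@ func TestAWSMachineReconciler(t *testing.T) {
 ec2Svc.EXPECT().TerminateInstanceAndWait(gomock.Any()).Return(nil).AnyTimes()
 _, _ = reconciler.reconcileDelete(ms, cs, cs, cs, cs)
 })
+t.Run("should not attempt to delete the secret if InsecureSkipSecretsManager is set on CloudInit", func(t *testing.T) {
+g := NewWithT(t)
+awsMachine := getAWSMachine()
+setup(t, g, awsMachine)
+defer teardown(t, g)
+setNodeRef(t, g)
+
+ms.AWSMachine.Spec.CloudInit.InsecureSkipSecretsManager = true
+
+secretSvc.EXPECT().Delete(gomock.Any()).Return(nil).Times(0)
+ec2Svc.EXPECT().TerminateInstanceAndWait(gomock.Any()).Return(nil).AnyTimes()
+
+_, _ = reconciler.reconcileDelete(ms, cs, cs, cs, cs)
+})
 })
 
 t.Run("Secrets management lifecycle when there's only a secret ARN and no node ref", func(t *testing.T) {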
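Review bot: The new subtest discards the result of `reconciler.reconcileDelete(ms, cs, cs, cs, cs)` with `_, _ =`, so it only shows that `Delete` is not called, not that deletion now completes without error, which is the behaviour the commit message says it is fixing. Capture and check the error: `_, err := reconciler.reconcileDelete(ms, cs, cs, cs, cs)` followed by `g.Expect(err).To(BeNil())`. The `Times(0)` expectation on `secretSvc.EXPECT().Delete(...)` is fine as the negative check, since the mock controller will fail the test on an unexpected call. The enclosing `t.Run` group and `TestAWSMachineReconciler` both start before this hunk.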
