diff --git a/controllers/awsmachine_controller.go b/controllers/awsmachine_controller.go
index 7178c7d4d6..7c57be3f2a 100644
--- a/controllers/awsmachine_controller.go
+++ b/controllers/awsmachine_controller.go
@@ -733,8 +733,10 @@ func (r *AWSMachineReconciler) ignitionUserData(scope *scope.MachineScope, objec
 }
 
 func (r *AWSMachineReconciler) deleteBootstrapData(machineScope *scope.MachineScope, clusterScope cloud.ClusterScoper, objectStoreScope scope.S3Scope) error {
-	if err := r.deleteEncryptedBootstrapDataSecret(machineScope, clusterScope); err != nil {
-		return err
+	if !machineScope.AWSMachine.Spec.CloudInit.InsecureSkipSecretsManager {
+		if err := r.deleteEncryptedBootstrapDataSecret(machineScope, clusterScope); err != nil {
+			return err
+		}
 	}
 
 	if objectStoreScope != nil {
diff --git a/controllers/awsmachine_controller_unit_test.go b/controllers/awsmachine_controller_unit_test.go
index 3ebea82996..0cf6729841 100644
--- a/controllers/awsmachine_controller_unit_test.go
+++ b/controllers/awsmachine_controller_unit_test.go
@@ -1079,6 +1079,20 @@ func TestAWSMachineReconciler(t *testing.T) {
 				ec2Svc.EXPECT().TerminateInstanceAndWait(gomock.Any()).Return(nil).AnyTimes()
 				_, _ = reconciler.reconcileDelete(ms, cs, cs, cs, cs)
 			})
+			t.Run("should not attempt to delete the secret if InsecureSkipSecretsManager is set on CloudInit", func(t *testing.T) {
+				g := NewWithT(t)
+				awsMachine := getAWSMachine()
+				setup(t, g, awsMachine)
+				defer teardown(t, g)
+				setNodeRef(t, g)
+
+				ms.AWSMachine.Spec.CloudInit.InsecureSkipSecretsManager = true
+
+				secretSvc.EXPECT().Delete(gomock.Any()).Return(nil).Times(0)
+				ec2Svc.EXPECT().TerminateInstanceAndWait(gomock.Any()).Return(nil).AnyTimes()
+
+				_, _ = reconciler.reconcileDelete(ms, cs, cs, cs, cs)
+			})
 		})
 		t.Run("Secrets management lifecycle when there's only a secret ARN and no node ref", func(t *testing.T) {
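Review bot: The new guard in deleteBootstrapData decides whether to clean up the Secrets Manager secret from the spec flag alone, not from whether a secret was actually recorded for this machine; if the machine's status still references a secret (for example one written before the flag was set, assuming the field is not enforced immutable by a webhook), that bootstrap data would now be left behind in Secrets Manager on delete. Consider keying the skip on the recorded secret state in addition to the flag, or document why the flag is sufficient with a comment above the new `if`, e.g. `// When InsecureSkipSecretsManager is set, no Secrets Manager secret is created for this machine, so there is nothing to delete.` The hunk shows only the start of deleteBootstrapData; the S3/object-store branch and the rest of the body continue outside it.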
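Review bot: The new test case only asserts that `secretSvc.Delete` is never called; because `TerminateInstanceAndWait` is `AnyTimes()` and the result of `reconciler.reconcileDelete(ms, cs, cs, cs, cs)` is discarded with `_, _ =`, the test would also pass if reconcileDelete returned early with an error before terminating the instance. Tightening it to `_, err := reconciler.reconcileDelete(ms, cs, cs, cs, cs)` followed by `g.Expect(err).To(BeNil())`, or using `.Times(1)` on the terminate expectation, would pin that the skip only affects secret cleanup. The `Return(nil)` on a `Times(0)` expectation is dead and can be dropped. This matches the style of the sibling cases above it, which also discard the return values.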