diff --git a/controllers/helpers.go b/controllers/helpers.go
index c7a2003f2a3..7e2136b3a6c 100644
--- a/controllers/helpers.go
+++ b/controllers/helpers.go
@@ -457,7 +457,7 @@ func reconcileAzureSecret(ctx context.Context, log logr.Logger, kubeclient clien
 tag, exists := old.Labels[clusterName]
- if exists && tag != string(infrav1.ResourceLifecycleOwned) {
+ if !exists || tag != string(infrav1.ResourceLifecycleOwned) {
 log.V(2).Info("returning early from json reconcile, user provided secret already exists")
 return nil
 }
diff --git a/controllers/helpers_test.go b/controllers/helpers_test.go
index 4494c02e490..75662ab5420 100644
--- a/controllers/helpers_test.go
+++ b/controllers/helpers_test.go
@@ -188,9 +188,11 @@ func TestReconcileAzureSecret(t *testing.T) {
 g := NewWithT(t)
 cases := map[string]struct {
- kind string
- apiVersion string
- ownerName string
+ kind string
+ apiVersion string
+ ownerName string
+ existingSecret *corev1.Secret
+ expectedNoChange bool
 }{
 "azuremachine should reconcile secret successfully": {
 kind: "AzureMachine",
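Review bot: The new condition makes the `ResourceLifecycleOwned` label the sole gate on whether this controller overwrites an existing secret's contents, and nothing in the hunk records that contract, so a later edit could easily drift back to the old clobbering behaviour; add above the check `// Only overwrite secrets this controller created (labelled ResourceLifecycleOwned under the cluster name); any other pre-existing secret is user-supplied and must be left intact, including one with no labels at all.` Indexing `old.Labels` when the map is nil is safe in Go and yields exists == false, so the unlabelled case is covered by `!exists`. The early-return log on the following line names neither the secret nor its namespace, and this branch is the one that keeps the controller away from user data; assuming `old` is a *corev1.Secret, consider appending `"secret", old.Name, "namespace", old.Namespace` as key/value pairs so the decision is traceable in the controller log. reconcileAzureSecret starts before the hunk and continues after it.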
@@ -207,6 +209,52 @@ func TestReconcileAzureSecret(t *testing.T) {
 apiVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
 ownerName: "azureMachineTemplateName",
 },
+ "should not replace the content of the pre-existing unowned secret": {
+ kind: "AzureMachine",
+ apiVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+ ownerName: "azureMachineName",
+ existingSecret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "azureMachineName-azure-json",
+ Namespace: "default",
+ Labels: map[string]string{"testCluster": "foo"},
+ },
+ Data: map[string][]byte{
+ "azure.json": []byte("foobar"),
+ },
+ },
+ expectedNoChange: true,
+ },
+ "should not replace the content of the pre-existing unowned secret without the label": {
+ kind: "AzureMachine",
+ apiVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+ ownerName: "azureMachineName",
+ existingSecret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "azureMachineName-azure-json",
+ Namespace: "default",
+ },
+ Data: map[string][]byte{
+ "azure.json": []byte("foobar"),
+ },
+ },
+ expectedNoChange: true,
+ },
+ "should replace the content of the pre-existing owned secret": {
+ kind: "AzureMachine",
+ apiVersion: "infrastructure.cluster.x-k8s.io/v1beta1",
+ ownerName: "azureMachineName",
+ existingSecret: &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "azureMachineName-azure-json",
+ Namespace: "default",
+ Labels: map[string]string{"testCluster": string(infrav1.ResourceLifecycleOwned)},
+ },
+ Data: map[string][]byte{
+ "azure.json": []byte("foobar"),
+ },
+ },
+ },
 }
 ctrl.SetLogger(zap.New(zap.UseDevMode(true)))
@@ -217,6 +265,7 @@ func TestReconcileAzureSecret(t *testing.T) {
 cluster.Default()
 azureCluster.Default()
+ azureCluster.ClusterName = "testCluster"
 scheme := setupScheme(g)
 kubeclient := fake.NewClientBuilder().WithScheme(scheme).Build()
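Review bot: The label key `"testCluster"` written into the three new cases and the value assigned by `azureCluster.ClusterName = "testCluster"` in the following hunk are the same string repeated four times, and the owned case only reaches the overwrite path because they happen to agree; a typo in either place would fail that case for a reason unrelated to the code under test. Hoist it into `const testClusterName = "testCluster"` near the top of the test and use `Labels: map[string]string{testClusterName: string(infrav1.ResourceLifecycleOwned)}` and `azureCluster.ClusterName = testClusterName`. The third case relies on the zero value of `expectedNoChange` to take the replacing branch, which is not obvious when reading the table; a one-line comment above it such as `// owned secret: reconcile must overwrite the stale payload` would make the intent explicit. TestReconcileAzureSecret starts before this hunk and continues past it.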
@@ -233,6 +282,14 @@ func TestReconcileAzureSecret(t *testing.T) {
 for name, tc := range cases {
 t.Run(name, func(t *testing.T) {
+ if tc.existingSecret != nil {
+ _ = kubeclient.Delete(context.Background(), tc.existingSecret)
+ _ = kubeclient.Create(context.Background(), tc.existingSecret)
+ defer func() {
+ _ = kubeclient.Delete(context.Background(), tc.existingSecret)
+ }()
+ }
+
 owner := metav1.OwnerReference{
 APIVersion: tc.apiVersion,
 Kind: tc.kind,
@@ -254,8 +311,13 @@ func TestReconcileAzureSecret(t *testing.T) {
 if err := kubeclient.Get(context.Background(), key, found); err != nil {
 t.Error(err)
 }
- g.Expect(cloudConfig.Data).To(Equal(found.Data))
- g.Expect(found.OwnerReferences).To(Equal(cloudConfig.OwnerReferences))
+
+ if tc.expectedNoChange {
+ g.Expect(cloudConfig.Data).NotTo(Equal(found.Data))
+ } else {
+ g.Expect(cloudConfig.Data).To(Equal(found.Data))
+ g.Expect(found.OwnerReferences).To(Equal(cloudConfig.OwnerReferences))
+ }
 })
 }
 }
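Review bot: The error from `kubeclient.Create` in the new setup block is discarded, so if the fixture secret is not actually created (for example because a leftover from an earlier case was not removed) the `expectedNoChange` cases later run against a store without the user secret and pass or fail for the wrong reason with no signal. Assert the precondition instead: `g.Expect(kubeclient.Create(context.Background(), tc.existingSecret)).To(Succeed())`. The preceding `Delete` may legitimately return NotFound and can stay best-effort, but the blank identifier deserves a justification such as `// best-effort removal of a leftover from an earlier case; NotFound is expected`. The enclosing t.Run closure continues past the hunk.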
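Review bot: `g.Expect(cloudConfig.Data).NotTo(Equal(found.Data))` only shows that the stored secret differs from the freshly generated payload; it would still pass if the reconciler had overwritten the user's secret with anything other than that exact payload, which is the very regression this fix is guarding against. Pin the invariant directly: `g.Expect(found.Data).To(Equal(tc.existingSecret.Data))`, and, assuming the early return in helpers.go precedes any owner-reference update as that hunk suggests, `g.Expect(found.OwnerReferences).To(BeEmpty())` so the unowned secret is shown to be byte-for-byte untouched and not adopted. Both matchers come from gomega, which the test already uses through NewWithT. The enclosing t.Run closure starts before this hunk.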