Merge pull request #3400 from dlmather/dmather/issue-3394/invalid-secret-backend

Only attempt to delete bootstrap data secret if InsecureSkipSecretsManager isn't set

Author: k8s-ci-robot

controllers/awsmachine_controller.go

@@ -733,8 +733,10 @@ func (r *AWSMachineReconciler) ignitionUserData(scope *scope.MachineScope, objec
 }
 
 func (r *AWSMachineReconciler) deleteBootstrapData(machineScope *scope.MachineScope, clusterScope cloud.ClusterScoper, objectStoreScope scope.S3Scope) error {
-	if err := r.deleteEncryptedBootstrapDataSecret(machineScope, clusterScope); err != nil {
-		return err
+	if !machineScope.AWSMachine.Spec.CloudInit.InsecureSkipSecretsManager {
+		if err := r.deleteEncryptedBootstrapDataSecret(machineScope, clusterScope); err != nil {
+			return err
+		}
 	}
 
 	if objectStoreScope != nil {

controllers/awsmachine_controller_unit_test.go

@@ -1079,6 +1079,20 @@ func TestAWSMachineReconciler(t *testing.T) {
 				ec2Svc.EXPECT().TerminateInstanceAndWait(gomock.Any()).Return(nil).AnyTimes()
 				_, _ = reconciler.reconcileDelete(ms, cs, cs, cs, cs)
 			})
+			t.Run("should not attempt to delete the secret if InsecureSkipSecretsManager is set on CloudInit", func(t *testing.T) {
+				g := NewWithT(t)
+				awsMachine := getAWSMachine()
+				setup(t, g, awsMachine)
+				defer teardown(t, g)
+				setNodeRef(t, g)
+
+				ms.AWSMachine.Spec.CloudInit.InsecureSkipSecretsManager = true
+
+				secretSvc.EXPECT().Delete(gomock.Any()).Return(nil).Times(0)
+				ec2Svc.EXPECT().TerminateInstanceAndWait(gomock.Any()).Return(nil).AnyTimes()
+
+				_, _ = reconciler.reconcileDelete(ms, cs, cs, cs, cs)
+			})
 		})
 
 		t.Run("Secrets management lifecycle when there's only a secret ARN and no node ref", func(t *testing.T) {