Wait until the finalizer of the credentials secret is removed

Signed-off-by: ialidzhikov <i.alidjikov@gmail.com> Cherry-pick #3425 ```bugfix operator The generic Worker actuator does now wait until the machine-controller-manager finalizer is removed from the credentials secret that is referenced from the machine classes. ```
gardener · Jan 21, 2021 · b8cbfee · b8cbfee
1 parent ba65cf6
commit b8cbfee
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/extensions/pkg/controller/worker/genericactuator/actuator.go b/extensions/pkg/controller/worker/genericactuator/actuator.go
@@ -257,7 +257,7 @@ func (a *genericActuator) shallowDeleteMachineClassSecrets(ctx context.Context,
 	return nil
 }
 
-// cleanupMachineClassSecrets deletes MachineSets having number of desired and actual replicas equaling 0
+// cleanupMachineSets deletes MachineSets having number of desired and actual replicas equaling 0
 func (a *genericActuator) cleanupMachineSets(ctx context.Context, logger logr.Logger, namespace string) error {
 	logger.Info("Cleaning up machine sets")
 	machineSetList := &machinev1alpha1.MachineSetList{}

diff --git a/extensions/pkg/controller/worker/genericactuator/actuator_delete.go b/extensions/pkg/controller/worker/genericactuator/actuator_delete.go
@@ -165,6 +165,8 @@ func (a *genericActuator) waitUntilMachineResourcesDeleted(ctx context.Context,
 		countMachineDeployments  = -1
 		countMachineClasses      = -1
 		countMachineClassSecrets = -1
+
+		releasedMachineClassCredentialsSecret = false
 	)
 	logger.Info("Waiting until all machine resources have been deleted")
 
@@ -238,8 +240,34 @@ func (a *genericActuator) waitUntilMachineResourcesDeleted(ctx context.Context,
 			msg += fmt.Sprintf("%d machine class secrets, ", countMachineClassSecrets)
 		}
 
-		if countMachines != 0 || countMachineSets != 0 || countMachineDeployments != 0 || countMachineClasses != 0 || countMachineClassSecrets != 0 {
-			msg := fmt.Sprintf("Waiting until the following machine resources have been deleted: %s", strings.TrimSuffix(msg, ", "))
+		// Check whether the finalizer of the machine class credentials secret is removed.
+		// This check is only applicable when the given workerDelegate does not implement the
+		// deprecated WorkerCredentialsDelegate interface, i.e. machine classes reference a separate
+		// Secret for cloud provider credentials.
+		if !releasedMachineClassCredentialsSecret {
+			_, ok := workerDelegate.(WorkerCredentialsDelegate)
+			if ok {
+				releasedMachineClassCredentialsSecret = true
+			} else {
+				secret, err := controller.GetSecretByReference(ctx, a.client, &worker.Spec.SecretRef)
+				if err != nil {
+					return retryutils.SevereError(fmt.Errorf("could not get the secret referenced by worker: %+v", err))
+				}
+
+				hasFinalizer, err := controller.HasFinalizer(secret, mcmFinalizer)
+				if err != nil {
+					return retryutils.SevereError(fmt.Errorf("could not check whether machine class credentials secret has finalizer: %+v", err))
+				}
+				if hasFinalizer {
+					msg += "1 machine class credentials secret, "
+				} else {
+					releasedMachineClassCredentialsSecret = true
+				}
+			}
+		}
+
+		if countMachines != 0 || countMachineSets != 0 || countMachineDeployments != 0 || countMachineClasses != 0 || countMachineClassSecrets != 0 || !releasedMachineClassCredentialsSecret {
+			msg := fmt.Sprintf("Waiting until the following machine resources have been deleted or released: %s", strings.TrimSuffix(msg, ", "))
 			logger.Info(msg)
 			return retryutils.MinorError(errors.New(msg))
 		}