Cleanup legacy service-account-key secret deletion

nickytd · Oct 24, 2022 · fb9c4a3 · fb9c4a3
1 parent 842a4c0
commit fb9c4a3
Show file tree

Hide file tree

Showing 4 changed files with 1 addition and 56 deletions.
diff --git a/pkg/operation/botanist/component/kubeapiserver/secrets.go b/pkg/operation/botanist/component/kubeapiserver/secrets.go
@@ -105,8 +105,7 @@ func (k *kubeAPIServer) reconcileSecretServiceAccountKey(ctx context.Context) (*
 		return nil, err
 	}
 
-	// TODO(rfranzke): Remove this in a future release.
-	return secret, kutil.DeleteObject(ctx, k.client.Client(), &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "service-account-key", Namespace: k.namespace}})
+	return secret, nil
 }
 
 func (k *kubeAPIServer) reconcileSecretBasicAuth(ctx context.Context) (*corev1.Secret, error) {

diff --git a/pkg/operation/botanist/kubeapiserver.go b/pkg/operation/botanist/kubeapiserver.go
@@ -684,7 +684,6 @@ func (b *Botanist) DeployKubeAPIServer(ctx context.Context) error {
 		gardenerResourceDataList.Delete("static-token")
 		gardenerResourceDataList.Delete("kube-apiserver-basic-auth")
 		gardenerResourceDataList.Delete("etcdEncryptionConfiguration")
-		gardenerResourceDataList.Delete("service-account-key")
 		*gardenerResourceData = gardenerResourceDataList
 		return nil
 	}); err != nil {

diff --git a/pkg/utils/secrets/manager/generate.go b/pkg/utils/secrets/manager/generate.go
@@ -301,16 +301,6 @@ func (m *manager) keepExistingSecretsIfNeeded(ctx context.Context, configName st
 			secretutils.DataKeyEncryptionKeyName: existingEncryptionKey,
 			secretutils.DataKeyEncryptionSecret:  existingEncryptionSecret,
 		}, nil
-
-	case "service-account-key":
-		if err := m.client.Get(ctx, kutil.Key(m.namespace, "service-account-key"), existingSecret); err != nil {
-			if !apierrors.IsNotFound(err) {
-				return nil, err
-			}
-			return newData, nil
-		}
-
-		return existingSecret.Data, nil
 	}
 
 	return newData, nil

diff --git a/pkg/utils/secrets/manager/generate_test.go b/pkg/utils/secrets/manager/generate_test.go
@@ -1233,49 +1233,6 @@ resources:
 					}))
 				})
 			})
-
-			Context("service account key", func() {
-				var (
-					oldData = map[string][]byte{"id_rsa": []byte("some-old-key")}
-					config  *secretutils.RSASecretConfig
-				)
-
-				BeforeEach(func() {
-					config = &secretutils.RSASecretConfig{
-						Name: "service-account-key",
-						Bits: 4096,
-					}
-				})
-
-				It("should generate a new key if old secret does not exist", func() {
-					By("generating secret")
-					secret, err := m.Generate(ctx, config)
-					Expect(err).NotTo(HaveOccurred())
-
-					By("verifying new key was generated")
-					Expect(secret.Data).NotTo(Equal(oldData))
-				})
-
-				It("should keep the existing key if old secret still exists", func() {
-					By("creating existing secret with old key")
-					existingSecret := &corev1.Secret{
-						ObjectMeta: metav1.ObjectMeta{
-							Name:      "service-account-key",
-							Namespace: namespace,
-						},
-						Type: corev1.SecretTypeOpaque,
-						Data: oldData,
-					}
-					Expect(fakeClient.Create(ctx, existingSecret)).To(Succeed())
-
-					By("generating secret")
-					secret, err := m.Generate(ctx, config)
-					Expect(err).NotTo(HaveOccurred())
-
-					By("verifying old password was kept")
-					Expect(secret.Data).To(Equal(oldData))
-				})
-			})
 		})
 	})
 })