From fb9c4a320e1d814bf586a24d88bd1c4f40a86687 Mon Sep 17 00:00:00 2001
From: Rafael Franzke
Date: Mon, 24 Oct 2022 13:19:07 +0200
Subject: [PATCH] Cleanup legacy `service-account-key` secret deletion
---
 .../component/kubeapiserver/secrets.go | 3 +-
 pkg/operation/botanist/kubeapiserver.go | 1 -
 pkg/utils/secrets/manager/generate.go | 10 -----
 pkg/utils/secrets/manager/generate_test.go | 43 -------------------
 4 files changed, 1 insertion(+), 56 deletions(-)
diff --git a/pkg/operation/botanist/component/kubeapiserver/secrets.go b/pkg/operation/botanist/component/kubeapiserver/secrets.go
index cc9b7fc60a8..9dc60667709 100644
--- a/pkg/operation/botanist/component/kubeapiserver/secrets.go
+++ b/pkg/operation/botanist/component/kubeapiserver/secrets.go
@@ -105,8 +105,7 @@ func (k *kubeAPIServer) reconcileSecretServiceAccountKey(ctx context.Context) (*
 return nil, err
 }
- // TODO(rfranzke): Remove this in a future release.
- return secret, kutil.DeleteObject(ctx, k.client.Client(), &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "service-account-key", Namespace: k.namespace}})
+ return secret, nil
 }
 func (k *kubeAPIServer) reconcileSecretBasicAuth(ctx context.Context) (*corev1.Secret, error) {
diff --git a/pkg/operation/botanist/kubeapiserver.go b/pkg/operation/botanist/kubeapiserver.go
index 028552b31ee..ed3bd118dd1 100644
--- a/pkg/operation/botanist/kubeapiserver.go
+++ b/pkg/operation/botanist/kubeapiserver.go
@@ -684,7 +684,6 @@ func (b *Botanist) DeployKubeAPIServer(ctx context.Context) error {
 gardenerResourceDataList.Delete("static-token")
 gardenerResourceDataList.Delete("kube-apiserver-basic-auth")
 gardenerResourceDataList.Delete("etcdEncryptionConfiguration")
- gardenerResourceDataList.Delete("service-account-key")
 *gardenerResourceData = gardenerResourceDataList
 return nil
 }); err != nil {
diff --git a/pkg/utils/secrets/manager/generate.go b/pkg/utils/secrets/manager/generate.go
index 018121c13d2..c9610fcae87 100644
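Review bot: With the `kutil.DeleteObject` call gone from `reconcileSecretServiceAccountKey`, nothing visible in this patch removes a legacy `service-account-key` secret that still exists, so on a cluster that was never reconciled by a release containing the cleanup, the old copy of the service-account signing key would presumably stay in the namespace indefinitely. The same assumption sits behind the dropped `gardenerResourceDataList.Delete("service-account-key")` in `DeployKubeAPIServer` and the removed `case "service-account-key"` in `keepExistingSecretsIfNeeded`, where such a cluster would apparently get a newly generated key instead of the existing one. I would state the upgrade precondition where the code was removed, for example `// The legacy "service-account-key" secret is expected to have been deleted by an earlier release; it is no longer cleaned up here.` above `return secret, nil`, and repeat it in the release notes. The function body starts outside the hunk, so whether an earlier step already guarantees this cannot be confirmed from here.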
--- a/pkg/utils/secrets/manager/generate.go
+++ b/pkg/utils/secrets/manager/generate.go
@@ -301,16 +301,6 @@ func (m *manager) keepExistingSecretsIfNeeded(ctx context.Context, configName st
 secretutils.DataKeyEncryptionKeyName: existingEncryptionKey,
 secretutils.DataKeyEncryptionSecret: existingEncryptionSecret,
 }, nil
-
- case "service-account-key":
- if err := m.client.Get(ctx, kutil.Key(m.namespace, "service-account-key"), existingSecret); err != nil {
- if !apierrors.IsNotFound(err) {
- return nil, err
- }
- return newData, nil
- }
-
- return existingSecret.Data, nil
 }
 return newData, nil
diff --git a/pkg/utils/secrets/manager/generate_test.go b/pkg/utils/secrets/manager/generate_test.go
index 75c2ff2b665..ce9ec835790 100644
--- a/pkg/utils/secrets/manager/generate_test.go
+++ b/pkg/utils/secrets/manager/generate_test.go
@@ -1233,49 +1233,6 @@ resources:
 }))
 })
 })
-
- Context("service account key", func() {
- var (
- oldData = map[string][]byte{"id_rsa": []byte("some-old-key")}
- config *secretutils.RSASecretConfig
- )
-
- BeforeEach(func() {
- config = &secretutils.RSASecretConfig{
- Name: "service-account-key",
- Bits: 4096,
- }
- })
-
- It("should generate a new key if old secret does not exist", func() {
- By("generating secret")
- secret, err := m.Generate(ctx, config)
- Expect(err).NotTo(HaveOccurred())
-
- By("verifying new key was generated")
- Expect(secret.Data).NotTo(Equal(oldData))
- })
-
- It("should keep the existing key if old secret still exists", func() {
- By("creating existing secret with old key")
- existingSecret := &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: "service-account-key",
- Namespace: namespace,
- },
- Type: corev1.SecretTypeOpaque,
- Data: oldData,
- }
- Expect(fakeClient.Create(ctx, existingSecret)).To(Succeed())
-
- By("generating secret")
- secret, err := m.Generate(ctx, config)
- Expect(err).NotTo(HaveOccurred())
-
- By("verifying old password was kept")
- Expect(secret.Data).To(Equal(oldData))
- })
- })
 })
 })
 })