Merge pull request #2850 from chrischdi/pr-release-1-8-cp-2846

k8s-ci-robot · web-flow · commit f5c3177d4340 · 2024-03-25T13:40:33.000-07:00
[release-1.8] 🐛 Ensure entries for ProviderServiceAccount created in the ConfigMap are cleaned up
diff --git a/apis/vmware/v1beta1/vspherecluster_types.go b/apis/vmware/v1beta1/vspherecluster_types.go
@@ -27,6 +27,10 @@ const (
 	// resources associated with VSphereCluster before removing it from the
 	// API server.
 	ClusterFinalizer = "vspherecluster.vmware.infrastructure.cluster.x-k8s.io"
+
+	// ProviderServiceAccountFinalizer allows ServiceAccountReconciler to clean up service accounts
+	// resources associated with VSphereCluster from the SERVICE_ACCOUNTS_CM (service accounts ConfigMap).
+	ProviderServiceAccountFinalizer = "providerserviceaccount.vmware.infrastructure.cluster.x-k8s.io"
 )
 
 // VSphereClusterSpec defines the desired state of VSphereCluster
diff --git a/controllers/serviceaccount_controller.go b/controllers/serviceaccount_controller.go
@@ -100,6 +100,19 @@ func AddServiceAccountProviderControllerToManager(ctx *context.ControllerManager
 			&corev1.Secret{},
 			handler.EnqueueRequestsFromMapFunc(r.secretToVSphereCluster),
 		).
+		Watches(
+			&vmwarev1.VSphereCluster{},
+			handler.EnqueueRequestsFromMapFunc(func(ctx goctx.Context, o client.Object) []reconcile.Request {
+				return []reconcile.Request{
+					{
+						NamespacedName: types.NamespacedName{
+							Namespace: o.GetNamespace(),
+							Name:      o.GetName(),
+						},
+					},
+				}
+			}),
+		).
 		// Watches clusters and reconciles the vSphereCluster
 		Watches(
 			&clusterv1.Cluster{},
@@ -198,6 +211,13 @@ func (r ServiceAccountReconciler) Reconcile(_ goctx.Context, req reconcile.Reque
 		return reconcile.Result{}, nil
 	}
 
+	// Add finalizer first if not set to avoid the race condition between init and delete.
+	// Note: Finalizers in general can only be added when the deletionTimestamp is not set.
+	if !controllerutil.ContainsFinalizer(clusterContext.VSphereCluster, vmwarev1.ProviderServiceAccountFinalizer) {
+		controllerutil.AddFinalizer(clusterContext.VSphereCluster, vmwarev1.ProviderServiceAccountFinalizer)
+		return ctrl.Result{}, nil
+	}
+
 	// We cannot proceed until we are able to access the target cluster. Until
 	// then just return a no-op and wait for the next sync. This will occur when
 	// the Cluster's status is updated with a reference to the secret that has
@@ -235,6 +255,7 @@ func (r ServiceAccountReconciler) ReconcileDelete(ctx *vmwarecontext.ClusterCont
 		}
 	}
 
+	controllerutil.RemoveFinalizer(ctx.VSphereCluster, vmwarev1.ProviderServiceAccountFinalizer)
 	return reconcile.Result{}, nil
 }
 
@@ -513,6 +534,9 @@ func (r ServiceAccountReconciler) ensureServiceAccountConfigMap(ctx *vmwareconte
 	if err != nil {
 		return err
 	}
+	if configMap.Data == nil {
+		configMap.Data = map[string]string{}
+	}
 	if valid, exist := configMap.Data[svcAccountName]; exist && valid == strconv.FormatBool(true) {
 		// Service account name is already in the config map
 		return nil
