controller: clean up credential temp files on finalizer removal#69

Merged
tamalsaha merged 1 commit into
masterfrom
fix/cleanup-credential-tempfiles
Jun 6, 2026
Conversation

@tamalsaha

Contributor

Summary

AWS / Azure / Google credential setters write secret material to `/tmp/<ns>-<name>-credential`. `handleDeletion` removed the finalizer but never removed the file, so a long-running operator pod accumulated every credential it ever served.

Add `credentials.CleanupCredential` and call it from `handleDeletion` before the finalizer is removed. No-op for providers that don't use a file (Cloudflare); tolerant of an already-deleted file.

Test plan

  • `go build ./...`
  • Create + delete an AWS-provider ExternalDNS, confirm `/tmp/<ns>-<name>-credential` is gone

The AWS / Azure / Google credential setters write the secret material
into /tmp/<ns>-<name>-credential with mode 0600. handleDeletion removed
the finalizer but left the file behind, so a long-running operator pod
that has churned through many ExternalDNS objects ended up holding
every credential it has ever served.

Add credentials.CleanupCredential and call it from handleDeletion
before the finalizer is removed. The function is a no-op for providers
that do not write a file (Cloudflare) and tolerates an already-deleted
file.

Signed-off-by: Tamal Saha <tamal@appscode.com>
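The PR description and the commit message both describe the same mechanism: a per-object credential file at `/tmp/<ns>-<name>-credential` (mode 0600), a `CleanupCredential` that is a no-op for Cloudflare and tolerates an already-deleted file, and a `handleDeletion` that calls it before dropping the finalizer. The following is an added illustration of that shape, not the project's code: the `ExternalDNS` struct, the finalizer string, the `usesCredentialFile` provider list and the `CredentialDir` variable are assumptions made so the example runs stand-alone against a scratch directory. The one design point worth seeing in code is the ordering: if cleanup fails for any reason other than "already gone", the finalizer stays on the object so the deletion is retried rather than the secret being orphaned.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// CredentialDir is where per-object credential files are written (the PR uses /tmp).
// It is a variable here (assumption) so a test can point it at a scratch directory.
var CredentialDir = os.TempDir()

// finalizerName is a constructed placeholder, not the project's real finalizer.
const finalizerName = "example.com/credential-cleanup"

// ExternalDNS is a minimal stand-in for the CRD object (assumption).
type ExternalDNS struct {
	Namespace, Name, Provider string
	Finalizers                []string
}

// CredentialPath returns <CredentialDir>/<ns>-<name>-credential.
func CredentialPath(namespace, name string) string {
	return filepath.Join(CredentialDir, fmt.Sprintf("%s-%s-credential", namespace, name))
}

// usesCredentialFile reports whether the provider writes secret material to disk.
// Cloudflare does not, per the PR; the others listed do (assumed provider keys).
func usesCredentialFile(provider string) bool {
	switch provider {
	case "aws", "azure", "google":
		return true
	default:
		return false
	}
}

// WriteCredential writes the secret material with mode 0600 and returns the path.
func WriteCredential(namespace, name string, material []byte) (string, error) {
	p := CredentialPath(namespace, name)
	return p, os.WriteFile(p, material, 0o600)
}

// CleanupCredential removes the credential file for an object. It is a no-op for
// providers that never wrote one and treats an already-deleted file as success,
// so it is safe to call on every reconcile of a deleting object.
func CleanupCredential(provider, namespace, name string) error {
	if !usesCredentialFile(provider) {
		return nil
	}
	err := os.Remove(CredentialPath(namespace, name))
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		return fmt.Errorf("cleanup credential for %s/%s: %w", namespace, name, err)
	}
	return nil
}

// handleDeletion runs cleanup first and only then drops the finalizer; a cleanup
// error leaves the finalizer in place so the controller retries instead of
// leaving the secret on disk forever.
func handleDeletion(obj *ExternalDNS) error {
	if err := CleanupCredential(obj.Provider, obj.Namespace, obj.Name); err != nil {
		return err
	}
	kept := obj.Finalizers[:0]
	for _, f := range obj.Finalizers {
		if f != finalizerName {
			kept = append(kept, f)
		}
	}
	obj.Finalizers = kept
	return nil
}

func main() {
	obj := &ExternalDNS{Namespace: "default", Name: "dns1", Provider: "aws",
		Finalizers: []string{finalizerName}}
	p, err := WriteCredential(obj.Namespace, obj.Name, []byte("constructed-secret"))
	if err != nil {
		panic(err)
	}
	fmt.Println("wrote", p)
	if err := handleDeletion(obj); err != nil {
		panic(err)
	}
	_, statErr := os.Stat(p)
	fmt.Println("file gone:", errors.Is(statErr, os.ErrNotExist), "finalizers:", obj.Finalizers)
}
```

Pointing `CredentialDir` at a file rather than a directory makes `os.Remove` fail with something other than `ErrNotExist`, which is the path a test should exercise to confirm the finalizer survives a failed cleanup.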
@tamalsaha tamalsaha merged commit 0421643 into master Jun 6, 2026
4 checks passed
@tamalsaha tamalsaha deleted the fix/cleanup-credential-tempfiles branch June 6, 2026 15:52