cmd/containerboot: do not reset state on non-existant secret (#17021)

This commit modifies containerboot's state reset process to handle the state secret not existing. During other parts of the boot process we gracefully handle the state secret not being created yet, but missed that check within `resetContainerbootState` Fixes https://github.com/tailscale/tailscale/issues/16804 Signed-off-by: David Bond <davidsbond93@gmail.com>
3 months ago · 624cdd2961
parent d8ac539bf9
commit 624cdd2961
1 changed files with 5 additions and 2 deletions
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@ -124,10 +124,13 @@ func (kc *kubeClient) deleteAuthKey(ctx context.Context) error {
 // ensure the operator doesn't use stale state when a Pod is first recreated.
 func (kc *kubeClient) resetContainerbootState(ctx context.Context, podUID string) error {
 	existingSecret, err := kc.GetSecret(ctx, kc.stateSecret)
-	if err != nil {
+	switch {
+	case kubeclient.IsNotFoundErr(err):
+		// In the case that the Secret doesn't exist, we don't have any state to reset and can return early.
+		return nil
+	case err != nil:
 		return fmt.Errorf("failed to read state Secret %q to reset state: %w", kc.stateSecret, err)
 	}
-
 	s := &kubeapi.Secret{
 		Data: map[string][]byte{
 			kubetypes.KeyCapVer: fmt.Appendf(nil, "%d", tailcfg.CurrentCapabilityVersion),