From 624cdd2961ac88ac2c187072dc2cb322d05a653b Mon Sep 17 00:00:00 2001 From: David Bond Date: Thu, 4 Sep 2025 12:40:55 +0100 Subject: [PATCH] cmd/containerboot: do not reset state on non-existant secret (#17021) This commit modifies containerboot's state reset process to handle the state secret not existing. During other parts of the boot process we gracefully handle the state secret not being created yet, but missed that check within `resetContainerbootState` Fixes https://github.com/tailscale/tailscale/issues/16804 Signed-off-by: David Bond
---
 cmd/containerboot/kube.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/cmd/containerboot/kube.go b/cmd/containerboot/kube.go
index d4a974e6f..4873ae13f 100644
--- a/cmd/containerboot/kube.go
+++ b/cmd/containerboot/kube.go
@@ -124,10 +124,13 @@ func (kc *kubeClient) deleteAuthKey(ctx context.Context) error {
 // ensure the operator doesn't use stale state when a Pod is first recreated.
 func (kc *kubeClient) resetContainerbootState(ctx context.Context, podUID string) error {
 existingSecret, err := kc.GetSecret(ctx, kc.stateSecret)
- if err != nil {
+ switch {
+ case kubeclient.IsNotFoundErr(err):
+ // In the case that the Secret doesn't exist, we don't have any state to reset and can return early.
+ return nil
+ case err != nil:
 return fmt.Errorf("failed to read state Secret %q to reset state: %w", kc.stateSecret, err)
 }
-
 s := &kubeapi.Secret{
 Data: map[string][]byte{
 kubetypes.KeyCapVer: fmt.Appendf(nil, "%d", tailcfg.CurrentCapabilityVersion),
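Review bot: The new `kubeclient.IsNotFoundErr(err)` case in `resetContainerbootState` returns nil without leaving any trace, so a skipped reset looks the same as a completed one, both to the caller and in the logs. Since the reset exists to keep the operator from acting on stale state, I would log the skip, e.g. `log.Printf("state Secret %q not found, skipping state reset", kc.stateSecret)` (assuming `log` is already imported in kube.go, which the hunk does not show). I would also extend the function's doc comment with `// If the state Secret does not exist yet there is nothing to reset and nil is returned.` The diffstat lists only kube.go, so the not-found path has no test in this commit; a case where `GetSecret` returns a not-found error would pin it. The function body continues past the end of the hunk.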