Merge pull request #9104 from liggitt/token_cleanup

Clean up token on service account update failure

pkg/serviceaccount/tokens_controller.go

@@ -21,6 +21,7 @@ import (
 	"time"
 
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/api"
+	apierrors "github.com/GoogleCloudPlatform/kubernetes/pkg/api/errors"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/client"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/client/cache"
 	"github.com/GoogleCloudPlatform/kubernetes/pkg/controller/framework"
@@ -307,11 +308,20 @@ func (e *TokensController) createSecret(serviceAccount *api.ServiceAccount) erro
 
 	_, err = serviceAccounts.Update(serviceAccount)
 	if err != nil {
-		return err
+		// we weren't able to use the token, try to clean it up.
+		glog.V(2).Infof("Deleting secret %s/%s because reference couldn't be added (%v)", secret.Namespace, secret.Name, err)
+		if err := e.client.Secrets(secret.Namespace).Delete(secret.Name); err != nil {
+			glog.Error(err) // if we fail, just log it
 		}
+	}
+	if apierrors.IsConflict(err) {
+		// nothing to do.  We got a conflict, that means that the service account was updated.  We simply need to return because we'll get an update notification later
 		return nil
 	}
 
+	return err
+}
+
 // generateTokenIfNeeded populates the token data for the given Secret if not already set
 func (e *TokensController) generateTokenIfNeeded(serviceAccount *api.ServiceAccount, secret *api.Secret) error {
 	if secret.Annotations == nil {