From e21385b9ba22583ed8e2dacf5cdc4f53f8ec89f7 Mon Sep 17 00:00:00 2001
From: Denis Moiseev
Date: Tue, 6 Apr 2021 19:50:33 +0200
Subject: [PATCH] Disable zones obtaining attempts for legacy vSphere cloud provider if secret provided and no CredentialsManager was set up. Partially solves #75175. Kubelet does not stucking on startup.
---
 .../legacy-cloud-providers/vsphere/vsphere.go | 7 ++-
 .../vsphere/vsphere_test.go | 62 +++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)

diff --git a/staging/src/k8s.io/legacy-cloud-providers/vsphere/vsphere.go b/staging/src/k8s.io/legacy-cloud-providers/vsphere/vsphere.go
index 82c4895b1a5..fefc0ec6a18 100644
--- a/staging/src/k8s.io/legacy-cloud-providers/vsphere/vsphere.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/vsphere/vsphere.go
@@ -896,7 +896,12 @@ func (vs *VSphere) LoadBalancer() (cloudprovider.LoadBalancer, bool) {
 }
 
 func (vs *VSphere) isZoneEnabled() bool {
- return vs.cfg != nil && vs.cfg.Labels.Zone != "" && vs.cfg.Labels.Region != ""
+ isEnabled := vs.cfg != nil && vs.cfg.Labels.Zone != "" && vs.cfg.Labels.Region != ""
+ if isEnabled && vs.isSecretInfoProvided && vs.nodeManager.credentialManager == nil {
+ klog.V(1).Info("Zones can not be populated now due to credentials in Secret, skip.")
+ return false
+ }
+ return isEnabled
 }
 
 // Zones returns an implementation of Zones for vSphere.
diff --git a/staging/src/k8s.io/legacy-cloud-providers/vsphere/vsphere_test.go b/staging/src/k8s.io/legacy-cloud-providers/vsphere/vsphere_test.go
index 64db1cef399..c00d19de153 100644
--- a/staging/src/k8s.io/legacy-cloud-providers/vsphere/vsphere_test.go
+++ b/staging/src/k8s.io/legacy-cloud-providers/vsphere/vsphere_test.go
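Review bot: The new guard in `isZoneEnabled` reads `vs.nodeManager.credentialManager` directly, with no nil check on `vs.nodeManager` and no synchronization visible in the hunk. If the credential manager is assigned later from another goroutine once informers are set up (the test comment in this commit suggests it is), the read should use the same lock or accessor as the writer. A `VSphere` with a config but no node manager would panic here, which `(vs.nodeManager == nil || vs.nodeManager.credentialManager == nil)` in the condition would avoid. Returning false presumably makes `Zones()` report zones as unsupported rather than temporarily unavailable, and that is only logged at `V(1)`, so a caller that asks once at startup may never get region/zone labels. A doc comment would make that trade-off explicit, e.g. `// isZoneEnabled reports false while Secret-based credentials cannot be read yet (no credential manager), even when zone and region labels are configured.`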
@@ -463,6 +463,68 @@ func TestZonesNoConfig(t *testing.T) {
 }
 }
 
+func TestZonesWithCredsInSecret(t *testing.T) {
+ noSecretCfg, err := readConfig(strings.NewReader(`
+[Global]
+user = "vsphere-creds"
+password = "kube-system"
+insecure-flag = "1"
+[Workspace]
+server = "vcenter.example.com"
+datacenter = "LAB"
+default-datastore = "datastore"
+folder = "/LAB/vm/lab-gxjfk"
+[VirtualCenter "vcenter.example.com"]
+datacenters = "LAB"
+[Labels]
+region = "kube-region"
+zone = "kube-zone"
+`))
+ if err != nil {
+ t.Fatalf("Should succeed when a valid config is provided: %s", err)
+ }
+ vsphere, err := buildVSphereFromConfig(noSecretCfg)
+ if err != nil {
+ t.Fatalf("Should succeed when a valid config is provided: %s", err)
+ }
+ _, ok := vsphere.Zones()
+ if !ok {
+ t.Fatalf("Zones should return true with plain text credentials")
+ }
+ // Return false in case if secret provided but no informers (no NodeManager.credentialManager basically) set up.
+ // Such situation happens during kubelet startup process, when InitialNode creates.
+ // See https://github.com/kubernetes/kubernetes/issues/75175
+ // and https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/kubelet_node_status.go#L418
+ withSecretCfg, err := readConfig(strings.NewReader(`
+[Global]
+secret-name = "vsphere-creds"
+secret-namespace = "kube-system"
+insecure-flag = "1"
+[Workspace]
+server = "vcenter.example.com"
+datacenter = "LAB"
+default-datastore = "datastore_big"
+folder = "/LAB/vm/lab-gxjfk"
+[VirtualCenter "vcenter.example.com"]
+datacenters = "LAB"
+[Labels]
+region = "kube-region"
+zone = "kube-zone"
+`))
+ if err != nil {
+ t.Fatalf("Should succeed when a valid config is provided: %s", err)
+ }
+ vsphere, err = buildVSphereFromConfig(withSecretCfg)
+ if err != nil {
+ t.Fatalf("Should succeed when a valid config is provided: %s", err)
+ }
+ _, ok = vsphere.Zones()
+ if ok {
+ t.Fatalf("Zones should return false with plain credentials in secret")
+ }
+}
+
 func TestZones(t *testing.T) {
 // Any context will do
 ctx := context.Background()
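Review bot: `TestZonesWithCredsInSecret` never exercises the recovery path: nothing asserts that `Zones()` returns true again once a credential manager is present, so a regression that leaves zones disabled for every Secret-based config would still pass. A third step that sets `vsphere.nodeManager.credentialManager` to a non-nil value and expects `ok` to be true would pin that behaviour. The plain-text fixture also reuses the Secret's name and namespace as its `user` and `password` values, and the final failure message says "plain credentials in secret", which reads like the opposite case. Something like `t.Fatalf("Zones should return false when credentials are in a Secret and no credential manager is set")` would be clearer.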