The secrets for the AK aren't cleaned up with the machine #168

@alicefr

The secrets for the attestation keys aren't garbage collected when the machine is deleted.

Steps to reproduce the issue: delete a machine and verify that the secret for the AK isn't deleted:

[root@virtlab1012 kubevirt]# ktec get machines,attestationkeys,secrets
NAME                                                                                 AGE
machine.trusted-execution-clusters.io/machine-2803cb43-778b-4da9-b046-b6fddc9ebeca   5m40s

NAME                                                                                   AGE
attestationkey.trusted-execution-clusters.io/ak-8e4de9aa-a0a3-43e0-bcd8-48ad65e7cfd9   5m41s

NAME                                             TYPE     DATA   AGE
secret/2803cb43-778b-4da9-b046-b6fddc9ebeca      Opaque   1      5m40s
secret/ak-8e4de9aa-a0a3-43e0-bcd8-48ad65e7cfd9   Opaque   1      5m40s
[root@virtlab1012 kubevirt]# ktec delete machine.trusted-execution-clusters.io/machine-2803cb43-778b-4da9-b046-b6fddc9ebeca
machine.trusted-execution-clusters.io "machine-2803cb43-778b-4da9-b046-b6fddc9ebeca" deleted from trusted-execution-clusters namespace
[root@virtlab1012 kubevirt]# ktec get machines,attestationkeys,secrets
NAME                                             TYPE     DATA   AGE
secret/ak-8e4de9aa-a0a3-43e0-bcd8-48ad65e7cfd9   Opaque   1      6m
[root@virtlab1012 kubevirt]# ktec get secrets ak-8e4de9aa-a0a3-43e0-bcd8-48ad65e7cfd9 -oyaml
apiVersion: v1
data:
  public_key: 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
kind: Secret
metadata:
  creationTimestamp: "2026-01-27T07:46:09Z"
  deletionGracePeriodSeconds: 0
  deletionTimestamp: "2026-01-27T07:52:05Z"
  finalizers:
  - trusted-execution-clusters.io/attestationkey-secret-finalizer
  name: ak-8e4de9aa-a0a3-43e0-bcd8-48ad65e7cfd9
  namespace: trusted-execution-clusters
  ownerReferences:
  - apiVersion: trusted-execution-clusters.io/v1alpha1
    blockOwnerDeletion: true
    controller: true
    kind: AttestationKey
    name: ak-8e4de9aa-a0a3-43e0-bcd8-48ad65e7cfd9
    uid: 9fe09350-3098-487e-af6d-16ca16c40935
  resourceVersion: "138256"
  uid: 00d661cd-18f8-47dd-88f2-31dad2c9be00
type: Opaque

Note the finalizer on the secret. When the finalizer is manually removed, then the secret is correctly deleted.
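
An added example, not part of the original issue or the project's code: a small Python check that flags Secrets in the state shown above, marked for deletion but still held by a finalizer after their owning AttestationKey is gone. It assumes input shaped like the JSON list form (`-o json`) of the `get attestationkeys,secrets` command; the `stuck_secrets` helper and the `constructed-*` entries are hypothetical.

```python
import json

# Constructed sample modelled on the output in the issue: the state after the
# machine was deleted, plus one healthy secret and its owner for contrast.
SAMPLE = json.loads("""
{"items": [
  {"kind": "Secret",
   "metadata": {
     "name": "ak-8e4de9aa-a0a3-43e0-bcd8-48ad65e7cfd9",
     "namespace": "trusted-execution-clusters",
     "deletionTimestamp": "2026-01-27T07:52:05Z",
     "finalizers": ["trusted-execution-clusters.io/attestationkey-secret-finalizer"],
     "ownerReferences": [{"kind": "AttestationKey",
                          "name": "ak-8e4de9aa-a0a3-43e0-bcd8-48ad65e7cfd9",
                          "uid": "9fe09350-3098-487e-af6d-16ca16c40935"}]}},
  {"kind": "Secret",
   "metadata": {"name": "constructed-healthy-secret",
                "namespace": "trusted-execution-clusters",
                "finalizers": ["trusted-execution-clusters.io/attestationkey-secret-finalizer"],
                "ownerReferences": [{"kind": "AttestationKey",
                                     "name": "constructed-live-ak",
                                     "uid": "constructed-uid-1"}]}},
  {"kind": "AttestationKey",
   "metadata": {"name": "constructed-live-ak", "uid": "constructed-uid-1"}}
]}
""")

def stuck_secrets(listing):
    """Secrets marked for deletion, held by a finalizer, with no live owner."""
    items = listing.get("items", [])
    # UIDs of every non-Secret object still present (the potential owners).
    live_uids = {i["metadata"].get("uid") for i in items if i.get("kind") != "Secret"}
    stuck = []
    for item in items:
        meta = item.get("metadata", {})
        terminating = meta.get("deletionTimestamp") and meta.get("finalizers")
        if item.get("kind") != "Secret" or not terminating:
            continue  # not a secret, not being deleted, or nothing blocks it
        owners = meta.get("ownerReferences", [])
        if any(o.get("uid") in live_uids for o in owners):
            continue  # an owner still exists and may yet release the finalizer
        stuck.append({"namespace": meta.get("namespace"), "name": meta["name"],
                      "since": meta["deletionTimestamp"],
                      "finalizers": list(meta["finalizers"])})
    return stuck

if __name__ == "__main__":
    for s in stuck_secrets(SAMPLE):
        print(f"{s['namespace']}/{s['name']} terminating since {s['since']}: {s['finalizers']}")
```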
