From 4745cd5f2314e71bd953dafbc43bc56b6ac93e50 Mon Sep 17 00:00:00 2001
From: Knative Prow Robot
Date: Wed, 10 Apr 2024 15:16:21 +0100
Subject: [PATCH] [release-1.13] Remove sinkbindings OIDC token secret when not needed and fix status setting (#7839)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Remove Sinkbindings OIDC token secret, when not needed
* Set Sinkbindings OIDCTokenSecretName in its status correctly
---------
Co-authored-by: Christoph Stäbler
---
 pkg/reconciler/sinkbinding/sinkbinding.go | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/pkg/reconciler/sinkbinding/sinkbinding.go b/pkg/reconciler/sinkbinding/sinkbinding.go
index 687c8500841..74744d24453 100644
--- a/pkg/reconciler/sinkbinding/sinkbinding.go
+++ b/pkg/reconciler/sinkbinding/sinkbinding.go
@@ -114,6 +114,10 @@ func (s *SinkBindingSubResourcesReconciler) Reconcile(ctx context.Context, b psb
 // sink has no audience set -> don't create token secret
 sb.Status.MarkOIDCIdentityCreatedSucceededWithReason("Sink has no audience defined", "")
 sb.Status.MarkOIDCTokenSecretCreatedSuccceededWithReason("Sink has no audience defined", "")
+
+ if err := s.removeOIDCTokenSecretEventually(ctx, sb); err != nil {
+ return err
+ }
 sb.Status.OIDCTokenSecretName = nil
 }
 } else {
@@ -164,6 +168,8 @@ func (s *SinkBindingSubResourcesReconciler) reconcileOIDCTokenSecret(ctx context
 logger.Debugf("OIDC token secret for %s/%s sinkbinding still valid for > %s (expires %s). Will not update secret", sb.Name, sb.Namespace, resyncAndBufferDuration, expiry)
 // token is still valid for resync period + buffer --> we're fine
+ sb.Status.OIDCTokenSecretName = &secretName
+
 return nil
 }
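Review bot: In the no-audience branch of Reconcile, both OIDC conditions are marked succeeded before `s.removeOIDCTokenSecretEventually(ctx, sb)` runs, so on the error return the status can report success while a token secret that is no longer needed is still present and `OIDCTokenSecretName` still points at it. Consider running the removal first and marking the conditions only once it has succeeded, and give the error some context, e.g. `return fmt.Errorf("removing OIDC token secret for sinkbinding %s/%s: %w", sb.Namespace, sb.Name, err)` (assuming `fmt` is imported in this file, which the hunk does not show). A short comment such as `// no audience -> the token secret is an unneeded credential; delete it` would record why the delete is there. Reconcile starts and ends outside this hunk, and whether the status is persisted on the error path is not visible here.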
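Review bot: The existing comment `// token is still valid for resync period + buffer --> we're fine` now sits directly above the new `sb.Status.OIDCTokenSecretName = &secretName` and reads as if it described that assignment rather than the early return. I would keep it next to `return nil` and give the new line its own comment, e.g. `// secret is left untouched, but status must still reference it`. If the path that creates or renews the secret sets the same field (it is outside this hunk), assigning it once before the validity check would keep the two paths from drifting apart again. reconcileOIDCTokenSecret starts and ends outside this hunk.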