From 6efb91a15bc4f6090a87cdd52b08bce0002e8974 Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Mon, 14 Sep 2020 19:32:22 +0200
Subject: [PATCH] Don't write application credentials to cloud config unless external CCM is enabled
---
 nodeup/pkg/model/cloudconfig.go | 12 ++++++++++--
 pkg/model/bootstrapscript.go | 8 +++++++-
 2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/nodeup/pkg/model/cloudconfig.go b/nodeup/pkg/model/cloudconfig.go
index 23da22ba7d..2d065eb9b8 100644
--- a/nodeup/pkg/model/cloudconfig.go
+++ b/nodeup/pkg/model/cloudconfig.go
@@ -92,8 +92,16 @@ func (b *CloudConfigBuilder) Build(c *fi.ModelBuilderContext) error {
 fmt.Sprintf("tenant-name=\"%s\"", tenantName),
 fmt.Sprintf("domain-name=\"%s\"", os.Getenv("OS_DOMAIN_NAME")),
 fmt.Sprintf("domain-id=\"%s\"", os.Getenv("OS_DOMAIN_ID")),
- fmt.Sprintf("application-credential-id=\"%s\"", os.Getenv("OS_APPLICATION_CREDENTIAL_ID")),
- fmt.Sprintf("application-credential-secret=\"%s\"", os.Getenv("OS_APPLICATION_CREDENTIAL_SECRET")),
+ )
+ if b.Cluster.Spec.ExternalCloudControllerManager != nil {
+ lines = append(lines,
+ fmt.Sprintf("application-credential-id=\"%s\"", os.Getenv("OS_APPLICATION_CREDENTIAL_ID")),
+ fmt.Sprintf("application-credential-secret=\"%s\"", os.Getenv("OS_APPLICATION_CREDENTIAL_SECRET")),
+ )
+
+ }
+
+ lines = append(lines,
 "",
 )
diff --git a/pkg/model/bootstrapscript.go b/pkg/model/bootstrapscript.go
index 7e84d42037..1022adf864 100644
--- a/pkg/model/bootstrapscript.go
+++ b/pkg/model/bootstrapscript.go
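Review bot: The new guard in nodeup/pkg/model/cloudconfig.go tests only `b.Cluster.Spec.ExternalCloudControllerManager != nil`, so with an external CCM and no application credentials in the environment it still writes `application-credential-id=""` and `application-credential-secret=""` into the cloud config, whereas the bootstrapscript.go hunk of this commit also requires both variables to be non-empty. Aligning the two would mean `if b.Cluster.Spec.ExternalCloudControllerManager != nil && os.Getenv("OS_APPLICATION_CREDENTIAL_ID") != "" && os.Getenv("OS_APPLICATION_CREDENTIAL_SECRET") != "" {`. The secret is also interpolated with `%s` inside double quotes with no escaping, so a value containing `"` or a newline would yield a malformed config. Build continues outside the hunk, so the mode of the file that receives these lines is worth confirming there.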
@@ -118,7 +118,13 @@ func (b *BootstrapScript) buildEnvironmentVariables(cluster *kops.Cluster) (map[
 "OS_REGION_NAME",
 }
- if os.Getenv("OS_APPLICATION_CREDENTIAL_ID") != "" && os.Getenv("OS_APPLICATION_CREDENTIAL_SECRET") != "" {
+ hasCCM := cluster.Spec.ExternalCloudControllerManager != nil
+ appCreds := os.Getenv("OS_APPLICATION_CREDENTIAL_ID") != "" && os.Getenv("OS_APPLICATION_CREDENTIAL_SECRET") != ""
+ if !hasCCM && appCreds {
+ klog.Warning("application credentials only supported when using external cloud controller manager. Continuing with passwords.")
+ }
+
+ if hasCCM && appCreds {
 osEnvs = append(osEnvs,
 "OS_APPLICATION_CREDENTIAL_ID",
 "OS_APPLICATION_CREDENTIAL_SECRET",
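Review bot: In the `!hasCCM && appCreds` branch the code only logs and carries on, and nothing visible here checks that password credentials are actually set, so an operator who authenticates solely with application credentials would presumably get a bootstrap environment with no usable secret and find out only when nodes fail to join. The fallback also trades a scoped, revocable application credential for the account password without the operator asking for that. If the function's error return allows it (the signature is cut off in the hunk header), failing early is safer, e.g. `return nil, fmt.Errorf("application credentials require the external cloud controller manager")`. If the fallback is kept, the warning could name the variables that will be propagated instead. The body of buildEnvironmentVariables continues past the end of the hunk.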