bootstrap token auth: don't accept deleted tokens

plugin/pkg/auth/authenticator/token/bootstrap/bootstrap_test.go

@@ -52,6 +52,8 @@ const (
 )
 
 func TestTokenAuthenticator(t *testing.T) {
+	now := metav1.Now()
+
 	tests := []struct {
 		name string
 
@@ -135,6 +137,25 @@ func TestTokenAuthenticator(t *testing.T) {
 			token:        "barfoo" + "." + tokenSecret,
 			wantNotFound: true,
 		},
+		{
+			name: "deleted token",
+			secrets: []*api.Secret{
+				{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:              bootstrapapi.BootstrapTokenSecretPrefix + tokenID,
+						DeletionTimestamp: &now,
+					},
+					Data: map[string][]byte{
+						bootstrapapi.BootstrapTokenIDKey:               []byte(tokenID),
+						bootstrapapi.BootstrapTokenSecretKey:           []byte(tokenSecret),
+						bootstrapapi.BootstrapTokenUsageAuthentication: []byte("true"),
+					},
+					Type: "bootstrap.kubernetes.io/token",
+				},
+			},
+			token:        tokenID + "." + tokenSecret,
+			wantNotFound: true,
+		},
 		{
 			name: "expired token",
 			secrets: []*api.Secret{