Error: cannot delete resource "serviceaccounts" in API group while uninstalling the SSP
search cancel

Error: cannot delete resource "serviceaccounts" in API group while uninstalling the SSP

book

Article ID: 381331

calendar_today

Updated On:

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction

In this environment VIP AuthHub is deployed on Openshift Cluster 4.14. 

Customer has restriction to deploy ServiceAccounts, Role and RoleBinding resources but after setting the variable

--set ssp.global.existingDataseedSATokenSecret=<serviceAccountToken's secret name>

in the deployment command it works fine. 

When customer try to execute helm uninstall ssp-dev --debug, below error message is observed

client.go:486: [debug] Starting delete for "ssp-dev-ssp-services-actuator-prometheus" ServiceMonitor
client.go:486: [debug] Starting delete for "ssp-dev-ssp-services-metrics" ServiceMonitor
uninstall.go:124: [debug] uninstall: Failed to delete release: [serviceaccounts "ssp-hazelcast" is forbidden: User "<Username>" cannot delete resource "serviceaccounts" in API group "" in the namespace "<NameSpace>"]
Error: failed to delete release: ssp-dev
helm.go:84: [debug] failed to delete release: ssp-dev
helm.sh/helm/v3/pkg/action.(*Uninstall).Run
        helm.sh/helm/v3/pkg/action/uninstall.go:125

It looks like that the uninstall try to delete the service account ssp-hazelcast which is was created manually. The uninstall should not try to delete what is created manually.

Environment

VIP Authentication Hub 3.2.1

Resolution

To overcome the issue, it is recommended to include hazelcast-enterprise.serviceAccount.create=false when deploying the chart:
 
hazelcast-enterprise:
    serviceAccount:
        # Specifies whether a ServiceAccount should be created
        create: false

Powered by Wolken Software