-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Calico Helm release cannot be deleted because of ServiceAccount with stuck finalizer #6629
Comments
xref: tigera/operator#2031 ^ Believe this is the same issue. There are a couple of workarounds suggested in that thread, but fundamentally to fix this we need to make some code / chart changes. |
+1, stuck on that as well every time, need to edit that ServiceAccount manually with |
+1, Still the issue This workaround helps, before deleting all namespaces related to calico |
+1 Deleting the installations.operator.tigera.io default before destroying the helm tigera, does remove the finalizers on calico-system ServiceAccount/calico-node
|
+1 We are also having the same issue. In the work around posted above, the dependency on the |
Example PR with one approach for resolving this: tigera/operator#2662 |
Expected Behavior
When I try to delete a Calico Helm release, I expect all resources to be deleted.
Current Behavior
Sometimes, when I try to delete a Calico Helm release it will timeout.
From some investigation this seems to be because of a stuck ServiceAccount in the
calico-system
namespace. The ServiceAccount has a finalizer namedtigera.io/cni-protector
which seems to be failing to complete.When I try to manually delete the ServiceAccount with kubectl it also just gets stuck.
Possible Solution
Not sure, but I tried googling the finalizer and nothing came up other than this Go package page which doesn't shed much light.
Steps to Reproduce (for bugs)
tigera-operator
Helm Chart through a Terraformhelm_release
(version 3.23.3) (it will probably also work using the helm cli)Context
We have a CI pipeline that sets up a new Kubernetes deployment every night and then cleans it up. This is how we test the IaC that creates our Kubernetes deployments. The deployment includes a K8s cluster and supporting tools like Ingress Controllers, Calico, SealedSecrets controller, Sysdig, Datadog, etc.
Currently, our CI pipeline is intermittently failing because it's timing out trying to delete the Calico Helm release.
Your Environment
tigera-operator
version 3.23.3 (Managed by Terraform Helm provider)amd64
, Linux Distro:Amazon Linux 2
, Linux Kernel:5.4.176-91.338.amzn2.x86_64
, AWS AMI:amazon-eks-node-1.21-v20220216
The text was updated successfully, but these errors were encountered: