
Cannot destroy namespace with Terraform CR as ServiceAccount is removed before runner created

Open heschlie opened this issue 3 years ago • 3 comments

Hello, I have a potentially odd use case, but it seems like it should work. Digging into the details, we understand why, but would like input on how we can do this before we dive into creating our own workaround.

We would like to host the Terraform CR in a namespace with the deployment it is tied to. We have some testing deployments that are ephemeral in nature, and we like to have the ability to simply destroy the entire namespace and just let k8s clean it all up. We started trying out tf-controller recently and found that while the Terraform CRs have a finalizer on them to ensure the cloud resources are destroyed, there is no mechanism for the ServiceAccount, and k8s happily deletes it before the runner pod even has a chance to spin up.

I'm not sure this is technically the problem of tf-controller but it would be nice if there was a way to get tf-controller to keep the requisite service account around until it isn't needed anymore. I see there is code for adding finalizers to dependent Terraform resources, perhaps we could hijack that to add a finalizer to the ServiceAccount?

heschlie avatar Apr 27 '23 20:04 heschlie
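A sketch of the finalizer approach proposed above, as an added example that is not tofu-controller's own code: the controller keeps a finalizer on the ServiceAccount while any Terraform object in the namespace references it, so the namespace controller cannot remove the SA before the runner has run the destroy, and drops it once no referencing object remains. The finalizer key, the struct stand-ins for the Kubernetes objects and the `tf-finalizer-placeholder` value are assumptions; a real reconciler would use client-go types and patch the object through the API.

```go
package main

// Hypothetical finalizer key for illustration; tofu-controller does not define it.
const saFinalizer = "example.invalid/keep-until-terraform-destroyed"

// Minimal stand-ins for the Kubernetes objects (constructed, not client-go types).
type Terraform struct {
	Name, ServiceAccountName string
	Finalizers               []string
}
type ServiceAccount struct {
	Name       string
	Finalizers []string
}

// ReconcileSA returns the finalizer list the ServiceAccount should carry: the
// finalizer is present while any Terraform object (deleting or not) references
// the SA, and is removed once no referencing object remains.
func ReconcileSA(sa ServiceAccount, crs []Terraform) []string {
	referenced := false
	for _, cr := range crs {
		referenced = referenced || cr.ServiceAccountName == sa.Name
	}
	var out []string
	for _, f := range sa.Finalizers {
		if f != saFinalizer { // keep every other finalizer untouched
			out = append(out, f)
		}
	}
	if referenced {
		out = append(out, saFinalizer)
	}
	return out
}

// SimulateNamespaceDelete models the namespace controller: every object is marked
// for deletion and goes away as soon as it carries no finalizer. The Terraform
// finalizer only clears after a runner pod has run the destroy, and that pod
// cannot be created once the SA is gone. Returns true when both objects end up deleted.
func SimulateNamespaceDelete(sa ServiceAccount, cr Terraform, protect bool) bool {
	if protect {
		sa.Finalizers = ReconcileSA(sa, []Terraform{cr}) // controller guarded the SA earlier
	}
	if len(sa.Finalizers) == 0 {
		return false // SA deleted first: runner pod cannot start, CR finalizer never clears
	}
	cr.Finalizers = nil                  // runner finished the destroy, CR finalizer removed
	sa.Finalizers = ReconcileSA(sa, nil) // no referencing CR left, SA finalizer dropped
	return len(cr.Finalizers) == 0 && len(sa.Finalizers) == 0
}
```

Patching a finalizer onto the ServiceAccount still needs update permission on serviceaccounts for the controller, a narrower grant than create but one to weigh against the permission concern raised later in this thread.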

Sorry to be annoying, but what does the team/wild-watermelon label mean on this issue? Is there a way to follow this further or see this as part of a team's backlog?

rattboi avatar Jul 18 '23 22:07 rattboi

Hi @rattboi, that's our internal team label.

We now have an umbrella issue to address the resource-deletion process of the Terraform Controller as a whole here: https://github.com/weaveworks/tf-controller/issues/755

chanwit avatar Jul 19 '23 10:07 chanwit

We don't support deleting the namespace right now, and I don't see how we can do that in the near future, as the ServiceAccount is created during a helm release based on allowedNamespaces. The controller does not create ServiceAccounts (and I think it shouldn't have permissions to create ServiceAccounts), therefore it can't recreate the deleted resource.

@chanwit: I don't think we can resolve this with the current runner logic (independent from BLOB cache), do you see any way to handle it properly and still in a secure way?

Correction: Delete should work and should be fixed, as it does not work now, but you can't re-create the namespace after you deleted it.

yitsushi avatar Oct 11 '23 09:10 yitsushi