deleting CSV does not delete operator's RBAC related resources

[jmazzitelli]

I am installing RH Service Mesh in OpenShift 4.1. I do so through the CLI - I create Subscriptions and CatalogSourceConfig such that I get service mesh and kiali all running fine.

But now I want to delete all of these resources via the CLI (so I can script all of this for automation and easy setup/teardown for dev environments).

I can delete everything except for the operators' roles, role bindings, service accounts, etc. As I understand it, deleting the CSV should remove the operator (its deployment and pod) as well as its roles, bindings, and service accounts. However, I only see the deployment and pod delete.

Here's a log of what I executed in my shell console window and you can see what happens:

# HERE ARE MY EXISTING SUBSCRIPTIONS

$ oc get subscription servicemeshoperator -n openshift-operators
NAME                  PACKAGE               SOURCE                            CHANNEL
servicemeshoperator   servicemeshoperator   hack-redhat-openshift-operators   1.0
$ oc get subscription kiali-ossm -n openshift-operators
NAME         PACKAGE      SOURCE                            CHANNEL
kiali-ossm   kiali-ossm   hack-redhat-openshift-operators   stable

# HERE IS MY KIALI OPERATOR POD RUNNING AND ITS DEPLOYMENT

$ oc get pod -n openshift-operators | grep kiali
kiali-operator-64c8487b6f-h9jjx           1/1     Running   0          13m
$ oc get deployment -n openshift-operators | grep kiali
kiali-operator           1/1     1            1           13m

# HERE ARE MY KIALI OPERATOR'S RBAC RESOURCES - SA, ROLES, BINDINGS

$ oc get sa -n openshift-operators | grep kiali
kiali-operator           2         13m
$ oc get clusterrolebinding -n openshift-operators | grep kiali
kiali-operator.v1.0.5-qwc56-kiali-operator-q2m4b                                  13m
$ oc get clusterrole -n openshift-operators | grep kiali
kiali-operator.v1.0.5-qwc56                                            13m
kialis.kiali.io-v1alpha1-admin                                         10m
kialis.kiali.io-v1alpha1-crdview                                       10m
kialis.kiali.io-v1alpha1-edit                                          10m
kialis.kiali.io-v1alpha1-view                                          10m
monitoringdashboards.monitoring.kiali.io-v1alpha1-admin                10m
monitoringdashboards.monitoring.kiali.io-v1alpha1-crdview              10m
monitoringdashboards.monitoring.kiali.io-v1alpha1-edit                 10m
monitoringdashboards.monitoring.kiali.io-v1alpha1-view                 10m

# HERE ARE MY SERVICE MESH (AKA ISTIO) OPERATOR'S POD, DEPLOYMENT, AND SA

$ oc get pod -n openshift-operators | grep istio-operator
istio-operator-6bb446cb7f-mq245           1/1     Running   0          14m
$ oc get deployment -n openshift-operators | grep istio-operator
istio-operator           1/1     1            1           14m
$ oc get sa -n openshift-operators | grep istio
istio-cni                2         12m
istio-operator           2         14m

# HERE ARE MY CSVs FOR SERVICE MESH AND KIALI

$ oc get csv -n openshift-operators | grep servicemesh
servicemeshoperator.v1.0.0                   Red Hat OpenShift Service Mesh   1.0.0                            Succeeded
$ oc get csv -n openshift-operators | grep kiali
kiali-operator.v1.0.5                        Kiali Operator                   1.0.5                            Succeeded

# NOW I WILL DELETE MY SUBSCRIPTIONS TO SERVICE MESH AND KIALI

$ oc delete subscription servicemeshoperator -n openshift-operators
subscription.operators.coreos.com "servicemeshoperator" deleted
$ oc delete subscription kiali-ossm -n openshift-operators
subscription.operators.coreos.com "kiali-ossm" deleted

# I SIMPLY NOTE THAT THE OPERATORS ARE STILL RUNNING AS EXPECTED

$ oc get pod -n openshift-operators | grep kiali
kiali-operator-64c8487b6f-h9jjx           1/1     Running   0          16m
$ oc get pod -n openshift-operators | grep istio-operator
istio-operator-6bb446cb7f-mq245           1/1     Running   0          16m

# AND I CONFIRM MY SUBSCRIPTIONS ARE GONE

$ oc get subscription servicemeshoperator -n openshift-operators
Error from server (NotFound): subscriptions.operators.coreos.com "servicemeshoperator" not found
$ oc get subscription kiali-ossm -n openshift-operators
Error from server (NotFound): subscriptions.operators.coreos.com "kiali-ossm" not found

# NOW I DELETE THE CSVs WHICH SHOULD DELETE MY OPERATORS

$ oc delete csv -n openshift-operators servicemeshoperator.v1.0.0
clusterserviceversion.operators.coreos.com "servicemeshoperator.v1.0.0" deleted
$ oc delete csv -n openshift-operators kiali-operator.v1.0.5
clusterserviceversion.operators.coreos.com "kiali-operator.v1.0.5" deleted

# I CONFIRM MY OPERATORS' DEPLOYMENTS AND PODS ARE GONE

$ oc get deployment -n openshift-operators | grep istio-operator
$ oc get deployment -n openshift-operators | grep kiali
$ oc get pod -n openshift-operators | grep kiali
$ oc get pod -n openshift-operators | grep istio-operator

# BUT!!! AND HERE IS THE PROBLEM - ALL OF MY OPERATORS' RBAC RELATED RESOURCES STILL EXIST

$ oc get sa -n openshift-operators | grep kiali
kiali-operator           2         19m

$ oc get clusterrole -n openshift-operators | grep kiali
kiali-operator.v1.0.5-qwc56                                            19m
kialis.kiali.io-v1alpha1-admin                                         16m
kialis.kiali.io-v1alpha1-crdview                                       16m
kialis.kiali.io-v1alpha1-edit                                          16m
kialis.kiali.io-v1alpha1-view                                          16m
monitoringdashboards.monitoring.kiali.io-v1alpha1-admin                16m
monitoringdashboards.monitoring.kiali.io-v1alpha1-crdview              16m
monitoringdashboards.monitoring.kiali.io-v1alpha1-edit                 16m
monitoringdashboards.monitoring.kiali.io-v1alpha1-view                 16m

$ oc get clusterrolebinding -n openshift-operators | grep kiali
kiali-operator.v1.0.5-qwc56-kiali-operator-q2m4b                                  19m

$ oc get sa -n openshift-operators | grep istio
istio-cni                2         18m
istio-operator           2         20m

[jmazzitelli]

Here's oc version info (the cluster is running in a CRC VM):

$ oc version
Client Version: version.Info{Major:"4", Minor:"1+", GitVersion:"v4.1.14-201908291507+c406751-dirty", GitCommit:"c406751", GitTreeState:"dirty", BuildDate:"2019-08-29T22:56:42Z", GoVersion:"go1.11.13", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13+", GitVersion:"v1.13.4+df9cebc", GitCommit:"df9cebc", GitTreeState:"clean", BuildDate:"2019-08-06T18:31:45Z", GoVersion:"go1.11.6", Compiler:"gc", Platform:"linux/amd64"}

[jmazzitelli]

For the record, here is how I set up the catalogsourceconfig and subscriptions (again, I did this through the CLI - I did not install or uninstall the operators via the OpenShift Console):

cat <<EOM | oc apply -f -
---
apiVersion: operators.coreos.com/v1
kind: CatalogSourceConfig
metadata:
  name: hack-redhat-openshift-operators
  namespace: openshift-marketplace
spec:
  csDisplayName: Hack Red Hat Operators
  csPublisher: Hack Red Hat
  packages: 'elasticsearch-operator,jaeger-product,kiali-ossm,servicemeshoperator'
  targetNamespace: openshift-operators
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: elasticsearch-operator
  namespace: openshift-operators
spec:
  channel: preview
  installPlanApproval: Automatic
  name: elasticsearch-operator
  source: hack-redhat-openshift-operators
  sourceNamespace: openshift-operators
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: jaeger-product
  namespace: openshift-operators
spec:
  channel: stable
  installPlanApproval: Automatic
  name: jaeger-product
  source: hack-redhat-openshift-operators
  sourceNamespace: openshift-operators
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: kiali-ossm
  namespace: openshift-operators
spec:
  channel: stable
  installPlanApproval: Automatic
  name: kiali-ossm
  source: hack-redhat-openshift-operators
  sourceNamespace: openshift-operators
---
apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  name: servicemeshoperator
  namespace: openshift-operators
spec:
  channel: '1.0'
  installPlanApproval: Automatic
  name: servicemeshoperator
  source: hack-redhat-openshift-operators
  sourceNamespace: openshift-operators
EOM

[kramvan1]

Seeing same results with basic kube env, Roles and such are not cleaned up.

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[kramvan1]

working now with 14.1

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[ecordell]

Closing since this has been resolved