The MinioPolicyBinding object does not get deleted when removing MinioUser, MinioPolicy and MinioPolicyBinding objects from a cluster

[steinwelberg]

The MinioPolicyBinding CR does not get deleted when we remove the MinioUser, MinioPolicy and MinioPolicyBinding objects from a cluster at the same time.

Deleting the policy binding fails with the following error (logs from the operator):

2024-09-04 13:43:47,125 - INFO - minio_operator_ext.operator - delete:infra-minio/ci-e0eb02dd-typescript-react-template started                                                                                                                                              │
│ 2024-09-04 13:43:47,134 - INFO - minio_operator_ext.operator - delete:infra-minio/ci-e0eb02dd-typescript-react-template-policy started                                                                                                                                       │
│ 2024-09-04 13:43:47,143 - INFO - minio_operator_ext.operator - delete:infra-minio/ci-e0eb02dd-typescript-react-template-policy-binding started                                                                                                                               │
│ 2024-09-04 13:43:47,213 - INFO - minio_operator_ext.operator - delete:infra-minio/ci-e0eb02dd-typescript-react-template started                                                                                                                                              │
│ 2024-09-04 13:43:47,317 - INFO - minio_operator_ext.operator - delete:infra-minio/ci-e0eb02dd-typescript-react-template completed                                                                                                                                            │
│ 2024-09-04 13:43:47,415 - ERROR - minio_operator_ext.operator - delete:infra-minio/ci-e0eb02dd-typescript-react-template-policy failed with retryable error: admin request failed; Status: 400, Body: {"Code":"XMinioIAMPolicyInUse","Message":"The policy cannot be removed │
│ , as it is in use","Resource":"/minio/admin/v3/remove-canned-policy","RequestId":"17F20E636C183861","HostId":"569a2c2b6fe6f180002dfb8bb719e75853115b62c50874ff56f4c016dde8d1b8"}                                                                                             │

For completeness all delete resource logs are included. Btw, both the bucket and the user have the name ci-e0eb02dd-typescript-react-template.

We also noticed that the first time the policy gets deployed, the same error is triggered.

[benfiola]

We also noticed that the first time the policy gets deployed, the same error is triggered.

On policy binding creation, if the resource fails to create because a user/group/policy doesn't exist - it should retry until success. In your case, did this happen?

The MinioPolicyBinding CR does not get deleted when we remove the MinioUser, MinioPolicy and MinioPolicyBinding objects from a cluster at the same time.

This shouldn't happen! Taking a look.

[benfiola]

I've put in the following code that addresses the issues you were facing re: MinioPolicyBinding resource deletion.

You can try these changes out yourself with either of the following images:

docker.io/benfiola/minio-operator-ext:latest
docker.io/benfiola/minio-operator-ext:1.1.2

[steinwelberg]

We also noticed that the first time the policy gets deployed, the same error is triggered.

On policy binding creation, if the resource fails to create because a user/group/policy doesn't exist - it should retry until success. In your case, did this happen?

The MinioPolicyBinding CR does not get deleted when we remove the MinioUser, MinioPolicy and MinioPolicyBinding objects from a cluster at the same time.

This shouldn't happen! Taking a look.

Yeah, on resource creation, the problem resolves itself! Just wanted to mention it here to be complete.

Great. Will have a look!

[steinwelberg]

Alright, I have verified that it works as expected! Thanks for the quick response and fix! 💪