redradrat / aws-iam-operator

AWS IAM Operator for Kubernetes
Apache License 2.0
32 stars, 7 forks

EntityAlreadyExists thrown and then deletion leads to Role 'xxxx' not yet created #21

Open jayzalowitz opened 3 years ago

jayzalowitz commented 3 years ago

kubectl get role.aws-iam.redradrat.xyz -A

jay    nginx-deployment-role   EntityAlreadyExists: Role with name nginx-deployment-role already exists. status code: 409, request id: 042007ff-baf9-47d3-8960-b8bf9209c6ee   ERROR
jay    role-sample             EntityAlreadyExists: Role with name role-sample already exists. status code: 409, request id: 23bf242d-4a05-4668-b1e8-de3aa0538306   ERROR
test   nginx-deployment-role   arn:aws:iam::....:role/nginx-deployment-role   Succesfully reconciled
test   role-sample             arn:aws:iam::....:role/role-sample             Succesfully reconciled   OK

kubectl delete -f deployment.yaml -n jay
deployment.apps "nginx-deployment" deleted
role.aws-iam.redradrat.xyz "nginx-deployment-role" deleted
role.aws-iam.redradrat.xyz "role-sample" deleted

kubectl get role.aws-iam.redradrat.xyz -A

jay    nginx-deployment-role   Role 'nginx-deployment-role' not yet created
jay    role-sample             Role 'role-sample' not yet created
test   nginx-deployment-role   arn:aws:iam::....:role/nginx-deployment-role   Succesfully reconciled
test   role-sample             arn:aws:iam::.....:role/role-sample            Succesfully reconciled

kubectl delete -f deployment.yaml -n test
deployment.apps "nginx-deployment" deleted
role.aws-iam.redradrat.xyz "nginx-deployment-role" deleted
role.aws-iam.redradrat.xyz "role-sample" deleted

kubectl get role.aws-iam.redradrat.xyz -A

jay    nginx-deployment-role   Role 'nginx-deployment-role' not yet created   ERROR   11 Feb 21 22:33 +0000
jay    role-sample             Role 'role-sample' not yet created             ERROR   11 Feb 21 22:33 +0000

redradrat commented 3 years ago

Hi @jayzalowitz, sorry for the late response... I'm not actually sure I'm following the flow correctly here. You're saying the Role resource isn't ever created? Or just in the scenario where the running controller has detected it as already existing?

jayzalowitz commented 3 years ago

I basically need a mode that deletes the role regardless of whether all other actions completed before it. I have several creation and deletion problems. Would you consider adding a flag that says "just delete" or "ignore if already created"?

redradrat commented 3 years ago

Ok, I think I get your point... I mean the operator cannot detect the exact details of the existing role yet. It only understands that it exists and thus fails, as the understanding of whether that existing Role is actually right is not there...

So that's why the controller really wants to create the role from the beginning, and thus shouldn't touch it if it is not able to properly "adopt" it.

redradrat commented 3 years ago

I wonder if one could just alter the Custom Resource to include the status in a way that makes the operator think it did create the resource. But yeah, it would be a hack.
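The thread turns on two questions: when a 409 EntityAlreadyExists comes back, how does the controller know whether the existing IAM role is "actually right" (i.e. belongs to this Role CR and not to a same-named CR in another namespace, or to something outside the cluster), and what should deletion do for a CR whose role was never created. The sketch below is an added example, not code from aws-iam-operator, and the ownership tag key `aws-iam.redradrat.xyz/owner`, the `IAMClient` interface, the in-memory `FakeIAM` and the function names are all assumptions made for illustration. It shows one way to make "adopt" explicit: create the role with an owner tag, adopt an existing role only when its tag names this CR, refuse to adopt (and never delete) a role owned by anything else, and treat an absent role as already deleted so the CR can still be removed.

```go
package main

import (
	"errors"
	"fmt"
)

// Sentinel errors modelled on the IAM error codes seen in the issue output.
var (
	ErrEntityAlreadyExists = errors.New("EntityAlreadyExists")
	ErrNoSuchEntity        = errors.New("NoSuchEntity")
)

// OwnerTag is an ASSUMED tag key marking which Role CR created an IAM role.
// The operator discussed in the issue does not define such a tag.
const OwnerTag = "aws-iam.redradrat.xyz/owner"

// IAMRole is the subset of an IAM role this example needs.
type IAMRole struct {
	Name string
	Tags map[string]string
}

// IAMClient is the minimal interface the reconciler uses; a real
// implementation would wrap the AWS SDK. This one is an assumption.
type IAMClient interface {
	GetRole(name string) (*IAMRole, error)
	CreateRole(name string, tags map[string]string) error
	DeleteRole(name string) error
}

// FakeIAM is a constructed in-memory IAM so the example runs offline.
type FakeIAM struct{ Roles map[string]*IAMRole }

func NewFakeIAM() *FakeIAM { return &FakeIAM{Roles: map[string]*IAMRole{}} }

func (f *FakeIAM) GetRole(name string) (*IAMRole, error) {
	if r, ok := f.Roles[name]; ok {
		return r, nil
	}
	return nil, ErrNoSuchEntity
}

func (f *FakeIAM) CreateRole(name string, tags map[string]string) error {
	if _, ok := f.Roles[name]; ok {
		return ErrEntityAlreadyExists // the 409 from the issue
	}
	copied := map[string]string{}
	for k, v := range tags {
		copied[k] = v
	}
	f.Roles[name] = &IAMRole{Name: name, Tags: copied}
	return nil
}

func (f *FakeIAM) DeleteRole(name string) error {
	if _, ok := f.Roles[name]; !ok {
		return ErrNoSuchEntity
	}
	delete(f.Roles, name)
	return nil
}

// OwnerValue encodes the owning CR as namespace/name, so two CRs with the
// same name in different namespaces ("jay" and "test") are distinct owners.
func OwnerValue(namespace, name string) string { return namespace + "/" + name }

// EnsureRole creates the role for CR namespace/name, or adopts an existing
// role only when its owner tag proves this CR created it. Returns "created"
// or "adopted"; any other existing role is refused, not touched.
func EnsureRole(c IAMClient, namespace, name string) (string, error) {
	owner := OwnerValue(namespace, name)
	err := c.CreateRole(name, map[string]string{OwnerTag: owner})
	if err == nil {
		return "created", nil
	}
	if !errors.Is(err, ErrEntityAlreadyExists) {
		return "", err
	}
	existing, err := c.GetRole(name)
	if err != nil {
		return "", err
	}
	if got := existing.Tags[OwnerTag]; got != owner {
		return "", fmt.Errorf("role %q exists but is owned by %q, not %q; refusing to adopt", name, got, owner)
	}
	return "adopted", nil
}

// DeleteRoleIfOwned is the finalizer side. An absent role counts as done
// (so a CR stuck at "not yet created" can still be deleted); a role owned by
// another CR is left in place and reported rather than deleted.
func DeleteRoleIfOwned(c IAMClient, namespace, name string) (string, error) {
	owner := OwnerValue(namespace, name)
	existing, err := c.GetRole(name)
	if errors.Is(err, ErrNoSuchEntity) {
		return "absent", nil
	}
	if err != nil {
		return "", err
	}
	if got := existing.Tags[OwnerTag]; got != owner {
		return "skipped: owned by " + got, nil
	}
	if err := c.DeleteRole(name); err != nil {
		return "", err
	}
	return "deleted", nil
}

func main() {
	iam := NewFakeIAM()
	for _, ns := range []string{"test", "jay"} { // replays the issue: "test" first, then "jay"
		a, err := EnsureRole(iam, ns, "nginx-deployment-role")
		fmt.Printf("ensure %s: %s %v\n", ns, a, err)
	}
	for _, ns := range []string{"jay", "test", "test"} {
		a, err := DeleteRoleIfOwned(iam, ns, "nginx-deployment-role")
		fmt.Printf("delete %s: %s %v\n", ns, a, err)
	}
}
```

The point of the tag check is least privilege on the operator's own side: deleting an IAM role is destructive and a Kubernetes user with rights to create Role CRs in one namespace should not be able to make the controller delete (or silently take over) a same-named role created by another namespace or by hand. Note that tags are advisory, not a proof of ownership; anyone with `iam:TagRole` on the role can forge one, so the check is a guard against accidents, not against a principal who already holds IAM write permissions.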