From 1366a3a164b04574cd61f0653f6cef3bc0b533a7 Mon Sep 17 00:00:00 2001
From: Angel Marin
Date: Fri, 8 May 2026 15:11:14 +0200
Subject: [PATCH] HYPERFLEET-1040 - fix: Use label selector to clean up orphaned cluster-scoped RBAC resources

The cleanup function was deleting ClusterRole/ClusterRoleBinding by name, which couples it to the chart's naming scheme. Switch to label-based deletion using app.kubernetes.io/instance so the cleanup works correctly regardless of how the chart names these resources.

Co-Authored-By: Claude Sonnet 4.6
---
 pkg/helper/adapter.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/pkg/helper/adapter.go b/pkg/helper/adapter.go
index 8271954..a783199 100644
--- a/pkg/helper/adapter.go
+++ b/pkg/helper/adapter.go
@@ -221,12 +221,16 @@ func (h *Helper) UninstallAdapter(ctx context.Context, releaseName, namespace st

 // cleanupClusterScopedResources removes orphaned cluster-scoped resources that may be left
 // after Helm uninstall. This is a best-effort cleanup and logs errors without failing.
+// Uses label selectors instead of names so it works regardless of the chart's naming scheme.
 func (h *Helper) cleanupClusterScopedResources(ctx context.Context, releaseName string) {
 cmdCtx, cancel := context.WithTimeout(ctx, 30*time.Second)
 defer cancel()

+ labelSelector := fmt.Sprintf("app.kubernetes.io/instance=%s", releaseName)
+
 // Try to delete ClusterRole
- clusterRoleCmd := exec.CommandContext(cmdCtx, "kubectl", "delete", "clusterrole", releaseName,
+ clusterRoleCmd := exec.CommandContext(cmdCtx, "kubectl", "delete", "clusterrole", //nolint:gosec // labelSelector is derived from releaseName, not user input
+ "-l", labelSelector,
 "--ignore-not-found=true")
 if output, err := clusterRoleCmd.CombinedOutput(); err != nil {
 logger.Info("could not delete ClusterRole (may not exist)",
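Review bot: The selector built in `labelSelector := fmt.Sprintf("app.kubernetes.io/instance=%s", releaseName)` reaches `kubectl delete ... -l` with no check on releaseName, and the `//nolint:gosec` justification ("not user input") cannot be confirmed from this hunk. An empty value, or one containing `,`, `!` or `=`, changes what the selector matches. ClusterRoles are cluster-scoped while Helm 3 release names are only unique per namespace, so a same-named release in another namespace could lose its RBAC objects too. I would return early on a bad name, e.g. `if releaseName == "" || strings.ContainsAny(releaseName, ",=!() ") { return }`, and narrow the selector with a second label the chart sets (for example `app.kubernetes.io/name`, if the chart applies it). The same selector is reused for the ClusterRoleBinding delete in the next hunk, and the function body continues outside this hunk.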
@@ -237,7 +241,8 @@ func (h *Helper) cleanupClusterScopedResources(ctx context.Context, releaseName
 }

 // Try to delete ClusterRoleBinding
- clusterRoleBindingCmd := exec.CommandContext(cmdCtx, "kubectl", "delete", "clusterrolebinding", releaseName,
+ clusterRoleBindingCmd := exec.CommandContext(cmdCtx, "kubectl", "delete", "clusterrolebinding", //nolint:gosec // labelSelector is derived from releaseName, not user input
+ "-l", labelSelector,
 "--ignore-not-found=true")
 if output, err := clusterRoleBindingCmd.CombinedOutput(); err != nil {
 logger.Info("could not delete ClusterRoleBinding (may not exist)",
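Review bot: The `err != nil` branch after the ClusterRoleBinding delete still logs "(may not exist)" at Info level, but with `-l` and `--ignore-not-found=true` an empty match is not an error, so this branch only sees real failures such as a timeout, a forbidden response or an API error. A binding that survives here is a leftover cluster-wide grant, so I would log it at the logger's warning level (if it has one) with wording such as `"could not delete ClusterRoleBinding; cluster-scoped RBAC may remain"`. The ClusterRole message in the first hunk has the same problem. Both commands also share the single 30-second `cmdCtx`, so a slow first delete leaves less time for this one. The logger.Info call continues past the end of the hunk.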