Disabling Service Accounts doesn't propagate fully with deployments still set to use removed accounts
Summary
Disabling Service Accounts (serviceAccount.enabled
) after previously enabling them doesn't appear to work as expected.
While the accounts get deleted the related deployments aren't updated to no longer use them. This leaves pods hanging, attempting to use the now deleted Service Accounts instead of default.
Steps to reproduce
- Deploy the Helm Chart with
serviceAccount.enabled
set totrue
. - Note that the accounts have been created and deployments configured to use them, e.g.
gitlab-webservice
. - Set
serviceAccount.enabled
to false and redeploy - Note that the accounts have corrected been deleted but that the deployments haven't been updated and are still configured to use them.
Current behavior
Service accounts are deleted on disable but deployments are not updated accordingly.
Expected behavior
For the Service Accounts to be remove and for any deployments using them to be updated to no longer use them.
Versions
- Chart: 7.11.0
- Platform:
- Cloud: GKE (but issue is agnostic)
- Kubernetes: (
kubectl version
)- Client: v1.29.3
- Server: v1.27.11-gke.1062000
- Helm: (
helm version
)- Client: v3.14.4