check if service account exists before uninstalling release

Signed-off-by: Sanskar Jaiswal <jaiswalsanskar078@gmail.com>

controllers/helmrelease_controller.go

@@ -39,6 +39,7 @@ import (
 	kuberecorder "k8s.io/client-go/tools/record"
 	"k8s.io/client-go/tools/reference"
 	"sigs.k8s.io/cli-utils/pkg/kstatus/polling"
+	"sigs.k8s.io/cli-utils/pkg/object"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -58,6 +59,7 @@ import (
 	"github.com/fluxcd/pkg/runtime/metrics"
 	"github.com/fluxcd/pkg/runtime/predicates"
 	"github.com/fluxcd/pkg/runtime/transform"
+	"github.com/fluxcd/pkg/ssa"
 	sourcev1 "github.com/fluxcd/source-controller/api/v1beta2"
 
 	v2 "github.com/fluxcd/helm-controller/api/v2beta1"
@@ -660,8 +662,11 @@ func (r *HelmReleaseReconciler) composeValues(ctx context.Context, hr v2.HelmRel
 
 // reconcileDelete deletes the v1beta2.HelmChart of the v2beta1.HelmRelease,
 // and uninstalls the Helm release if the resource has not been suspended.
+// It only performs a Helm uninstall if the ServiceAccount to be impersonated
+// exists.
 func (r *HelmReleaseReconciler) reconcileDelete(ctx context.Context, hr v2.HelmRelease) (ctrl.Result, error) {
 	r.recordReadiness(ctx, hr)
+	log := ctrl.LoggerFrom(ctx)
 
 	// Delete the HelmChart that belongs to this resource.
 	if err := r.deleteHelmChart(ctx, &hr); err != nil {
@@ -678,11 +683,42 @@ func (r *HelmReleaseReconciler) reconcileDelete(ctx context.Context, hr v2.HelmR
 		if err != nil {
 			return ctrl.Result{}, err
 		}
-		if err := run.Uninstall(hr); err != nil && !errors.Is(err, driver.ErrReleaseNotFound) {
-			return ctrl.Result{}, err
-		}
-		ctrl.LoggerFrom(ctx).Info("uninstalled Helm release for deleted resource")
 
+		impersonator := runtimeClient.NewImpersonator(
+			r.Client,
+			r.StatusPoller,
+			r.PollingOpts,
+			hr.Spec.KubeConfig,
+			r.KubeConfigOpts,
+			kube.DefaultServiceAccountName,
+			hr.Spec.ServiceAccountName,
+			hr.GetNamespace(),
+		)
+		if impersonator.CanImpersonate(ctx) {
+			if err := run.Uninstall(hr); err != nil && !errors.Is(err, driver.ErrReleaseNotFound) {
+				return ctrl.Result{}, err
+			}
+			log.Info("uninstalled Helm release for deleted resource")
+		} else {
+			release, err := run.ObserveLastRelease(hr)
+			if err != nil {
+				return ctrl.Result{}, err
+			}
+			resources, err := ssa.ReadObjects(strings.NewReader(release.Manifest))
+			if err != nil {
+				return ctrl.Result{}, err
+			}
+
+			var b strings.Builder
+			for _, r := range resources {
+				b.WriteString(ssa.FmtObjMetadata(object.UnstructuredToObjMetadata(r)) + ", ")
+			}
+			resourceString := strings.TrimSuffix(b.String(), ", ")
+
+			msg := fmt.Sprintf("unable to delete objects: %s", resourceString)
+			log.Error(fmt.Errorf("skipping Helm uninstall, failed to find service account to impersonate"), msg)
+			r.event(ctx, hr, hr.Status.LastAppliedRevision, eventv1.EventSeverityError, msg)
+		}
 	} else {
 		ctrl.LoggerFrom(ctx).Info("skipping Helm uninstall for suspended resource")
 	}