D Cleaning Up After a Failed Installation

This appendix describes how to remove deployed or partially deployed Oracle Identity and Access Management software from a Kubernetes cluster.

The steps provided in this section assume that you have the persistent volumes mounted on the configuration node under /nfs_volumes/<pvname>.

Oracle Unified Directory Services Manager

To remove Oracle Unified Directory Services Manager (OUDSM):
  1. Remove the OUDSM deployment using the command:
    helm uninstall -n <OUDNS> oudsm-1
    For example:
    helm uninstall -n oudns oudsm-1
  2. If you have set up a node port service, remove the service using the command:
    kubectl delete service -n <OUDNS> oudsm-nodeport
    For example:
    kubectl delete service -n oudns oudsm-nodeport
  3. If you have installed Logstash, you also need to execute the following commands:
    kubectl delete deployment -n <OUDNS> oudsm-logstash
    kubectl delete cm -n <OUDNS> oudsm-logstash-configmap
  4. Verify that there are no OUDSM services running, using the command:
    kubectl get all -n <OUDNS> -o wide
    For example:
    kubectl get all -n oudns -o wide
  5. Remove the contents of the persistent volume using the command:
    rm -rf /nfs_volumes/oudsmpv/*
  6. Remove the files from the working directory.
    rm -rf /workdir/OUDSM/*

For the list of applicable variables, see Variables Used in this Chapter.

Oracle Unified Directory

If you have deployed OUDSM into the Oracle Unified Directory (OUD) namespace, you should first remove this component. See Oracle Unified Directory Services Manager.
  1. Remove the OUD deployment using the command:
    helm uninstall -n <OUDNS> <OUD_POD_PREFIX>
    For example:
    helm uninstall -n oudns edg
  2. If you have set up a node port service, remove the service using the command:
    kubectl delete service -n <OUDNS> oud-nodeport
    For example:
    kubectl delete service -n oudns oud-nodeport
  3. If you have installed Logstash, you also need to execute the following commands:
    kubectl delete deployment -n <OUDNS> oud-logstash
    kubectl delete cm -n <OUDNS> oud-logstash-configmap
    kubectl delete cm -n <OUDNS> elk-cert
  4. Remove the OUD namespace.
    kubectl delete namespace <OUDNS>
    For example:
    kubectl delete namespace oudns
  5. Check that all OUD pods have stopped, using the command:
    kubectl get all -n <OUDNS> -o wide
    For example:
    kubectl get all -n oudns -o wide
  6. Remove the files on persistent volume.
    rm -rf /nfs_volumes/oudpv
  7. Optionally, remove the files on the configuration persistent volume.
    rm -rf /nfs_volumes/oudconfigpv
  8. Remove the files from the working directory.
    rm -rf /workdir/OUD/*

For the list of applicable variables, see Variables Used in this Chapter.

Oracle Access Manager

To remove Oracle Access Manager:
  1. Delete the domain creation job using the command:
    kubectl delete jobs <OAM_DOMAIN_NAME>-create-fmw-infra-sample-domain-job -n <OAMNS>
    For example:
    kubectl delete jobs accessdomain-create-fmw-infra-sample-domain-job -n oamns
  2. Delete the domain using the command:
    kubectl delete domain <OAM_DOMAIN_NAME> -n <OAMNS>
    For example:
    kubectl delete domain accessdomain -n oamns
  3. Delete the configmap using the command:
    kubectl delete configmaps <OAM_DOMAIN_NAME>-create-oam-infra-domain-job-cm -n <OAMNS>
    For example:
    kubectl delete configmaps accessdomain-create-oam-infra-domain-job-cm -n oamns
  4. If you have installed Logstash, you also need to execute the following commands:
    kubectl delete deployment -n <OAMNS> oam-logstash
    kubectl delete cm -n <OAMNS> oam-logstash-configmap
    kubectl delete cm -n <OAMNS> elk-cert
  5. Delete the NodePort Services if you have defined them, using the commands:
    kubectl delete service -n <OAMNS> <OAM_DB_SERVICE>
    For example:
    kubectl delete service -n oamns accessdomain-oap
    kubectl delete service -n oamns accessdomain-policy-nodeport
    kubectl delete service -n oamns accessdomain-oam-nodeport
  6. Check that the domain has completely stopped, using the command:
    kubectl get all -n <OAMNS> -o wide
    For example:
    kubectl get all -n oamns -o wide
  7. Drop the OAM schemas by using the commands:
    1. Start a bash shell in the helper pod using the following command:
      kubectl exec -it helper -n <OAMNS> -- /bin/bash
      For example:
      kubectl exec -it helper -n oamns -- /bin/bash
    2. Set up the environment variables which you will use to connect to the database.
      export DB_HOST=<OAM_DB_SCAN>
      export DB_PORT=<OAM_DB_LISTENER>
      export DB_SERVICE=<OAM_DB_SERVICE>
      export CONNECTION_STRING=$DB_HOST:$DB_PORT/$DB_SERVICE
      export RCU_PREFIX=<OIG_RCU_PREFIX> 
      export RCU_SCHEMA_PWD=<OAM_SCHEMA_PWD>
      echo -e <OAM_DB_SYS_PWD>"\n"<OAM_SCHEMA_PWD> > /tmp/pwd.txt
      For example:
      export DB_HOST=DBSCAN.example.com
      export DB_PORT=1521
      export DB_SERVICE=igdedg.example.com
      export CONNECTION_STRING=$DB_HOST:$DB_PORT/$DB_SERVICE
      export RCU_PREFIX=IGDEDG
      export RCU_SCHEMA_PWD=rcupassword
      echo -e syspassword"\n"rcupassword > /tmp/pwd.txt

      Check that there are two entries in the /tmp/pwd.txt file.

      For example:
      cat /tmp/pwd.txt
      syspassword
      rcupassword
    3. Run the following command to drop the RCU schemas from the database:
      /u01/oracle/oracle_common/bin/rcu -silent -dropRepository -databaseType ORACLE -connectString \
      $CONNECTION_STRING -dbUser sys -dbRole sysdba \
      -selectDependentsForComponents true -schemaPrefix $RCU_PREFIX -component MDS -component IAU \
      -component IAU_APPEND -component IAU_VIEWER -component OPSS -component WLS -component STB -component OAM -f < /tmp/pwd.txt
  8. Remove persistent volume and claim from Kubernetes using the commands:
    kubectl delete pvc -n <OAMNS> <OAM_DOMAIN_NAME>-domain-pvc
    kubectl delete pv <OAM_DOMAIN_NAME>-domain-pv
    For example:
    kubectl delete pvc -n oamns accessdomain-domain-pvc
    kubectl delete pv accessdomain-domain-pv
  9. Remove the OAM namespace.
    kubectl delete namespace <OAMNS>
    For example:
    kubectl delete namespace oamns
  10. Remove the files on the persistent volume.
    rm -rf /nfs_volumes/oampv
  11. Remove the files from the working directory.
    rm -rf /workdir/OAM/*

For the list of applicable variables, see Variables Used in this Chapter.

Oracle Identity Governance

To remove Oracle Identity Governance:
  1. Delete the domain creation job using the command:
    kubectl delete jobs <OIG_DOMAIN_NAME>-create-fmw-infra-sample-domain-job -n <OIGNS>
    For example:
    kubectl delete jobs governancedomain-create-fmw-infra-sample-domain-job -n oigns
  2. Delete the domain using the command:
    kubectl delete domain <OIG_DOMAIN_NAME> -n <OIGNS>
    For example:
    kubectl delete domain governancedomain -n oigns
  3. Delete the configmap using the command:
    kubectl delete configmaps <OIG_DOMAIN_NAME>-create-fmw-infra-sample-domain-job-cm -n <OIGNS>
    For example:
    kubectl delete configmaps governancedomain-create-fmw-infra-sample-domain-job-cm -n oigns
  4. If you have installed Logstash, you also need to execute the following commands:
    kubectl delete deployment -n <OIGNS> oig-logstash
    kubectl delete cm -n <OIGNS> oig-logstash-configmap
    kubectl delete cm -n <OIGNS> elk-cert
  5. Delete the NodePort Services if you have defined them, using the commands:
    kubectl delete service -n <OIGNS> <OIG_DB_SERVICE>
    For example:
    kubectl delete service -n oigns governancedomain-oim-t3-nodeport
    kubectl delete service -n oigns governancedomain-oim-nodeport
    kubectl delete service -n oigns governancedomain-soa-nodeport
  6. Check that the domain has completely stopped, using the command:
    kubectl get all -n <OIGNS> -o wide
    For example:
    kubectl get all -n oigns -o wide
  7. Drop the OIG schemas by using the commands:
    1. Start a bash shell in the helper pod using the following command:
      kubectl exec -it helper -n <OIGNS> -- /bin/bash
      For example:
      kubectl exec -it helper -n oigns -- /bin/bash
    2. Set up the environment variables which you will use to connect to the database.
      export DB_HOST=<OIG_DB_SCAN>
      export DB_PORT=<OIG_DB_LISTENER>
      export DB_SERVICE=<OIG_DB_SERVICE>
      export CONNECTION_STRING=$DB_HOST:$DB_PORT/$DB_SERVICE
      export RCU_PREFIX=<OIG_RCU_PREFIX> 
      export RCU_SCHEMA_PWD=<OIG_SCHEMA_PWD>
      echo -e <OIG_DB_SYS_PWD>"\n"<OIG_SCHEMA_PWD> > /tmp/pwd.txt
      For example:
      export DB_HOST=DBSCAN.example.com
      export DB_PORT=1521
      export DB_SERVICE=igdedg.example.com
      export CONNECTION_STRING=$DB_HOST:$DB_PORT/$DB_SERVICE
      export RCU_PREFIX=IGDEDG
      export RCU_SCHEMA_PWD=rcupassword
      echo -e syspassword"\n"rcupassword > /tmp/pwd.txt

      Check that there are two entries in the /tmp/pwd.txt file.

      For example:
      cat /tmp/pwd.txt
      syspassword
      rcupassword
    3. Run the following command to drop the RCU schemas from the database:
      /u01/oracle/oracle_common/bin/rcu -silent -dropRepository -databaseType ORACLE -connectString \
      $CONNECTION_STRING -dbUser sys -dbRole sysdba \
      -selectDependentsForComponents true -schemaPrefix $RCU_PREFIX -component MDS -component IAU -component OIM \
      -component SOAINFRA -component OPSS -component WLS -component STB -component IAU_APPEND -component IAU_VIEWER -component UCSUMS -f < /tmp/pwd.txt
  8. Remove persistent volume and claim from Kubernetes using the commands:
    kubectl delete pvc -n <OIGNS> <OIG_DOMAIN_NAME>-domain-pvc
    kubectl delete pv <OIG_DOMAIN_NAME>-domain-pv
    For example:
    kubectl delete pvc -n oigns governancedomain-domain-pvc
    kubectl delete pv governancedomain-domain-pv
  9. Remove the OIG namespace.
    kubectl delete namespace <OIGNS>
    For example:
    kubectl delete namespace oigns
  10. Remove the files on the persistent volume.
    rm -rf /nfs_volumes/oigpv
  11. Remove the files from the working directory.
    rm -rf /workdir/OIG/*

For the list of applicable variables, see Variables Used in this Chapter.
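
The "Drop the OAM schemas" and "Drop the OIG schemas" steps above write the SYS and schema passwords to /tmp/pwd.txt with echo and leave the file in place. The following is an added example, not part of the Oracle procedure: the function names are hypothetical, and it shows one way to build the same two-line file with restrictive permissions, check it without displaying it, and remove it after rcu has read it.

```shell
#!/bin/sh
# Added example (not Oracle's code): build the two-line file that rcu reads on
# stdin without exposing the passwords, and remove it once rcu has run.

# read_secret PROMPT: read one line from the terminal with echo turned off.
read_secret() {
    printf '%s' "$1" >&2
    stty -echo; IFS= read -r _secret; stty echo
    printf '\n' >&2
    printf '%s' "$_secret"
}

# write_rcu_pwfile SYS_PWD SCHEMA_PWD: print the path of a new mode-0600 file
# holding the SYS password on line 1 and the schema password on line 2.
write_rcu_pwfile() {
    _nl='
'
    # An empty value or an embedded newline would shift the lines rcu reads.
    [ -n "$1" ] && [ -n "$2" ] || return 1
    case "$1$2" in *"$_nl"*) return 1 ;; esac
    # mktemp creates the file with mode 0600 under an unpredictable name.
    _pwfile=$(mktemp "${TMPDIR:-/tmp}/rcu_pwd.XXXXXX") || return 1
    # printf is a builtin in bash and dash (nothing shows up in ps) and, unlike
    # echo -e, does not interpret backslashes that are part of a password.
    printf '%s\n%s\n' "$1" "$2" > "$_pwfile"
    printf '%s\n' "$_pwfile"
}

# pwfile_ok FILE: true when FILE is mode 0600 and has exactly two non-empty
# lines. Replaces "cat /tmp/pwd.txt", which prints both passwords.
pwfile_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ] || return 1
    awk 'length($0) == 0 { bad = 1 } END { exit !(NR == 2 && !bad) }' "$1"
}

# run_with_pwfile SYS_PWD SCHEMA_PWD CMD [ARGS...]: run CMD with the password
# file on stdin, delete the file whether CMD succeeds or fails, and return
# CMD's exit status.
run_with_pwfile() {
    _sys=$1; _schema=$2; shift 2
    _f=$(write_rcu_pwfile "$_sys" "$_schema") || return 1
    "$@" < "$_f" && _rc=0 || _rc=$?
    rm -f "$_f"
    return "$_rc"
}

# In the helper pod (rcu arguments exactly as in step 3 above):
#   SYS_PWD=$(read_secret 'SYS password: ')
#   SCHEMA_PWD=$(read_secret 'Schema password: ')
#   run_with_pwfile "$SYS_PWD" "$SCHEMA_PWD" \
#       /u01/oracle/oracle_common/bin/rcu -silent -dropRepository ... -f

# Constructed demo: wc stands in for rcu and reports the two lines it was fed.
run_with_pwfile 'Constructed-Sys-1' 'Constructed-Schema-1' wc -l
```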

WebLogic Operator for Kubernetes

Before you remove the WebLogic Operator for Kubernetes, ensure that no domains in the Kubernetes cluster are being managed by the WebLogic Operator. Removing the Operator may cause dependent existing domains to cease working.

To remove the WebLogic Operator for Kubernetes:

  1. Remove the Operator deployment using the command:
    helm uninstall --namespace <OPERNS> weblogic-kubernetes-operator
    For example:
    helm uninstall --namespace operns weblogic-kubernetes-operator
  2. Remove the Operator namespace.
    kubectl delete namespace <OPERNS>
    For example:
    kubectl delete namespace operns
  3. Remove the local working directory.
    rm -rf /workdir/OPER/*

Oracle Identity Role Intelligence

To remove OIRI:
  1. Connect to the oiri-cli pod by using the command:
    kubectl exec -n <OIRINS> -ti oiri-cli -- /bin/bash
    For example:
    kubectl exec -n oirins -ti oiri-cli -- /bin/bash
  2. Remove the OIRI deployment using the command:
    helm delete oiri
  3. Delete the OIRI schemas from the oiri-cli pod by using the command:
    oiri-cli --config=/app/data/conf/config.yaml schema drop /app/data/conf/dbconfig.yaml \
                 --sysp <syspassword>
  4. Delete the oiri-cli pod by using the command:
    kubectl delete pod -n <OIRINS> oiri-cli
    For example:
    kubectl delete pod -n oirins oiri-cli
  5. Delete the oiri-ding-cli pod by using the command:
    kubectl delete pod -n <DINGNS> oiri-ding-cli
    For example:
    kubectl delete pod -n dingns oiri-ding-cli
  6. Remove the OIRI namespace.
    kubectl delete namespace <OIRINS>
    For example:
    kubectl delete namespace oirins
  7. Remove the DING namespace.
    kubectl delete namespace <DINGNS>
    For example:
    kubectl delete namespace dingns
  8. Remove the files on the persistent volume.
    rm -rf /nfs_volumes/oiripv /nfs_volumes/dingpv /nfs_volumes/workpv
  9. Remove the files from the working directory.
    rm -rf /workdir/OIRI/*

For the list of applicable variables, see Variables Used in this Chapter.

Oracle Advanced Authentication

To remove Oracle Advanced Authentication:
  1. Remove the OAA application.
    From the OAA-MGMT pod, run the following command:
    helm uninstall <OAA_APPLICATION> -n <OAANS>
    For example:
    helm uninstall edg -n oaans
  2. Ensure that all pods have been terminated and deleted before continuing, by using the following command:
    kubectl get pods -n oaans
    Ensure that there are no STS services running before continuing, by using the following command:
    kubectl get sts -n oaans
    If any STS services are still running, then attempt to stop them using the following commands:
    kubectl patch sts -n oaans edg-cache-rest -p '{"spec":{"replicas":0}}'
    kubectl patch sts -n oaans edg-cache-proxy -p '{"spec":{"replicas":0}}'
    kubectl patch sts -n oaans edg-cache-storage -p '{"spec":{"replicas":0}}'

    Where edg is the name of the OAA deployment.

  3. Remove the OAM integration. You can perform these steps using curl or the OAM Console. For simplicity, the curl commands are shown.
    1. Encode oamadmin and its password by using the following command:
      echo -n oamadmin:<password> | base64
    2. Delete the authentication scheme using the following curl command:
      curl --location --request DELETE "http://worker1.example.com:<OAM_K8_PORT>/oam/services/rest/11.1.2.0.0/ssa/policyadmin/authnscheme?name=OAA-MFA-Scheme" --header "Authorization: Basic <ENCODED_OAMADMIN>"
      For example:
      curl --location --request DELETE "http://worker1.example.com:30701/oam/services/rest/11.1.2.0.0/ssa/policyadmin/authnscheme?name=OAA-MFA-Scheme" --header "Authorization: Basic b2FtYWRtaW46cGFzc3dvcmQ="
    3. Delete the authentication policy using the following curl command.
      curl --location --request DELETE "http://worker1.example.com:<OAM_K8_PORT>/oam/services/rest/11.1.2.0.0/ssa/policyadmin/authnpolicy?appdomain=IAM%20Suite&name=OAA_MFA-Policy" --header "Authorization: Basic <ENCODED_OAMADMIN>"
      For example:
      curl --location --request DELETE "http://worker1.example.com:30701/oam/services/rest/11.1.2.0.0/ssa/policyadmin/authnpolicy?appdomain=IAM%20Suite&name=OAA_MFA-Policy" --header "Authorization: Basic b2FtYWRtaW46cGFzc3dvcmQ="
  4. Delete the OAuth client.
    1. Encode oamadmin and its password by using the command:
      echo -n oamadmin:<password> | base64
    2. Delete the OAuth client using the following curl command:
      curl --location --request DELETE "http://worker1.example.com:<OAM_K8_PORT>/oam/services/rest/ssa/api/v1/oauthpolicyadmin/client?name=OAAClient&identityDomainName=<OAA_DOMAIN>"  --header "Authorization: Basic <ENCODED_OAMADMIN>"
      For example:
      curl --location --request DELETE "http://worker1.example.com:30701/oam/services/rest/ssa/api/v1/oauthpolicyadmin/client?name=OAAClient&identityDomainName=OAADomain" --header "Authorization: Basic b2FtYWRtaW46cGFzc3dvcmQ="
    3. Delete the OAuth resource server using the command:
      curl --location --request DELETE "http://worker1.example.com:<OAM_K8_PORT>/oam/services/rest/ssa/api/v1/oauthpolicyadmin/application?name=OAAResource&identityDomainName=<OAA_DOMAIN>" --header "Authorization: Basic <ENCODED_OAMADMIN>"
      For example:
      curl --location --request DELETE "http://worker1.example.com:30701/oam/services/rest/ssa/api/v1/oauthpolicyadmin/application?name=OAAResource&identityDomainName=OAADomain" --header "Authorization: Basic b2FtYWRtaW46cGFzc3dvcmQ="
    4. Delete the OAuth domain using the command:
      curl --location --request DELETE "http://worker1.example.com:<OAM_K8_PORT>/oam/services/rest/ssa/api/v1/oauthpolicyadmin/oauthidentitydomain?name=<OAA_DOMAIN>" --header "Authorization: Basic <ENCODED_OAMADMIN>"
      For example:
      curl --location --request DELETE "http://worker1.example.com:30701/oam/services/rest/ssa/api/v1/oauthpolicyadmin/oauthidentitydomain?name=OAADomain" --header "Authorization: Basic b2FtYWRtaW46cGFzc3dvcmQ="
  5. Delete the database schemas. From the OAA-MGMT pod, run the following commands:
    sqlplus sys/<OAA_DB_SYS_PWD>@<DB_SCAN>:<DB_LISTENER>/<OAA_DB_SERVICE> as sysdba
    
    -- Required for PDBs
    alter session set "_oracle_script"=TRUE;
    
    drop user <OAA_RCU_PREFIX>_oaa cascade;
    delete from SCHEMA_VERSION_REGISTRY where comp_name='Oracle Advanced Authentication' and OWNER=UPPER('<OAA_RCU_PREFIX>_OAA');
    
    commit;
    
    set pages 0
    set feedback off
    spool /tmp/drop_directories.sql
    select 'drop directory '||directory_name||';' from all_directories
    where directory_name like 'EXPORT%'
    /
    spool off
    @/tmp/drop_directories
  6. Delete role bindings using the commands:
    kubectl delete rolebinding -n oaans oaa-rolebinding
    kubectl delete clusterrolebinding oaa-clusterrolebinding
    kubectl delete clusterrolebinding oaa-clusteradmin
    kubectl delete role oaa-ns-role -n oaans
    kubectl delete serviceaccount -n oaans oaa-service-account
  7. Delete the OAA management pod.
    kubectl delete pod -n oaans oaa-mgmt
  8. Delete the namespace using the command:
    kubectl delete namespace oaans
  9. Delete the contents of the persistent volumes using the commands:

    Note:

    The assumption is that you have the volumes mounted locally under /nfs_volumes.
    rm -rf <WORKDIR>
    rm -rf /nfs_volumes/oaacredpv/*
    rm -rf /nfs_volumes/oaaconfigpv/*
    rm -rf /nfs_volumes/oaalogpv/*
    rm -rf /nfs_volumes/oaalogpv/* /nfs_volumes/oaalogpv/.??*
  10. Remove the OAA entries from the OCI vault:
    Delete the vault secret <OAA_DEPLOYMENT>-map-oaaManifestMap.txt.

    Change the default deletion date when scheduling the secret for deletion. For more information, see Managing Vaults.

    Wait for <OAA_DEPLOYMENT>-map-oaaManifestMap.txt to be removed from the vault. The secret being in the deleted state is not sufficient. The removal from the vault takes up to 48 hours.

    After the secret is deleted, perform a new installation of OAA.

For the list of applicable variables, see Variables Used in this Chapter.
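
Several steps in this appendix empty a persistent volume with rm -rf under /nfs_volumes, where one stray space or an empty variable changes what gets deleted. The following is an added example, not part of the Oracle procedure: clean_pv is a hypothetical helper that removes a volume's contents, dotfiles included, only after confirming that the target is a real directory directly under the assumed /nfs_volumes mount point.

```shell
#!/bin/sh
# Added example (not Oracle's code). PV_BASE defaults to the mount point this
# appendix assumes; clean_pv is a hypothetical helper name.
PV_BASE=${PV_BASE:-/nfs_volumes}

# clean_pv PVNAME: delete everything inside $PV_BASE/PVNAME, dotfiles included,
# and keep the directory itself. Deletes nothing and returns 1 when PVNAME is
# empty, is not a single path component, or does not resolve to a directory
# directly under $PV_BASE (for example because it is a symlink).
clean_pv() {
    case "$1" in
        ''|.|..|*/*) echo "clean_pv: bad volume name '$1'" >&2; return 1 ;;
    esac
    _base=$(cd "$PV_BASE" 2>/dev/null && pwd -P) || {
        echo "clean_pv: $PV_BASE is not a directory" >&2; return 1; }
    _dir=$(cd "$PV_BASE/$1" 2>/dev/null && pwd -P) || {
        echo "clean_pv: $PV_BASE/$1 is not a directory" >&2; return 1; }
    # Compare physical paths so a symlink cannot redirect the delete.
    [ "$_dir" = "$_base/$1" ] || {
        echo "clean_pv: $PV_BASE/$1 resolves to $_dir, refusing" >&2; return 1; }
    # -mindepth 1 spares the directory itself; everything below it is removed.
    find "$_dir" -mindepth 1 -delete
}

# Constructed demo on a scratch directory standing in for the NFS mount.
demo=$(mktemp -d) && mkdir -p "$demo/oaalogpv/sub" &&
    touch "$demo/oaalogpv/.hidden" "$demo/oaalogpv/sub/f"
(PV_BASE=$demo; clean_pv oaalogpv && ls -A "$demo/oaalogpv")
rm -rf "$demo"
```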

Ingress Controller

To remove the Ingress controller:
  1. Remove the controller using the following command:
    helm uninstall -n <INGRESSNS> nginx-ingress
  2. Remove the namespace:
    kubectl delete namespace <INGRESSNS>

For the list of applicable variables, see Variables Used in this Chapter.

Elasticsearch and Kibana

To remove Elasticsearch and Kibana:
  1. Remove the NodePort Services:
    kubectl delete service -n <ELKNS> kibana-nodeport
    kubectl delete service -n <ELKNS> elk-nodeport
  2. Remove Kibana:
    kubectl delete kibana -n <ELKNS> kibana
  3. Remove the Elasticsearch cluster:
    kubectl delete elasticsearch -n <ELKNS> elasticsearch
  4. Remove the Elasticsearch Operator:
    helm uninstall -n <ELKNS> elastic-operator
  5. Remove the namespace:
    kubectl delete namespace <ELKNS>

For the list of applicable variables, see Variables Used in this Section.

Prometheus and Grafana

To remove Prometheus and Grafana:
  1. Remove the application:
    helm uninstall kube-prometheus -n <PROMNS>
  2. Remove Custom Resource Definitions:
    kubectl delete crd -n <PROMNS> alertmanagerconfigs.monitoring.coreos.com
    kubectl delete crd -n <PROMNS> alertmanagers.monitoring.coreos.com 
    kubectl delete crd -n <PROMNS> podmonitors.monitoring.coreos.com
    kubectl delete crd -n <PROMNS> probes.monitoring.coreos.com
    kubectl delete crd -n <PROMNS> prometheuses.monitoring.coreos.com
    kubectl delete crd -n <PROMNS> prometheusrules.monitoring.coreos.com
    kubectl delete crd -n <PROMNS> servicemonitors.monitoring.coreos.com
    kubectl delete crd -n <PROMNS> thanosrulers.monitoring.coreos.com
  3. Remove the namespace:
    kubectl delete namespace <PROMNS>