Description
Describe the bug
There seems to be a service account conflict introduced recently. I upgraded the secrets-store-csi-driver/secrets-store-csi-driver chart without issue. Then, when I tried to upgrade the aws-secrets-manager/secrets-store-csi-driver-provider-aws chart, I received this message:
Error: INSTALLATION FAILED: Unable to continue with install: ServiceAccount "secrets-store-csi-driver" in namespace "kube-system" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "secrets-provider-aws": current value is "csi-secrets-store"
Other functional clusters have this service account relative to this helm chart:
secrets-provider-aws-secrets-store-csi-driver-provider-aws
Is there a bug or am I holding the mouse wrong?
To Reproduce
Steps to reproduce the behavior:
I removed both charts and then tried to install the latest version of each chart. I get a conflict regardless of which I install first:
```
[sbaugh@devops-jump01 ~]$ helm list -A | grep kube-sys
aws-load-balancer-controller kube-system 10 2025-09-15 16:57:09.214254735 +0000 UTC deployed aws-load-balancer-controller-1.13.4 v2.13.4
cluster-autoscaler kube-system 7 2025-09-15 20:20:57.847456686 +0000 UTC deployed cluster-autoscaler-9.50.1 1.33.0
[sbaugh@devops-jump01 ~]$ helm install -n kube-system secrets-provider-aws aws-secrets-manager/secrets-store-csi-driver-provider-aws
NAME: secrets-provider-aws
LAST DEPLOYED: Fri Sep 19 16:42:44 2025
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
[sbaugh@devops-jump01 ~]$ helm install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver
--set syncSecret.enabled=true
--set enableSecretRotation=true
Error: INSTALLATION FAILED: Unable to continue with install: ServiceAccount "secrets-store-csi-driver" in namespace "kube-system" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "csi-secrets-store": current value is "secrets-provider-aws"
[sbaugh@devops-jump01 ~]$ helm uninstall -n kube-system secrets-provider-aws
release "secrets-provider-aws" uninstalled
[sbaugh@devops-jump01 ~]$ helm install -n kube-system csi-secrets-store secrets-store-csi-driver/secrets-store-csi-driver --set syncSecret.enabled=true --set enableSecretRotation=true
NAME: csi-secrets-store
LAST DEPLOYED: Fri Sep 19 16:43:42 2025
NAMESPACE: kube-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The Secrets Store CSI Driver is getting deployed to your cluster.
To verify that Secrets Store CSI Driver has started, run:
kubectl --namespace=kube-system get pods -l "app=secrets-store-csi-driver"
Now you can follow these steps https://secrets-store-csi-driver.sigs.k8s.io/getting-started/usage.html
to create a SecretProviderClass resource, and a deployment using the SecretProviderClass.
[sbaugh@devops-jump01 ~]$ helm install -n kube-system secrets-provider-aws aws-secrets-manager/secrets-store-csi-driver-provider-aws
Error: INSTALLATION FAILED: Unable to continue with install: ServiceAccount "secrets-store-csi-driver" in namespace "kube-system" exists and cannot be imported into the current release: invalid ownership metadata; annotation validation error: key "meta.helm.sh/release-name" must equal "secrets-provider-aws": current value is "csi-secrets-store"
```
Do you also notice this bug when using a different secrets store provider (Vault/Azure/GCP...)? Yes/No
I haven't tested any other providers.
If yes, the issue is likely with the k8s Secrets Store CSI driver, not the AWS provider. Open an issue in that repo.
Expected behavior
Environment:
OS, Go version, etc.
AWS EKS, AL2023
```
~ helm version
version.BuildInfo{Version:"v3.19.0", GitCommit:"3d8990f0836691f0229297773f3524598f46bda6", GitTreeState:"clean", GoVersion:"go1.24.7"}
```
Additional context
Add any other context about the problem here.
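
The ownership check behind the error in this report, as an added example that is not part of the original issue or of either chart: a pre-flight check over `kubectl get ... -o json` output that reports which objects a release could not adopt. The function names and the sample object are constructed for illustration; the `app.kubernetes.io/managed-by` label and `meta.helm.sh/release-namespace` annotation are Helm 3 ownership metadata not shown in the report, and the message wording is modelled on the error text quoted above.

```python
import json

MANAGED_BY = "app.kubernetes.io/managed-by"
REL_NAME = "meta.helm.sh/release-name"
REL_NS = "meta.helm.sh/release-namespace"

def ownership_errors(obj, release, namespace):
    """Return the reasons `obj` could not be adopted into `release`."""
    meta = obj.get("metadata", {})
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    errors = []
    for kind, have, key, want in (
        ("label", labels, MANAGED_BY, "Helm"),
        ("annotation", annotations, REL_NAME, release),
        ("annotation", annotations, REL_NS, namespace),
    ):
        if key not in have:
            errors.append(f'{kind}: missing key "{key}": must be set to "{want}"')
        elif have[key] != want:
            errors.append(f'{kind}: key "{key}" must equal "{want}": '
                          f'current value is "{have[key]}"')
    return errors

def conflicts(existing_json, wanted, release, namespace):
    """wanted: set of (kind, name) pairs the chart would create."""
    found = {}
    for item in json.loads(existing_json)["items"]:
        key = (item["kind"], item["metadata"]["name"])
        if key in wanted and item["metadata"].get("namespace") == namespace:
            errs = ownership_errors(item, release, namespace)
            if errs:
                found[key] = errs
    return found

# Constructed sample: the ServiceAccount as owned by the csi-secrets-store release.
SAMPLE = json.dumps({"items": [{
    "kind": "ServiceAccount",
    "metadata": {
        "name": "secrets-store-csi-driver", "namespace": "kube-system",
        "labels": {MANAGED_BY: "Helm"},
        "annotations": {REL_NAME: "csi-secrets-store", REL_NS: "kube-system"},
    }}]})

if __name__ == "__main__":
    wanted = {("ServiceAccount", "secrets-store-csi-driver")}
    for key, errs in conflicts(SAMPLE, wanted, "secrets-provider-aws", "kube-system").items():
        print(key, errs)
```
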