# helm -n default template goldilocks fairwinds-stable/goldilocks --version 8.0.1 --set vpa.enabled=true --skip-tests --no-hooks | kubectl apply --dry-run=server -f - -v=6 2>&1 |egrep /namespace
I0508 21:45:03.630086 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/kube-system/serviceaccounts/goldilocks-vpa-admission-controller 404 Not Found in 62 milliseconds
I0508 21:45:03.691960 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/kube-system 200 OK in 61 milliseconds
I0508 21:45:03.756593 26400 round_trippers.go:553] POST https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/kube-system/serviceaccounts?dryRun=All&fieldManager=kubectl-client-side-apply&fieldValidation=Strict 201 Created in 64 milliseconds
I0508 21:45:03.819761 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/kube-system/serviceaccounts/goldilocks-vpa-recommender 200 OK in 62 milliseconds
I0508 21:45:03.884344 26400 round_trippers.go:553] PATCH https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/kube-system/serviceaccounts/goldilocks-vpa-recommender?dryRun=All&fieldManager=kubectl-client-side-apply&fieldValidation=Strict 200 OK in 63 milliseconds
I0508 21:45:03.946668 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/default/serviceaccounts/goldilocks-controller 404 Not Found in 61 milliseconds
I0508 21:45:04.010382 26400 round_trippers.go:553] POST https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/default/serviceaccounts?dryRun=All&fieldManager=kubectl-client-side-apply&fieldValidation=Strict 201 Created in 63 milliseconds
I0508 21:45:04.074522 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/default/serviceaccounts/goldilocks-dashboard 404 Not Found in 63 milliseconds
I0508 21:45:04.135679 26400 round_trippers.go:553] POST https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/default/serviceaccounts?dryRun=All&fieldManager=kubectl-client-side-apply&fieldValidation=Strict 201 Created in 60 milliseconds
I0508 21:45:06.307165 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/kube-system/services/goldilocks-vpa-webhook 404 Not Found in 61 milliseconds
I0508 21:45:06.370486 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/kube-system 200 OK in 63 milliseconds
I0508 21:45:06.432766 26400 round_trippers.go:553] POST https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/kube-system/services?dryRun=All&fieldManager=kubectl-client-side-apply&fieldValidation=Strict 201 Created in 62 milliseconds
I0508 21:45:06.495681 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/default/services/goldilocks-dashboard 404 Not Found in 62 milliseconds
I0508 21:45:06.559329 26400 round_trippers.go:553] POST https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/default/services?dryRun=All&fieldManager=kubectl-client-side-apply&fieldValidation=Strict 201 Created in 63 milliseconds
I0508 21:45:06.623038 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/apis/apps/v1/namespaces/kube-system/deployments/goldilocks-vpa-admission-controller 404 Not Found in 63 milliseconds
I0508 21:45:06.685995 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/api/v1/namespaces/kube-system 200 OK in 62 milliseconds
I0508 21:45:06.753441 26400 round_trippers.go:553] POST https://apiserver.test.s.o3.ru:6443/apis/apps/v1/namespaces/kube-system/deployments?dryRun=All&fieldManager=kubectl-client-side-apply&fieldValidation=Strict 201 Created in 67 milliseconds
I0508 21:45:06.817708 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/apis/apps/v1/namespaces/kube-system/deployments/goldilocks-vpa-recommender 200 OK in 62 milliseconds
I0508 21:45:06.891832 26400 round_trippers.go:553] PATCH https://apiserver.test.s.o3.ru:6443/apis/apps/v1/namespaces/kube-system/deployments/goldilocks-vpa-recommender?dryRun=All&fieldManager=kubectl-client-side-apply&fieldValidation=Strict 200 OK in 69 milliseconds
I0508 21:45:06.954595 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/apis/apps/v1/namespaces/default/deployments/goldilocks-controller 404 Not Found in 60 milliseconds
I0508 21:45:07.287064 26400 round_trippers.go:553] POST https://apiserver.test.s.o3.ru:6443/apis/apps/v1/namespaces/default/deployments?dryRun=All&fieldManager=kubectl-client-side-apply&fieldValidation=Strict 201 Created in 332 milliseconds
I0508 21:45:07.350705 26400 round_trippers.go:553] GET https://apiserver.test.s.o3.ru:6443/apis/apps/v1/namespaces/default/deployments/goldilocks-dashboard 404 Not Found in 62 milliseconds
I0508 21:45:07.807244 26400 round_trippers.go:553] POST https://apiserver.test.s.o3.ru:6443/apis/apps/v1/namespaces/default/deployments?dryRun=All&fieldManager=kubectl-client-side-apply&fieldValidation=Strict 201 Created in 456 milliseconds
Notice that the serviceaccount and some other objects are created in two different namespaces: "default" (from helm render params) and "kube-system" (from current cluster context). As a result, RBAC rules for the "default" namespace do not work for (unused) serviceaccounts in the "kube-system" namespace. So VPA is just broken; it doesn't have permissions to do the job.
What did you expect to happen?
I expect to have all namespaced objects in .Release.Namespace, not the current cluster context namespace.
[X] I did search for other open and closed issues before opening this.
Code of Conduct
[X] I agree to follow this project's Code of Conduct
Version
helm-chart-8.0.1
Additional context
To use VPA as a subchart (e.g. goldilocks) when helm is used just as a renderer (we use qbec for that), we need to render the namespace in metadata. Currently (NO "namespace:" in deployment's metadata) namespaced objects may be created in some random ("default" in case of qbec) namespace, so RBAC is broken.
There was a PR for that: https://github.com/FairwindsOps/charts/pull/1369 (now out-of-sync).
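The mismatch reported in this issue can be caught before anything is applied by checking rendered manifests for namespaced objects that have no `metadata.namespace`. The following is an added example, not code from the issue or from the chart; the `parse_docs` and `misplaced` helpers, the cluster-scoped kind list and the trimmed sample manifests are assumptions made for illustration.

```python
import re

# Cluster-scoped kinds carry no metadata.namespace (partial list, an assumption).
CLUSTER_SCOPED = {"Namespace", "ClusterRole", "ClusterRoleBinding", "CustomResourceDefinition"}

def parse_docs(rendered):
    """Yield (kind, name, namespace) per YAML document; line-based, assumes 2-space block style."""
    for doc in re.split(r"(?m)^---[ \t]*$", rendered):
        kind, meta, in_meta = None, {}, False
        for line in doc.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            if not line.startswith(" "):              # top-level key or list item
                in_meta = line.startswith("metadata:")
                m = re.match(r"kind:\s*(\S+)", line)
                kind = m.group(1) if m else kind
            elif in_meta:                             # direct children of metadata only
                m = re.match(r"  (name|namespace):\s*[\"']?([^\"'\s]+)", line)
                if m:
                    meta[m.group(1)] = m.group(2)
        if kind:
            yield kind, meta.get("name"), meta.get("namespace")

def misplaced(rendered, release_ns, context_ns):
    """Namespaced objects kubectl would create outside release_ns, because a
    missing metadata.namespace is filled in from the current kubectl context."""
    return [(k, n, ns or context_ns) for k, n, ns in parse_docs(rendered)
            if k not in CLUSTER_SCOPED and (ns or context_ns) != release_ns]

# Constructed sample, trimmed to the fields the check reads; not the chart's
# real output. ServiceAccount names follow the log in this issue.
SAMPLE = """\
kind: ServiceAccount
metadata:
  name: goldilocks-vpa-recommender
---
kind: ServiceAccount
metadata:
  name: goldilocks-controller
  namespace: default
---
kind: ClusterRoleBinding
metadata:
  name: example-vpa-binding
subjects:
- kind: ServiceAccount
  name: goldilocks-vpa-recommender
  namespace: default
"""
```

With `release_ns="default"` and `context_ns="kube-system"`, the check reports the recommender ServiceAccount as landing in `kube-system`, while the binding's subject still points at `default`.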