Failed to create namespace for release: namespaces is forbidden

braghettos commented 2 years ago

What happened?

I'm trying to use provider-helm to install argocd helm chart but I'm getting the following issue:

Failed to create namespace for release: namespaces is forbidden: User "system:serviceaccount:crossplane-system:provider-helm-b9e90b3c7ff8" cannot create resource "namespaces" in API group "" at the cluster scope

How can we reproduce it?

This is how I'm configuring my managed resource in my composition:

    - base:
        apiVersion: helm.crossplane.io/v1beta1
        kind: Release
        metadata:
          annotations:
            crossplane.io/external-name: argocd
        spec:
          forProvider:
            chart:
              name: argo-cd
              repository: https://argoproj.github.io/argo-helm
              version: 4.6.0
            namespace: krateo-system

What environment did it happen in?

Crossplane version: 1.7.1
Cloud provider or hardware configuration: GCP

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.5",
GitCommit:"c285e781331a3785a7f436042c65c5641ce8a9e9", GitTreeState:"clean", BuildDate:"2022-03-16T15:51:05Z", GoVersion:"go1.17.8", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.11-gke.900", GitCommit:"20da4c21b3a6b1a56ff6ad5ecb7dee013aaf1b83", GitTreeState:"clean", BuildDate:"2022-03-30T09:37:00Z", GoVersion:"go1.16.15b7", Compiler:"gc", Platform:"linux/amd64"}

Kubernetes distribution (e.g. Tectonic, GKE, OpenShift): GKE
provider-helm version: 0.10.0

portswigger-tim commented 1 year ago

I know that this was a while ago...

You probably need to bind the provider service account to a ClusterRole with privileges or use a ControllerConfig to assign a ServiceAccount bound to an appropriate ClusterRole.

Here is what I've started with:

---
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-helm
spec:
  package: xpkg.upbound.io/crossplane-contrib/provider-helm:v0.12.0
  controllerConfigRef:
    name: provider-helm
---
apiVersion: pkg.crossplane.io/v1alpha1
kind: ControllerConfig
metadata:
  name: provider-helm
spec:
  serviceAccountName: provider-helm
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: provider-helm
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: provider-helm
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: provider-helm
  namespace: crossplane-system

raphasle commented 3 months ago

If you know the namespace exists, you can set skipCreateNamespace to true.

https://marketplace.upbound.io/providers/crossplane-contrib/provider-helm/v0.19.0/resources/helm.crossplane.io/Release/v1beta1#doc:spec-forProvider-skipCreateNamespace

crossplane-contrib / provider-helm