Closed shay-ul closed 2 years ago
might be related to https://github.com/mittwald/kubernetes-replicator/pull/13
There has not been any activity to this issue in the last 14 days. It will automatically be closed after 7 more days. Remove the stale label to prevent this.
@martin-helmich any chance to remove the stale label? :)
Closing as the problem lies with the fact that you cannot specify a namespace for sub-charts in Chart.yaml, therefore helmfile should be used. https://github.com/helm/helm/issues/5358
Describe the bug: When installing the chart as a dependency for a different chart which is namespace scoped, the replicator ServiceAccount is created on the desired namespace, however the ClusterRoleBinding still references the ServiceAccount in a default namespace.
To Reproduce: Add Kubernetes-replicator as a subchart for a different, namespace-scoped helm chart.
Expected behavior: The ClusterRoleBinding should reference kubernetes-replicator ServiceAccount in the correct namespace. Alternately, force the creation of the ServiceAccount on the default namespace.
Environment:
Logs from kubernetes-replicator pod (private information omitted between <>):
E0703 07:49:34.929843 1 reflector.go:138] pkg/mod/k8s.io/client-go@v0.22.4/tools/cache/reflector.go:167: Failed to watch v1.Secret: failed to list v1.Secret: secrets is forbidden: User "system:serviceaccount::-kubernetes-replicator" cannot list resource "secrets" in API group "" at the cluster scope
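A check for the mismatch described in this issue, as an added example that is not part of the original thread or the project's code: it walks objects shaped like the `items` of `kubectl get clusterrolebindings,serviceaccounts -A -o json` and reports ClusterRoleBinding subjects that name a ServiceAccount missing from the referenced namespace. The sample objects, names and namespaces are constructed for illustration.

```python
# Constructed sample, shaped like the "items" array returned by
# `kubectl get clusterrolebindings,serviceaccounts -A -o json`.
# All names and namespaces are made up for illustration.
SAMPLE_ITEMS = [
    {"kind": "ServiceAccount",
     "metadata": {"name": "demo-kubernetes-replicator", "namespace": "apps"}},
    {"kind": "ServiceAccount",
     "metadata": {"name": "metrics-reader", "namespace": "monitoring"}},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "demo-kubernetes-replicator"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "default",
                   "name": "demo-kubernetes-replicator"}]},
    {"kind": "ClusterRoleBinding",
     "metadata": {"name": "metrics-reader"},
     "subjects": [{"kind": "ServiceAccount", "namespace": "monitoring",
                   "name": "metrics-reader"}]},
]


def service_accounts(items):
    """Set of (namespace, name) for every ServiceAccount in the dump."""
    return {(o["metadata"].get("namespace", ""), o["metadata"]["name"])
            for o in items if o.get("kind") == "ServiceAccount"}


def dangling_subjects(items):
    """ClusterRoleBinding subjects that name a ServiceAccount which does not
    exist in the referenced namespace, plus the namespaces where a
    ServiceAccount of that name does exist (the likely intended target)."""
    existing = service_accounts(items)
    findings = []
    for obj in items:
        if obj.get("kind") != "ClusterRoleBinding":
            continue
        for subj in obj.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount":
                continue
            key = (subj.get("namespace", ""), subj["name"])
            if key not in existing:
                elsewhere = sorted(ns for ns, n in existing if n == key[1])
                findings.append((obj["metadata"]["name"], key[0], key[1], elsewhere))
    return findings


if __name__ == "__main__":
    for binding, ns, name, elsewhere in dangling_subjects(SAMPLE_ITEMS):
        print(f"{binding}: subject {ns}/{name} not found; "
              f"ServiceAccount exists in {elsewhere or 'no namespace'}")
```

A finding whose last field is non-empty is the pattern reported here: the binding grants the ClusterRole to an identity in one namespace while the pod runs as the same-named ServiceAccount in another, so its list and watch calls on secrets are forbidden.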