Context
I had the ocm controllers installed with a HelmRelease and I had to set .values.fullnameOverride to ocm-k8s-toolkit:

```yaml
apiVersion: source.toolkit.fluxcd.io/v1
kind: OCIRepository
metadata:
  name: ocm-k8s-toolkit
  namespace: flux-system
spec:
  interval: 10m
  url: oci://ghcr.io/open-component-model/kubernetes/controller/chart
  ref:
    tag: 0.4.0
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: ocm-k8s-toolkit
  namespace: flux-system
spec:
  interval: 10m
  releaseName: ocm-k8s-toolkit
  install:
    createNamespace: true
  targetNamespace: ocm-k8s-toolkit-system
  chartRef:
    kind: OCIRepository
    name: ocm-k8s-toolkit
    namespace: flux-system
  values:
    fullnameOverride: ocm-k8s-toolkit
```
Otherwise, the service account name was:
ocm-k8s-toolkit-system-ocm-k8s-toolkit-controller-manager
And there were controller errors:
```
errors occurred during ApplySet apply:
resourcegraphdefinitions.kro.run "cert-manager" is forbidden: User "system:serviceaccount:ocm-k8s-toolkit-system:ocm-k8s-toolkit-system-ocm-k8s-toolkit-controller-manager" cannot patch resource "resourcegraphdefinitions" in API group "kro.run" at the cluster scope
resourcegraphdefinitions.kro.run "prometheus-operator" is forbidden: User "system:serviceaccount:ocm-k8s-toolkit-system:ocm-k8s-toolkit-system-ocm-k8s-toolkit-controller-manager" cannot patch resource "resourcegraphdefinitions" in API group "kro.run" at the cluster scope
```
This is why my custom RBAC rules were not applied as documented here: https://github.com/open-component-model/open-component-model/blob/main/kubernetes/controller/docs/getting-started/custom-rbac.md#create-a-clusterrole-and-clusterrolebinding
The strange thing is, I never ran into this issue before. But it seems that the service account name is not 100% predictable without the fullnameOverride.
Maybe this is not a real issue, but something that needs to be more precise in the documentation.
Version
0.4.0
To Reproduce
See above
Actual behavior
Expected behavior
Additional Comments
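A check for the mismatch reported above, as an added example that is not code from the issue author or the OCM project: it extracts the denied service account from the apiserver's "forbidden" messages and reports those that no ClusterRoleBinding subject names. The binding subject `ocm-k8s-toolkit-controller-manager` is an assumption about what the custom-rbac guide binds, and the function names are hypothetical.

```python
import re

# Shape of the RBAC denial as quoted in the issue; \s+ tolerates wrapped lines.
FORBIDDEN = re.compile(
    r'"(?P<object>[^"]+)" is forbidden: User\s+'
    r'"system:serviceaccount:(?P<ns>[^:"]+):(?P<sa>[^"]+)"\s+cannot\s+'
    r'(?P<verb>\w+)\s+resource\s+"(?P<resource>[^"]+)"\s+'
    r'in\s+API\s+group\s+"(?P<group>[^"]*)"'
)

def denied_subjects(log_text):
    """Map (namespace, serviceaccount) -> set of (verb, apiGroup, resource) denied."""
    denied = {}
    for m in FORBIDDEN.finditer(log_text):
        denied.setdefault((m["ns"], m["sa"]), set()).add(
            (m["verb"], m["group"], m["resource"]))
    return denied

def unbound_subjects(log_text, binding_subjects):
    """Denied service accounts that none of the binding's subjects refers to."""
    bound = {(s["namespace"], s["name"]) for s in binding_subjects
             if s.get("kind") == "ServiceAccount"}
    return {k: v for k, v in denied_subjects(log_text).items() if k not in bound}

# Controller errors copied from the issue, with the original line wrapping.
SAMPLE_LOG = '''errors occurred during ApplySet apply:
resourcegraphdefinitions.kro.run "cert-manager" is forbidden: User
"system:serviceaccount:ocm-k8s-toolkit-system:ocm-k8s-toolkit-system-ocm-k8s-toolkit-controller-manager" cannot patch resource "resourcegraphdefinitions" in API group "kro.run" at the cluster scope
resourcegraphdefinitions.kro.run "prometheus-operator" is forbidden: User
"system:serviceaccount:ocm-k8s-toolkit-system:ocm-k8s-toolkit-system-ocm-k8s-toolkit-controller-manager" cannot patch
resource "resourcegraphdefinitions" in API group "kro.run" at the cluster scope
'''

# Constructed ClusterRoleBinding subjects (assumed name, see lead-in).
ASSUMED_SUBJECTS = [{"kind": "ServiceAccount",
                     "name": "ocm-k8s-toolkit-controller-manager",
                     "namespace": "ocm-k8s-toolkit-system"}]

if __name__ == "__main__":
    for (ns, sa), rules in unbound_subjects(SAMPLE_LOG, ASSUMED_SUBJECTS).items():
        print(f"no binding subject for {ns}/{sa}; denied: {sorted(rules)}")
```

In a cluster, the subject list would come from the `subjects` field of the ClusterRoleBinding and the log text from the controller's output.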