Impersonation ServiceAccount should use HelmRelease namespace instead of targetNamespace #498

Closed
avthart opened this issue Jun 21, 2022 · 1 comment

avthart commented Jun 21, 2022

@hiddeco

We found out that serviceAccount impersonation is not using the hr.Namespace anymore but the hr.targetNamespace

Example:

apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: echoserver
  namespace: a-ns
spec:
  releaseName: echoserver
  serviceAccountName: flux-reconciler
  targetNamespace: other-ns
status:
  conditions:
  - lastTransitionTime: "2022-06-21T18:28:06Z"
    message: failed to get last release revision
    reason: GetLastReleaseFailed
    status: "False"
    type: Ready

  Warning  error            8m22s (x11 over 21m)  helm-controller  reconciliation failed: failed to get last release revision: query: failed to query with labels: secrets is forbidden: User "system:serviceaccount:other-ns:flux-reconciler" cannot list resource "secrets" in API group "" in the namespace "a-ns"

Actual: system:serviceaccount:other-ns:flux-reconciler
Expected: system:serviceaccount:a-ns:flux-reconciler

Found this change which is probably changing how serviceAccount impersonation works in the helm-controller:
d19b470

avthart commented Jun 22, 2022

Closing. Confirmed that this is fixed in the latest helm-controller release ghcr.io/fluxcd/helm-controller:v0.22.1
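
A triage check for the symptom reported in this issue, as an added example that is not part of the thread or of helm-controller's code: it parses the RBAC denial from the event message and compares the impersonated ServiceAccount's namespace with the HelmRelease's own namespace, which is the expected identity stated in the report. `Classify` and its result strings are hypothetical names, and the second sample message is constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Matches the RBAC denial text in the helm-controller event quoted in the issue.
var denialRe = regexp.MustCompile(
	`User "system:serviceaccount:([^:"]+):([^"]+)" cannot (\w+) resource "([^"]+)"` +
		` in API group "[^"]*" in the namespace "([^"]+)"`)

// Classify compares the identity named in a denial with the one expected for a
// HelmRelease in hrNamespace that sets spec.serviceAccountName to saName.
// (Classify and its result strings are hypothetical names for this example.)
func Classify(hrNamespace, saName, msg string) string {
	m := denialRe.FindStringSubmatch(msg)
	if m == nil {
		return "not-a-serviceaccount-denial"
	}
	gotNS, gotName := m[1], m[2]
	switch {
	case gotName != saName:
		return "different-serviceaccount"
	case gotNS != hrNamespace:
		// Symptom from this issue: identity built from another namespace.
		return "namespace-mismatch: got " + gotNS + ", expected " + hrNamespace
	default:
		// Impersonated identity is as expected; RBAC does not grant it this access.
		return "missing-rbac: " + m[3] + " " + m[4] + " in " + m[5]
	}
}

func main() {
	// First message is copied from the issue; the second is constructed.
	msgs := []string{
		`secrets is forbidden: User "system:serviceaccount:other-ns:flux-reconciler" cannot list resource "secrets" in API group "" in the namespace "a-ns"`,
		`secrets is forbidden: User "system:serviceaccount:a-ns:flux-reconciler" cannot list resource "secrets" in API group "" in the namespace "a-ns"`,
	}
	for _, msg := range msgs {
		fmt.Println(Classify("a-ns", "flux-reconciler", msg))
	}
}
```

A `namespace-mismatch` result points at the controller building the wrong identity, while `missing-rbac` points at a Role or RoleBinding that needs adding for the ServiceAccount.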
