Open
Description
Bug
Fresh helm install of dcontroller fails — the controller cannot start:
operators.dcontroller.io is forbidden: User "system:serviceaccount:dcontroller-system:dcontroller-account"
cannot list resource "operators" in API group "dcontroller.io" at the cluster scope:
RBAC: clusterrole.rbac.authorization.k8s.io "dcontroller-role" not found
Root Cause
config/rbac/role.yaml uses name: manager-role. With namePrefix: dcontroller in config/helm-base/kustomization.yaml, kustomize produces dcontrollermanager-role (no dash).
The ClusterRoleBinding in config/rbac/role_binding.yaml hardcodes roleRef.name: dcontroller-role, which doesn't match.
All other RBAC resources use the -prefix convention (-rolebinding, -account, -leader-election-role) which produces correct names with the namePrefix.
Timeline
- Oct 29 (6803f35): namePrefix: dcontroller introduced in kustomize pipeline
- Dec 9-19: Published chart packages still used previous all.yaml — worked fine
- Jan 10 (c8d3481 on gh-pages): Automated rebuild regenerated chart via kustomize — broke RBAC
Reproduction
helm repo add dcontroller https://l7mp.github.io/dcontroller/
helm repo update
helm install dcontroller dcontroller/dcontroller --create-namespace -n dcontroller-system
kubectl logs -n dcontroller-system -l app.kubernetes.io/name=dcontroller
Environment
- Chart version: 0.0.0 (latest from gh-pages)
- Kubernetes: v1.31.4+rke2r1
- Helm: v3.17
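A pre-publish check for the mismatch described under Root Cause, as an added example that is not part of the original issue or the project's code: it flags any binding in the rendered output whose roleRef names a role that was not rendered. The manifests are constructed dicts using the names quoted in the issue, `apply_name_prefix` is a simplified model that only prepends the prefix to metadata.name, and the `-role` rename is an assumed fix following the convention the issue describes.

```python
import copy

NAME_PREFIX = "dcontroller"  # namePrefix from config/helm-base/kustomization.yaml

# Constructed sample: only the fields the check needs, names as quoted in the issue.
SOURCE = [
    {"kind": "ClusterRole", "metadata": {"name": "manager-role"}},
    {"kind": "ServiceAccount", "metadata": {"name": "-account"}},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "-rolebinding"},
     "roleRef": {"kind": "ClusterRole", "name": "dcontroller-role"}},
]

def apply_name_prefix(objs, prefix):
    """Simplified model (assumption): prepend prefix verbatim to metadata.name;
    a hardcoded roleRef.name is left exactly as written."""
    out = copy.deepcopy(objs)
    for obj in out:
        obj["metadata"]["name"] = prefix + obj["metadata"]["name"]
    return out

def dangling_role_refs(objs):
    """Return (binding name, roleRef kind, roleRef name) for every binding
    whose referenced Role/ClusterRole is absent from the rendered objects."""
    roles = set()
    for obj in objs:
        if obj["kind"] in ("Role", "ClusterRole"):
            # Roles are namespaced; ClusterRoles are not.
            ns = obj["metadata"].get("namespace") if obj["kind"] == "Role" else None
            roles.add((obj["kind"], ns, obj["metadata"]["name"]))
    missing = []
    for obj in objs:
        if obj["kind"] not in ("RoleBinding", "ClusterRoleBinding"):
            continue
        ref = obj["roleRef"]
        # A Role reference resolves in the binding's own namespace.
        ns = obj["metadata"].get("namespace") if ref["kind"] == "Role" else None
        if (ref["kind"], ns, ref["name"]) not in roles:
            missing.append((obj["metadata"]["name"], ref["kind"], ref["name"]))
    return missing

def with_role_renamed(objs, new_name):
    """Assumed fix: give the ClusterRole a '-'-prefixed source name."""
    out = copy.deepcopy(objs)
    for obj in out:
        if obj["kind"] == "ClusterRole":
            obj["metadata"]["name"] = new_name
    return out

if __name__ == "__main__":
    print(dangling_role_refs(apply_name_prefix(SOURCE, NAME_PREFIX)))
    print(dangling_role_refs(apply_name_prefix(with_role_renamed(SOURCE, "-role"), NAME_PREFIX)))
```

A binding that intentionally references a role created outside the chart would also be reported, so such names need an allowlist before this is used as a CI gate.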