Labels
bug: Something is not working.
Description
Preflight checklist
- I could not find a solution in the existing issues, docs, nor discussions.
- I agree to follow this project's Code of Conduct.
- I have read and am following this repository's Contribution Guidelines.
- I have joined the Ory Community Slack.
- I am signed up to the Ory Security Patch Newsletter.
Ory Network Project
No response
Describe the bug
This is a regression since v0.0.40 (my guess would be that there's a problem with the last commit). No problem with v0.0.39.
When hydra-maester is used in "singleNamespaceMode" (parameter from values.yaml), it fails to start with the following error message:
ERROR controller-runtime.cache.UnhandledError Failed to watch {"reflector": "pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290", "type": "*v1alpha1.OAuth2Client", "error": "failed to list *v1alpha1.OAuth2Client: oauth2clients.hydra.ory.sh is forbidden: User \"system:serviceaccount:default:hydra-maester-account\" cannot list resource \"oauth2clients\" in API group \"hydra.ory.sh\" at the cluster scope"}
Hydra-maester shouldn't try to watch resources cluster wide in this mode.
Also, I checked: hydra-maester starts with arg "--namespace=default".
Reproducing the bug
With helm, set "singleNamespaceMode: true" and deploy.
Relevant log output
Relevant configuration
Version
v0.0.40
On which operating system are you observing this issue?
None
In which environment are you deploying?
Kubernetes
Additional Context
I templated the manifests with helm but use them with kustomize, though it shouldn't change anything.
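A triage helper for the denial reported above, added here as an example (not part of the original report and not hydra-maester code): it parses the "Failed to watch" line, compares the scope of the denied request with the controller's --namespace value, and builds the two kubectl auth can-i checks that confirm the RBAC side. The function names are hypothetical, and the "expect_yes" check assumes the deployment grants the service account a namespaced Role for this resource.

```python
import json
import re

# Wording the Kubernetes API server uses for RBAC denials (cluster or namespace scope).
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\S+) resource "(?P<resource>[^"]+)" '
    r'in API group "(?P<group>[^"]*)" '
    r'(?:at the cluster scope|in the namespace "(?P<namespace>[^"]+)")'
)

# Log line copied from the report above (split only for line length).
REPORTED_LINE = (
    r'ERROR controller-runtime.cache.UnhandledError Failed to watch '
    r'{"reflector": "pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290", '
    r'"type": "*v1alpha1.OAuth2Client", "error": "failed to list *v1alpha1.OAuth2Client: '
    r'oauth2clients.hydra.ory.sh is forbidden: User '
    r'\"system:serviceaccount:default:hydra-maester-account\" cannot list resource '
    r'\"oauth2clients\" in API group \"hydra.ory.sh\" at the cluster scope"}'
)


def parse_denial(log_line):
    """Return the RBAC denial in a 'Failed to watch' line, or None if there is none."""
    start = log_line.find("{")
    if start == -1:
        return None
    try:
        error = json.loads(log_line[start:]).get("error", "")
    except ValueError:
        return None
    match = FORBIDDEN_RE.search(error)
    if match is None:
        return None
    denial = match.groupdict()
    denial["scope"] = "namespace" if denial["namespace"] else "cluster"
    return denial


def diagnose(log_line, namespace_arg):
    """Compare the denied request's scope with the controller's --namespace value."""
    denial = parse_denial(log_line)
    if denial is None:
        return None
    target = denial["resource"] + ("." + denial["group"] if denial["group"] else "")
    check = "kubectl auth can-i {} {} --as={}".format(denial["verb"], target, denial["user"])
    return {
        "scope_mismatch": bool(namespace_arg) and denial["scope"] == "cluster",
        "expect_yes": "{} -n {}".format(check, namespace_arg),
        "expect_no": check + " --all-namespaces",
    }
```

A scope_mismatch of True together with a "no" from the --all-namespaces check means the RBAC is namespace-scoped as intended and the controller is the side requesting too much, so widening the grant to a ClusterRole would hide the regression at the cost of least privilege.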