Issue with minio-operator creation

[Peyoz]

Hi Guys,

with the last yaml definition for the minio-operator, I got this issue

[root@cloumgmt minio]# curl -O https://raw.githubusercontent.com/minio/minio-operator/master/minio-operator.yaml
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  3477  100  3477    0     0  10683      0 --:--:-- --:--:-- --:--:-- 10665
[root@cloumgmt minio]# kubectl apply -f minio-operator.yaml 
customresourcedefinition.apiextensions.k8s.io/minioinstances.operator.min.io unchanged
customresourcedefinition.apiextensions.k8s.io/mirrorinstances.operator.min.io unchanged
clusterrole.rbac.authorization.k8s.io/minio-operator-role unchanged
serviceaccount/minio-operator-sa unchanged
The ClusterRoleBinding "minio-operator-binding" is invalid: subjects[0].namespace: Required value

This is on a freshly installed RKE cluster.
There is something missing in the namespace scopes I suppose.

Let me know if you need any logs / output.

Cheers!

[vmwiz]

Caused by 67a1c4f Remove fixed namespace from install

The ServiceAccount subject is no more scoped in the ClusterRoleBinding definition.

Quickfix:

---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: minio-operator-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: minio-operator-role
subjects:
- kind: ServiceAccount
  name: minio-operator-sa
  namespace: __yournamespacegohere__

@dvaldivia wouldn't it be better to let the namespace fixed in the plain yaml and let the user override it with kustomize ?

[nitisht]

Thanks we'll take a look @vmwiz @Peyoz

[dvaldivia]

@vmwiz setting the namespace to default on the service account may do it, but indeed the service account cluster role binding might not be something that can be seeded so easily, I’ll test if if the “-n” flag overrides. Can you add the namespace default to the cluster role binding in the meanwhile?

[vmwiz]

With kubectl apply -f minio-operator.yaml -n minio-operator the ServiceAccount will be created in the minio-operator namespace along with other resources.

Adding the default namespace to the ClusterRoleBinding subject would reference a ServiceAccount created in the default namespace which is not the case when forcing the namespace with kubectl -n

Hardcoding the ServiceAccount to the default namespace will fail too with the namespace from the provided object "default" does not match the namespace "minio-operator"

Keeping the ServiceAccount in the same namespace as the operator make sense to me and I don't see any way of seeding the namespace correctly without using some kind of templating.

If you look at how jetstack/cert-manager is doing it, they fix the namespace in their plain yaml like it was before 67a1c4f ; if a user want to change the default namespace he need to use the Helm chart or use kustomize to override the namespace from the plain yaml.

[Peyoz]

ok, so I added namespace to both SA definition and binding and it works correctly.
I also deployed some minio instances in different namespaces.
Thanks for the clarification!

[dvaldivia]

@vmwiz valid point, I'll default to the default namespace and add a kustomize file