Oathkeeper Helm Chart (Maester as a side car) - Wrong service account name

[philippe-boyd-3r]

Describe the bug

When deploying the Oathkeeper helm chart with Maester as a sidecar, Oathkeeper is not deployed due to the service account not having the correct name.

Error creating: pods "oathkeeper-6877c9cd84-" is forbidden: error looking up service account oathkeeper/oathkeeper-maester-account: serviceaccount "oathkeeper-maester-account" not found

While debuging, I discovered that the sidecar wants a service account named {{ include "oathkeeper-maester.name" . }}-maester-account (see oathkeeper deployment-sidecar.yaml) but the service account in Maester is named {{ include "oathkeeper-maester.name" . }}-account (see maester rbac.yaml)

Now, that's part of the problem... When Oathkeeper is calling the helper oathkeeper-maester.name from Maester's chart, the default value of .Chart.Name is not being resolved to Maester's chart name but rather the chart it's being called from (Oathkeeper in this case).

By default, maester's service account is called maester-account and in the sidecar deployment, it wants a certain prefix: {{ include "oathkeeper-maester.name" . }}-maester-account

To Reproduce

Steps to reproduce the behavior:

1. minikube start
2. git clone --branch v0.3.3 https://github.com/ory/k8s.git
3. kubectl create ns oathkeeper
4. helm install oathkeeper -n oathkeeper ./k8s/helm/charts/oathkeeper/ --set global.ory.oathkeeper.maester.mode=sidecar
5. kubectl describe replicasets.apps oathkeeper-<random_id>

Expected behavior

Oathkeeper should be deployed correctly as a sidecar using the right maester's service account name.

Environment

• minikube version: v1.9.2
• kubectl version: v1.18.2