Module type: kubernetes with rbac settings produce an error

[kvokka]

Bug

Current Behavior

Given a manifest with custom role && role binding.

# support/rbac/garden.yaml

kind: Module
type: kubernetes
name: poker-core-rbac
description: Rbac extension for poker-core
manifests:
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: Role
    metadata:
      name: with-endpoints
      namespace: default
    rules:
      - apiGroups:
          - ""
        resources:
          - endpoints
        verbs:
          - get
          - list
  - apiVersion: rbac.authorization.k8s.io/v1
    kind: RoleBinding
    metadata:
      name: endpoints-access-by-default
      namespace: default
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: Role
      name: with-endpoints
    subjects:
      - kind: ServiceAccount
        name: default
        namespace: default

or

# support/rbac/garden.yaml

kind: Module
type: kubernetes
name: poker-core-rbac
description: Rbac extension for poker-core
files: [endpoints.yaml]

garden scan shows no errors, but with garden dev constantly getting:

$garden dev
✔ providers                 → Getting status... → Done
✔ postgres                  → Building version v-8d9e4b5e75... → Done (took 2 sec)
✔ pubsub-emulator-image     → Getting build status for v-19730a28c8... → Done (took 0.7 sec)
✔ pubsub-emulator           → Getting build status for v-3495fb91dd... → Done (took 0.6 sec)
✔ redis                     → Building version v-87278bbcb5... → Done (took 1.8 sec)
✔ pubsub-emulator           → Deploying version v-3495fb91dd... → Done (took 3.9 sec)
   ℹ pubsub-emulator           → Service deployed
   → Forward: http://localhost:62833 → pubsub-emulator:8538 (pubsub-emulator)
✔ poker-core-rbac           → Building version v-9b71094f61... → Done (took 0.2 sec)
✖ poker-core-rbac           → Deploying version v-9b71094f61...

Failed deploying service 'poker-core-rbac' (from module 'poker-core-rbac'). Here is the output:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Command failed with exit code 1 (EPERM): /Users/mike/.garden/tools/kubectl/52606cbad4c7babc/kubectl --context=
minikube --namespace=rp --context=minikube --namespace=rp apply --prune --selector garden.io/service=poker-cor
e-rbac --output=json -f -
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

The same behavior with both formats.

Unfortunately, this link does not cover the case for MacOs.

Expected behavior

No error

Your environment

OS
MacOs 10.14.6

garden version
0.10.9
kubectl version
1.15.2
docker version
2.1.0.2

[kvokka]

Later I found, in error.log the answer to my question.

stderr: >-
  the namespace from the provided object "default" does not match the namespace
  "rp". You must pass '--namespace=default' to perform this operation.

This error message is great and helps a lot, while the default message is more misleading than helpful. Maybe at least add some notice about error.log for others? It should save time.

[edvald]

Thanks for the report @kvokka !

I see two things to fix:

1. Make sure we print the stderr when kubectl commands fail.
2. We should not pass the --namespace parameter in the command in question, but rather apply the namespace attribute when none is specified.

We'll try and get those sorted asap.