From 75bf520697466147ad5de09e0ab53e4305eeec7f Mon Sep 17 00:00:00 2001
From: Christopher Homberger <christopher.homberger@web.de>
Date: Sat, 12 Apr 2025 10:36:05 +0000
Subject: [PATCH] fix: always reference the correct ServiceAccount and Secret
 namespace (#11)

### Description of the change

Use the same namespace template for all `namespace:` fields, this would be no error if the ServiceAccount would had the same different template than the reference.

I found this while analyzing existing code statically via `namespace:` search.

Updated to also use correct namespace in existing secret lookup

### Benefits

Previously if .Values.namespace and .Release.Namespace didn't match this might caused an install error.

e.g. in values.yml
```yaml
namespace: test
# ** enable provisioning job is required
```
However installed using
```
helm install -f values.yml --create-namespace --namespace install-name-space myactions .
```

Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
Reviewed-on: https://gitea.com/gitea/helm-actions/pulls/11
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Christopher Homberger <christopher.homberger@web.de>
Co-committed-by: Christopher Homberger <christopher.homberger@web.de>
---
 templates/rolebinding-job.yaml | 2 +-
 templates/secret-token.yaml    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/templates/rolebinding-job.yaml b/templates/rolebinding-job.yaml
index 6c240f5..d21d12d 100644
--- a/templates/rolebinding-job.yaml
+++ b/templates/rolebinding-job.yaml
@@ -17,6 +17,6 @@ roleRef:
 subjects:
   - kind: ServiceAccount
     name: {{ $name }}
-    namespace: {{ .Release.Namespace }}
+    namespace: {{ .Values.namespace | default .Release.Namespace }}
 {{- end }}
 {{- end }}
diff --git a/templates/secret-token.yaml b/templates/secret-token.yaml
index 5016dd9..5e6dcfe 100644
--- a/templates/secret-token.yaml
+++ b/templates/secret-token.yaml
@@ -11,7 +11,7 @@ metadata:
   labels:
     {{- include "gitea.actions.labels" . | nindent 4 }}
     app.kubernetes.io/component: token-job
-{{ $secret := (lookup "v1" "Secret" .Release.Namespace $secretName) -}}
+{{ $secret := (lookup "v1" "Secret" (.Values.namespace | default .Release.Namespace) $secretName) -}}
 {{ if $secret -}}
 data:
   token: {{ (b64dec (index $secret.data "token")) | b64enc }}