Hey,
I noticed that the oxia coordinator RoleBinding template (charts/pulsar/templates/oxia-coordinator-rolebinding.yaml) has apiGroup: "" in the roleRef section.
Kubernetes silently fills this in with rbac.authorization.k8s.io on the server side, so it works fine at runtime. But it causes a problem for GitOps / IaC tools like Pulumi and ArgoCD — they see the mismatch between the template (empty string) and the live resource (filled in by k8s), and try to recreate the RoleBinding on every single run.
Since roleRef is immutable, this means the RoleBinding gets deleted and recreated every deployment, even when nothing actually changed.
Current
roleRef:
apiGroup: ""
kind: Role
name: {{ template "pulsar.fullname" . }}-{{ .Values.oxia.component }}-coordinator
Fix
roleRef:
apiGroup: "rbac.authorization.k8s.io"
kind: Role
name: {{ template "pulsar.fullname" . }}-{{ .Values.oxia.component }}-coordinator
Running chart version 4.5.0 on GKE with Pulumi.
Thanks!
Hey,
I noticed that the oxia coordinator RoleBinding template (charts/pulsar/templates/oxia-coordinator-rolebinding.yaml) has apiGroup: "" in the roleRef section.
Kubernetes silently fills this in with rbac.authorization.k8s.io on the server side, so it works fine at runtime. But it causes a problem for GitOps / IaC tools like Pulumi and ArgoCD — they see the mismatch between the template (empty string) and the live resource (filled in by k8s), and try to recreate the RoleBinding on every single run.
Since roleRef is immutable, this means the RoleBinding gets deleted and recreated every deployment, even when nothing actually changed.
Current
Fix
Running chart version 4.5.0 on GKE with Pulumi.
Thanks!