CrashLoopBackoff in single namespace mode (trying to watch OAuth2Client resources cluster wide)

[gourvy]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

No response

Describe the bug

This is a regression since v0.0.40 (my guess would be that there's a problem with the last commit). No problem with v0.0.39.

When hydra-maester is used in "singleNamespaceMode" (parameter from values.yaml), it fails to start start with the following error message:

ERROR	controller-runtime.cache.UnhandledError	Failed to watch	{"reflector": "pkg/mod/k8s.io/client-go@v0.34.1/tools/cache/reflector.go:290", "type": "*v1alpha1.OAuth2Client", "error": "failed to list *v1alpha1.OAuth2Client: oauth2clients.hydra.ory.sh is forbidden: User \"system:serviceaccount:default:hydra-maester-account\" cannot list resource \"oauth2clients\" in API group \"hydra.ory.sh\" at the cluster scope"}

Hydra-maester shouldn't try to watch resources cluster wide in this mode.
Also, I checked: hydra-maester starts with arg "--namespace=default".

Reproducing the bug

With helm, set "singleNamespaceMode: true" and deploy.

Relevant log output

Relevant configuration

Version

v0.0.40

On which operating system are you observing this issue?

None

In which environment are you deploying?

Kubernetes

Additional Context

I templated the manifests with helm but use them with kustomize, though it shouldn't change anything.

[systemstart]

Seems like namespace handling is a bit off in main.go

As a workaround I found additionally setting NAMESPACE in the environment fixing the error.

[bartek-babu]

Same issue here, namespace environment variable solved the problem