I want to use cert-manager's OVH webhook in order to deliver an HTTPS wildcard certificate, but I still can't figure out why cert-manager can't access the OVH credentials secret (required to create a DNS entry in OVH).
The ovh-credentials secret has been created in the default namespace.
cert-manager is in the cert-manager namespace and cert-manager-webhook-ovh is in the default namespace.
I have a ClusterIssuer which calls cert-manager-webhook-ovh.
I have defined a cert-manager-webhook-ovh:secret-reader ClusterRole, and a ClusterRoleBinding between the cert-manager-webhook-ovh service account and the cert-manager-webhook-ovh:secret-reader ClusterRole:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cert-manager-webhook-ovh:secret-reader
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ovh-credentials"]
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cert-manager-webhook-ovh:secret-reader
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cert-manager-webhook-ovh:secret-reader
subjects:
  - apiGroup: ""
    kind: ServiceAccount
    name: cert-manager-webhook-ovh
    namespace: cert-manager
Here are my pods:
➜ alaya-studio git:(main) ✗ kubectl get pods --namespace=cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-6588898cb4-nfn7p              1/1     Running   1          27d
cert-manager-cainjector-7bcbdbd99f-tgllj   1/1     Running   5          27d
cert-manager-webhook-5fd9f9dd86-csjzq      1/1     Running   0          27d
➜ alaya-studio git:(main) ✗ kubectl get pods
NAME                                                  READY   STATUS    RESTARTS   AGE
cert-manager-webhook-ovh-77f9c7cc7b-xfdfx             1/1     Running   4          15d
express-59df84c766-8wjxw                              1/1     Running   0          27d
express-59df84c766-l4cf8                              1/1     Running   0          27d
express-59df84c766-w6hbt                              1/1     Running   0          27d
ngingress-ingress-nginx-controller-5586599f89-5fsgn   1/1     Running   0          28d
When creating the challenge I get this error:
Type     Reason        Age               From          Message
----     ------        ----              ----          -------
Normal   Started       9s                cert-manager  Challenge scheduled for processing
Warning  PresentError  5s (x3 over 7s)   cert-manager  Error presenting challenge: secrets "ovh-credentials" is forbidden: User "system:serviceaccount:default:cert-manager-webhook-ovh" cannot get resource "secrets" in API group "" in the namespace "cert-manager"
The error message indicates the ServiceAccount cert-manager-webhook-ovh of the default namespace. You have given permission to the ServiceAccount of the cert-manager namespace.
secrets "ovh-credentials" is forbidden: User "system:serviceaccount:default:cert-manager-webhook-ovh" cannot get resource "secrets" in API group "" in the namespace "cert-manager"
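An RBAC manifest that matches the identity named in the error, added here as an example and not taken from the question or the answer. It keeps the question's names (cert-manager-webhook-ovh, ovh-credentials, cert-manager-webhook-ovh:secret-reader); the switch from a ClusterRole to a Role scoped to the cert-manager namespace is this example's own choice, since the error shows that is the only namespace the webhook reads the secret from, and a namespaced grant is the least privilege that satisfies it.

```yaml
# Added example, not from the original post. Grants the webhook's service
# account (default namespace, per the error message) read access to the
# one secret, in the one namespace where the lookup actually happens.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cert-manager-webhook-ovh:secret-reader
  # The error says the get is attempted "in the namespace cert-manager",
  # so the Role lives there rather than being cluster-wide.
  namespace: cert-manager
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["ovh-credentials"]
    verbs: ["get", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: cert-manager-webhook-ovh:secret-reader
  namespace: cert-manager
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: cert-manager-webhook-ovh:secret-reader
subjects:
  - kind: ServiceAccount
    name: cert-manager-webhook-ovh
    # Must match the subject in the error:
    # system:serviceaccount:default:cert-manager-webhook-ovh
    namespace: default
```

Before applying, the mismatch can be confirmed from the API server's point of view with `kubectl auth can-i get secrets/ovh-credentials --as=system:serviceaccount:default:cert-manager-webhook-ovh -n cert-manager`, which answers "no" with the original binding and "yes" once the subject namespace is default. Two caveats the answer does not mention: the forbidden error is only the first failure, because the webhook is looking for the secret in the cert-manager namespace (cert-manager resolves a ClusterIssuer's secrets from its cluster resource namespace, cert-manager by default), so the copy created in the default namespace will not be found and the secret needs to exist in cert-manager as well; and the original ClusterRoleBinding should be deleted rather than left alongside this one, since it still grants cluster-wide read of the secret name to any service account called cert-manager-webhook-ovh in the cert-manager namespace.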