Fix(exporter): Use namespaced pod listing for iperf server discovery

- Modified `exporter/exporter.py` to use `list_namespaced_pod()`
  instead of `list_pod_for_all_namespaces()`. This resolves the
  RBAC error where the exporter was incorrectly requesting cluster-scoped
  pod listing permissions.
- The exporter now correctly lists pods only within the namespace
  specified by the `IPERF_SERVER_NAMESPACE` environment variable.

- Reverted Helm chart RBAC templates (`charts/iperf3-monitor/templates/rbac.yaml`)
  and `values.yaml` to their simpler, original state. The previous
  parameterization of `serviceAccount.namespace` is no longer needed,
  as the primary fix is in the exporter code.

The Helm chart should be deployed into the same namespace where the
`iperf3-monitor` ServiceAccount resides and where iperf3 server pods
are located. The `IPERF_SERVER_NAMESPACE` environment variable for the
exporter pod must be set to this namespace.

charts/iperf3-monitor/templates/exporter-controller.yaml

@@ -77,7 +77,7 @@ Proceed with modifications only if the exporter controller is defined.
   {{- if $exporterContainerCfg -}}
     {{- if not $exporterContainerCfg.image.tag -}}
       {{- if $chart.AppVersion -}}
-        {{- $_ := set $exporterContainerCfg.image "tag" $chart.AppVersion -}}
+        {{- $_ := set $exporterContainerCfg.image "tag" (printf "v%s" $chart.AppVersion) -}}
       {{- else -}}
         {{- fail (printf "Error: Container image tag is not specified for controller '%s', container '%s', and Chart.AppVersion is also empty." $exporterControllerKey "exporter") -}}
       {{- end -}}

charts/iperf3-monitor/templates/rbac.yaml

@@ -7,9 +7,10 @@ metadata:
     {{- include "iperf3-monitor.labels" . | nindent 4 }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
+kind: Role
 metadata:
   name: {{ include "iperf3-monitor.fullname" . }}-role
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "iperf3-monitor.labels" . | nindent 4 }}
 rules:
@@ -18,9 +19,10 @@ rules:
     verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
+kind: RoleBinding
 metadata:
   name: {{ include "iperf3-monitor.fullname" . }}-rb
+  namespace: {{ .Release.Namespace }}
   labels:
     {{- include "iperf3-monitor.labels" . | nindent 4 }}
 subjects:
@@ -28,7 +30,7 @@ subjects:
     name: {{ include "iperf3-monitor.serviceAccountName" . }}
     namespace: {{ .Release.Namespace }}
 roleRef:
-  kind: ClusterRole
+  kind: Role # Changed from ClusterRole
   name: {{ include "iperf3-monitor.fullname" . }}-role
   apiGroup: rbac.authorization.k8s.io
 {{- end -}}

charts/iperf3-monitor/templates/service.yaml

@@ -11,7 +11,7 @@ spec:
     {{- include "iperf3-monitor.selectorLabels" . | nindent 4 }}
     app.kubernetes.io/component: exporter
   ports:
-    - name: metrics
+    - name: metrics # Assuming 'metrics' is the intended name, aligns with values structure
-      port: {{ .Values.service.port }}
+      port: {{ .Values.service.main.ports.metrics.port }}
-      targetPort: {{ .Values.service.targetPort }}
+      targetPort: {{ .Values.service.main.ports.metrics.targetPort }}
-      protocol: TCP
+      protocol: {{ .Values.service.main.ports.metrics.protocol | default "TCP" }}

charts/iperf3-monitor/values.yaml

@@ -86,13 +86,15 @@ controllers:
           #       key: mykey
 
         # -- Ports for the exporter container.
+        # Expected by Kubernetes and bjw-s common library as a list of objects.
         ports:
-          metrics: # Name of the port, will be used in Service definition
+          - name: metrics # Name of the port, referenced by Service's targetPort
             # -- Port number for the metrics endpoint on the container.
-            port: 9876 # Default, should match service.targetPort
+            containerPort: 9876
             # -- Protocol for the metrics port.
-            protocol: TCP # Common library defaults to TCP if not specified.
+            protocol: TCP
-            enabled: true # This port is enabled
+            # -- Whether this port definition is enabled. Specific to bjw-s common library.
+            enabled: true
 
         # -- CPU and memory resource requests and limits for the exporter container.
         resources:

exporter/exporter.py

@@ -92,16 +92,18 @@ def discover_iperf_servers():
 
         logging.info(f"Discovering iperf3 servers with label '{label_selector}' in namespace '{namespace}'")
 
-        ret = v1.list_pod_for_all_namespaces(label_selector=label_selector, watch=False)
+        # Use list_namespaced_pod to query only the specified namespace
+        ret = v1.list_namespaced_pod(namespace=namespace, label_selector=label_selector, watch=False)
 
         servers = []
         for item in ret.items:
+            # No need to filter by namespace here as the API call is already namespaced
             if item.status.pod_ip and item.status.phase == 'Running':
                 servers.append({
                     'ip': item.status.pod_ip,
                     'node_name': item.spec.node_name # Node where the iperf server pod is running
                 })
-        logging.info(f"Discovered {len(servers)} iperf3 server pods.")
+        logging.info(f"Discovered {len(servers)} iperf3 server pods in namespace '{namespace}'.")
         return servers
     except config.ConfigException as e:
         logging.error(f"Kubernetes config error: {e}. Is the exporter running in a cluster with RBAC permissions?")