nats-io/nats-operator

NatsServiceRole creates invalid tokens in wrong namespaces with Cluster-scoped installation

valeneiko opened this issue · 0 comments

Description

If I create a NatsServiceRole with a matching name in 2 different namespaces, Nats Operator will create a total of 4 secrets, two in each namespace, but if I try to use them to connect to the cluster the connection fails with an Authentication error.

Steps to reproduce
0. Have 2 clusters deployed with NatsOperator in 2 namespaces (dev, staging).
1. kubectl apply -n dev -f nats.yaml && kubectl apply -n staging -f nats.yaml
    # nats.yaml
    ---
    kind: ServiceAccount
    apiVersion: v1
    metadata:
      name: nats-test
      namespace: dev
    ---
    apiVersion: nats.io/v1alpha2
    kind: NatsServiceRole
    metadata:
      labels:
        nats_cluster: dev-nats
      name: nats-test
      namespace: dev
    spec:
      permissions:
        publish:
        - 'a.>'
        subscribe:
        - 'a.>'
2. Observe 4 secrets being created:
    NAMESPACE   NAME                                 TYPE
    dev         nats-test-dev-nats-bound-token       Opaque
    dev         nats-test-staging-nats-bound-token   Opaque
    staging     nats-test-dev-nats-bound-token       Opaque
    staging     nats-test-staging-nats-bound-token   Opaque
3. Try to connect using the above secrets. Observe "Authentication failed" error in Nats logs.

Expected Behaviour
Only 2 secrets to be created: nats-test-dev-nats-bound-token (in dev) and nats-test-staging-nats-bound-token (in staging), which are valid to authenticate with Nats in the corresponding namespace.

Workaround
Make sure Service Account names are unique (e.g. dev-nats-test in dev and staging-nats-test in staging). Then everything works as expected and only 2 valid secrets are created.
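Until the operator is fixed, the stray secrets are credentials that never authenticate but still sit in the namespace. The following audit script is an added example, not code from the issue or from nats-operator: it reads `kubectl get secrets -A -o json` output (a constructed sample reproducing the four secrets above) and, given an assumed inventory of NatsCluster names per namespace, flags every `<serviceaccount>-<cluster>-bound-token` secret whose cluster lives in a different namespace.

```python
import json
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of `kubectl get secrets -A -o json`,
# reproducing the four secrets from the issue plus one unrelated secret.
SAMPLE_SECRET_LIST = json.dumps({
    "items": [
        {"metadata": {"namespace": ns, "name": name}} for ns, name in [
            ("dev", "nats-test-dev-nats-bound-token"),
            ("dev", "nats-test-staging-nats-bound-token"),
            ("staging", "nats-test-dev-nats-bound-token"),
            ("staging", "nats-test-staging-nats-bound-token"),
            ("dev", "unrelated-secret"),
        ]
    ]
})

# Assumed inventory of NatsCluster names per namespace; in a real audit this
# would be taken from `kubectl get natsclusters -A`.
CLUSTERS_BY_NAMESPACE = {"dev": ["dev-nats"], "staging": ["staging-nats"]}
SUFFIX = "-bound-token"


def cluster_of(secret_name: str, clusters: List[str]) -> Optional[Tuple[str, str]]:
    """Split '<serviceaccount>-<cluster>-bound-token' into (serviceaccount, cluster).

    Both parts may contain hyphens, so match against known cluster names
    (longest first) instead of splitting on '-'.
    """
    if not secret_name.endswith(SUFFIX):
        return None
    stem = secret_name[: -len(SUFFIX)]
    for cluster in sorted(clusters, key=len, reverse=True):
        marker = "-" + cluster
        if stem.endswith(marker) and len(stem) > len(marker):
            return stem[: -len(marker)], cluster
    return None


def find_misplaced_tokens(secret_list_json: str, clusters_by_ns: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Return (namespace, secret, cluster) for bound-token secrets whose
    cluster is not deployed in that namespace: the invalid tokens from the issue."""
    all_clusters = [c for cs in clusters_by_ns.values() for c in cs]
    misplaced = []
    for item in json.loads(secret_list_json)["items"]:
        ns, name = item["metadata"]["namespace"], item["metadata"]["name"]
        parsed = cluster_of(name, all_clusters)
        if parsed is None:
            continue  # not an operator-issued bound token
        if parsed[1] not in clusters_by_ns.get(ns, []):
            misplaced.append((ns, name, parsed[1]))
    return misplaced
```

Each flagged secret is a candidate for deletion after confirming that no workload in that namespace mounts it.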