chart: api-syncagent Role/RoleBinding leaked into 'default' namespace instead of release ns #161

@ifdotpy

Problem

When running helm template (or install) on the api-syncagent chart against a target --namespace X, most resources correctly land in X, but the Role and RoleBinding for the events leader-election lock emerge with namespace: default instead of namespace: X.

Reproducer:

helm template test api-syncagent/api-syncagent --version 0.4.2 --namespace my-agent | grep -B1 -A10 'kind: Role'

Impact

  • On shared clusters, every sync-agent install quietly writes into default ns.
  • Multiple sync-agents collide on the same names in default (leader-election lock, etc.).
  • Violates least-privilege posture — operators targeting a dedicated namespace don't expect cluster-wide or other-ns writes.

Suspected cause

Helm templates omit .metadata.namespace on Role/RoleBinding. Helm then defaults the namespace to the --namespace flag, unless a release-namespace override is applied somewhere (e.g., {{ .Release.Namespace }} missing from the template, --create-namespace not honored, or a namespace: default literal sneaking in).

Fix

Set namespace: {{ .Release.Namespace }} on the Role + RoleBinding in the templates, matching every other namespace-scoped resource the chart emits.

Noticed at

apeirora/showroom-msp-dati during cluster-infra bring-up for a new dati-syncagent. Same behavior observed for private-llm-sync-agent and cncf-postgres-sync-agent on the same shared MSP cluster (msp03 cc-d2).
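
A render-time check for the behaviour reported above, added here as an example (not code from the api-syncagent chart or from the issue author): it scans `helm template` output and lists namespaced objects whose `metadata.namespace` is set to something other than the release namespace. The function names, the file name `check_ns.py` and the sample manifest are assumptions constructed for illustration.

```python
# Added example, not the chart's code: a line-based scan that assumes the
# block-style YAML `helm template` emits. Reports explicit mismatches only.
import sys

CLUSTER_SCOPED = {"Namespace", "ClusterRole", "ClusterRoleBinding"}  # partial list

def _scalar(line):
    """Value of a 'key: value' line without quotes or a trailing comment."""
    return line.split(":", 1)[1].split(" #", 1)[0].strip().strip("'\"")

def find_namespace_leaks(rendered, release_ns):
    """Return (kind, name, namespace) for objects pinned outside release_ns."""
    leaks = []
    for doc in ("\n" + rendered).split("\n---"):
        kind, meta, in_meta = None, {}, False
        for line in doc.splitlines():
            if not line.strip() or line.lstrip().startswith("#"):
                continue
            indent = len(line) - len(line.lstrip(" "))
            if indent == 0:  # top-level key: are we entering metadata?
                in_meta = line.startswith("metadata:")
                if line.startswith("kind:"):
                    kind = _scalar(line)
            elif in_meta and indent == 2:  # direct children of metadata only
                key = line.strip().split(":", 1)[0]
                if key in ("name", "namespace"):
                    meta[key] = _scalar(line)
        ns = meta.get("namespace")  # None when the template leaves it unset
        if kind and kind not in CLUSTER_SCOPED and ns not in (None, release_ns):
            leaks.append((kind, meta.get("name"), ns))
    return leaks

CONSTRUCTED_SAMPLE = """---
kind: Deployment
metadata:
  name: test-agent
  namespace: my-agent
---
kind: RoleBinding
metadata:
  name: test-leader
  namespace: "default"
subjects:
- {kind: ServiceAccount, namespace: my-agent}
"""

if __name__ == "__main__":  # helm template ... | python3 check_ns.py <release-ns>
    text, ns = (sys.stdin.read(), sys.argv[1]) if sys.argv[1:] else (CONSTRUCTED_SAMPLE, "my-agent")
    print(find_namespace_leaks(text, ns))
```

Run in CI against each chart version before rollout, a non-empty result marks a template that hard-codes a namespace.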
