Merge pull request #620 from consideRatio/rbac-sa-fix-pr

Helm upgrade error "... with the name ... not found" and how to handle it
jupyterhub · Apr 2, 2018 · 544e355 · 544e355
2 parents c826f93 + cd0958e
commit 544e355
Show file tree

Hide file tree

Showing 4 changed files with 34 additions and 32 deletions.
diff --git a/jupyterhub/templates/hub/rbac.yaml b/jupyterhub/templates/hub/rbac.yaml
@@ -1,4 +1,9 @@
 {{ if .Values.rbac.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: hub
+---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
@@ -23,9 +28,4 @@ roleRef:
   kind: Role
   name: hub
   apiGroup: rbac.authorization.k8s.io
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: hub
 {{- end }}
diff --git a/jupyterhub/templates/image-puller/_helper.yaml b/jupyterhub/templates/image-puller/_helper.yaml
@@ -26,10 +26,10 @@ metadata:
 spec:
   selector:
     matchLabels:
-        app: jupyterhub
-        component: {{ .name }}
-        release: {{ .top.Release.Name }}
-        heritage: {{ .top.Release.Service }}
+      app: jupyterhub
+      component: {{ .name }}
+      release: {{ .top.Release.Name }}
+      heritage: {{ .top.Release.Service }}
   updateStrategy:
     type: RollingUpdate
     rollingUpdate:

diff --git a/jupyterhub/templates/pod-culler/rbac.yaml b/jupyterhub/templates/pod-culler/rbac.yaml
@@ -1,4 +1,10 @@
+{{ if and .Values.cull.enabled .Values.cull.maxAge }}
 {{ if .Values.rbac.enabled -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: pod-culler
+---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
@@ -26,9 +32,5 @@ roleRef:
   kind: Role
   name: pod-culler
   apiGroup: rbac.authorization.k8s.io
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: pod-culler
+{{- end }}
 {{- end }}
diff --git a/jupyterhub/templates/proxy/autohttps/rbac.yaml b/jupyterhub/templates/proxy/autohttps/rbac.yaml
@@ -5,6 +5,16 @@
 # This is way too many permissions, but apparently the nginx-controller
 # is written to sortof assume it is clusterwide ingress provider.
 # So we keep this as is, for now.
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  labels:
+    app: jupyterhub
+    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
+    heritage: {{ .Release.Service }}
+    release: {{ .Release.Name }}
+  name: autohttps
+---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
@@ -83,9 +93,9 @@ roleRef:
   kind: ClusterRole
   name: nginx-{{ .Release.Name }}
 subjects:
-  - kind: ServiceAccount
-    name: autohttps
-    namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+  name: autohttps
+  namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: Role
@@ -181,9 +191,9 @@ roleRef:
   kind: Role
   name: nginx
 subjects:
-  - kind: ServiceAccount
-    name: autohttps
-    namespace: {{ .Release.Namespace }}
+- kind: ServiceAccount
+  name: autohttps
+  namespace: {{ .Release.Namespace }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: RoleBinding
@@ -198,18 +208,8 @@ roleRef:
   kind: Role
   name: kube-lego
 subjects:
-  - kind: ServiceAccount
-    name: autohttps
-    namespace: {{ .Release.Namespace }}
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  labels:
-    app: jupyterhub
-    chart: {{ .Chart.Name }}-{{ .Chart.Version }}
-    heritage: {{ .Release.Service }}
-    release: {{ .Release.Name }}
+- kind: ServiceAccount
   name: autohttps
+  namespace: {{ .Release.Namespace }}
 {{- end }}
 {{ end }}