diff --git a/jupyterhub/templates/hub/rbac.yaml b/jupyterhub/templates/hub/rbac.yaml index 2bee50d8c8..d1ee34a30e 100644 --- a/jupyterhub/templates/hub/rbac.yaml +++ b/jupyterhub/templates/hub/rbac.yaml @@ -1,4 +1,9 @@ {{ if .Values.rbac.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: hub +--- kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: @@ -23,9 +28,4 @@ roleRef: kind: Role name: hub apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: hub {{- end }} diff --git a/jupyterhub/templates/image-puller/_helper.yaml b/jupyterhub/templates/image-puller/_helper.yaml index 26fdaabbda..870795b1df 100644 --- a/jupyterhub/templates/image-puller/_helper.yaml +++ b/jupyterhub/templates/image-puller/_helper.yaml @@ -26,10 +26,10 @@ metadata: spec: selector: matchLabels: - app: jupyterhub - component: {{ .name }} - release: {{ .top.Release.Name }} - heritage: {{ .top.Release.Service }} + app: jupyterhub + component: {{ .name }} + release: {{ .top.Release.Name }} + heritage: {{ .top.Release.Service }} updateStrategy: type: RollingUpdate rollingUpdate: diff --git a/jupyterhub/templates/pod-culler/rbac.yaml b/jupyterhub/templates/pod-culler/rbac.yaml index 3ca66c8254..18ad26ece2 100644 --- a/jupyterhub/templates/pod-culler/rbac.yaml +++ b/jupyterhub/templates/pod-culler/rbac.yaml @@ -1,4 +1,10 @@ +{{ if and .Values.cull.enabled .Values.cull.maxAge }} {{ if .Values.rbac.enabled -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pod-culler +--- kind: Role apiVersion: rbac.authorization.k8s.io/v1beta1 metadata: @@ -26,9 +32,5 @@ roleRef: kind: Role name: pod-culler apiGroup: rbac.authorization.k8s.io ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: pod-culler +{{- end }} {{- end }} diff --git a/jupyterhub/templates/proxy/autohttps/rbac.yaml b/jupyterhub/templates/proxy/autohttps/rbac.yaml index 420c5eb057..79d7a35a21 100644 --- a/jupyterhub/templates/proxy/autohttps/rbac.yaml +++ b/jupyterhub/templates/proxy/autohttps/rbac.yaml @@ -5,6 +5,16 @@ # This is way too many permissions, but apparently the nginx-controller # is written to sortof assume it is clusterwide ingress provider. # So we keep this as is, for now. +apiVersion: v1 +kind: ServiceAccount +metadata: + labels: + app: jupyterhub + chart: {{ .Chart.Name }}-{{ .Chart.Version }} + heritage: {{ .Release.Service }} + release: {{ .Release.Name }} + name: autohttps +--- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole metadata: @@ -83,9 +93,9 @@ roleRef: kind: ClusterRole name: nginx-{{ .Release.Name }} subjects: - - kind: ServiceAccount - name: autohttps - namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: autohttps + namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: Role @@ -181,9 +191,9 @@ roleRef: kind: Role name: nginx subjects: - - kind: ServiceAccount - name: autohttps - namespace: {{ .Release.Namespace }} +- kind: ServiceAccount + name: autohttps + namespace: {{ .Release.Namespace }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: RoleBinding @@ -198,18 +208,8 @@ roleRef: kind: Role name: kube-lego subjects: - - kind: ServiceAccount - name: autohttps - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app: jupyterhub - chart: {{ .Chart.Name }}-{{ .Chart.Version }} - heritage: {{ .Release.Service }} - release: {{ .Release.Name }} +- kind: ServiceAccount name: autohttps + namespace: {{ .Release.Namespace }} {{- end }} {{ end }} \ No newline at end of file