From 92f45bebb8747e6834e277a595fec980035a1a24 Mon Sep 17 00:00:00 2001
From: Manu <21658174+epignot@users.noreply.github.com>
Date: Fri, 13 Sep 2024 11:17:43 +0200
Subject: [PATCH] [BGD-5797] add bns role to list and patch CR (#224)

* add bns role to list and patch CR

Why?
We want the notebook-service to be able to watch sparkapp CR and add
annotations `bigdata.spot.io/kill-requested-at` in them and let
spark-watcher kill the app.
This will happen at each kernel shutdown handled by bns

* doc: bigdata-notebook-service killer clusterrole

---------

Co-authored-by: Emmanuel Pignot <emmanuel.pignot@netapp.com>
---
 charts/bigdata-notebook-service/Chart.yaml          |  2 +-
 charts/bigdata-notebook-service/Readme.md           | 11 +++++++++++
 charts/bigdata-notebook-service/templates/role.yaml | 13 +++++++++++++
 .../templates/role_binding.yaml                     | 13 +++++++++++++
 4 files changed, 38 insertions(+), 1 deletion(-)
 create mode 100644 charts/bigdata-notebook-service/Readme.md

diff --git a/charts/bigdata-notebook-service/Chart.yaml b/charts/bigdata-notebook-service/Chart.yaml
index 87456ff0..9f7dcfb1 100644
--- a/charts/bigdata-notebook-service/Chart.yaml
+++ b/charts/bigdata-notebook-service/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: bigdata-notebook-service
 description: A Helm chart for the Spot Big Data Notebook Service
 type: application
-version: 0.4.1
+version: 0.4.2
 appVersion: 0.83.0
 home: https://github.com/spotinst/charts
 icon: https://docs.spot.io/_media/images/spot_mark.png
diff --git a/charts/bigdata-notebook-service/Readme.md b/charts/bigdata-notebook-service/Readme.md
new file mode 100644
index 00000000..eecb2117
--- /dev/null
+++ b/charts/bigdata-notebook-service/Readme.md
@@ -0,0 +1,11 @@
+# bigdata-notebook-service
+
+## Cluster role
+
+### bigdata-notebook-service-bdenv-vXX-killer
+
+This role is used by bigdata-notebook-service to add the following SparkApp CR annotations:
+```
+bigdata.spot-io/kill-reason
+bigdata.spot-io/kill-requested-at
+```
diff --git a/charts/bigdata-notebook-service/templates/role.yaml b/charts/bigdata-notebook-service/templates/role.yaml
index 565e9cce..d5cb2762 100644
--- a/charts/bigdata-notebook-service/templates/role.yaml
+++ b/charts/bigdata-notebook-service/templates/role.yaml
@@ -25,3 +25,16 @@ rules:
       - get
       - list
       - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ include "bigdata-notebook-service.fullname" . }}-killer
+rules:
+  - apiGroups:
+    - sparkoperator.k8s.io
+    resources:
+    - '*'
+    verbs:
+    - 'list'
+    - 'patch'
diff --git a/charts/bigdata-notebook-service/templates/role_binding.yaml b/charts/bigdata-notebook-service/templates/role_binding.yaml
index 511a5c87..c4d64268 100644
--- a/charts/bigdata-notebook-service/templates/role_binding.yaml
+++ b/charts/bigdata-notebook-service/templates/role_binding.yaml
@@ -25,3 +25,16 @@ subjects:
 - kind: ServiceAccount
   name: {{ include "bigdata-notebook-service.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "bigdata-notebook-service.fullname" . }}-killer
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ include "bigdata-notebook-service.fullname" . }}-killer
+subjects:
+- kind: ServiceAccount
+  name: {{ include "bigdata-notebook-service.serviceAccountName" . }}
+  namespace: {{ .Release.Namespace }}