add clusterrolebinding logic

helm-chart/amalthea/templates/rbac/_rbac_rules.tpl

@@ -30,7 +30,6 @@
       - networking.k8s.io
     resources:
       - statefulsets
-      - persistentvolumes
       - persistentvolumeclaims
       - services
       - ingresses

helm-chart/amalthea/templates/rbac/rbac-cluster-wide.yaml

@@ -32,6 +32,9 @@ rules:
   - apiGroups: [""]
     resources: [namespaces]
     verbs: [list, watch]
+  - apiGroups: [""]
+    resources: [persistentvolumes]
+    verbs: [create,get,list, watch]
 
   # Kopf: admission webhook configuration management.
   - apiGroups: [admissionregistration.k8s.io/v1, admissionregistration.k8s.io/v1beta1]

helm-chart/amalthea/templates/rbac/rbac-namespaced.yaml

@@ -31,7 +31,22 @@ metadata:
     {{- include "amalthea.labels" $fullTemplateScope | nindent 4 }}
 rules:
 {{- include "amalthea.rules" $fullTemplateScope }}
-
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ include "amalthea.fullname" $fullTemplateScope }}
+  namespace: {{ . }}
+  labels:
+    {{- include "amalthea.labels" $fullTemplateScope | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "amalthea.serviceAccountName" $fullTemplateScope}}
+    namespace: {{ $fullTemplateScope.Release.Namespace }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Values.scope.clusterRoleName }}
 {{- end }}
 {{- end }}
 {{- end }}

helm-chart/amalthea/values.yaml

@@ -33,6 +33,10 @@ scope:
   # 2. Do not define namespaces at all, in which case amalthea
   #    will only operate in the namespace where the helm chart is deployed.
   # namespaces: ["default"]
+  clusterRoleName: amalthea 
+  # name of the cluster role for PV creation
+  # only needs to be set if not deployed clusterwide
+  # the role needs permission to create,get,list,watch PVs
 
 deployCrd: true # whether to deploy the jupyterserver CRD