Delete all deployed resources without a extra rbac role when using he…

…lm unintsall (#2208) Signed-off-by: dashanji <caoye.cao@alibaba-inc.com>
alibaba · Nov 8, 2022 · 7ecd75a · 7ecd75a
1 parent 094e81d
commit 7ecd75a
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 10 deletions.
diff --git a/charts/graphscope/README.md b/charts/graphscope/README.md
@@ -15,14 +15,6 @@ See [*helm repo*](https://helm.sh/docs/helm/helm_repo/) for command documentatio
 
 ## Install Chart
 
-GraphScope rely on some permissions to delete resources.
-
-```shell
-# example for `default` ServiceAccount with `default` namespace
-$ wget https://raw.githubusercontent.com/alibaba/GraphScope/main/charts/role_and_binding.yaml
-$ kubectl create -f ./role_and_binding.yaml
-```
-
 ```shell
 # Helm 3
 $ helm install [RELEASE_NAME] graphscope/graphscope

diff --git a/charts/graphscope/templates/coordinator.yaml b/charts/graphscope/templates/coordinator.yaml
@@ -47,8 +47,17 @@ spec:
           preStop:
             exec:
               command:
-                - python3
-                - /usr/local/bin/pre_stop.py
+                - /bin/bash
+                - -c
+                - |
+                  kubectl patch role/{{ include "graphscope.fullname" . }}-role \
+                  -n {{ .Release.Namespace }} \
+                  --type json \
+                  --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]' && \
+                  kubectl patch rolebinding/{{ include "graphscope.fullname" . }}-role-binding \
+                  -n {{ .Release.Namespace }} \
+                  --type json \
+                  --patch='[ { "op": "remove", "path": "/metadata/finalizers" } ]'
         command:
           - python3
           - "-m"

diff --git a/charts/graphscope/templates/role_and_binding.yaml b/charts/graphscope/templates/role_and_binding.yaml
@@ -3,16 +3,23 @@ kind: Role
 metadata:
   name: {{ include "graphscope.fullname" . }}-role
   namespace: {{ .Release.Namespace }}
+  finalizers:
+  - kubernetes
 rules:
 - apiGroups: ["apps", "extensions", ""]
   resources: ["configmaps", "deployments", "deployments/status", "endpoints", "events", "pods", "pods/log", "pods/exec", "pods/status", "services", "replicasets"]
   verbs: ["*"]
+- apiGroups: ["rbac.authorization.k8s.io"]
+  resources: ["roles", "rolebindings"]
+  verbs: ["patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
   name: {{ include "graphscope.fullname" . }}-role-binding
   namespace: {{ .Release.Namespace }}
+  finalizers:
+  - kubernetes
 subjects:
 - kind: ServiceAccount
   name: default