From 43ea292f57b07a20d563aef46c4c9772290a3d00 Mon Sep 17 00:00:00 2001
From: Sam Dyson
Date: Fri, 13 May 2022 07:57:00 +1000
Subject: [PATCH 1/2] feat: add service account roles/rolebinding to helm chart, and add some doco for using the helm chart
---
 .../templates/serviceaccount.yaml | 52 +++++++++++++++++++
 doc/source/operator.rst | 19 +++++++
 2 files changed, 71 insertions(+)
diff --git a/dask_kubernetes/operator/deployment/helm/dask-kubernetes-operator/templates/serviceaccount.yaml b/dask_kubernetes/operator/deployment/helm/dask-kubernetes-operator/templates/serviceaccount.yaml
index 3fd55e0bc..55582f345 100644
--- a/dask_kubernetes/operator/deployment/helm/dask-kubernetes-operator/templates/serviceaccount.yaml
+++ b/dask_kubernetes/operator/deployment/helm/dask-kubernetes-operator/templates/serviceaccount.yaml
@@ -9,4 +9,56 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ include "dask_kubernetes_operator.serviceAccountName" . }}-role-cluster
+rules:
+ # Framework: knowing which other operators are running (i.e. peering).
+ - apiGroups: [kopf.dev]
+ resources: [clusterkopfpeerings]
+ verbs: [list, watch, patch, get]
+
+ # Framework: runtime observation of namespaces & CRDs (addition/deletion).
+ - apiGroups: [apiextensions.k8s.io]
+ resources: [customresourcedefinitions]
+ verbs: [list, watch]
+ - apiGroups: [""]
+ resources: [namespaces]
+ verbs: [list, watch]
+
+ # Framework: admission webhook configuration management.
+ - apiGroups:
+ [admissionregistration.k8s.io/v1, admissionregistration.k8s.io/v1beta1]
+ resources: [validatingwebhookconfigurations, mutatingwebhookconfigurations]
+ verbs: [create, patch]
+
+ # Application: watching & handling for the custom resource we declare.
+ - apiGroups: [kubernetes.dask.org]
+ resources: [daskclusters, daskworkergroups]
+ verbs: [get, list, watch, patch, create, delete]
+
+ # Application: other resources it produces and manipulates.
+ # Here, we create/delete Pods.
+ - apiGroups: [""]
+ resources: [pods]
+ verbs: [create, delete, get, watch, list]
+
+ - apiGroups: [""]
+ resources: [services]
+ verbs: [create, delete, get, watch, list]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ include "dask_kubernetes_operator.serviceAccountName" . }}-rolebinding-cluster
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ include "dask_kubernetes_operator.serviceAccountName" . }}-role-cluster
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "dask_kubernetes_operator.serviceAccountName" . }}
+ namespace: {{ .Release.Namespace }}
 {{- end }}
diff --git a/doc/source/operator.rst b/doc/source/operator.rst
index 0db29dc76..2339b4335 100644
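Review bot: The admission-webhook rule in the new ClusterRole in serviceaccount.yaml lists `admissionregistration.k8s.io/v1` and `admissionregistration.k8s.io/v1beta1` under `apiGroups`, but RBAC matches on the API group name without a version, so the rule as written grants nothing; it should read `- apiGroups: [admissionregistration.k8s.io]`. Once corrected it allows create/patch on validating and mutating webhook configurations cluster-wide, so I would keep it only if the operator actually registers admission webhooks, which this hunk does not show. Separately, the role is bound with a ClusterRoleBinding, so create/delete on pods and services applies in every namespace; a comment such as `# Cluster-wide: the operator manages DaskClusters in any namespace` above those rules, or a chart value that switches to a namespaced Role/RoleBinding, would make that scope an explicit choice. The closing `{{- end }}` belongs to a block opened outside the hunk (presumably the service-account creation conditional), in which case no RBAC is rendered when an existing service account is supplied.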
--- a/doc/source/operator.rst
+++ b/doc/source/operator.rst
@@ -41,6 +41,25 @@ This will create the appropriate roles, service accounts and a deployment for th
 kube-system dask-kubernetes-operator-775b8bbbd5-zdrf7 1/1 Running 0 74s
+Installing the operator with Helm
+---------------------------------
+
+Along with a set of kubernetes manifests, the operator has a basic Helm chart which can be used to manage the installation of the operator.
+The chart is published in the ``dask/helm-charts`` repository, and can be installed via:
+
+.. code-block:: console
+
+ $ helm repo add dask https://helm.dask.org
+ $ helm repo update
+ $ helm install --version 2022.5.0 myrelease dask/dask-kubernetes-operator
+
+This will install the custom resource definitions, service account, roles, and the operator deployment.
+
+.. warning::
+ Please note that `Helm does not support updating or deleting CRDs. `_ If updates
+ are made to the CRD templates in future releases (to support future k8s releases, for example) you may have to manually update the CRDs.
+
+
 Creating a Dask cluster via ``kubectl``
 ---------------------------------------
From fc7011140bc6b0162d1f84d55264ddaa4439b30a Mon Sep 17 00:00:00 2001
From: Jacob Tomlinson
Date: Fri, 13 May 2022 09:47:21 +0100
Subject: [PATCH 2/2] Apply suggestions from code review
---
 doc/source/operator.rst | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/doc/source/operator.rst b/doc/source/operator.rst
index 2339b4335..4653bb2f7 100644
--- a/doc/source/operator.rst
+++ b/doc/source/operator.rst
@@ -45,13 +45,13 @@ Installing the operator with Helm
 ---------------------------------
 Along with a set of kubernetes manifests, the operator has a basic Helm chart which can be used to manage the installation of the operator.
-The chart is published in the ``dask/helm-charts`` repository, and can be installed via:
+The chart is published in the `Dask Helm repo `_ repository, and can be installed via:
 .. code-block:: console
 $ helm repo add dask https://helm.dask.org
 $ helm repo update
- $ helm install --version 2022.5.0 myrelease dask/dask-kubernetes-operator
+ $ helm install myrelease dask/dask-kubernetes-operator
 This will install the custom resource definitions, service account, roles, and the operator deployment.