From 11d1d039f4ab6b616c3d572d9f7d9a8ce4a7d0da Mon Sep 17 00:00:00 2001
From: Lionel Sambuc <lionel.sambuc@epfl.ch>
Date: Fri, 13 Mar 2026 15:13:14 +0100
Subject: [PATCH 1/2] fix: Allow creation of a default priorityclass and a
 remote service account

---
 .../templates/serviceaccount.yaml             | 107 +++++++++++++++++-
 helm-chart/amalthea-sessions/values.yaml      |   6 +
 2 files changed, 112 insertions(+), 1 deletion(-)

diff --git a/helm-chart/amalthea-sessions/templates/serviceaccount.yaml b/helm-chart/amalthea-sessions/templates/serviceaccount.yaml
index 0eab2b2b..b74e751c 100644
--- a/helm-chart/amalthea-sessions/templates/serviceaccount.yaml
+++ b/helm-chart/amalthea-sessions/templates/serviceaccount.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -8,4 +9,108 @@ metadata:
     app.kubernetes.io/part-of: amalthea
   {{- include "amalthea-sessions.labels" . | nindent 4 }}
   annotations:
-    {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}
\ No newline at end of file
+    {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}
+
+{{- if .Values.deploy.remoteServiceAccount }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: renku-remote-session-manager
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: amalthea
+    app.kubernetes.io/part-of: amalthea
+  {{- include "amalthea-sessions.labels" . | nindent 4 }}
+  annotations:
+    {{- toYaml .Values.controllerManager.remoteServiceAccount.annotations | nindent 4 }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: renku-remote-session-manager-role
+  namespace: {{ .Release.Namespace }}
+  labels:
+  {{- include "amalthea-sessions.labels" . | nindent 4 }}
+rules:
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - pods/log
+      - services
+      - endpoints
+      - secrets
+      - priorityclasses
+      - resourcequotas
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - ""
+    resources:
+      - pods
+      - secrets
+    verbs:
+      - delete
+  - apiGroups:
+      - apps
+    resources:
+      - statefulsets
+    verbs:
+      - get
+      - list
+      - watch
+      - patch
+  - apiGroups:
+      - ""
+    resources:
+      - secrets
+      - resourcequotas
+    verbs:
+      - create
+      - update
+      - delete
+      - patch
+  - apiGroups:
+      - scheduling.k8s.io
+    resources:
+      - priorityclasses
+    verbs:
+      - get
+      - list
+      - watch
+  - apiGroups:
+      - amalthea.dev
+    resources:
+      - amaltheasessions
+    verbs:
+      - create
+      - update
+      - delete
+      - patch
+      - list
+      - get
+      - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: renku-remote-session-manager-rolebinding
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: rbac
+    app.kubernetes.io/created-by: amalthea
+    app.kubernetes.io/part-of: amalthea
+  {{- include "amalthea-sessions.labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: 'renku-remote-session-manager-role'
+subjects:
+- kind: ServiceAccount
+  name: 'renku-remote-session-manager'
+  namespace: '{{ .Release.Namespace }}'
+
+{{- end }}
diff --git a/helm-chart/amalthea-sessions/values.yaml b/helm-chart/amalthea-sessions/values.yaml
index e24d24fd..f5f67dc5 100644
--- a/helm-chart/amalthea-sessions/values.yaml
+++ b/helm-chart/amalthea-sessions/values.yaml
@@ -28,6 +28,8 @@ controllerManager:
   replicas: 1
   serviceAccount:
     annotations: {}
+  remoteServiceAccount:
+    annotations: {}
 kubernetesClusterDomain: cluster.local
 # If set to true then the operator will watch and operate in all namespaces
 clusterScoped: false
@@ -35,6 +37,10 @@ clusterScoped: false
 deployCrd: true
 # Whether to install the dependencies or not
 deploy:
+  priorityClass: false
+  # Whether to create a default resource quota priority class named `renku-user-sessions-priority`
+  remoteServiceAccount: false
+  # Whether to create a service account for a remote Renku portal to connect to the cluster running this operator.
   csiRclone: false
 
 # rcloneStorageClass is the storage class name for the csi-rclone Helm chart

From b9c1b05e8468373761686c5fad702f3e4ae125ae Mon Sep 17 00:00:00 2001
From: Lionel Sambuc <lionel.sambuc@epfl.ch>
Date: Fri, 13 Mar 2026 15:17:39 +0100
Subject: [PATCH 2/2] fix: forgotten file

---
 .../amalthea-sessions/templates/priorityclass.yaml   | 12 ++++++++++++
 1 file changed, 12 insertions(+)
 create mode 100644 helm-chart/amalthea-sessions/templates/priorityclass.yaml

diff --git a/helm-chart/amalthea-sessions/templates/priorityclass.yaml b/helm-chart/amalthea-sessions/templates/priorityclass.yaml
new file mode 100644
index 00000000..6fa2c49b
--- /dev/null
+++ b/helm-chart/amalthea-sessions/templates/priorityclass.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.deploy.priorityClass -}}
+---
+apiVersion: scheduling.k8s.io/v1
+description: Renku default resource quota priority class
+kind: PriorityClass
+metadata:
+  labels:
+    app: renku
+  name: renku-user-sessions-priority
+preemptionPolicy: Never
+value: 100
+{{- end }}