12 changes: 12 additions & 0 deletions helm-chart/amalthea-sessions/templates/priorityclass.yaml
@@ -0,0 +1,12 @@
{{- if .Values.deploy.priorityClass -}}
---
apiVersion: scheduling.k8s.io/v1
description: Renku default resource quota priority class
kind: PriorityClass
metadata:
labels:
app: renku
name: renku-user-sessions-priority
Member

This is never referenced in the source code of amalthea. Why is it part of the helm chart? Amalthea does not make or manage priority classes.

preemptionPolicy: Never
value: 100
{{- end }}
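Review bot: `name: renku-user-sessions-priority` is hard-coded on a PriorityClass, which is a cluster-scoped object, so a second release of this chart in the same cluster with `deploy.priorityClass` enabled will conflict with the first over that one object. Either document that only one release per cluster may enable the flag, or make the name configurable through values. The metadata also carries only `app: renku`; including `amalthea-sessions.labels`, as the other templates in this change do, would keep the object selectable together with the rest of the release.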
107 changes: 106 additions & 1 deletion helm-chart/amalthea-sessions/templates/serviceaccount.yaml
@@ -1,3 +1,4 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
Expand All @@ -8,4 +9,108 @@ metadata:
app.kubernetes.io/part-of: amalthea
{{- include "amalthea-sessions.labels" . | nindent 4 }}
annotations:
{{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}
{{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }}

{{- if .Values.deploy.remoteServiceAccount }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: renku-remote-session-manager
Member

This service account is not used anywhere in amalthea? Why have it here?

Member

If this is the same "service account name" used in the cluster spec on the data service then that is used to assign a specific service account to the user session that is created. And in almost all cases the sessions do not need a dedicated service account. The only place we have needed this is on openshift where a dedicated service account is used to get a different security context constraint.

labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: amalthea
app.kubernetes.io/part-of: amalthea
{{- include "amalthea-sessions.labels" . | nindent 4 }}
annotations:
{{- toYaml .Values.controllerManager.remoteServiceAccount.annotations | nindent 4 }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: renku-remote-session-manager-role
namespace: {{ .Release.Namespace }}
labels:
{{- include "amalthea-sessions.labels" . | nindent 4 }}
rules:
- apiGroups:
- ""
resources:
- pods
- pods/log
- services
- endpoints
- secrets
- priorityclasses
- resourcequotas
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- pods
- secrets
verbs:
- delete
- apiGroups:
- apps
resources:
- statefulsets
verbs:
- get
- list
- watch
- patch
- apiGroups:
- ""
resources:
- secrets
- resourcequotas
verbs:
- create
- update
- delete
- patch
- apiGroups:
- scheduling.k8s.io
resources:
- priorityclasses
verbs:
- get
- list
- watch
- apiGroups:
- amalthea.dev
resources:
- amaltheasessions
verbs:
- create
- update
- delete
- patch
- list
- get
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: renku-remote-session-manager-rolebinding
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/component: rbac
app.kubernetes.io/created-by: amalthea
app.kubernetes.io/part-of: amalthea
{{- include "amalthea-sessions.labels" . | nindent 4 }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: 'renku-remote-session-manager-role'
subjects:
- kind: ServiceAccount
name: 'renku-remote-session-manager'
namespace: '{{ .Release.Namespace }}'

{{- end }}
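Review bot: the Role lists `priorityclasses` twice, under the core group `""` in the first rule and under `scheduling.k8s.io` in a later rule, and neither grant can take effect. PriorityClass belongs to `scheduling.k8s.io`, not the core group, and it is cluster-scoped, so a namespaced Role bound through a RoleBinding cannot authorize access to it. Drop the entry from the first rule, and move the `scheduling.k8s.io` rule into a ClusterRole with a ClusterRoleBinding if the remote session manager really needs to read priority classes. Separately, the rules give this account get/list/watch plus create/update/delete/patch on every Secret in the release namespace, with `delete` on `secrets` granted in two different rules. Since the account is meant for a remote portal, check whether that can be narrowed, because any other secret stored in the release namespace falls under the same grant.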
6 changes: 6 additions & 0 deletions helm-chart/amalthea-sessions/values.yaml
Expand Up @@ -28,13 +28,19 @@ controllerManager:
replicas: 1
serviceAccount:
annotations: {}
remoteServiceAccount:
annotations: {}
kubernetesClusterDomain: cluster.local
# If set to true then the operator will watch and operate in all namespaces
clusterScoped: false
# Whether to install the CRD
deployCrd: true
# Whether to install the dependencies or not
deploy:
priorityClass: false
# Whether to create a default resource quota priority class named `renku-user-sessions-priority`
remoteServiceAccount: false
# Whether to create a service account for a remote Renku portal to connect to the cluster running this operator.
csiRclone: false

# rcloneStorageClass is the storage class name for the csi-rclone Helm chart
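Review bot: the two new comments under `deploy:` sit below the keys they describe, while the rest of this file puts the comment above its key (`# Whether to install the CRD` precedes `deployCrd`). As written, the priority class comment reads as documentation for `remoteServiceAccount: false`, and the remote service account comment reads as documentation for `csiRclone: false`. Move each comment above its own key. The `remoteServiceAccount` comment would also be the right place to say that enabling it creates a Role with write access to secrets in the release namespace, so operators know what they are switching on.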