From f1314c2d67190e55ce6bc919040b6634a41b70d2 Mon Sep 17 00:00:00 2001
From: JamesMurkin
Date: Tue, 11 Jul 2023 09:11:56 +0100
Subject: [PATCH] Armada-scheduler helm tweaks + make kube native auth work

- Set POD_NAMESPACE + SERVICE_ACCOUNT so kube native auth works properly from api and scheduler pods
- Set the service account name properly in additionalClusterRoleBindings
- Add to the armada-scheduler tls cert to sign for each replica of the scheduler
- This is so the scheduler pods can talk to each other directly
- Alternatively we could use a * record here
---
 .../scheduler/templates/scheduler-clusterrolebinding.yaml | 2 +-
 deployment/scheduler/templates/scheduler-ingress.yaml | 6 +++++-
 deployment/scheduler/templates/scheduler-statefulset.yaml | 8 ++++++++
 3 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/deployment/scheduler/templates/scheduler-clusterrolebinding.yaml b/deployment/scheduler/templates/scheduler-clusterrolebinding.yaml
index 501dfd1384c..1c6d07ff379 100644
--- a/deployment/scheduler/templates/scheduler-clusterrolebinding.yaml
+++ b/deployment/scheduler/templates/scheduler-clusterrolebinding.yaml
@@ -28,6 +28,6 @@ roleRef:
   name: {{ .clusterRoleName }}
 subjects:
   - kind: ServiceAccount
-    name: {{ $root.Values.customServiceAccount | default (include "armada-scheduler.name" $root) }}
+    name: {{ $root.Values.scheduler.customServiceAccount | default (include "armada-scheduler.name" $root) }}
     namespace: {{ $root.Release.Namespace }}
 {{ end }}
diff --git a/deployment/scheduler/templates/scheduler-ingress.yaml b/deployment/scheduler/templates/scheduler-ingress.yaml
index c7b1b48781f..5a461ddaed9 100644
--- a/deployment/scheduler/templates/scheduler-ingress.yaml
+++ b/deployment/scheduler/templates/scheduler-ingress.yaml
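Review bot: The subject on the new `name:` line is now derived from `.Values.scheduler.customServiceAccount`, but the pod spec's `serviceAccountName` in scheduler-statefulset.yaml is not part of this patch, so confirm it is built from exactly the same expression. If the two diverge, the cluster-wide permissions granted by this binding land on an account no scheduler pod uses while the running pods get none, which only surfaces as authorization failures at runtime. A shared named template that both the binding and the StatefulSet call would prevent the two paths from drifting again, as they evidently did before this fix. The enclosing range over the cluster role bindings starts outside the hunk.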
@@ -34,5 +34,9 @@ spec:
   {{ end }}
   tls:
   - hosts:
-    {{- toYaml .Values.scheduler.hostnames | nindent 8 }}
+    {{- toYaml .Values.scheduler.hostnames | nindent 6 }}
+    {{- $root := . -}}
+    {{- range $i := until (int .Values.scheduler.replicas) }}
+      - {{ include "armada-scheduler.name" $root }}-{{ $i }}.{{ include "armada-scheduler.name" $root }}.{{ $root.Release.Namespace }}.svc
+    {{- end }}
     secretName: armada-scheduler-service-tls
diff --git a/deployment/scheduler/templates/scheduler-statefulset.yaml b/deployment/scheduler/templates/scheduler-statefulset.yaml
index b2293104843..649686afb1a 100644
--- a/deployment/scheduler/templates/scheduler-statefulset.yaml
+++ b/deployment/scheduler/templates/scheduler-statefulset.yaml
@@ -49,6 +49,14 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+          - name: SERVICE_ACCOUNT
+            valueFrom:
+              fieldRef:
+                fieldPath: spec.serviceAccountName
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
           {{- if not (((.Values.scheduler.applicationConfig).leader).leaderConnection).armadaUrl }}
           - name: ARMADA_LEADER_LEADERCONNECTION_ARMADAURL
             value: ".{{ include "armada-scheduler.name" . }}.{{ .Release.Namespace }}.svc:{{ .Values.scheduler.applicationConfig.grpc.port }}"
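Review bot: The per-replica names added to `tls.hosts` are in-cluster DNS names (`<name>-<i>.<name>.<namespace>.svc`), so if `armada-scheduler-service-tls` is issued through an ingress-shim with a public/ACME issuer the order cannot be validated and the whole certificate fails; this only works with an internal CA issuer, which deserves a comment above the `range`, e.g. `# pod SANs for scheduler-to-scheduler TLS; requires an internal CA issuer`. The SAN set is also fixed at render time from `.Values.scheduler.replicas`, so scaling the StatefulSet without re-rendering gives new replicas a name the cert does not cover, whereas the wildcard the commit message mentions (`*.<name>.<namespace>.svc`) would not have that problem. The literal `- {{ include ... }}` item must sit at exactly the column `nindent 6` produces for the `toYaml` items, and if `.Values.scheduler.hostnames` can be empty `toYaml` emits `[]` followed by list items, which is invalid YAML — check the `helm template` output for both cases.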
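Review bot: The new `POD_NAMESPACE` entry reads `metadata.namespace`, the same `fieldPath` as the env var directly above it (whose name lies outside the hunk), so the pod now carries its namespace under two names; if the kube-native auth code only reads `POD_NAMESPACE`, rename or drop the older one rather than duplicating it, or add `# POD_NAMESPACE and SERVICE_ACCOUNT are read by kube-native auth` so the duplication is clearly intentional. `SERVICE_ACCOUNT` via `spec.serviceAccountName` resolves to `default` whenever the pod spec sets no `serviceAccountName`, so make sure the template sets it from the same value the ClusterRoleBinding now uses, or the pod will authenticate as an account with none of the intended bindings. The containers and env blocks start outside the hunk.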