From a44870656407239a455ab68064844eac12c6d3c0 Mon Sep 17 00:00:00 2001
From: Felix Kunde
Date: Tue, 18 Feb 2020 12:59:40 +0100
Subject: [PATCH] fix helpers script for UI chart and docs
---
 charts/postgres-operator-ui/templates/_helpers.tpl | 7 +++++++
 charts/postgres-operator/templates/clusterrole.yaml | 4 ++--
 docs/reference/operator_parameters.md | 6 +++---
 manifests/operator-service-account-rbac.yaml | 4 ++--
 4 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/charts/postgres-operator-ui/templates/_helpers.tpl b/charts/postgres-operator-ui/templates/_helpers.tpl
index a5e97081d..d83b9291a 100644
--- a/charts/postgres-operator-ui/templates/_helpers.tpl
+++ b/charts/postgres-operator-ui/templates/_helpers.tpl
@@ -24,6 +24,13 @@ If release name contains chart name it will be used as a full name.
 {{- end -}}
 {{- end -}}

+{{/*
+Create a service account name.
+*/}}
+{{- define "postgres-operator-ui.serviceAccountName" -}}
+{{ default (include "postgres-operator-ui.fullname" .) .Values.serviceAccount.name }}
+{{- end -}}
+
 {{/*
 Create chart name and version as used by the chart label.
 */}}
diff --git a/charts/postgres-operator/templates/clusterrole.yaml b/charts/postgres-operator/templates/clusterrole.yaml
index dc54c479a..1d9ce70c2 100644
--- a/charts/postgres-operator/templates/clusterrole.yaml
+++ b/charts/postgres-operator/templates/clusterrole.yaml
@@ -54,8 +54,8 @@ rules:
 - get
 - list
 - patch
- - update # needed if postgres-operator account is used for pods as well
- - watch # needed if postgres-operator account is used for pods as well
+ - update
+ - watch
 # to CRUD secrets for database access
 - apiGroups:
 - ""
diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md
index 6ae1cd5ba..ca972c22b 100644
--- a/docs/reference/operator_parameters.md
+++ b/docs/reference/operator_parameters.md
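Review bot: The new `postgres-operator-ui.serviceAccountName` helper in `_helpers.tpl` dereferences `.Values.serviceAccount.name` unconditionally and falls back to the chart fullname, so the identity the UI pod runs under is decided entirely by that one value. The chart's values file is not part of this patch; if it does not define a `serviceAccount` map, rendering may fail on the nil lookup. The helper also does not distinguish an account created by the chart from a pre-existing one named by the user, which is worth confirming as intended. Since nothing is created here, the comment would read more accurately as `Resolve the service account name: .Values.serviceAccount.name if set, otherwise the chart fullname.`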
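Review bot: In `charts/postgres-operator/templates/clusterrole.yaml` the `update` and `watch` verbs stay granted while the comment that justified them is dropped, and the same edit is made in `manifests/operator-service-account-rbac.yaml`. The removed comment tied both verbs to the operator account also being used for pods, and the docs change in this patch says pods now default to a separate 'postgres-pod' cluster role, so that reason may no longer apply. If the operator itself does not need them on this resource, removing the two verbs would keep the role closer to least privilege; if it does, keep a comment with the current reason, e.g. `- watch # required by the operator for <reason>`. The rule these verbs belong to starts above the hunk, so the affected resource is not visible here.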
@@ -162,12 +162,12 @@ configuration they are grouped under the `kubernetes` key. default is empty. * **pod_service_account_role_binding_definition** - This definition must bind pod service account to a role with permission + This definition must bind the pod service account to a role with permission sufficient for the pods to start and for Patroni to access K8s endpoints; service account on its own lacks any such rights starting with K8s v1.8. If not explicitly defined by the user, a simple definition that binds the - account to the operator's own 'postgres-operator' cluster role will be used. - The default is empty. + account to the 'postgres-pod' [cluster role](../../manifests/operator-service-account-rbac.yaml#L198) + will be used. The default is empty. * **pod_terminate_grace_period** Postgres pods are [terminated forcefully](https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods) diff --git a/manifests/operator-service-account-rbac.yaml b/manifests/operator-service-account-rbac.yaml index 7b3617027..802411623 100644 --- a/manifests/operator-service-account-rbac.yaml +++ b/manifests/operator-service-account-rbac.yaml @@ -55,8 +55,8 @@ rules: - get - list - patch - - update # needed if postgres-operator account is used for pods as welle - - watch # needed if postgres-operator account is used for pods as well + - update + - watch # to CRUD secrets for database access - apiGroups: - ""