chore(helm): stop requesting superfluous permissions

[oleobal]

Description

Remove permissions that we think are superfluous.

(this was split from #671)

How has this been tested?

⬇️ (sufficient, I hope)

Checklist

• changelog was updated with notable changes
• documentation was updated

[oleobal]

/e2e --tests sdk,substrafl,frontend

[Owlfred]

End to end tests: ❌ FAILURE

Jobs status:

• Camelyon: ⏭️
• Distributed / distributed-sdk,substrafl,frontend: ❌
• MNIST: ⏭️
• Standalone / standalone-sdk,substrafl,frontend: ❌

Too bad.

[oleobal]

/e2e --tests sdk,frontend

[Owlfred]

End to end tests: ❌ FAILURE

Jobs status:

• Camelyon: ⏭️
• Distributed / distributed-sdk,frontend: ❌
• MNIST: ⏭️
• Standalone / standalone-sdk,frontend: ❌

Sorry, try again.

[oleobal]

/e2e --tests sdk

[Owlfred]

End to end tests: ✔️ SUCCESS

[SdgJlbl]

Do we have a process to ensure that the helm chart version is the right one? 🤔

[oleobal]

@SdgJlbl

Do we have a process to ensure that the helm chart version is the right one? 🤔

Sort of, the CI checks the proposed version doesn't already exist on the repo: https://github.com/Substra/substra-backend/blob/main/.github/workflows/helm.yml#L41

but that's it

[guilhem-barthes]

Do we actually need "create", "update", "patch" on secrets? It looks like this Role just use read access on secret

[oleobal]

Probably not, now you put it like this

[guilhem-barthes]

Do we actually use batch jobs in the worker?

[oleobal]

I don't know 😅

[oleobal]

Ctrl+F-ing batch in the code base would lead my to believe we don't

No, jobs is part of the batch kubernetes API group so that is normal

[guilhem-barthes]

But do we need to run jobs in the worker? I thought we just ran pods :x

[SdgJlbl]

To the best of my knowledge, we don't use K8s Jobs currently

[oleobal]

/e2e --tests sdk,substrafl,frontend

[Owlfred]

End to end tests: ✔️ SUCCESS

That was easy.