Update our hub-health service to properly set roles #1974

Open
sgibson91 opened this issue Dec 5, 2022 · 2 comments

Comments

@sgibson91
Member

Context

Warning in the JupyterHub logs:

[W 2022-12-05 10:49:52.801 JupyterHub app:2312] Service hub-health sets `admin: True`, which is deprecated in JupyterHub 2.0. You can assign now assign roles via `JupyterHub.load_roles` configuration. If you specify services in the admin role configuration, the Service admin flag will be ignored.

We should update our helm chart accordingly.

Proposal

No response

Updates and actions

No response

@sgibson91
Member Author

Needs investigation to see if this is still the case or if it has resolved itself

@consideRatio
Contributor

The permissions for the health check should still be narrowed to the relevant permissions only:

    # hub-health service helps us run health checks from the deployer script.
    # The JupyterHub Helm chart will automatically generate an API token for
    # services and expose it in a k8s Secret named `hub`. When we run health
    # tests against a hub, we read this token from the k8s Secret to acquire
    # the credentials needed to interact with the JupyterHub API.
    #
    hub-health:
      # FIXME: With JupyterHub 2 we can define a role for this service with
      #        more tightly scoped permissions based on our needs.
      #
      admin: true

Action points

  • Identify required JupyterHub RBAC permissions
  • Declare an entry for hub.loadRoles with the permissions (scopes) in basehub, applying it to the hub-health jupyterhub service.
    jupyterhub:
      hub:
        loadRoles:
          hub-health:
            # scopes should at least include permissions to start the
            # user server for the user "deployment-service-check"
            scopes: [???]
            services: [hub-health]

Btw, a bug to be aware of is that changes to hub.loadRoles don't yet trigger a restart of the hub pod as they should, see jupyterhub/zero-to-jupyterhub-k8s#3251.
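
An added example, not part of the comment above or of the project's repository: a small lint over parsed Helm values that flags JupyterHub services still relying on `admin: true`, assigned to the admin role, or given scopes with no `!user=`/`!group=`/`!server=` filter. The function name, the sample values and the scope string are constructed for illustration; the scopes the health check actually needs are still to be identified, as the action points say.

```python
# Added example: lint parsed Helm values for JupyterHub services that still
# get admin rights instead of a narrowly scoped hub.loadRoles entry.

def audit_services(values):
    """Map each service under jupyterhub.hub.services to a list of findings."""
    hub = values.get("jupyterhub", {}).get("hub", {})
    roles = hub.get("loadRoles") or {}
    report = {}
    for svc_name, svc in (hub.get("services") or {}).items():
        findings = []
        # Roles whose `services` list names this service.
        assigned = {key: role for key, role in roles.items()
                    if svc_name in ((role or {}).get("services") or [])}
        if (svc or {}).get("admin"):
            findings.append("deprecated admin flag set")
        if not assigned and not findings:
            findings.append("no role assigned")
        for key, role in assigned.items():
            # Assumption: the role name defaults to its key under loadRoles.
            if role.get("name", key) == "admin":
                findings.append("assigned to the admin role")
            scopes = role.get("scopes") or []
            if not scopes:
                findings.append(f"role {key} declares no scopes")
            # A scope without a !user=/!group=/!server= filter applies hub-wide.
            unfiltered = [s for s in scopes if "!" not in s]
            if unfiltered:
                findings.append(f"role {key} has unfiltered scopes: {unfiltered}")
        report[svc_name] = findings
    return report

# Constructed sample values, shaped as yaml.safe_load would return them.
BEFORE = {"jupyterhub": {"hub": {"services": {"hub-health": {"admin": True}}}}}
AFTER = {"jupyterhub": {"hub": {
    "services": {"hub-health": {}},
    "loadRoles": {"hub-health": {
        # Placeholder scope for illustration only, not the identified set.
        "scopes": ["servers!user=deployment-service-check"],
        "services": ["hub-health"],
    }},
}}}

if __name__ == "__main__":
    for label, values in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_services(values))
```

An empty findings list means the service has a role, no admin flag, and only filtered scopes; it does not show that those scopes are sufficient for the health check.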
