From 094d095f0409afaeacc2f0e6a6f928a77fd35ba7 Mon Sep 17 00:00:00 2001
From: Alexei Ledenev
Date: Wed, 2 Aug 2017 16:00:07 +0300
Subject: [PATCH] configure K8s service account to use with SERVICE_ACCOUNT env (default to 'helm')
---
 .gitignore | 3 ++-
 kubeconfig | 4 ++--
 main.go | 47 +++++++++++++++++++++++-----------------------
 plugin.go | 51 +++++++++++++++++++++++++++-----------------------
 plugin_test.go | 25 +++++++++++++++++++------
 5 files changed, 75 insertions(+), 55 deletions(-)
diff --git a/.gitignore b/.gitignore
index e3d2c5a..b4dde86 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,4 +25,5 @@ _testmain.go
 drone-helm
 *.test
-*.out
\ No newline at end of file
+*.out
+.vscode
diff --git a/kubeconfig b/kubeconfig
index 62d87ac..1527de7 100644
--- a/kubeconfig
+++ b/kubeconfig
@@ -12,12 +12,12 @@ contexts:
 {{ if .Namespace }}
 namespace: {{ .Namespace }}
 {{ end}}
- user: helm
+ user: {{ .ServiceAccount }}
 name: helm
 current-context: "helm"
 kind: Config
 preferences: {}
 users:
-- name: helm
+- name: {{ .ServiceAccount }}
 user:
 token: {{ .Token }}
\ No newline at end of file
diff --git a/main.go b/main.go
index d44b944..5cf29e0 100644
--- a/main.go
+++ b/main.go
@@ -130,29 +130,30 @@ func run(c *cli.Context) error {
 }
 plugin := Plugin{
 Config: Config{
- APIServer: c.String("api_server"),
- Token: c.String("token"),
- HelmCommand: c.StringSlice("helm_command"),
- Namespace: c.String("namespace"),
- SkipTLSVerify: c.Bool("skip_tls_verify"),
- Values: c.String("values"),
- ValuesFiles: c.String("values_files"),
- Release: c.String("release"),
- Chart: c.String("chart"),
- Version: c.String("chart-version"),
- Debug: c.Bool("debug"),
- DryRun: c.Bool("dry-run"),
- Secrets: c.StringSlice("secrets"),
- Prefix: c.String("prefix"),
- TillerNs: c.String("tiller-ns"),
- Wait: c.Bool("wait"),
- RecreatePods: c.Bool("recreate-pods"),
- ClientOnly: c.Bool("client-only"),
- CanaryImage: c.Bool("canary-image"),
- Upgrade: c.Bool("upgrade"),
- ReuseValues: c.Bool("reuse-values"),
- Timeout: c.String("timeout"),
- Force: c.Bool("force"),
+ APIServer: c.String("api_server"),
+ Token: c.String("token"),
+ ServiceAccount: c.String("service-account"),
+ HelmCommand: c.StringSlice("helm_command"),
+ Namespace: c.String("namespace"),
+ SkipTLSVerify: c.Bool("skip_tls_verify"),
+ Values: c.String("values"),
+ ValuesFiles: c.String("values_files"),
+ Release: c.String("release"),
+ Chart: c.String("chart"),
+ Version: c.String("chart-version"),
+ Debug: c.Bool("debug"),
+ DryRun: c.Bool("dry-run"),
+ Secrets: c.StringSlice("secrets"),
+ Prefix: c.String("prefix"),
+ TillerNs: c.String("tiller-ns"),
+ Wait: c.Bool("wait"),
+ RecreatePods: c.Bool("recreate-pods"),
+ ClientOnly: c.Bool("client-only"),
+ CanaryImage: c.Bool("canary-image"),
+ Upgrade: c.Bool("upgrade"),
+ ReuseValues: c.Bool("reuse-values"),
+ Timeout: c.String("timeout"),
+ Force: c.Bool("force"),
 },
 }
 resolveSecrets(&plugin)
diff --git a/plugin.go b/plugin.go
index 0e6264a..fe88203 100644
--- a/plugin.go
+++ b/plugin.go
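Review bot: `ServiceAccount: c.String("service-account")` in the `Config` literal of `run` (main.go) reads a flag that this patch does not appear to register: the diffstat counts 47 changed lines for main.go, which is exactly this re-aligned literal, so unless the flag is declared outside the hunk the lookup yields the empty string. The field is also overwritten unconditionally in `resolveSecrets` (plugin.go), which assigns `p.Config.ServiceAccount` from `${SERVICE_ACCOUNT}`, so nothing passed on the command line can take effect. Either declare a `service-account` string flag beside the existing ones and let `resolveSecrets` keep a non-empty value, or drop this line so the environment variable is visibly the only source. `run` starts and ends outside the hunk.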
@@ -19,29 +19,30 @@ var CONFIG = "/root/.kube/config"
 type (
 // Config maps the params we need to run Helm
 Config struct {
- APIServer string `json:"api_server"`
- Token string `json:"token"`
- HelmCommand []string `json:"helm_command"`
- SkipTLSVerify bool `json:"tls_skip_verify"`
- Namespace string `json:"namespace"`
- Release string `json:"release"`
- Chart string `json:"chart"`
- Version string `json:"version"`
- Values string `json:"values"`
- ValuesFiles string `json:"values_files"`
- Debug bool `json:"debug"`
- DryRun bool `json:"dry_run"`
- Secrets []string `json:"secrets"`
- Prefix string `json:"prefix"`
- TillerNs string `json:"tiller_ns"`
- Wait bool `json:"wait"`
- RecreatePods bool `json:"recreate_pods"`
- Upgrade bool `json:"upgrade"`
- CanaryImage bool `json:"canary_image"`
- ClientOnly bool `json:"client_only"`
- ReuseValues bool `json:"reuse_values"`
- Timeout string `json:"timeout"`
- Force bool `json:"force"`
+ APIServer string `json:"api_server"`
+ Token string `json:"token"`
+ ServiceAccount string `json:"service_account"`
+ HelmCommand []string `json:"helm_command"`
+ SkipTLSVerify bool `json:"tls_skip_verify"`
+ Namespace string `json:"namespace"`
+ Release string `json:"release"`
+ Chart string `json:"chart"`
+ Version string `json:"version"`
+ Values string `json:"values"`
+ ValuesFiles string `json:"values_files"`
+ Debug bool `json:"debug"`
+ DryRun bool `json:"dry_run"`
+ Secrets []string `json:"secrets"`
+ Prefix string `json:"prefix"`
+ TillerNs string `json:"tiller_ns"`
+ Wait bool `json:"wait"`
+ RecreatePods bool `json:"recreate_pods"`
+ Upgrade bool `json:"upgrade"`
+ CanaryImage bool `json:"canary_image"`
+ ClientOnly bool `json:"client_only"`
+ ReuseValues bool `json:"reuse_values"`
+ Timeout string `json:"timeout"`
+ Force bool `json:"force"`
 }
 // Plugin default
 Plugin struct {
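Review bot: The new `ServiceAccount` field in `Config` (plugin.go) has no comment, and its name suggests that it selects a Kubernetes identity. In the kubeconfig template of this patch it only fills the `users` entry name and the context's `user` reference; the credential sent to the API server is still `Token`, so changing this value does not change which account or RBAC permissions apply. I would add `// ServiceAccount names the kubeconfig user entry; it is a label only, authentication uses Token.` above the field. The `type (` block continues outside the hunk.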
@@ -210,6 +211,10 @@ func resolveSecrets(p *Plugin) {
 p.Config.Values = resolveEnvVar(p.Config.Values, p.Config.Prefix)
 p.Config.APIServer = resolveEnvVar("${API_SERVER}", p.Config.Prefix)
 p.Config.Token = resolveEnvVar("${KUBERNETES_TOKEN}", p.Config.Prefix)
+ p.Config.ServiceAccount = resolveEnvVar("${SERVICE_ACCOUNT}", p.Config.Prefix)
+ if p.Config.ServiceAccount == "" {
+ p.Config.ServiceAccount = "helm"
+ }
 }
 // getEnvVars will return [${TAG} {TAG} TAG]
diff --git a/plugin_test.go b/plugin_test.go
index 97f7fe7..e7ca0e1 100644
--- a/plugin_test.go
+++ b/plugin_test.go
@@ -15,11 +15,12 @@ func TestInitialiseKubeconfig(t *testing.T) {
 plugin := Plugin{
 Config: Config{
- APIServer: "http://myapiserver",
- Token: "secret-token",
- HelmCommand: cmd,
- Namespace: "default",
- SkipTLSVerify: true,
+ APIServer: "http://myapiserver",
+ Token: "secret-token",
+ ServiceAccount: "default-account",
+ HelmCommand: cmd,
+ Namespace: "default",
+ SkipTLSVerify: true,
 },
 }
@@ -37,6 +38,9 @@ func TestInitialiseKubeconfig(t *testing.T) {
 if !strings.Contains(kubeConfigStr, "http://myapiserver") {
 t.Errorf("Kubeconfig doesn't render APIServer")
 }
+ if !strings.Contains(kubeConfigStr, "default-account") {
+ t.Errorf("Kubeconfig doesn't render serviceaccount")
+ }
 }
@@ -72,9 +76,12 @@ func TestGetHelmCommand(t *testing.T) {
 func TestResolveSecrets(t *testing.T) {
 tag := "v0.1.1"
 api := "http://apiserver"
+ token := "12345"
+ account := "helm"
 os.Setenv("MY_TAG", tag)
 os.Setenv("MY_API_SERVER", api)
- os.Setenv("MY_TOKEN", "12345")
+ os.Setenv("MY_KUBERNETES_TOKEN", token)
+ os.Setenv("MY_SERVICE_ACCOUNT", "helm")
 plugin := &Plugin{
 Config: Config{
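Review bot: In `resolveSecrets` (plugin.go) the value read from `${SERVICE_ACCOUNT}` is only compared with the empty string before it reaches the kubeconfig template, where this patch renders it unquoted as `user: {{ .ServiceAccount }}` and `- name: {{ .ServiceAccount }}`. A value made only of whitespace, or one containing `:`, `#` or a line break, would produce a kubeconfig whose structure differs from the intended one; assuming the file is rendered with text/template, no escaping is applied on the way. Trim before the default check, `p.Config.ServiceAccount = strings.TrimSpace(p.Config.ServiceAccount)`, and reject anything outside the characters a Kubernetes object name allows (lowercase alphanumerics, `-` and `.`) before the template is executed. The function starts outside the hunk.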
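Review bot: In `TestResolveSecrets` (plugin_test.go) the expected value `account := "helm"` is the same string `resolveSecrets` falls back to, so the later check `plugin.Config.ServiceAccount != account` cannot tell a resolved variable from the default; if `resolveEnvVar` returns an empty string for a name it cannot resolve, the test passes without `MY_SERVICE_ACCOUNT` ever being read. Use a value that differs from the default and pass the variable as the token line does, for example with a made-up name: `account := "deployer"` and `os.Setenv("MY_SERVICE_ACCOUNT", account)`. A second case with the variable unset would then cover the `helm` fallback explicitly. The assertion sits in the next hunk of this file, and the test body continues outside both hunks.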
@@ -102,6 +109,12 @@ func TestResolveSecrets(t *testing.T) {
 if plugin.Config.APIServer != api {
 t.Errorf("env var ${API_SERVER} not resolved %s", api)
 }
+ if plugin.Config.Token != token {
+ t.Errorf("env var ${KUBERNETES_TOKEN} not resolved %s", token)
+ }
+ if plugin.Config.ServiceAccount != account {
+ t.Errorf("env var ${SERVICE_ACCOUNT} not resolved %s", account)
+ }
 }
 func TestGetEnvVars(t *testing.T) {