From 8ed81bf0c7c118d6ff4370081755970f11a38e35 Mon Sep 17 00:00:00 2001
From: Heather Young
Date: Fri, 8 Jun 2018 16:06:21 -0700
Subject: [PATCH] support certificate-authority-data
---
 kubeconfig | 5 ++++-
 main.go | 1 +
 plugin.go | 8 +++++++-
 plugin_test.go | 7 +++++--
 4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/kubeconfig b/kubeconfig
index 1527de7..0c88acb 100644
--- a/kubeconfig
+++ b/kubeconfig
@@ -1,10 +1,13 @@
 apiVersion: v1
 clusters:
 - cluster:
-{{ if .SkipTLSVerify }}
+{{ if eq .SkipTLSVerify true }}
 insecure-skip-tls-verify: true
+{{ else }}
+ certificate-authority-data: {{ .Certificate }}
 {{ end}}
 server: {{ .APIServer }}
+
 name: helm
 contexts:
 - context:
diff --git a/main.go b/main.go
index d234dba..a3e5e1e 100644
--- a/main.go
+++ b/main.go
@@ -148,6 +148,7 @@ func run(c *cli.Context) error {
 Config: Config{
 APIServer: c.String("api_server"),
 Token: c.String("token"),
+ Certificate: c.String("certificate"),
 ServiceAccount: c.String("service-account"),
 KubeConfig: c.String("kube-config"),
 HelmCommand: c.String("helm_command"),
diff --git a/plugin.go b/plugin.go
index 2bf596d..14ef1c0 100644
--- a/plugin.go
+++ b/plugin.go
@@ -21,6 +21,7 @@ type (
 Config struct {
 APIServer string `json:"api_server"`
 Token string `json:"token"`
+ Certificate string `json:"certificate"`
 ServiceAccount string `json:"service_account"`
 KubeConfig string `json:"kube_config"`
 HelmCommand string `json:"helm_command"`
@@ -220,7 +221,9 @@ func (p *Plugin) Exec() error {
 if p.Config.Token == "" {
 return fmt.Errorf("Error: Token is needed to deploy.")
 }
-
+ if p.Config.SkipTLSVerify == false && p.Config.Certificate == "" {
+ return fmt.Errorf("Error: Certificate is needed to deploy when SKIP_TLS_VERIFY is false.")
+ }
 initialiseKubeconfig(&p.Config, KUBECONFIG, p.Config.KubeConfig)
 }
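Review bot: `{{ .Certificate }}` is written into `certificate-authority-data` with no check on its shape, so a value that is not a single base64 line (raw PEM, or anything containing a line break) produces a kubeconfig that is malformed or carries extra keys in the cluster entry. Validating the setting before rendering would close that off, for example in `Exec()` with `if _, err := base64.StdEncoding.DecodeString(p.Config.Certificate); err != nil { return fmt.Errorf("certificate must be base64-encoded: %v", err) }`; this assumes the file is rendered with text/template, as the unescaped output suggests. As a smaller point of style, `{{ if eq .SkipTLSVerify true }}` is equivalent to the `{{ if .SkipTLSVerify }}` it replaces, since the field is a bool.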
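Review bot: `c.String("certificate")` reads a flag that this commit does not appear to register: the diffstat lists this as the only line added to main.go, so unless a `certificate` flag is already declared outside the hunk, the lookup returns an empty string. In that case the value can only arrive through the `KUBERNETES_CERTIFICATE` fallback in `resolveSecrets`, and a `certificate` setting supplied to the plugin would be silently ignored. Registering a string flag named `certificate` next to the existing `token` flag would make the setting reachable; the flag list and the rest of `run` are outside this hunk.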
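Review bot: The new guard in `Exec()` makes a certificate mandatory whenever `SkipTLSVerify` is false, which rejects deployments to API servers whose certificate chains to an already trusted root; before this commit the template rendered no CA field in that case, presumably leaving trust to the client's default roots. The quickest way past the new error is to set SKIP_TLS_VERIFY, so the check nudges users towards turning verification off. Consider dropping the guard and rendering the field only when a value is present, `{{ else if .Certificate }}` in the kubeconfig template, and writing the condition as `!p.Config.SkipTLSVerify` if it stays. `Exec` begins and ends outside the hunk.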
@@ -296,6 +299,9 @@ func resolveSecrets(p *Plugin) {
 if p.Config.Token == "" {
 p.Config.Token = resolveEnvVar("${KUBERNETES_TOKEN}", p.Config.Prefix, p.Config.Debug)
 }
+ if p.Config.Certificate == "" {
+ p.Config.Certificate = resolveEnvVar("${KUBERNETES_CERTIFICATE}", p.Config.Prefix, p.Config.Debug)
+ }
 if p.Config.ServiceAccount == "" {
 p.Config.ServiceAccount = resolveEnvVar("${SERVICE_ACCOUNT}", p.Config.Prefix, p.Config.Debug)
 if p.Config.ServiceAccount == "" {
diff --git a/plugin_test.go b/plugin_test.go
index 4abd4aa..d450ee0 100644
--- a/plugin_test.go
+++ b/plugin_test.go
@@ -14,10 +14,11 @@ func TestInitialiseKubeconfig(t *testing.T) {
 Config: Config{
 APIServer: "http://myapiserver",
 Token: "secret-token",
+ Certificate: "my-cert-data",
 ServiceAccount: "default-account",
 HelmCommand: "",
 Namespace: "default",
- SkipTLSVerify: true,
+ SkipTLSVerify: false, // if set the true with Certificate, this test will fail
 },
 }
@@ -38,7 +39,9 @@ func TestInitialiseKubeconfig(t *testing.T) {
 if !strings.Contains(kubeConfigStr, "default-account") {
 t.Errorf("Kubeconfig doesn't render serviceaccount")
 }
-
+ if !strings.Contains(kubeConfigStr, "my-cert-data") {
+ t.Errorf("Kubeconfig doesn't render certificate")
+ }
 }
 func TestGetHelmCommandEmptyPushEvent(t *testing.T) {
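Review bot: Nothing in the new `resolveSecrets` branch, or elsewhere in the commit, states what format `KUBERNETES_CERTIFICATE` must have, and the diffstat touches no documentation file. Because the value lands in `certificate-authority-data`, a comment above the branch such as `// KUBERNETES_CERTIFICATE holds the base64-encoded PEM CA bundle, as certificate-authority-data expects` would keep users from supplying raw PEM. `resolveSecrets` continues outside the hunk.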
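Review bot: Flipping `SkipTLSVerify` to `false` in the only fixture of `TestInitialiseKubeconfig` leaves the `insecure-skip-tls-verify` branch of the template without coverage, and the inline comment "if set the true" looks like a typo for "if set to true". A second case with `SkipTLSVerify: true`, asserting that `insecure-skip-tls-verify: true` is rendered and `my-cert-data` is not, would pin both branches. The assertion added in the following hunk could match the whole key, `strings.Contains(kubeConfigStr, "certificate-authority-data: my-cert-data")`, and the new error path in `Exec()` has no test in this commit. Both test hunks cut through `TestInitialiseKubeconfig`.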