diff --git a/cmd/helm/init.go b/cmd/helm/init.go
index 630847f3b..425c10074 100644
--- a/cmd/helm/init.go
+++ b/cmd/helm/init.go
@@ -139,6 +139,7 @@ func newInitCmd(out io.Writer) *cobra.Command {
 f.StringVar(&i.opts.NodeSelectors, "node-selectors", "", "labels to specify the node on which Tiller is installed (app=tiller,helm=rocks)")
 f.VarP(&i.opts.Output, "output", "o", "skip installation and output Tiller's manifest in specified format (json or yaml)")
 f.StringArrayVar(&i.opts.Values, "override", []string{}, "override values for the Tiller Deployment manifest (can specify multiple or separate values with commas: key1=val1,key2=val2)")
+ f.BoolVar(&i.opts.AutoMountServiceAccountToken, "automount-service-account-token", true, "auto-mount the given service account to tiller")
 return cmd
 }
diff --git a/cmd/helm/installer/install.go b/cmd/helm/installer/install.go
index 055601440..c9ba1b0ca 100644
--- a/cmd/helm/installer/install.go
+++ b/cmd/helm/installer/install.go
@@ -218,7 +218,8 @@ func generateDeployment(opts *Options) (*v1beta1.Deployment, error) {
 Labels: labels,
 },
 Spec: v1.PodSpec{
- ServiceAccountName: opts.ServiceAccount,
+ ServiceAccountName: opts.ServiceAccount,
+ AutomountServiceAccountToken: &opts.AutoMountServiceAccountToken,
 Containers: []v1.Container{
 {
 Name: "tiller",
diff --git a/cmd/helm/installer/install_test.go b/cmd/helm/installer/install_test.go
index d5f3dfec0..561b3ed6d 100644
--- a/cmd/helm/installer/install_test.go
+++ b/cmd/helm/installer/install_test.go
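Review bot: The help string on the new `--automount-service-account-token` flag says it mounts "the given service account", but what it toggles is whether that account's API token is mounted into the Tiller pod. Wording such as `"mount the service account's API token into the Tiller pod"` tells an operator what credential they are turning off. The docs/install.md hunk in this same commit advertises `--automount-service-account false`, which does not match the name registered here. Because this is a boolean flag, the value most likely has to be attached, as in `--automount-service-account-token=false`. newInitCmd starts outside the hunk.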
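Review bot: `AutomountServiceAccountToken: &opts.AutoMountServiceAccountToken` makes the pod spec always carry an explicit value, so an `Options` built without the new field now yields `false` where, as far as the hunk shows, the field was previously unset; the test added in this commit asserts exactly that. Only the CLI default of `true` keeps the old behaviour, so any other caller of the installer package would deploy Tiller without API credentials unless it sets the field. The pointer also aliases the caller's struct, so mutating `opts` later changes a Deployment that was already generated. Copying first avoids that: `automount := opts.AutoMountServiceAccountToken`, then `AutomountServiceAccountToken: &automount,`. generateDeployment begins and ends outside the hunk.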
@@ -80,7 +80,8 @@ func TestDeploymentForServiceAccount(t *testing.T) { {"withoutSA", "", false, "gcr.io/kubernetes-helm/tiller:latest", "IfNotPresent", ""}, } for _, tt := range tests { - d, err := Deployment(&Options{Namespace: v1.NamespaceDefault, ImageSpec: tt.image, UseCanary: tt.canary, ServiceAccount: tt.serviceAccount}) + opts := &Options{Namespace: v1.NamespaceDefault, ImageSpec: tt.image, UseCanary: tt.canary, ServiceAccount: tt.serviceAccount} + d, err := Deployment(opts) if err != nil { t.Fatalf("%s: error %q", tt.name, err) } @@ -88,6 +89,18 @@ func TestDeploymentForServiceAccount(t *testing.T) { if got := d.Spec.Template.Spec.ServiceAccountName; got != tt.serviceAccount { t.Errorf("%s: expected service account value %q, got %q", tt.name, tt.serviceAccount, got) } + if got := *d.Spec.Template.Spec.AutomountServiceAccountToken; got != false { + t.Errorf("%s: expected AutomountServiceAccountToken = %t, got %t", tt.name, false, got) + } + + opts.AutoMountServiceAccountToken = true + d, err = Deployment(opts) + if err != nil { + t.Fatalf("%s: error %q", tt.name, err) + } + if got := *d.Spec.Template.Spec.AutomountServiceAccountToken; got != true { + t.Errorf("%s: expected AutomountServiceAccountToken = %t, got %t", tt.name, true, got) + } } } diff --git a/cmd/helm/installer/options.go b/cmd/helm/installer/options.go index 95aa3988d..729bdf20b 100644 --- a/cmd/helm/installer/options.go +++ b/cmd/helm/installer/options.go @@ -47,6 +47,9 @@ type Options struct { // ServiceAccount is the Kubernetes service account to add to Tiller. ServiceAccount string + // AutoMountServiceAccountToken determines whether or not the service account should be added to Tiller. + AutoMountServiceAccountToken bool + // Force allows to force upgrading tiller if deployed version is greater than current version ForceUpgrade bool diff --git a/docs/helm/helm_init.md b/docs/helm/helm_init.md index f1aad3159..72fd9e86b 100644 --- a/docs/helm/helm_init.md +++ b/docs/helm/helm_init.md 
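Review bot: Both new checks in the second install_test.go hunk dereference `*d.Spec.Template.Spec.AutomountServiceAccountToken` without a nil check, so a regression that leaves the field unset would panic the test run instead of reporting a failure. Bind the pointer first and fail on nil, for example `p := d.Spec.Template.Spec.AutomountServiceAccountToken` followed by `if p == nil || *p {` for the expected-false case. The comparisons `got != false` and `got != true` also read more plainly as `got` and `!got`. TestDeploymentForServiceAccount starts outside the hunk.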
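Review bot: The doc comment on `AutoMountServiceAccountToken` says it decides whether the service account is "added to Tiller", which is what `ServiceAccount` directly above already does; this field controls mounting of the account's API token. Suggested wording: `// AutoMountServiceAccountToken controls whether the service account's API token is mounted into the Tiller pod.` A second comment line should note that the zero value is `false` while `helm init` defaults the flag to `true`, since that difference decides whether Tiller gets a credential at all. The Options struct starts and ends outside the hunk.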
@@ -32,30 +32,31 @@ helm init [flags] ### Options ``` - --canary-image use the canary Tiller image - -c, --client-only if set does not install Tiller - --dry-run do not install local or remote - --force-upgrade force upgrade of Tiller to the current helm version - -h, --help help for init - --history-max int limit the maximum number of revisions saved per release. Use 0 for no limit. - --local-repo-url string URL for local repository (default "http://127.0.0.1:8879/charts") - --net-host install Tiller with net=host - --node-selectors string labels to specify the node on which Tiller is installed (app=tiller,helm=rocks) - -o, --output OutputFormat skip installation and output Tiller's manifest in specified format (json or yaml) - --override stringArray override values for the Tiller Deployment manifest (can specify multiple or separate values with commas: key1=val1,key2=val2) - --replicas int amount of tiller instances to run on the cluster (default 1) - --service-account string name of service account - --skip-refresh do not refresh (download) the local repository cache - --stable-repo-url string URL for stable repository (default "https://kubernetes-charts.storage.googleapis.com") - -i, --tiller-image string override Tiller image - --tiller-tls install Tiller with TLS enabled - --tiller-tls-cert string path to TLS certificate file to install with Tiller - --tiller-tls-hostname string the server name used to verify the hostname on the returned certificates from Tiller - --tiller-tls-key string path to TLS key file to install with Tiller - --tiller-tls-verify install Tiller with TLS enabled and to verify remote certificates - --tls-ca-cert string path to CA root certificate - --upgrade upgrade if Tiller is already installed - --wait block until Tiller is running and ready to receive requests + --automount-service-account-token auto-mount the given service account to tiller (default true) + --canary-image use the canary Tiller image + -c, --client-only if set does 
not install Tiller + --dry-run do not install local or remote + --force-upgrade force upgrade of Tiller to the current helm version + -h, --help help for init + --history-max int limit the maximum number of revisions saved per release. Use 0 for no limit. + --local-repo-url string URL for local repository (default "http://127.0.0.1:8879/charts") + --net-host install Tiller with net=host + --node-selectors string labels to specify the node on which Tiller is installed (app=tiller,helm=rocks) + -o, --output OutputFormat skip installation and output Tiller's manifest in specified format (json or yaml) + --override stringArray override values for the Tiller Deployment manifest (can specify multiple or separate values with commas: key1=val1,key2=val2) + --replicas int amount of tiller instances to run on the cluster (default 1) + --service-account string name of service account + --skip-refresh do not refresh (download) the local repository cache + --stable-repo-url string URL for stable repository (default "https://kubernetes-charts.storage.googleapis.com") + -i, --tiller-image string override Tiller image + --tiller-tls install Tiller with TLS enabled + --tiller-tls-cert string path to TLS certificate file to install with Tiller + --tiller-tls-hostname string the server name used to verify the hostname on the returned certificates from Tiller + --tiller-tls-key string path to TLS key file to install with Tiller + --tiller-tls-verify install Tiller with TLS enabled and to verify remote certificates + --tls-ca-cert string path to CA root certificate + --upgrade upgrade if Tiller is already installed + --wait block until Tiller is running and ready to receive requests ``` ### Options inherited from parent commands @@ -74,4 +75,4 @@ helm init [flags] * [helm](helm.md) - The Helm package manager for Kubernetes. -###### Auto generated by spf13/cobra on 1-Sep-2018 +###### Auto generated by spf13/cobra on 4-Sep-2018 
diff --git a/docs/install.md b/docs/install.md index 52b55baef..6e2426f75 100755 --- a/docs/install.md +++ b/docs/install.md @@ -132,6 +132,7 @@ You can explicitly tell `helm init` to... - Install to a particular cluster with `--kube-context` - Install into a particular namespace with `--tiller-namespace` - Install Tiller with a Service Account with `--service-account` (for [RBAC enabled clusters](securing_installation.md#rbac)) +- Install Tiller without mounting a service account with `--automount-service-account false` Once Tiller is installed, running `helm version` should show you both the client and server version. (If it shows only the client version,