introduce `helm init --automount-service-account-token` (#4589)

Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>
pull/4608/head
Matthew Fisher 6 years ago committed by GitHub
parent bef59e40dc
commit 10db6a6fb5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -139,6 +139,7 @@ func newInitCmd(out io.Writer) *cobra.Command {
f.StringVar(&i.opts.NodeSelectors, "node-selectors", "", "labels to specify the node on which Tiller is installed (app=tiller,helm=rocks)") f.StringVar(&i.opts.NodeSelectors, "node-selectors", "", "labels to specify the node on which Tiller is installed (app=tiller,helm=rocks)")
f.VarP(&i.opts.Output, "output", "o", "skip installation and output Tiller's manifest in specified format (json or yaml)") f.VarP(&i.opts.Output, "output", "o", "skip installation and output Tiller's manifest in specified format (json or yaml)")
f.StringArrayVar(&i.opts.Values, "override", []string{}, "override values for the Tiller Deployment manifest (can specify multiple or separate values with commas: key1=val1,key2=val2)") f.StringArrayVar(&i.opts.Values, "override", []string{}, "override values for the Tiller Deployment manifest (can specify multiple or separate values with commas: key1=val1,key2=val2)")
f.BoolVar(&i.opts.AutoMountServiceAccountToken, "automount-service-account-token", true, "auto-mount the given service account to tiller")
return cmd return cmd
} }
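Review bot: The help string for the new flag, "auto-mount the given service account to tiller", describes the wrong thing: the option controls whether the service account's API token is mounted into the Tiller pod, not whether the account is attached. Something like `"mount the service account's API token into the Tiller pod"` would match what the PodSpec field does. The install guide line added in this same commit calls the flag `--automount-service-account false`, which drops the `-token` suffix. Because this is a boolean flag registered with `BoolVar`, the value also has to be attached as `--automount-service-account-token=false`, since a space-separated `false` is parsed as a positional argument. Only the tail of newInitCmd is visible in this hunk.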

@ -218,7 +218,8 @@ func generateDeployment(opts *Options) (*v1beta1.Deployment, error) {
Labels: labels, Labels: labels,
}, },
Spec: v1.PodSpec{ Spec: v1.PodSpec{
ServiceAccountName: opts.ServiceAccount, ServiceAccountName: opts.ServiceAccount,
AutomountServiceAccountToken: &opts.AutoMountServiceAccountToken,
Containers: []v1.Container{ Containers: []v1.Container{
{ {
Name: "tiller", Name: "tiller",
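Review bot: Setting `AutomountServiceAccountToken` on the PodSpec unconditionally means the pod-level value now always takes precedence over whatever the ServiceAccount object declares. With the CLI default of true, an account created with `automountServiceAccountToken: false` still gets its token mounted into Tiller. Leaving the field nil unless the user actually passed the flag would preserve the ServiceAccount-level setting for clusters that rely on it. Separately, `&opts.AutoMountServiceAccountToken` aliases the caller's Options, so a later mutation of opts changes a Deployment that was already built; copying first (`automount := opts.AutoMountServiceAccountToken`) and using `&automount` avoids that. generateDeployment begins and ends outside this hunk.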

@ -80,7 +80,8 @@ func TestDeploymentForServiceAccount(t *testing.T) {
{"withoutSA", "", false, "gcr.io/kubernetes-helm/tiller:latest", "IfNotPresent", ""}, {"withoutSA", "", false, "gcr.io/kubernetes-helm/tiller:latest", "IfNotPresent", ""},
} }
for _, tt := range tests { for _, tt := range tests {
d, err := Deployment(&Options{Namespace: v1.NamespaceDefault, ImageSpec: tt.image, UseCanary: tt.canary, ServiceAccount: tt.serviceAccount}) opts := &Options{Namespace: v1.NamespaceDefault, ImageSpec: tt.image, UseCanary: tt.canary, ServiceAccount: tt.serviceAccount}
d, err := Deployment(opts)
if err != nil { if err != nil {
t.Fatalf("%s: error %q", tt.name, err) t.Fatalf("%s: error %q", tt.name, err)
} }
@ -88,6 +89,18 @@ func TestDeploymentForServiceAccount(t *testing.T) {
if got := d.Spec.Template.Spec.ServiceAccountName; got != tt.serviceAccount { if got := d.Spec.Template.Spec.ServiceAccountName; got != tt.serviceAccount {
t.Errorf("%s: expected service account value %q, got %q", tt.name, tt.serviceAccount, got) t.Errorf("%s: expected service account value %q, got %q", tt.name, tt.serviceAccount, got)
} }
if got := *d.Spec.Template.Spec.AutomountServiceAccountToken; got != false {
t.Errorf("%s: expected AutomountServiceAccountToken = %t, got %t", tt.name, false, got)
}
opts.AutoMountServiceAccountToken = true
d, err = Deployment(opts)
if err != nil {
t.Fatalf("%s: error %q", tt.name, err)
}
if got := *d.Spec.Template.Spec.AutomountServiceAccountToken; got != true {
t.Errorf("%s: expected AutomountServiceAccountToken = %t, got %t", tt.name, true, got)
}
} }
} }
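Review bot: Both new assertions dereference `*d.Spec.Template.Spec.AutomountServiceAccountToken` without a nil check, so a regression that leaves the field unset would panic the test instead of reporting a failure. The first assertion also depends on the implicit zero value of the Options literal, so writing `AutoMountServiceAccountToken: false` there would make the expectation visible. The comparisons read more idiomatically as `if got { ... }` and `if !got { ... }` than as `got != false` and `got != true`. The test function starts outside the visible hunks.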

@ -47,6 +47,9 @@ type Options struct {
// ServiceAccount is the Kubernetes service account to add to Tiller. // ServiceAccount is the Kubernetes service account to add to Tiller.
ServiceAccount string ServiceAccount string
// AutoMountServiceAccountToken determines whether or not the service account should be added to Tiller.
AutoMountServiceAccountToken bool
// Force allows to force upgrading tiller if deployed version is greater than current version // Force allows to force upgrading tiller if deployed version is greater than current version
ForceUpgrade bool ForceUpgrade bool
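Review bot: The field comment says it determines whether "the service account should be added to Tiller", but the field is wired to the PodSpec's token automount setting. A more accurate comment is `// AutoMountServiceAccountToken controls whether the service account's API token is mounted into the Tiller pod.` The zero value is also false while the CLI flag defaults to true, so any code that builds `Options{}` directly without setting the field now produces a Deployment with token mounting explicitly disabled. If such callers exist outside the visible hunks, Tiller would presumably lose its in-cluster credentials, which is worth documenting on the field. The Options struct continues outside this hunk.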

@ -32,30 +32,31 @@ helm init [flags]
### Options ### Options
``` ```
--canary-image use the canary Tiller image --automount-service-account-token auto-mount the given service account to tiller (default true)
-c, --client-only if set does not install Tiller --canary-image use the canary Tiller image
--dry-run do not install local or remote -c, --client-only if set does not install Tiller
--force-upgrade force upgrade of Tiller to the current helm version --dry-run do not install local or remote
-h, --help help for init --force-upgrade force upgrade of Tiller to the current helm version
--history-max int limit the maximum number of revisions saved per release. Use 0 for no limit. -h, --help help for init
--local-repo-url string URL for local repository (default "http://127.0.0.1:8879/charts") --history-max int limit the maximum number of revisions saved per release. Use 0 for no limit.
--net-host install Tiller with net=host --local-repo-url string URL for local repository (default "http://127.0.0.1:8879/charts")
--node-selectors string labels to specify the node on which Tiller is installed (app=tiller,helm=rocks) --net-host install Tiller with net=host
-o, --output OutputFormat skip installation and output Tiller's manifest in specified format (json or yaml) --node-selectors string labels to specify the node on which Tiller is installed (app=tiller,helm=rocks)
--override stringArray override values for the Tiller Deployment manifest (can specify multiple or separate values with commas: key1=val1,key2=val2) -o, --output OutputFormat skip installation and output Tiller's manifest in specified format (json or yaml)
--replicas int amount of tiller instances to run on the cluster (default 1) --override stringArray override values for the Tiller Deployment manifest (can specify multiple or separate values with commas: key1=val1,key2=val2)
--service-account string name of service account --replicas int amount of tiller instances to run on the cluster (default 1)
--skip-refresh do not refresh (download) the local repository cache --service-account string name of service account
--stable-repo-url string URL for stable repository (default "https://kubernetes-charts.storage.googleapis.com") --skip-refresh do not refresh (download) the local repository cache
-i, --tiller-image string override Tiller image --stable-repo-url string URL for stable repository (default "https://kubernetes-charts.storage.googleapis.com")
--tiller-tls install Tiller with TLS enabled -i, --tiller-image string override Tiller image
--tiller-tls-cert string path to TLS certificate file to install with Tiller --tiller-tls install Tiller with TLS enabled
--tiller-tls-hostname string the server name used to verify the hostname on the returned certificates from Tiller --tiller-tls-cert string path to TLS certificate file to install with Tiller
--tiller-tls-key string path to TLS key file to install with Tiller --tiller-tls-hostname string the server name used to verify the hostname on the returned certificates from Tiller
--tiller-tls-verify install Tiller with TLS enabled and to verify remote certificates --tiller-tls-key string path to TLS key file to install with Tiller
--tls-ca-cert string path to CA root certificate --tiller-tls-verify install Tiller with TLS enabled and to verify remote certificates
--upgrade upgrade if Tiller is already installed --tls-ca-cert string path to CA root certificate
--wait block until Tiller is running and ready to receive requests --upgrade upgrade if Tiller is already installed
--wait block until Tiller is running and ready to receive requests
``` ```
### Options inherited from parent commands ### Options inherited from parent commands
@ -74,4 +75,4 @@ helm init [flags]
* [helm](helm.md) - The Helm package manager for Kubernetes. * [helm](helm.md) - The Helm package manager for Kubernetes.
###### Auto generated by spf13/cobra on 1-Sep-2018 ###### Auto generated by spf13/cobra on 4-Sep-2018

@ -132,6 +132,7 @@ You can explicitly tell `helm init` to...
- Install to a particular cluster with `--kube-context` - Install to a particular cluster with `--kube-context`
- Install into a particular namespace with `--tiller-namespace` - Install into a particular namespace with `--tiller-namespace`
- Install Tiller with a Service Account with `--service-account` (for [RBAC enabled clusters](securing_installation.md#rbac)) - Install Tiller with a Service Account with `--service-account` (for [RBAC enabled clusters](securing_installation.md#rbac))
- Install Tiller without mounting a service account with `--automount-service-account false`
Once Tiller is installed, running `helm version` should show you both Once Tiller is installed, running `helm version` should show you both
the client and server version. (If it shows only the client version, the client and server version. (If it shows only the client version,
