introduce `helm init --automount-service-account-token` (#4589)

Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>

cmd/helm/init.go

@@ -139,6 +139,7 @@ func newInitCmd(out io.Writer) *cobra.Command {
 	f.StringVar(&i.opts.NodeSelectors, "node-selectors", "", "labels to specify the node on which Tiller is installed (app=tiller,helm=rocks)")
 	f.VarP(&i.opts.Output, "output", "o", "skip installation and output Tiller's manifest in specified format (json or yaml)")
 	f.StringArrayVar(&i.opts.Values, "override", []string{}, "override values for the Tiller Deployment manifest (can specify multiple or separate values with commas: key1=val1,key2=val2)")
+	f.BoolVar(&i.opts.AutoMountServiceAccountToken, "automount-service-account-token", true, "auto-mount the given service account to tiller")
 
 	return cmd
 }

cmd/helm/installer/install.go

@@ -219,6 +219,7 @@ func generateDeployment(opts *Options) (*v1beta1.Deployment, error) {
 				},
 				Spec: v1.PodSpec{
 					ServiceAccountName:           opts.ServiceAccount,
+					AutomountServiceAccountToken: &opts.AutoMountServiceAccountToken,
 					Containers: []v1.Container{
 						{
 							Name:            "tiller",

cmd/helm/installer/install_test.go

@@ -80,7 +80,8 @@ func TestDeploymentForServiceAccount(t *testing.T) {
 		{"withoutSA", "", false, "gcr.io/kubernetes-helm/tiller:latest", "IfNotPresent", ""},
 	}
 	for _, tt := range tests {
-		d, err := Deployment(&Options{Namespace: v1.NamespaceDefault, ImageSpec: tt.image, UseCanary: tt.canary, ServiceAccount: tt.serviceAccount})
+		opts := &Options{Namespace: v1.NamespaceDefault, ImageSpec: tt.image, UseCanary: tt.canary, ServiceAccount: tt.serviceAccount}
+		d, err := Deployment(opts)
 		if err != nil {
 			t.Fatalf("%s: error %q", tt.name, err)
 		}
@@ -88,6 +89,18 @@ func TestDeploymentForServiceAccount(t *testing.T) {
 		if got := d.Spec.Template.Spec.ServiceAccountName; got != tt.serviceAccount {
 			t.Errorf("%s: expected service account value %q, got %q", tt.name, tt.serviceAccount, got)
 		}
+		if got := *d.Spec.Template.Spec.AutomountServiceAccountToken; got != false {
+			t.Errorf("%s: expected AutomountServiceAccountToken = %t, got %t", tt.name, false, got)
+		}
+
+		opts.AutoMountServiceAccountToken = true
+		d, err = Deployment(opts)
+		if err != nil {
+			t.Fatalf("%s: error %q", tt.name, err)
+		}
+		if got := *d.Spec.Template.Spec.AutomountServiceAccountToken; got != true {
+			t.Errorf("%s: expected AutomountServiceAccountToken = %t, got %t", tt.name, true, got)
+		}
 	}
 }
 

cmd/helm/installer/options.go

@@ -47,6 +47,9 @@ type Options struct {
 	// ServiceAccount is the Kubernetes service account to add to Tiller.
 	ServiceAccount string
 
+	// AutoMountServiceAccountToken determines whether or not the service account should be added to Tiller.
+	AutoMountServiceAccountToken bool
+
 	// Force allows to force upgrading tiller if deployed version is greater than current version
 	ForceUpgrade bool
 

docs/helm/helm_init.md

@@ -32,6 +32,7 @@ helm init [flags]
 ### Options
 
 ```
+      --automount-service-account-token   auto-mount the given service account to tiller (default true)
       --canary-image                      use the canary Tiller image
   -c, --client-only                       if set does not install Tiller
       --dry-run                           do not install local or remote
@@ -74,4 +75,4 @@ helm init [flags]
 
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
 
-###### Auto generated by spf13/cobra on 1-Sep-2018
+###### Auto generated by spf13/cobra on 4-Sep-2018

docs/install.md

@@ -132,6 +132,7 @@ You can explicitly tell `helm init` to...
 - Install to a particular cluster with `--kube-context`
 - Install into a particular namespace with `--tiller-namespace`
 - Install Tiller with a Service Account with `--service-account` (for [RBAC enabled clusters](securing_installation.md#rbac))
+- Install Tiller without mounting a service account with `--automount-service-account false`
 
 Once Tiller is installed, running `helm version` should show you both
 the client and server version. (If it shows only the client version,