Fix tiller deployment on RBAC clusters

Adds automountServiceAccountToken when a serviceAccount is specified. Prior to this, tiller falls back to contacting the KUBERNETES_SERVICE on localhost:8080 rather than respecting the cluster IP in the KUBERNETES_SERVICE_{HOST,PORT} environment variables. Fixes #3460, fixes #3467.
7 years ago · 1e03f1bce5
parent d32a6ef63b
commit 1e03f1bce5
2 changed files with 6 additions and 1 deletions
--- a/cmd/helm/installer/install.go
+++ b/cmd/helm/installer/install.go
@ -176,6 +176,7 @@ func generateDeployment(opts *Options) (*v1beta1.Deployment, error) {
 			return nil, err
 		}
 	}
+	automountServiceAccountToken := opts.ServiceAccount != ""
 	d := &v1beta1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: opts.Namespace,
@ -189,7 +190,8 @@ func generateDeployment(opts *Options) (*v1beta1.Deployment, error) {
 					Labels: labels,
 				},
 				Spec: v1.PodSpec{
-					ServiceAccountName: opts.ServiceAccount,
+					ServiceAccountName:           opts.ServiceAccount,
+					AutomountServiceAccountToken: &automountServiceAccountToken,
 					Containers: []v1.Container{
 						{
 							Name:            "tiller",
--- a/cmd/helm/installer/install_test.go
+++ b/cmd/helm/installer/install_test.go
@ -96,6 +96,9 @@ func TestDeploymentManifestForServiceAccount(t *testing.T) {
 		if got := d.Spec.Template.Spec.ServiceAccountName; got != tt.serviceAccount {
 			t.Errorf("%s: expected service account value %q, got %q", tt.name, tt.serviceAccount, got)
 		}
+		if got := *d.Spec.Template.Spec.AutomountServiceAccountToken; got != (tt.serviceAccount != "") {
+			t.Errorf("%s: unexpected automountServiceAccountToken = %t for serviceAccount %q", tt.name, got, tt.serviceAccount)
+		}
 	}
 }