introduce `helm init --automount-service-account-token` (#4589)

Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>

introduce `helm init --automount-service-account-token` (#4589)
Signed-off-by: Matthew Fisher <matt.fisher@microsoft.com>
10db6a6f · Matthew Fisher · GitHub · bef59e40 · 10db6a6f · 10db6a6f
Unverified Commit 10db6a6f authored Sep 07, 2018 by Matthew Fisher Committed by GitHub Sep 07, 2018
6 changed files
--- a/cmd/helm/init.go
+++ b/cmd/helm/init.go
@@ -139,6 +139,7 @@ func newInitCmd(out io.Writer) *cobra.Command {
 	f.StringVar(&i.opts.NodeSelectors, "node-selectors", "", "labels to specify the node on which Tiller is installed (app=tiller,helm=rocks)")
 	f.VarP(&i.opts.Output, "output", "o", "skip installation and output Tiller's manifest in specified format (json or yaml)")
 	f.StringArrayVar(&i.opts.Values, "override", []string{}, "override values for the Tiller Deployment manifest (can specify multiple or separate values with commas: key1=val1,key2=val2)")
+	f.BoolVar(&i.opts.AutoMountServiceAccountToken, "automount-service-account-token", true, "auto-mount the given service account to tiller")
 	return cmd
 }

--- a/cmd/helm/installer/install.go
+++ b/cmd/helm/installer/install.go
@@ -218,7 +218,8 @@ func generateDeployment(opts *Options) (*v1beta1.Deployment, error) {
 					Labels: labels,
 				},
 				Spec: v1.PodSpec{
-					ServiceAccountName: opts.ServiceAccount,
+					ServiceAccountName:           opts.ServiceAccount,
+					AutomountServiceAccountToken: &opts.AutoMountServiceAccountToken,
 					Containers: []v1.Container{
 						{
 							Name:            "tiller",

--- a/cmd/helm/installer/install_test.go
+++ b/cmd/helm/installer/install_test.go
@@ -80,7 +80,8 @@ func TestDeploymentForServiceAccount(t *testing.T) {
 		{"withoutSA", "", false, "gcr.io/kubernetes-helm/tiller:latest", "IfNotPresent", ""},
 	}
 	for _, tt := range tests {
-		d, err := Deployment(&Options{Namespace: v1.NamespaceDefault, ImageSpec: tt.image, UseCanary: tt.canary, ServiceAccount: tt.serviceAccount})
+		opts := &Options{Namespace: v1.NamespaceDefault, ImageSpec: tt.image, UseCanary: tt.canary, ServiceAccount: tt.serviceAccount}
+		d, err := Deployment(opts)
 		if err != nil {
 			t.Fatalf("%s: error %q", tt.name, err)
 		}
@@ -88,6 +89,18 @@ func TestDeploymentForServiceAccount(t *testing.T) {
 		if got := d.Spec.Template.Spec.ServiceAccountName; got != tt.serviceAccount {
 			t.Errorf("%s: expected service account value %q, got %q", tt.name, tt.serviceAccount, got)
 		}
+		if got := *d.Spec.Template.Spec.AutomountServiceAccountToken; got != false {
+			t.Errorf("%s: expected AutomountServiceAccountToken = %t, got %t", tt.name, false, got)
+		}
+		opts.AutoMountServiceAccountToken = true
+		d, err = Deployment(opts)
+		if err != nil {
+			t.Fatalf("%s: error %q", tt.name, err)
+		}
+		if got := *d.Spec.Template.Spec.AutomountServiceAccountToken; got != true {
+			t.Errorf("%s: expected AutomountServiceAccountToken = %t, got %t", tt.name, true, got)
+		}
 	}
 }

--- a/cmd/helm/installer/options.go
+++ b/cmd/helm/installer/options.go
@@ -47,6 +47,9 @@ type Options struct {
 	// ServiceAccount is the Kubernetes service account to add to Tiller.
 	ServiceAccount string
+	// AutoMountServiceAccountToken determines whether or not the service account should be added to Tiller.
+	AutoMountServiceAccountToken bool
 	// Force allows to force upgrading tiller if deployed version is greater than current version
 	ForceUpgrade bool

--- a/docs/helm/helm_init.md
+++ b/docs/helm/helm_init.md
@@ -32,30 +32,31 @@ helm init [flags]
 ### Options
 ```
-      --canary-image                 use the canary Tiller image
+      --automount-service-account-token   auto-mount the given service account to tiller (default true)
-  -c, --client-only                  if set does not install Tiller
+      --canary-image                      use the canary Tiller image
-      --dry-run                      do not install local or remote
+  -c, --client-only                       if set does not install Tiller
-      --force-upgrade                force upgrade of Tiller to the current helm version
+      --dry-run                           do not install local or remote
-  -h, --help                         help for init
+      --force-upgrade                     force upgrade of Tiller to the current helm version
-      --history-max int              limit the maximum number of revisions saved per release. Use 0 for no limit.
+  -h, --help                              help for init
-      --local-repo-url string        URL for local repository (default "http://127.0.0.1:8879/charts")
+      --history-max int                   limit the maximum number of revisions saved per release. Use 0 for no limit.
-      --net-host                     install Tiller with net=host
+      --local-repo-url string             URL for local repository (default "http://127.0.0.1:8879/charts")
-      --node-selectors string        labels to specify the node on which Tiller is installed (app=tiller,helm=rocks)
+      --net-host                          install Tiller with net=host
-  -o, --output OutputFormat          skip installation and output Tiller's manifest in specified format (json or yaml)
+      --node-selectors string             labels to specify the node on which Tiller is installed (app=tiller,helm=rocks)
-      --override stringArray         override values for the Tiller Deployment manifest (can specify multiple or separate values with commas: key1=val1,key2=val2)
+  -o, --output OutputFormat               skip installation and output Tiller's manifest in specified format (json or yaml)
-      --replicas int                 amount of tiller instances to run on the cluster (default 1)
+      --override stringArray              override values for the Tiller Deployment manifest (can specify multiple or separate values with commas: key1=val1,key2=val2)
-      --service-account string       name of service account
+      --replicas int                      amount of tiller instances to run on the cluster (default 1)
-      --skip-refresh                 do not refresh (download) the local repository cache
+      --service-account string            name of service account
-      --stable-repo-url string       URL for stable repository (default "https://kubernetes-charts.storage.googleapis.com")
+      --skip-refresh                      do not refresh (download) the local repository cache
-  -i, --tiller-image string          override Tiller image
+      --stable-repo-url string            URL for stable repository (default "https://kubernetes-charts.storage.googleapis.com")
-      --tiller-tls                   install Tiller with TLS enabled
+  -i, --tiller-image string               override Tiller image
-      --tiller-tls-cert string       path to TLS certificate file to install with Tiller
+      --tiller-tls                        install Tiller with TLS enabled
-      --tiller-tls-hostname string   the server name used to verify the hostname on the returned certificates from Tiller
+      --tiller-tls-cert string            path to TLS certificate file to install with Tiller
-      --tiller-tls-key string        path to TLS key file to install with Tiller
+      --tiller-tls-hostname string        the server name used to verify the hostname on the returned certificates from Tiller
-      --tiller-tls-verify            install Tiller with TLS enabled and to verify remote certificates
+      --tiller-tls-key string             path to TLS key file to install with Tiller
-      --tls-ca-cert string           path to CA root certificate
+      --tiller-tls-verify                 install Tiller with TLS enabled and to verify remote certificates
-      --upgrade                      upgrade if Tiller is already installed
+      --tls-ca-cert string                path to CA root certificate
-      --wait                         block until Tiller is running and ready to receive requests
+      --upgrade                           upgrade if Tiller is already installed
+      --wait                              block until Tiller is running and ready to receive requests
 ```
 ### Options inherited from parent commands
@@ -74,4 +75,4 @@ helm init [flags]
 * [helm](helm.md)	 - The Helm package manager for Kubernetes.
-###### Auto generated by spf13/cobra on 1-Sep-2018
+###### Auto generated by spf13/cobra on 4-Sep-2018
--- a/docs/install.md
+++ b/docs/install.md
@@ -132,6 +132,7 @@ You can explicitly tell `helm init` to...
 - Install to a particular cluster with `--kube-context`
 - Install into a particular namespace with `--tiller-namespace`
 - Install Tiller with a Service Account with `--service-account` (for [RBAC enabled clusters](securing_installation.md#rbac))
+- Install Tiller without mounting a service account with `--automount-service-account false`
 Once Tiller is installed, running `helm version` should show you both
 the client and server version. (If it shows only the client version,