Add automount_service_account_token to podSpec. #57

Closed
wants to merge 2 commits into from
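--- a/kubernetes/resource_kubernetes_pod.go
+++ b/kubernetes/resource_kubernetes_pod.go
@@ -47,8 +47,6 @@ func resourceKubernetesPodCreate(d *schema.ResourceData, meta interface{}) error
 return err
 }
 
-spec.AutomountServiceAccountToken = ptrToBool(false)
-
 pod := api.Pod{
 ObjectMeta: metadata,
 Spec: spec,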
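--- a/kubernetes/resource_kubernetes_pod_test.go
+++ b/kubernetes/resource_kubernetes_pod_test.go
@@ -457,6 +457,42 @@ func TestAccKubernetesPod_with_nodeSelector(t *testing.T) {
 })
 }
 
+func TestAccKubernetesPod_with_AutomountToken(t *testing.T) {
+var conf api.Pod
+
+podName := fmt.Sprintf("tf-acc-test-%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum))
+imageName := "nginx:1.7.9"
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+CheckDestroy: testAccCheckKubernetesPodDestroy,
+Steps: []resource.TestStep{
+{
+Config: testAccKubernetesPodAutomountToken(podName, imageName, ""),
+Check: resource.ComposeAggregateTestCheckFunc(
+testAccCheckKubernetesPodExists("kubernetes_pod.test", &conf),
+resource.TestCheckResourceAttr("kubernetes_pod.test", "spec.0.automount_service_account_token", "true"),
+),
+},
+{
+Config: testAccKubernetesPodAutomountToken(podName, imageName, "automount_service_account_token = false"),
+Check: resource.ComposeAggregateTestCheckFunc(
+testAccCheckKubernetesPodExists("kubernetes_pod.test", &conf),
+resource.TestCheckResourceAttr("kubernetes_pod.test", "spec.0.automount_service_account_token", "false"),
+),
+},
+{
+Config: testAccKubernetesPodAutomountToken(podName, imageName, "automount_service_account_token = true"),
+Check: resource.ComposeAggregateTestCheckFunc(
+testAccCheckKubernetesPodExists("kubernetes_pod.test", &conf),
+resource.TestCheckResourceAttr("kubernetes_pod.test", "spec.0.automount_service_account_token", "true"),
+),
+},
+},
+})
+}
+
 func testAccCheckKubernetesPodDestroy(s *terraform.State) error {
 conn := testAccProvider.Meta().(*kubernetes.Clientset)
 
@@ -993,3 +1029,21 @@ resource "kubernetes_pod" "test" {
 }
 `, podName, imageName, args)
 }
+
+func testAccKubernetesPodAutomountToken(podName, imageName, automount string) string {
+return fmt.Sprintf(`
+resource "kubernetes_pod" "test" {
+metadata {
+name = "%s"
+}
+
+spec {
+container {
+image = "%s"
+name = "containername"
+}
+%s
+}
+}
+`, podName, imageName, automount)
+}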
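Review bot: TestAccKubernetesPod_with_AutomountToken captures the live pod into `conf` through testAccCheckKubernetesPodExists but never inspects it, so each step only proves that Terraform state holds the configured value, not that the API object was created with it. A small check func that reads `conf.Spec.AutomountServiceAccountToken`, fails when the pointer is nil and compares `*conf.Spec.AutomountServiceAccountToken` with the expected bool, added to each ComposeAggregateTestCheckFunc, would close that gap. The first step's expected value of "true" comes from the schema default rather than from the config; a one-line comment on that step, `// relies on the schema default of true`, makes a later default change fail this test deliberately rather than by surprise.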
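--- a/kubernetes/resource_kubernetes_replication_controller.go
+++ b/kubernetes/resource_kubernetes_replication_controller.go
@@ -82,8 +82,6 @@ func resourceKubernetesReplicationControllerCreate(d *schema.ResourceData, meta
 return err
 }
 
-spec.Template.Spec.AutomountServiceAccountToken = ptrToBool(false)
-
 rc := api.ReplicationController{
 ObjectMeta: metadata,
 Spec: spec,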
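--- a/kubernetes/resource_kubernetes_replication_controller_test.go
+++ b/kubernetes/resource_kubernetes_replication_controller_test.go
@@ -386,6 +386,41 @@ func TestAccKubernetesReplicationController_with_empty_dir_volume(t *testing.T)
 })
 }
 
+func TestAccKubernetesReplicationController_with_AutomountToken(t *testing.T) {
+var conf api.ReplicationController
+
+podName := fmt.Sprintf("tf-acc-test-%s", acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum))
+
+resource.Test(t, resource.TestCase{
+PreCheck: func() { testAccPreCheck(t) },
+Providers: testAccProviders,
+CheckDestroy: testAccCheckKubernetesPodDestroy,
+Steps: []resource.TestStep{
+{
+Config: testAccKubernetesReplicationControllerConfig_autoMountToken(podName, ""),
+Check: resource.ComposeAggregateTestCheckFunc(
+testAccCheckKubernetesReplicationControllerExists("kubernetes_replication_controller.test", &conf),
+resource.TestCheckResourceAttr("kubernetes_replication_controller.test", "spec.0.template.0.automount_service_account_token", "true"),
+),
+},
+{
+Config: testAccKubernetesReplicationControllerConfig_autoMountToken(podName, "automount_service_account_token = false"),
+Check: resource.ComposeAggregateTestCheckFunc(
+testAccCheckKubernetesReplicationControllerExists("kubernetes_replication_controller.test", &conf),
+resource.TestCheckResourceAttr("kubernetes_replication_controller.test", "spec.0.template.0.automount_service_account_token", "false"),
+),
+},
+{
+Config: testAccKubernetesReplicationControllerConfig_autoMountToken(podName, "automount_service_account_token = true"),
+Check: resource.ComposeAggregateTestCheckFunc(
+testAccCheckKubernetesReplicationControllerExists("kubernetes_replication_controller.test", &conf),
+resource.TestCheckResourceAttr("kubernetes_replication_controller.test", "spec.0.template.0.automount_service_account_token", "true"),
+),
+},
+},
+})
+}
+
 func testAccCheckKubernetesReplicationControllerDestroy(s *terraform.State) error {
 conn := testAccProvider.Meta().(*kubernetes.Clientset)
 
@@ -848,3 +883,29 @@ resource "kubernetes_replication_controller" "test" {
 }
 `, rcName, imageName)
 }
+
+func testAccKubernetesReplicationControllerConfig_autoMountToken(name, automount string) string {
+return fmt.Sprintf(`
+resource "kubernetes_replication_controller" "test" {
+metadata {
+name = "%s"
+labels {
+TestLabelOne = "one"
+}
+}
+spec {
+replicas = 1 # This is intentionally high to exercise the waiter
+selector {
+TestLabelOne = "one"
+}
+template {
+%s
+container {
+image = "nginx:1.7.8"
+name = "tf-acc-test"
+}
+}
+}
+}
+`, name, automount)
+}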
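Review bot: TestAccKubernetesReplicationController_with_AutomountToken sets `CheckDestroy: testAccCheckKubernetesPodDestroy`, so after the test the destroy check looks for a leftover kubernetes_pod resource rather than the replication controller; it should be `CheckDestroy: testAccCheckKubernetesReplicationControllerDestroy,`, the function defined just below in this file. The local is named `podName` although it names the controller, and the config helper keeps the copied comment `replicas = 1 # This is intentionally high to exercise the waiter`, which no longer describes the value — either drop the comment or restore the count it refers to. As in the pod test, `conf` is captured but `conf.Spec.Template.Spec.AutomountServiceAccountToken` is never asserted, so the steps verify Terraform state only.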
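--- a/kubernetes/schema_pod_spec.go
+++ b/kubernetes/schema_pod_spec.go
@@ -132,6 +132,12 @@ func podSpecFields(isUpdatable bool) map[string]*schema.Schema {
 Computed: true,
 Description: "ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: http://releases.k8s.io/HEAD/docs/design/service_accounts.md.",
 },
+"automount_service_account_token": {
+Type: schema.TypeBool,
+Optional: true,
+Default: true,
+Description: "AutomountServiceAccountToken indicates whether a service account token should be automatically mounted.",
+},
 "subdomain": {
 Type: schema.TypeString,
 Optional: true,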
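Review bot: `Default: true` combined with the removal of `spec.AutomountServiceAccountToken = ptrToBool(false)` in resource_kubernetes_pod.go and resource_kubernetes_replication_controller.go inverts the provider's effective default: pods that this provider previously created without a service-account token will now get one mounted, and existing configurations that never set the field will see a diff on their next plan. That is a behaviour change worth stating in the changelog and in the field itself, e.g. `Description: "AutomountServiceAccountToken indicates whether a service account token should be automatically mounted. Defaults to true; set to false for pods that do not need to reach the API server."`. Whether the new field forces replacement on change depends on how podSpecFields(isUpdatable) is applied outside this hunk; since pod spec is not mutable server-side, confirm that an in-place change is either rejected or marked ForceNew rather than silently ignored.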
21 changes: 14 additions & 7 deletions kubernetes/structures_container.go
Expand Up @@ -2,6 +2,7 @@ package kubernetes

import (
"strconv"
"strings"

"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/kubernetes/pkg/api/v1"
Expand Down Expand Up @@ -236,23 +237,29 @@ func flattenValueFrom(in *v1.EnvVarSource) []interface{} {
}

func flattenContainerVolumeMounts(in []v1.VolumeMount) ([]interface{}, error) {
att := make([]interface{}, len(in))
for i, v := range in {
var att []interface{}
for _, v := range in {
m := map[string]interface{}{}
if v.Name != "" {
if strings.HasPrefix(m["name"].(string), "default-token-") {
// This is a volume mount created server side to auto mount
// the service account token in the pod.
// Ignore it so we don't cause a diff.
continue
}
m["name"] = v.Name
}
m["read_only"] = v.ReadOnly

if v.MountPath != "" {
m["mount_path"] = v.MountPath

}
if v.Name != "" {
m["name"] = v.Name

}
if v.SubPath != "" {
m["sub_path"] = v.SubPath
}
att[i] = m

att = append(att, m)
}
return att, nil
}
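Review bot: `strings.HasPrefix(m["name"].(string), "default-token-")` reads from the map `m` that was created empty two lines earlier, so `m["name"]` is nil and the type assertion panics the first time a mount with a non-empty name is flattened; the check belongs on the source value, `if strings.HasPrefix(v.Name, "default-token-") {`, as the sibling filter in flattenVolumes (structures_pod.go) already does. The tests added in this PR assert state attributes only and would not catch this unless the pod declares a volume mount. Separately, filtering on the fixed prefix `default-token-` is a heuristic: a user-declared mount whose name starts with that prefix is silently dropped from state, so drift in it is never reported, and if the pod runs under a non-default service_account_name the injected token volume is presumably named after that account and would pass the filter — worth confirming against a cluster. The same prefix check appears in flattenVolumes in structures_pod.go and would need the same treatment.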
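--- a/kubernetes/structures_pod.go
+++ b/kubernetes/structures_pod.go
@@ -2,6 +2,7 @@ package kubernetes
 
 import (
 "strconv"
+"strings"
 
 "github.com/hashicorp/terraform/helper/schema"
 "k8s.io/kubernetes/pkg/api/v1"
@@ -44,6 +45,11 @@ func flattenPodSpec(in v1.PodSpec) ([]interface{}, error) {
 if in.SecurityContext != nil {
 att["security_context"] = flattenPodSecurityContext(in.SecurityContext)
 }
+
+if in.AutomountServiceAccountToken != nil {
+att["automount_service_account_token"] = *in.AutomountServiceAccountToken
+}
+
 if in.ServiceAccountName != "" {
 att["service_account_name"] = in.ServiceAccountName
 }
@@ -112,11 +118,16 @@ func flattenSeLinuxOptions(in *v1.SELinuxOptions) []interface{} {
 }
 
 func flattenVolumes(volumes []v1.Volume) ([]interface{}, error) {
-att := make([]interface{}, len(volumes))
-for i, v := range volumes {
+var att []interface{}
+for _, v := range volumes {
 obj := map[string]interface{}{}
-
 if v.Name != "" {
+if strings.HasPrefix(v.Name, "default-token-") {
+// This is a volume added server side to auto mount
+// the service account token in the pod.
+// Ignore it so we don't cause a diff.
+continue
+}
 obj["name"] = v.Name
 }
 if v.ConfigMap != nil {
@@ -188,7 +199,7 @@ func flattenVolumes(volumes []v1.Volume) ([]interface{}, error) {
 if v.PhotonPersistentDisk != nil {
 obj["photon_persistent_disk"] = flattenPhotonPersistentDiskVolumeSource(v.PhotonPersistentDisk)
 }
-att[i] = obj
+att = append(att, obj)
 }
 return att, nil
 }
@@ -376,6 +387,10 @@ func expandPodSpec(p []interface{}) (v1.PodSpec, error) {
 obj.ServiceAccountName = v
 }
 
+if v, ok := in["automount_service_account_token"]; ok {
+obj.AutomountServiceAccountToken = ptrToBool(v.(bool))
+}
+
 if v, ok := in["subdomain"].(string); ok {
 obj.Subdomain = v
 }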
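Review bot: The new block in expandPodSpec asserts `v.(bool)` without a comma-ok check, while the neighbouring lookup on the next line asserts inside the index expression (`in["subdomain"].(string)`); `if v, ok := in["automount_service_account_token"].(bool); ok {` keeps the style consistent and cannot panic if the key is ever present with a non-bool value. In flattenPodSpec the attribute is only set when the API returns a non-nil pointer; if the pointer is nil the key is absent from att, and with the schema now defaulting the field to true that would presumably show up as a perpetual diff rather than as the default — worth confirming against a cluster that does not echo the field back. Both flattenPodSpec and expandPodSpec start and end outside the hunks shown.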
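--- a/website/docs/r/pod.html.markdown
+++ b/website/docs/r/pod.html.markdown
@@ -72,6 +72,7 @@ The following arguments are supported:
 * `restart_policy` - (Optional) Restart policy for all containers within the pod. One of Always, OnFailure, Never. More info: http://kubernetes.io/docs/user-guide/pod-states#restartpolicy.
 * `security_context` - (Optional) SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty
 * `service_account_name` - (Optional) ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: http://releases.k8s.io/HEAD/docs/design/service_accounts.md.
+* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to true.
 * `subdomain` - (Optional) If specified, the fully qualified Pod hostname will be "...svc.". If not specified, the pod will not have a domainname at all..
 * `termination_grace_period_seconds` - (Optional) Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process.
 * `volume` - (Optional) List of volumes that can be mounted by containers belonging to the pod. More info: http://kubernetes.io/docs/user-guide/volumes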
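--- a/website/docs/r/replication_controller.html.markdown
+++ b/website/docs/r/replication_controller.html.markdown
@@ -100,6 +100,7 @@ The following arguments are supported:
 * `security_context` - (Optional) SecurityContext holds pod-level security attributes and common container settings. Optional: Defaults to empty
 * `service_account_name` - (Optional) ServiceAccountName is the name of the ServiceAccount to use to run this pod. More info: http://releases.k8s.io/HEAD/docs/design/service_accounts.md.
 * `subdomain` - (Optional) If specified, the fully qualified Pod hostname will be "...svc.". If not specified, the pod will not have a domainname at all..
+* `automount_service_account_token` - (Optional) Indicates whether a service account token should be automatically mounted. Defaults to true.
 * `termination_grace_period_seconds` - (Optional) Optional duration in seconds the pod needs to terminate gracefully. May be decreased in delete request. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period will be used instead. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process.
 * `volume` - (Optional) List of volumes that can be mounted by containers belonging to the pod. More info: http://kubernetes.io/docs/user-guide/volumes
 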