From: Alexandru Avadanii
Date: Thu, 28 Feb 2019 20:07:12 +0000 (+0100)
Subject: helm: Add tiller service account
X-Git-Tag: 1.0.0~42
X-Git-Url: https://gerrit.akraino.org/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F29%2F429%2F2;p=iec.git
helm: Add tiller service account
Initialize tiller service account with cluster-admin role [1]. While at it, use multiarch tiller image from [2], as recommended in [3], at least until upstream gcr.io repo gets proper multiarch support.
[1] https://helm.sh/docs/using_helm/#role-based-access-control
[2] https://github.com/jessestuart/tiller-multiarch
[3] https://github.com/helm/helm/issues/3269
Change-Id: I3719b648de0cbec9fc8802c74763c45233a04861
Signed-off-by: Alexandru Avadanii
---
diff --git a/scripts/helm.sh b/scripts/helm.sh
index 524a770..3f575d2 100755
--- a/scripts/helm.sh
+++ b/scripts/helm.sh
@@ -1,6 +1,7 @@
 #!/bin/bash -ex
 VERSION='v2.12.3'
+TILLER_SA_RBAC=~/tiller-rbac.yaml
 if [ "$(uname -m)" == 'aarch64' ]; then
 FLAVOR='linux-arm64'
 else
@@ -16,3 +17,28 @@ if [ ! -e /usr/bin/helm ] || [ ! -e /usr/bin/tiller ]; then
 --transform "s|${FLAVOR}|/usr/bin|" "${FLAVOR}/"{helm,tiller}
 rm -f "/tmp/${TGZ_NAME}"
 fi
+
+if ! kubectl get serviceaccounts --namespace=kube-system | grep -q tiller; then
+ cat < "${TILLER_SA_RBAC}"
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tiller
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tiller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: tiller
+ namespace: kube-system
+EOF
+ kubectl create -f "${TILLER_SA_RBAC}"
+ helm init --service-account tiller --tiller-image="jessestuart/tiller:${VERSION}"
+fi
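Review bot: `TILLER_SA_RBAC=~/tiller-rbac.yaml` puts the RBAC manifest at a fixed path in the invoking user's home directory, and nothing in the visible hunks removes it after `kubectl create` has consumed it. Because the manifest is static, the heredoc in the second hunk could be streamed straight into `kubectl create -f -`, which would drop both the variable and the leftover file. If the file is kept deliberately so operators can inspect what was applied, a comment such as `# kept on disk for later inspection of the applied RBAC objects` next to the assignment would make that intent clear.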
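Review bot: The `ClusterRoleBinding` gives the `tiller` service account `cluster-admin`, and the `helm init` line deploys Tiller without TLS, so under Helm v2 any workload that can reach the Tiller service inside the cluster can act with cluster-admin rights. If cluster-wide installs are really required, enable mutual TLS at init time (`helm init --service-account tiller --tiller-tls --tiller-tls-verify` together with the certificate options); otherwise bind Tiller to a namespace-scoped `Role` instead of `cluster-admin`. The image `jessestuart/tiller:${VERSION}` comes from a third-party repository, is pulled by a mutable tag, and runs with that same privilege, so pinning it by digest or mirroring it into a registry the project controls would limit the supply-chain exposure. Separately, `grep -q tiller` matches any service account whose name merely contains the string, and the same guard also skips `helm init` when the account exists but Tiller was never deployed; `kubectl get serviceaccount tiller --namespace=kube-system >/dev/null 2>&1` tests for the exact object.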