From 391562e14cef495d5b9f7d4dc854f890966e5f27 Mon Sep 17 00:00:00 2001
From: Alexandru Avadanii
Date: Thu, 28 Feb 2019 21:07:12 +0100
Subject: [PATCH] helm: Add tiller service account Initialize tiller service account with cluster-admin role [1]. While at it, use multiarch tiller image from [2], as recommended in [3], at least until upstream gcr.io repo gets proper multiarch support. [1] https://helm.sh/docs/using_helm/#role-based-access-control [2] https://github.com/jessestuart/tiller-multiarch [3] https://github.com/helm/helm/issues/3269
Change-Id: I3719b648de0cbec9fc8802c74763c45233a04861
Signed-off-by: Alexandru Avadanii
---
 scripts/helm.sh | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
diff --git a/scripts/helm.sh b/scripts/helm.sh
index 524a770..3f575d2 100755
--- a/scripts/helm.sh
+++ b/scripts/helm.sh
@@ -1,6 +1,7 @@
 #!/bin/bash -ex
 VERSION='v2.12.3'
+TILLER_SA_RBAC=~/tiller-rbac.yaml
 if [ "$(uname -m)" == 'aarch64' ]; then
 FLAVOR='linux-arm64'
 else
@@ -16,3 +17,28 @@ if [ ! -e /usr/bin/helm ] || [ ! -e /usr/bin/tiller ]; then
 --transform "s|${FLAVOR}|/usr/bin|" "${FLAVOR}/"{helm,tiller}
 rm -f "/tmp/${TGZ_NAME}"
 fi
+
+if ! kubectl get serviceaccounts --namespace=kube-system | grep -q tiller; then
+ cat < "${TILLER_SA_RBAC}"
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: tiller
+ namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: tiller
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: tiller
+ namespace: kube-system
+EOF
+ kubectl create -f "${TILLER_SA_RBAC}"
+ helm init --service-account tiller --tiller-image="jessestuart/tiller:${VERSION}"
+fi
--
2.16.6
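Review bot: The `helm init` line at the end of the second hunk runs a third-party image, `jessestuart/tiller:${VERSION}`, referenced by mutable tag, under the service account that the manifest just above binds to `cluster-admin`, so whoever can push to that repository or move that tag gets full control of the cluster. Until upstream ships multiarch images, pin the image by digest, e.g. `--tiller-image="jessestuart/tiller@sha256:<digest-placeholder>"`, with a comment saying how the digest was verified. The same line passes no `--tiller-tls`/`--tiller-tls-verify` options, so Tiller's gRPC endpoint stays unauthenticated for anything that can reach it inside the cluster, which matters more now that it acts as cluster-admin. Separately, the guard `grep -q tiller` matches any service account whose name merely contains "tiller"; `kubectl get serviceaccount tiller --namespace=kube-system >/dev/null 2>&1` tests the exact object.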