Handle instance permission set in k8s runner resource. (#682)

Domas Monkus · 0x2b3bfa0 · web-flow · commit 0ff27a3cc013 · 2022-09-29T15:16:17.000+03:00
Co-authored-by: Helio Machado &lt;0x2b3bfa0+git@googlemail.com&gt;
diff --git a/iterative/kubernetes/provider.go b/iterative/kubernetes/provider.go
@@ -7,6 +7,7 @@ import (
 	"fmt"
 	"io"
 	"log"
+	"net/http"
 	"os"
 	"strconv"
 	"time"
@@ -83,6 +84,12 @@ func ResourceMachineCreate(ctx context.Context, d *terraform_schema.ResourceData
 		}
 	}
 
+	// Lookup service account if set.
+	svcAccount, svcTokenAutomount, err := getServiceAccount(ctx, conn, namespace, d.Get("instance_permission_set").(string))
+	if err != nil {
+		return err
+	}
+
 	// Leave the job running for 30 seconds after the termination signal, but remove it immediately after terminating.
 	jobTTLSecondsAfterFinished := int32(0)
 	jobTerminationGracePeriod := int64(30)
@@ -126,6 +133,8 @@ func ResourceMachineCreate(ctx context.Context, d *terraform_schema.ResourceData
 							},
 						},
 					},
+					ServiceAccountName:           svcAccount,
+					AutomountServiceAccountToken: svcTokenAutomount,
 				},
 			},
 		},
@@ -434,3 +443,17 @@ func ResourceMachineLogs(ctx context.Context, d *terraform_schema.ResourceData,
 
 	return buf.String(), nil
 }
+
+func getServiceAccount(ctx context.Context, client kubernetes.Interface, namespace string, accountName string) (account string, automountToken *bool, err error) {
+	if accountName == "" {
+		return "", nil, nil
+	}
+	acct, err := client.CoreV1().ServiceAccounts(namespace).Get(ctx, accountName, kubernetes_meta.GetOptions{})
+	if err != nil {
+		if statusErr, ok := err.(*kubernetes_errors.StatusError); ok && statusErr.ErrStatus.Code == http.StatusNotFound {
+			return "", nil, fmt.Errorf("service account %q does not exist in namespace %q", accountName, namespace)
+		}
+		return "", nil, fmt.Errorf("failed to lookup service account %q in namespace %q: %w", accountName, namespace, err)
+	}
+	return accountName, acct.AutomountServiceAccountToken, nil
+}
diff --git a/task/k8s/resources/data_source_permission_set.go b/task/k8s/resources/data_source_permission_set.go
@@ -41,8 +41,7 @@ func (ps *PermissionSet) Read(ctx context.Context) error {
 			return fmt.Errorf("service account %q does not exist in namespace %q: %w",
 				ps.Identifier, ps.client.Namespace, common.NotFoundError)
 		}
-		return fmt.Errorf("failed to lookup service account %q in namespace %q: %w",
-			ps.Identifier, ps.client.Namespace, common.NotFoundError)
+		return fmt.Errorf("failed to lookup service account %q in namespace %q: %w", ps.Identifier, ps.client.Namespace, err)
 
 	}
 	ps.Resource.ServiceAccountName = ps.Identifier

Original file line number	Diff line number	Diff line change
`@@ -41,8 +41,7 @@ func (ps *PermissionSet) Read(ctx context.Context) error {`
`41`	`41`	`return fmt.Errorf("service account %q does not exist in namespace %q: %w",`
`42`	`42`	`ps.Identifier, ps.client.Namespace, common.NotFoundError)`
`43`	`43`	`}`
`44`		`- return fmt.Errorf("failed to lookup service account %q in namespace %q: %w",`
`45`		`- ps.Identifier, ps.client.Namespace, common.NotFoundError)`
	`44`	`+ return fmt.Errorf("failed to lookup service account %q in namespace %q: %w", ps.Identifier, ps.client.Namespace, err)`
`46`	`45`
`47`	`46`	`}`
`48`	`47`	`ps.Resource.ServiceAccountName = ps.Identifier`