test service_account_name

matifali · matifali · commit 296d352a94bd · 2023-08-09T07:32:19.000Z
diff --git a/.github/pr-deployments/rbac.yaml b/.github/pr-deployments/rbac.yaml
@@ -1,16 +1,16 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: coder-workspace
+  name: coder-workspace-pr${PR_NUMBER}
   namespace: pr${PR_NUMBER}
-secrets:
-  - name: coder-workspace-token
+# secrets:
+#   - name: coder-workspace-token
 
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
 metadata:
-  name: coder-workspace
+  name: coder-workspace-pr${PR_NUMBER}
   namespace: pr${PR_NUMBER}
 rules:
   - apiGroups: ["*"]
@@ -21,23 +21,23 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: coder-workspace
+  name: coder-workspace-pr${PR_NUMBER}
   namespace: pr${PR_NUMBER}
 subjects:
   - kind: ServiceAccount
-    name: coder-workspace
+    name: coder-workspace-pr${PR_NUMBER}
     namespace: pr${PR_NUMBER}
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: Role
-  name: coder-workspace
+  name: coder-workspace-pr${PR_NUMBER}
 
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: coder-workspace-token
-  namespace: pr${PR_NUMBER}
-  annotations:
-    kubernetes.io/service-account.name: coder-workspace
-type: kubernetes.io/service-account-token
+# ---
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: coder-workspace-token-pr${PR_NUMBER}
+#   namespace: pr${PR_NUMBER}
+#   annotations:
+#     kubernetes.io/service-account.name: coder-workspace
+# type: kubernetes.io/service-account-token
diff --git a/.github/pr-deployments/template/main.tf b/.github/pr-deployments/template/main.tf
@@ -115,10 +115,10 @@ resource "coder_agent" "main" {
     curl -fsSL https://code-server.dev/install.sh | sh -s -- --method=standalone --prefix=/tmp/code-server
     /tmp/code-server/bin/code-server --auth none --port 13337 >/tmp/code-server.log 2>&1 &
 
-    # Set KUBECONFIG env var to the path of the mounted secret
-    mkdir -p /home/coder/.kube
-    sudo cp /tmp/config /home/coder/.kube/config
-    export KUBECONFIG=/home/coder/.kube/config
+    # # Set KUBECONFIG env var to the path of the mounted secret
+    # mkdir -p /home/coder/.kube
+    # sudo cp /tmp/config /home/coder/.kube/config
+    # export KUBECONFIG=/home/coder/.kube/config
 
   EOT
 
@@ -271,6 +271,7 @@ resource "kubernetes_deployment" "main" {
           fs_group    = 1000
         }
 
+        service_account_name = "coder-workspace-${var.namespace}"
         container {
           name              = "dev"
           image             = "bencdr/devops-tools"
diff --git a/.github/pr-deployments/values.yaml b/.github/pr-deployments/values.yaml
@@ -14,15 +14,15 @@ coder:
       enable: true
       secretName: pr${PR_NUMBER}-tls
       wildcardSecretName: pr${PR_NUMBER}-tls
-  volumes:
-    - name: coder-namespace-kubeconfig
-      secret:
-        secretName: coder-namespace-kubeconfig
-  volumeMounts:
-    - name: coder-namespace-kubeconfig
-      mountPath: /home/coder/.kube/config
-      subPath: kubeconfig
-      readOnly: true
+  # volumes:
+  #   - name: coder-namespace-kubeconfig
+  #     secret:
+  #       secretName: coder-namespace-kubeconfig
+  # volumeMounts:
+  #   - name: coder-namespace-kubeconfig
+  #     mountPath: /home/coder/.kube/config
+  #     subPath: kubeconfig
+  #     readOnly: true
   env:
     - name: "CODER_ACCESS_URL"
       value: "https://${PR_DEPLOYMENT_ACCESS_URL}"
diff --git a/.github/workflows/pr-deploy.yaml b/.github/workflows/pr-deploy.yaml
@@ -303,21 +303,21 @@ jobs:
         if: needs.get_info.outputs.NEW == 'true' || github.event.inputs.deploy == 'true'
         run: |
           set -euo pipefail
-          # Create service account, role, rolebinding and secret
+          # Create service account, role, rolebinding
           envsubst < ./.github/pr-deployments/rbac.yaml | kubectl apply -f -
 
-          # Get the token for the service account
-          export TOKEN=$(kubectl -n pr${{ env.PR_NUMBER }} get secret coder-workspace-token -o jsonpath='{.data.token}' | base64 --decode)
+          # # Get the token for the service account
+          # export TOKEN=$(kubectl -n pr${{ env.PR_NUMBER }} get secret coder-workspace-token -o jsonpath='{.data.token}' | base64 --decode)
 
-          # get CLUSTER_CA and CLUSTER_ENDPOINT
-          export CLUSTER_CA=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}')
-          export CLUSTER_ENDPOINT=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.server}')
+          # # get CLUSTER_CA and CLUSTER_ENDPOINT
+          # export CLUSTER_CA=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.certificate-authority-data}')
+          # export CLUSTER_ENDPOINT=$(kubectl config view --raw --minify --flatten -o jsonpath='{.clusters[].cluster.server}')
 
-          # Create a kubeconfig for the namespace to be used in the workspace
-          envsubst < ./.github/pr-deployments/kubeconfig.yaml > ./namespace-kubeconfig.yaml
+          # # Create a kubeconfig for the namespace to be used in the workspace
+          # envsubst < ./.github/pr-deployments/kubeconfig.yaml > ./namespace-kubeconfig.yaml
 
-          # Create a secret from the kubeconfig
-          kubectl create secret generic coder-namespace-kubeconfig -n pr${{ env.PR_NUMBER }} --from-file=kubeconfig=./namespace-kubeconfig.yaml
+          # # Create a secret from the kubeconfig
+          # kubectl create secret generic coder-namespace-kubeconfig -n pr${{ env.PR_NUMBER }} --from-file=kubeconfig=./namespace-kubeconfig.yaml
 
       - name: Create values.yaml
         if: github.event_name == 'workflow_dispatch'
