From 091c0dc5f73f72453d1e6eb2df2367d849b48db6 Mon Sep 17 00:00:00 2001
From: Simon Ostendorf
Date: Wed, 29 May 2024 20:15:53 +0200
Subject: [PATCH] feat: read HCLOUD_TOKEN from file (#142)

* feat: read HCLOUD_TOKEN from file
* feat(helm): add serviceaccount, role and rolebinding
* fix(helm): add serviceaccount to pod
* fix(helm): remove apiGroup from RoleBinding subject
---
 .../templates/_helpers.tpl | 12 ++++++++
 .../templates/deployment.yaml | 8 ++++++
 .../templates/role-binding.yaml | 18 ++++++++++++
 .../templates/role.yaml | 12 ++++++++
 .../templates/serviceaccount.yaml | 12 ++++++++
 helm/hcloud-pricing-exporter/values.yaml | 28 +++++++++++++++++++
 main.go | 10 +++++++
 7 files changed, 100 insertions(+)
 create mode 100644 helm/hcloud-pricing-exporter/templates/role-binding.yaml
 create mode 100644 helm/hcloud-pricing-exporter/templates/role.yaml
 create mode 100644 helm/hcloud-pricing-exporter/templates/serviceaccount.yaml

diff --git a/helm/hcloud-pricing-exporter/templates/_helpers.tpl b/helm/hcloud-pricing-exporter/templates/_helpers.tpl
index 94ba816..3a9d691 100644
--- a/helm/hcloud-pricing-exporter/templates/_helpers.tpl
+++ b/helm/hcloud-pricing-exporter/templates/_helpers.tpl
@@ -49,3 +49,15 @@ Selector labels
 app.kubernetes.io/name: {{ include "hcloud-pricing-exporter.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "hcloud-pricing-exporter.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "hcloud-pricing-exporter.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
diff --git a/helm/hcloud-pricing-exporter/templates/deployment.yaml b/helm/hcloud-pricing-exporter/templates/deployment.yaml
index 63401e8..0ec811b 100644
--- a/helm/hcloud-pricing-exporter/templates/deployment.yaml
+++ b/helm/hcloud-pricing-exporter/templates/deployment.yaml
@@ -17,7 +17,13 @@ spec:
 {{- end }}
 labels:
 {{- include "hcloud-pricing-exporter.selectorLabels" . | nindent 8 }}
+ {{- with .Values.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
 spec:
+ {{- if .Values.serviceAccount.create }}
+ serviceAccountName: {{ include "hcloud-pricing-exporter.serviceAccountName" . }}
+ {{- end }}
 {{- with .Values.imagePullSecrets }}
 imagePullSecrets:
 {{- toYaml . | nindent 8 }}
@@ -33,6 +39,8 @@ spec:
 secretKeyRef:
 name: {{ include "hcloud-pricing-exporter.fullname" . }}
 key: token
+ {{- else if .Values.secret.file }}
+ value: {{ printf "file:%s" .Values.secret.file }}
 {{- else }}
 valueFrom:
 secretKeyRef:
diff --git a/helm/hcloud-pricing-exporter/templates/role-binding.yaml b/helm/hcloud-pricing-exporter/templates/role-binding.yaml
new file mode 100644
index 0000000..28d9cc8
--- /dev/null
+++ b/helm/hcloud-pricing-exporter/templates/role-binding.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ printf "%sBinding" .Values.rbac.kind }}
+metadata:
+ name: {{ include "hcloud-pricing-exporter.fullname" . }}
+ labels:
+ {{- include "hcloud-pricing-exporter.labels" . | nindent 4 }}
+subjects:
+ - kind: ServiceAccount
+ name: {{ include "hcloud-pricing-exporter.serviceAccountName" . }}
+ {{- if eq .Values.rbac.kind "ClusterRole" }}
+ namespace: {{ .Release.Namespace }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: {{ .Values.rbac.kind }}
+ name: {{ include "hcloud-pricing-exporter.fullname" . }}
+{{- end }}
diff --git a/helm/hcloud-pricing-exporter/templates/role.yaml b/helm/hcloud-pricing-exporter/templates/role.yaml
new file mode 100644
index 0000000..c22ea55
--- /dev/null
+++ b/helm/hcloud-pricing-exporter/templates/role.yaml
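Review bot: The new `serviceAccountName` line in the first hunk is rendered only when `.Values.serviceAccount.create` is true, so an operator who sets `serviceAccount.create: false` together with `serviceAccount.name: <existing-sa>` gets a pod running as the namespace's `default` ServiceAccount while the new `role-binding.yaml` binds the configured name — the exporter runs without the granted permissions and an unrelated principal holds them. The helper added in `_helpers.tpl` already falls back to `default` when nothing is configured, so the guard can be dropped and the line rendered unconditionally: `serviceAccountName: {{ include "hcloud-pricing-exporter.serviceAccountName" . }}`. In the second hunk the `{{- else if .Values.secret.file }}` branch hands the process a `file:` path, but no volume or mount is added anywhere in this change; if the chart has no generic extra-volume values, the one-line comment in `values.yaml` is the only hint, and a sentence in the chart documentation on how the file is expected to reach the container would help. The container spec these hunks belong to starts and ends outside the hunks.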
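Review bot: `role-binding.yaml` and `role.yaml` name the cluster-scoped `ClusterRole`/`ClusterRoleBinding` with `hcloud-pricing-exporter.fullname`, which is derived from the release name and not the namespace, so two installs with the same release name in different namespaces compete for one cluster-wide object and the binding can only point at one namespace's ServiceAccount. For `kind: ClusterRole` the name should include the namespace, e.g. `name: {{ printf "%s-%s" .Release.Namespace (include "hcloud-pricing-exporter.fullname" .) }}` in both files' `metadata.name` and in the binding's `roleRef.name`, keeping the plain fullname for the namespaced `Role` case. `rbac.kind` is also used verbatim to build the binding kind via `printf "%sBinding"`, so any value other than `Role` or `ClusterRole` renders an invalid kind; a `{{- if not (has .Values.rbac.kind (list "Role" "ClusterRole")) }}{{ fail "rbac.kind must be Role or ClusterRole" }}{{- end }}` at the top of both templates would surface a clear error instead of an API rejection.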
@@ -0,0 +1,12 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ .Values.rbac.kind }}
+metadata:
+ name: {{ include "hcloud-pricing-exporter.fullname" . }}
+ labels:
+ {{- include "hcloud-pricing-exporter.labels" . | nindent 4 }}
+{{- with .Values.rbac.rules }}
+rules:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
diff --git a/helm/hcloud-pricing-exporter/templates/serviceaccount.yaml b/helm/hcloud-pricing-exporter/templates/serviceaccount.yaml
new file mode 100644
index 0000000..8b68782
--- /dev/null
+++ b/helm/hcloud-pricing-exporter/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "hcloud-pricing-exporter.serviceAccountName" . }}
+ labels:
+ {{- include "hcloud-pricing-exporter.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/hcloud-pricing-exporter/values.yaml b/helm/hcloud-pricing-exporter/values.yaml
index ccc74d1..aabd465 100644
--- a/helm/hcloud-pricing-exporter/values.yaml
+++ b/helm/hcloud-pricing-exporter/values.yaml
@@ -9,6 +9,8 @@ imagePullSecrets: [ ]
 nameOverride: ""
 fullnameOverride: ""
+podLabels: { }
+
 podAnnotations: { }
 service:
@@ -28,6 +30,9 @@ secret:
 reference:
 name:
 key:
+ # to read HCLOUD_TOKEN from file, set file to your file path (e.g. /secrets/token)
+ # the file must be provided manually (e.g. via secret injection)
+ file: ""
 serviceMonitor:
 create: false
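Review bot: The new ServiceAccount in `serviceaccount.yaml` does not set `automountServiceAccountToken`, so the default (mount) applies and every pod using this account receives a projected API token, including the shipped default where `rbac.create` is false and nothing in this change needs in-cluster API access. Exposing the choice keeps the pod to what it actually uses: add `automountServiceAccountToken: {{ .Values.serviceAccount.automount }}` as a top-level field next to `metadata` in this template, with an `automount: true` default in the `serviceAccount` block of `values.yaml` so operators who do not grant RBAC rules can turn the mount off. A one-line comment above the new values key stating that it should be `false` unless `rbac.create` is used would make the intent clear to chart users.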
@@ -42,3 +47,26 @@ nodeSelector: { }
 tolerations: [ ]
 affinity: { }
+
+serviceAccount:
+ create: false
+ name: ""
+ annotations: { }
+
+rbac:
+ create: false
+ # can be set to ClusterRole or Role
+ kind: ClusterRole
+ rules: [ ]
+ # - apiGroups:
+ # - authorization.k8s.io
+ # resources:
+ # - subjectaccessreviews
+ # verbs:
+ # - create
+ # - apiGroups:
+ # - authentication.k8s.io
+ # resources:
+ # - tokenreviews
+ # verbs:
+ # - create
diff --git a/main.go b/main.go
index 771cf1a..9555672 100644
--- a/main.go
+++ b/main.go
@@ -44,6 +44,16 @@ func handleFlags() {
 if hcloudAPIToken == "" {
 panic(fmt.Errorf("no API token for HCloud specified, but required"))
 }
+ if strings.HasPrefix(hcloudAPIToken, "file:") {
+ hcloudAPITokenBytes, err := os.ReadFile(strings.TrimPrefix(hcloudAPIToken, "file:"))
+ if err != nil {
+ panic(fmt.Errorf("failed to read HCLOUD_TOKEN from file: %s", err.Error()))
+ }
+ hcloudAPIToken = strings.TrimSpace(string(hcloudAPITokenBytes))
+ }
+ if len(hcloudAPIToken) != 64 {
+ panic(fmt.Errorf("invalid API token for HCloud specified, must be 64 characters long"))
+ }
 additionalLabelsFlag = strings.TrimSpace(strings.ReplaceAll(additionalLabelsFlag, " ", ""))
 additionalLabelsSlice := strings.Split(additionalLabelsFlag, ",")
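Review bot: `if len(hcloudAPIToken) != 64` bakes an assumption about the provider's token format into the exporter, so a change to that format upstream would make a valid token fail startup, and the same "must be 64 characters long" message is what an operator sees when the referenced file is empty or contains only whitespace after `TrimSpace`. Prefer rejecting only the clearly-wrong case and leaving format validation to the API — `if hcloudAPIToken == "" { panic(fmt.Errorf("HCLOUD_TOKEN file is empty")) }` right after the `TrimSpace` — or, if the length check stays, add a comment above it saying where the 64 comes from so the next maintainer knows what to update. The read error should wrap rather than flatten its cause, `panic(fmt.Errorf("reading HCLOUD_TOKEN from file: %w", err))`; `os.ReadFile`'s error already names the path and never carries file contents, so the token itself cannot end up in the panic output. A plain `HasPrefix` also means a literal token that happened to begin with `file:` would be treated as a path; that is unlikely with the current format but worth a short comment on the `HasPrefix` line. `handleFlags` continues past the end of the hunk.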