feat: read HCLOUD_TOKEN from file (#142)

* feat: read HCLOUD_TOKEN from file * feat(helm): add serviceaccount, role and rolebinding * fix(helm): add serviceaccount to pod * fix(helm): remove apiGroup from RoleBinding subject
2024-11-10 05:54:15 +00:00 · 2024-05-29 20:15:53 +02:00 · 2024-05-29 20:15:53 +02:00 · 091c0dc5f7
commit 091c0dc5f7
parent a7db29dc1d
7 changed files with 100 additions and 0 deletions
--- a/helm/hcloud-pricing-exporter/templates/_helpers.tpl
+++ b/helm/hcloud-pricing-exporter/templates/_helpers.tpl
@ -49,3 +49,15 @@ Selector labels
 app.kubernetes.io/name: {{ include "hcloud-pricing-exporter.name" . }}
 app.kubernetes.io/instance: {{ .Release.Name }}
 {{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "hcloud-pricing-exporter.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "hcloud-pricing-exporter.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
+
--- a/helm/hcloud-pricing-exporter/templates/deployment.yaml
+++ b/helm/hcloud-pricing-exporter/templates/deployment.yaml
@ -17,7 +17,13 @@ spec:
      {{- end }}
      labels:
        {{- include "hcloud-pricing-exporter.selectorLabels" . | nindent 8 }}
+        {{- with .Values.podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
    spec:
+      {{- if .Values.serviceAccount.create }}
+      serviceAccountName: {{ include "hcloud-pricing-exporter.serviceAccountName" . }}
+      {{- end }}
      {{- with .Values.imagePullSecrets }}
      imagePullSecrets:
        {{- toYaml . | nindent 8 }}
@ -33,6 +39,8 @@ spec:
                secretKeyRef:
                  name: {{ include "hcloud-pricing-exporter.fullname" . }}
                  key: token
+              {{- else if .Values.secret.file }}
+              value: {{ printf "file:%s" .Values.secret.file }}
              {{- else }}
              valueFrom:
                secretKeyRef:
--- a/helm/hcloud-pricing-exporter/templates/role-binding.yaml
+++ b/helm/hcloud-pricing-exporter/templates/role-binding.yaml
@ -0,0 +1,18 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ printf "%sBinding" .Values.rbac.kind }}
+metadata:
+  name: {{ include "hcloud-pricing-exporter.fullname" . }}
+  labels:
+    {{- include "hcloud-pricing-exporter.labels" . | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "hcloud-pricing-exporter.serviceAccountName" . }}
+    {{- if eq .Values.rbac.kind "ClusterRole" }}
+    namespace: {{ .Release.Namespace }}
+    {{- end }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: {{ .Values.rbac.kind }}
+  name: {{ include "hcloud-pricing-exporter.fullname" . }}
+{{- end }}
--- a/helm/hcloud-pricing-exporter/templates/role.yaml
+++ b/helm/hcloud-pricing-exporter/templates/role.yaml
@ -0,0 +1,12 @@
+{{- if .Values.rbac.create -}}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: {{ .Values.rbac.kind }}
+metadata:
+  name: {{ include "hcloud-pricing-exporter.fullname" . }}
+  labels:
+    {{- include "hcloud-pricing-exporter.labels" . | nindent 4 }}
+{{- with .Values.rbac.rules }}
+rules:
+  {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
--- a/helm/hcloud-pricing-exporter/templates/serviceaccount.yaml
+++ b/helm/hcloud-pricing-exporter/templates/serviceaccount.yaml
@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "hcloud-pricing-exporter.serviceAccountName" . }}
+  labels:
+    {{- include "hcloud-pricing-exporter.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}
--- a/helm/hcloud-pricing-exporter/values.yaml
+++ b/helm/hcloud-pricing-exporter/values.yaml
@ -9,6 +9,8 @@ imagePullSecrets: [ ]
 nameOverride: ""
 fullnameOverride: ""

+podLabels: { }
+
 podAnnotations: { }

 service:
@ -28,6 +30,9 @@ secret:
  reference:
    name:
    key:
+  # to read HCLOUD_TOKEN from file, set file to your file path (e.g. /secrets/token)
+  # the file must be provided manually (e.g. via secret injection)
+  file: ""

 serviceMonitor:
  create: false
@ -42,3 +47,26 @@ nodeSelector: { }
 tolerations: [ ]

 affinity: { }
+
+serviceAccount:
+  create: false
+  name: ""
+  annotations: { }
+
+rbac:
+  create: false
+  # can be set to ClusterRole or Role
+  kind: ClusterRole
+  rules: [ ]
+    # - apiGroups:
+    #     - authorization.k8s.io
+    #   resources:
+    #     - subjectaccessreviews
+    #   verbs:
+    #     - create
+    # - apiGroups:
+    #     - authentication.k8s.io
+    #   resources:
+    #     - tokenreviews
+    #   verbs:
+    #     - create
--- a/main.go
+++ b/main.go
@ -44,6 +44,16 @@ func handleFlags() {
 	if hcloudAPIToken == "" {
 		panic(fmt.Errorf("no API token for HCloud specified, but required"))
 	}
+	if strings.HasPrefix(hcloudAPIToken, "file:") {
+		hcloudAPITokenBytes, err := os.ReadFile(strings.TrimPrefix(hcloudAPIToken, "file:"))
+		if err != nil {
+			panic(fmt.Errorf("failed to read HCLOUD_TOKEN from file: %s", err.Error()))
+		}
+		hcloudAPIToken = strings.TrimSpace(string(hcloudAPITokenBytes))
+	}
+	if len(hcloudAPIToken) != 64 {
+		panic(fmt.Errorf("invalid API token for HCloud specified, must be 64 characters long"))
+	}

 	additionalLabelsFlag = strings.TrimSpace(strings.ReplaceAll(additionalLabelsFlag, " ", ""))
 	additionalLabelsSlice := strings.Split(additionalLabelsFlag, ",")