From 154677eae1810dda4a0805568de1c5de3776ee21 Mon Sep 17 00:00:00 2001
From: Jason Frey
Date: Thu, 12 Oct 2023 13:26:55 -0400
Subject: [PATCH] Pass a service account to the Kubernetes runner for the task execution
---
 lib/manageiq/providers/workflows/engine.rb | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/lib/manageiq/providers/workflows/engine.rb b/lib/manageiq/providers/workflows/engine.rb
index f6cecac..53375b5 100644
--- a/lib/manageiq/providers/workflows/engine.rb
+++ b/lib/manageiq/providers/workflows/engine.rb
@@ -41,12 +41,14 @@ def self.floe_docker_runner
 if MiqEnvironment::Command.is_podified?
 host = ENV.fetch("KUBERNETES_SERVICE_HOST")
 port = ENV.fetch("KUBERNETES_SERVICE_PORT")
+ sa = ENV.fetch("AUTOMATION_JOB_SERVICE_ACCOUNT", nil)
 
 Floe::Workflow::Runner::Kubernetes.new(
- "server" => URI::HTTPS.build(:host => host, :port => port).to_s,
- "token_file" => "/run/secrets/kubernetes.io/serviceaccount/token",
- "ca_cert" => "/run/secrets/kubernetes.io/serviceaccount/ca.crt",
- "namespace" => File.read("/run/secrets/kubernetes.io/serviceaccount/namespace")
+ "server" => URI::HTTPS.build(:host => host, :port => port).to_s,
+ "token_file" => "/run/secrets/kubernetes.io/serviceaccount/token",
+ "ca_cert" => "/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+ "namespace" => File.read("/run/secrets/kubernetes.io/serviceaccount/namespace"),
+ "task_service_account" => sa
 )
 elsif MiqEnvironment::Command.is_appliance? || MiqEnvironment::Command.supports_command?("podman")
 options = {}
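Review bot: When `AUTOMATION_JOB_SERVICE_ACCOUNT` is unset, `sa` is nil and `"task_service_account" => nil` is still passed to the runner, so the identity the task pods run under is decided outside this hunk. If the runner leaves the field out of the pod spec, Kubernetes assigns the namespace's `default` service account. That identity bounds what the workflow task containers can do against the API, so the fallback should be stated at the fetch, e.g. `# Unset: task pods run as the namespace default service account`, and ideally logged when the variable is missing. A set-but-empty variable is forwarded as `""`; `sa = ENV.fetch("AUTOMATION_JOB_SERVICE_ACCOUNT", nil).presence` would normalise it to nil, assuming ActiveSupport is loaded here. The body of `floe_docker_runner` starts and ends outside the hunk.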