Pass a service account to the Kubernetes runner for the task execution

ManageIQ · Oct 12, 2023 · 61ae5dc · 61ae5dc
1 parent bc28c48
commit 61ae5dc
Showing 1 changed file with 9 additions and 6 deletions.
diff --git a/lib/manageiq/providers/workflows/engine.rb b/lib/manageiq/providers/workflows/engine.rb
@@ -42,12 +42,15 @@ def self.floe_docker_runner
             host = ENV.fetch("KUBERNETES_SERVICE_HOST")
             port = ENV.fetch("KUBERNETES_SERVICE_PORT")
 
-            Floe::Workflow::Runner::Kubernetes.new(
-              "server"     => URI::HTTPS.build(:host => host, :port => port).to_s,
-              "token_file" => "/run/secrets/kubernetes.io/serviceaccount/token",
-              "ca_cert"    => "/run/secrets/kubernetes.io/serviceaccount/ca.crt",
-              "namespace"  => File.read("/run/secrets/kubernetes.io/serviceaccount/namespace")
-            )
+            options = {
+              "server"               => URI::HTTPS.build(:host => host, :port => port).to_s,
+              "token_file"           => "/run/secrets/kubernetes.io/serviceaccount/token",
+              "ca_cert"              => "/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+              "namespace"            => File.read("/run/secrets/kubernetes.io/serviceaccount/namespace"),
+              "task_service_account" => ENV.fetch("AUTOMATION_JOB_SERVICE_ACCOUNT")
+            }
+
+            Floe::Workflow::Runner::Kubernetes.new(options)
           elsif MiqEnvironment::Command.is_appliance? || MiqEnvironment::Command.supports_command?("podman")
             options = {}
             if Rails.env.production?