From 4fcfd79ad26203ae212146226a06bd70815ac6e7 Mon Sep 17 00:00:00 2001 From: kevencript Date: Tue, 21 Mar 2023 17:05:18 -0300 Subject: [PATCH] test: :alembic: ServiceAccount: Inject script to test k8s API access (curl) Here we have a simple script injection into our Go app in order to do a CURL requisition to local K8S Api from within the Pod. This will be important to validate that if we can access it when ServiceAccount its added.
---
 k8s/configmap-script-test.yaml | 29 +++++++++++++++++++++++++++++
 k8s/deployment.yaml | 11 +++++++++++
 2 files changed, 40 insertions(+)
 create mode 100644 k8s/configmap-script-test.yaml
diff --git a/k8s/configmap-script-test.yaml b/k8s/configmap-script-test.yaml
new file mode 100644
index 0000000..3981202
--- /dev/null
+++ b/k8s/configmap-script-test.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: test-api-k8s-script
+ namespace: server
+data:
+ script: |
+ #!/bin/sh
+
+ # TESTING ACCESS FROM POD TO K8S APISERVER:
+ # with this script we can check if the pod can list pods via k8s api.
+ # We are doing this to validate the ServiceAccounts
+
+ # Export the internal Kubernetes API server hostname
+ APISERVER=https://kubernetes.default.svc
+
+ # Export the path to ServiceAccount mount directory
+ SERVICEACCOUNT=/var/run/secrets/kubernetes.io/serviceaccount
+
+ # Read the ServiceAccount bearer token
+ TOKEN=$(cat ${SERVICEACCOUNT}/token)
+
+ # Reference the internal Kubernetes certificate authority (CA)
+ CACERT=${SERVICEACCOUNT}/ca.crt
+
+ # Make a call to the Kubernetes API with TOKEN
+ echo "ACTION1: Trying to list PODS from Kubernetes Api:"
+ curl --cacert ${CACERT} --header "Authorization: Bearer ${TOKEN}" -X GET ${APISERVER}/api/v1/namespaces/default/pods
+
diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
index ae824a3..defbc4b 100644
--- a/k8s/deployment.yaml
+++ b/k8s/deployment.yaml
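Review bot: The probe lists `namespaces/default/pods`, but the ConfigMap is created in namespace `server`, so a 403 from this call says nothing about whether the ServiceAccount can read pods in the pod's own namespace; the projected mount provides that name, so use `NAMESPACE=$(cat ${SERVICEACCOUNT}/namespace)` and `${APISERVER}/api/v1/namespaces/${NAMESPACE}/pods`. As written the script exits with curl's transport status, so an HTTP 401/403 still exits 0 — add `--fail` to the curl line (and `set -eu` after the shebang) if anything is meant to act on the result rather than eyeball the output. The "Export …" comments describe plain assignments; either `export` the variables or reword the comments to "Set …". Passing the token via `--header` puts it in curl's argv, readable from `/proc` by any other process in the container; a curl config file (`-K`) keeps it off the command line, though in a single-process container this is a minor hardening.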
@@ -53,10 +53,15 @@ spec:
 - secretRef:
 name: secret-app
 volumeMounts:
+ # Generic example of File Injection
 - mountPath: "/go/myfamily"
 name: file-injection
+ # Generic example of Persistent Volume
 - mountPath: "/go/persistence"
 name: persistent-volume
+ # Here we inject a script to test ServiceAccount (Access to k8s API->LIST_PODS)
+ - mountPath: "/go/test-serviceaccount"
+ name: inject-test-api-k8s-script
 volumes:
 - name: persistent-volume
 persistentVolumeClaim:
@@ -67,3 +72,9 @@ spec:
 items:
 - key: config
 path: family.txt
+ - name: inject-test-api-k8s-script
+ configMap:
+ name: test-api-k8s-script
+ items:
+ - key: script
+ path: test-k8s-api-access.sh
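Review bot: The configMap volume added in the `@@ -67,3 +72,9` hunk sets no `defaultMode`, so `test-k8s-api-access.sh` is projected with the default 0644 permissions and cannot be executed directly from `/go/test-serviceaccount`; either add `defaultMode: 0755` under `configMap:` or note on the mount comment in the first hunk that it must be run as `sh /go/test-serviceaccount/test-k8s-api-access.sh`. Neither hunk shows the Deployment's `metadata.namespace`, and the ConfigMap is created in `server`; if the Deployment lives elsewhere the volume will fail to mount, so that should be confirmed. Nothing in these hunks sets `serviceAccountName` or `automountServiceAccountToken`, so the probe presumably exercises whatever token the rest of the spec already projects — likely the namespace's `default` ServiceAccount — and the mount comment should say so, so a passing run is not misread as validating the account this commit prepares for. The enclosing `spec:` begins well before both hunks.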