Fix account.yaml

Author: agapoff

README.md

@@ -122,15 +122,15 @@ For numerical checks, the number is returned on success and zero or a negative n
 
 ## ServiceAccount and token
 
-All the needed objects (ServiceAccount, ClusterRole, RoleBinding) can be created with this command:
+All the needed objects (ServiceAccount, Secret, ClusterRole, RoleBinding) can be created by Terraform with terraform.tf file or with this command:
 
     kubectl apply -f https://raw.githubusercontent.com/agapoff/check_kubernetes/master/account.yaml
 
 For mode pvc or tls you need to enable the permissions in the yaml first. Those two can have security implications and are thus disabled by default.
 
 Then in order to get the token just issue this command:
 
-    kubectl -n monitoring get secret "$(kubectl -n monitoring get serviceaccount monitoring -o 'jsonpath={.secrets[0].name}')" -o "jsonpath={.data.token}" | openssl enc -d -base64 -A
+    kubectl -n monitoring get secret monitoring -o "jsonpath={.data.token}" | openssl enc -d -base64 -A
 
 ## Example configuration for Icinga
 

account.tf

@@ -0,0 +1,78 @@
+resource "kubernetes_namespace_v1" "monitoring" {
+  metadata {
+    annotations = {
+      name = "monitoring"
+    }
+
+    name = "monitoring"
+  }
+}
+
+resource "kubernetes_service_account_v1" "monitoring" {
+  metadata {
+    name      = "monitoring"
+    namespace = kubernetes_namespace_v1.monitoring.metadata.0.name
+  }
+
+  secret {
+    name = "monitoring"
+  }
+}
+
+resource "kubernetes_secret_v1" "monitoring" {
+  depends_on = [
+    kubernetes_service_account_v1.monitoring
+  ]
+
+  metadata {
+    name      = "monitoring"
+    namespace = kubernetes_namespace_v1.monitoring.metadata.0.name
+
+    annotations = {
+      "kubernetes.io/service-account.name"      = "monitoring"
+      "kubernetes.io/service-account.namespace" = "monitoring"
+    }
+  }
+
+  type = "kubernetes.io/service-account-token"
+}
+
+resource "kubernetes_cluster_role_v1" "monitoring" {
+  metadata {
+    name = "monitoring"
+  }
+
+  rule {
+    api_groups = [""]
+    resources  = ["pods", "nodes", "secrets", "persistentvolumes"]
+    verbs      = ["get", "list"]
+  }
+
+  rule {
+    api_groups = ["extensions", "apps"]
+    resources  = ["deployments", "replicasets", "daemonsets", "statefulsets"]
+    verbs      = ["get", "list"]
+  }
+
+  rule {
+    api_groups = ["batch"]
+    resources  = ["jobs"]
+    verbs      = ["get", "list"]
+  }
+}
+
+resource "kubernetes_cluster_role_binding_v1" "monitoring" {
+  metadata {
+    name = "monitoring"
+  }
+  role_ref {
+    api_group = "rbac.authorization.k8s.io"
+    kind      = "ClusterRole"
+    name      = "monitoring"
+  }
+  subject {
+    kind      = "ServiceAccount"
+    name      = "monitoring"
+    namespace = kubernetes_namespace_v1.monitoring.metadata.0.name
+  }
+}

account.yaml

@@ -11,6 +11,16 @@ metadata:
   name: monitoring
   namespace: monitoring
 
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: monitoring
+  namespace: monitoring
+  annotations:
+    kubernetes.io/service-account.name: "monitoring"
+type: kubernetes.io/service-account-token
+
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1