feat: add token support for kubectl commands

.github/workflows/ci.yaml

@@ -87,7 +87,7 @@ jobs:
       - name: Set up Helm
         uses: azure/setup-helm@v4.2.0
         with:
-          version: v3.17.0
+          version: v3.18.0
 
       - name: Install unittest plugin
         run: |

helm/kagent-tools/templates/_helpers.tpl

@@ -65,6 +65,13 @@ Allows overriding it for multi-namespace deployments in combined charts.
 {{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
 {{- end }}
 
+{{/*
+Service account name: default when useDefaultServiceAccount is true, otherwise the chart fullname.
+*/}}
+{{- define "kagent.serviceAccountName" -}}
+{{- if .Values.useDefaultServiceAccount }}default{{- else }}{{ include "kagent.fullname" . }}{{- end }}
+{{- end }}
+
 {{/*
 Watch namespaces - transforms list of namespaces cached by the controller into comma-separated string
 Removes duplicates

helm/kagent-tools/templates/clusterrole.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.useDefaultServiceAccount }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
@@ -26,4 +27,5 @@ rules:
     verbs:
     - get
     - list
-    - watch
+    - watch
+{{- end }}

helm/kagent-tools/templates/clusterrolebinding.yaml

@@ -1,3 +1,4 @@
+{{- if not .Values.useDefaultServiceAccount }}
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
@@ -41,4 +42,5 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: {{ include "kagent.fullname" . }}
-  namespace: {{ include "kagent.namespace" . }}
+  namespace: {{ include "kagent.namespace" . }}
+{{- end }}

helm/kagent-tools/templates/deployment.yaml

@@ -51,7 +51,7 @@ spec:
 
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
-      serviceAccountName: {{ include "kagent.fullname" . }}
+      serviceAccountName: {{ include "kagent.serviceAccountName" . }}
       containers:
         - name: tools
           command:

helm/kagent-tools/templates/serviceaccount.yaml

@@ -1,7 +1,9 @@
+{{- if not .Values.useDefaultServiceAccount }}
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: {{ include "kagent.fullname" . }}
   namespace: {{ include "kagent.namespace" . }}
   labels:
-    {{- include "kagent.labels" . | nindent 4 }}
+    {{- include "kagent.labels" . | nindent 4 }}
+{{- end }}

helm/kagent-tools/tests/deployment_test.yaml

@@ -60,8 +60,17 @@ tests:
           path: spec.template.spec.containers[0].resources.limits.memory
           value: 512Mi
 
-  - it: should have correct service account name
+  - it: should use default service account when useDefaultServiceAccount is true
     template: deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.serviceAccountName
+          value: default
+
+  - it: should use dedicated service account when useDefaultServiceAccount is false
+    template: deployment.yaml
+    set:
+      useDefaultServiceAccount: false
     asserts:
       - equal:
           path: spec.template.spec.serviceAccountName
@@ -140,3 +149,19 @@ tests:
           value:
             app.kubernetes.io/name: kagent-tools
             app.kubernetes.io/instance: RELEASE-NAME
+
+  - it: should enable automountServiceAccountToken by default
+    template: deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: true
+
+  - it: should disable automountServiceAccountToken when configured
+    template: deployment.yaml
+    set:
+      automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false

helm/kagent-tools/values.yaml

@@ -1,6 +1,10 @@
 # Default values for kagent
 replicaCount: 1
 
+# When true, pods use the default service account and no ClusterRole/ClusterRoleBinding are created.
+# When false, a dedicated ServiceAccount and RBAC are created for the tools deployment.
+useDefaultServiceAccount: false
+
 global:
   tag: ""
 

internal/commands/builder.go

@@ -29,6 +29,7 @@ type CommandBuilder struct {
 	namespace   string
 	context     string
 	kubeconfig  string
+	token       string
 	output      string
 	labels      map[string]string
 	annotations map[string]string
@@ -120,6 +121,14 @@ func (cb *CommandBuilder) WithKubeconfig(kubeconfig string) *CommandBuilder {
 	return cb
 }
 
+// WithToken sets the authentication token for kubectl commands
+func (cb *CommandBuilder) WithToken(token string) *CommandBuilder {
+	if token != "" {
+		cb.token = token
+	}
+	return cb
+}
+
 // WithOutput sets the output format
 func (cb *CommandBuilder) WithOutput(output string) *CommandBuilder {
 	validOutputs := []string{"json", "yaml", "wide", "name", "custom-columns", "custom-columns-file", "go-template", "go-template-file", "jsonpath", "jsonpath-file"}
@@ -240,6 +249,11 @@ func (cb *CommandBuilder) Build() (string, []string, error) {
 		args = append(args, "--kubeconfig", cb.kubeconfig)
 	}
 
+	// Add token if specified
+	if cb.token != "" {
+		args = append(args, "--token", cb.token)
+	}
+
 	// Add output format
 	if cb.output != "" {
 		args = append(args, "--output", cb.output)