From 63c115f06853f01748f44896ac720ca0d73695bf Mon Sep 17 00:00:00 2001
From: Brendan Burns
Date: Mon, 18 May 2015 16:25:00 -0700
Subject: [PATCH] Switch Phabricator to use service accounts.
---
 examples/phabricator/README.md | 2 +-
 examples/phabricator/authenticator-controller.json | 4 ++--
 examples/phabricator/cloudsql-authenticator/run.sh | 9 ++++++---
 3 files changed, 9 insertions(+), 6 deletions(-)
diff --git a/examples/phabricator/README.md b/examples/phabricator/README.md
index 0f5fca7f8a6..4cf3211c7ca 100644
--- a/examples/phabricator/README.md
+++ b/examples/phabricator/README.md
@@ -140,7 +140,7 @@ To automate this process and make sure that a proper host is authorized even if
 "containers": [
 {
 "name": "authenticator",
- "image": "fgrzadkowski/example-cloudsql-authenticator"
+ "image": "gcr.io.google_containers/cloudsql-authenticator:v1"
 }
 ]
 }
diff --git a/examples/phabricator/authenticator-controller.json b/examples/phabricator/authenticator-controller.json
index 6c834e3a7f9..1da45113e90 100644
--- a/examples/phabricator/authenticator-controller.json
+++ b/examples/phabricator/authenticator-controller.json
@@ -22,10 +22,10 @@
 "containers": [
 {
 "name": "authenticator",
- "image": "fgrzadkowski/example-cloudsql-authenticator"
+ "image": "gcr.io/google_containers/cloudsql-authenticator:v1"
 }
 ]
 }
 }
 }
-}
\ No newline at end of file
+}
diff --git a/examples/phabricator/cloudsql-authenticator/run.sh b/examples/phabricator/cloudsql-authenticator/run.sh
index 82307825748..e2898c8bf14 100755
--- a/examples/phabricator/cloudsql-authenticator/run.sh
+++ b/examples/phabricator/cloudsql-authenticator/run.sh
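Review bot: The image reference added in authenticator-controller.json is `gcr.io/google_containers/cloudsql-authenticator:v1`, but the README.md hunk of this same patch writes `gcr.io.google_containers/cloudsql-authenticator:v1`, with a dot where the slash belongs. Anyone copying the README snippet would request the image under a different registry name than the one the controller file uses, so the README line should read `"image": "gcr.io/google_containers/cloudsql-authenticator:v1"`. Separately, `:v1` is a mutable tag; if the example is meant to be reproducible, consider referencing the image by digest.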
@@ -18,10 +18,13 @@
 # should only send updates if something changes. We should be able to do
 # this by comparing pod creation time with the last scan time.
 while true; do
- hostport="${KUBERNETES_RO_SERVICE_HOST}:${KUBERNETES_RO_SERVICE_PORT}"
- path="api/v1beta1/pods"
+ hostport="https://kubernetes.default.cluster.local"
+ token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+ path="api/v1beta3/pods"
 query="labels=$SELECTOR"
- ips_json=`curl ${hostport}/${path}?${query} 2>/dev/null | grep hostIP`
+
+ # TODO: load in the CAS cert when we distributed it on all platforms.
+ ips_json=`curl ${hostport}/${path}?${query} --insecure --header "Authorization: Bearer ${token}" 2>/dev/null | grep hostIP`
 ips=`echo $ips_json | cut -d'"' -f 4 | sed 's/,$//'`
 echo "Adding IPs $ips"
 gcloud sql instances patch $CLOUDSQL_DB --authorized-networks $ips
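Review bot: The new `ips_json=` line sends the service-account bearer token with `--insecure`, so the API server's certificate is never verified and the token is handed to whatever endpoint answers for `kubernetes.default.cluster.local`. Where the service-account CA bundle is mounted beside the token, it should be passed with `--cacert`, keeping `--insecure` only as the fallback the TODO describes. Because stderr is discarded and curl runs without `--fail`, a rejected token or unreachable server leaves `$ips` empty, and the unchanged `gcloud sql instances patch` line then runs with an empty network list, which may fail or change the authorized networks unintentionally; that call should be guarded. The `while` loop body continues outside the hunk.

```shell
while true; do
  # … unchanged: hostport, token, path, query …
  ca="/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
  if [ -r "$ca" ]; then
    tls_opt="--cacert $ca"
  else
    # TODO: drop this fallback once the CA cert is distributed on all platforms.
    tls_opt="--insecure"
  fi
  # $tls_opt is left unquoted on purpose so it splits into option and value.
  ips_json=$(curl --fail --silent --show-error $tls_opt \
    --header "Authorization: Bearer ${token}" \
    "${hostport}/${path}?${query}" | grep hostIP)
  # … unchanged: ips extraction …
  if [ -n "$ips" ]; then
    # … unchanged: echo "Adding IPs $ips" and gcloud sql instances patch …
  fi
```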