Switch Phabricator to use service accounts.

examples/phabricator/README.md

@@ -140,7 +140,7 @@ To automate this process and make sure that a proper host is authorized even if
         "containers": [
           {
             "name": "authenticator",
-            "image": "fgrzadkowski/example-cloudsql-authenticator"
+            "image": "gcr.io.google_containers/cloudsql-authenticator:v1"
           }
         ]
       }

examples/phabricator/authenticator-controller.json

@@ -22,7 +22,7 @@
         "containers": [
           {
             "name": "authenticator",
-            "image": "fgrzadkowski/example-cloudsql-authenticator"
+            "image": "gcr.io/google_containers/cloudsql-authenticator:v1"
           }
         ]
       }

examples/phabricator/cloudsql-authenticator/run.sh

@@ -18,10 +18,13 @@
 #       should only send updates if something changes. We should be able to do
 #       this by comparing pod creation time with the last scan time.
 while true; do
-  hostport="${KUBERNETES_RO_SERVICE_HOST}:${KUBERNETES_RO_SERVICE_PORT}"
+  hostport="https://kubernetes.default.cluster.local"
-  path="api/v1beta1/pods"
+  token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
+  path="api/v1beta3/pods"
   query="labels=$SELECTOR"
-  ips_json=`curl ${hostport}/${path}?${query} 2>/dev/null | grep hostIP`
+
+  # TODO: load in the CAS cert when we distributed it on all platforms.
+  ips_json=`curl ${hostport}/${path}?${query} --insecure --header "Authorization: Bearer ${token}" 2>/dev/null | grep hostIP`
   ips=`echo $ips_json | cut -d'"' -f 4 | sed 's/,$//'`
   echo "Adding IPs $ips"
   gcloud sql instances patch $CLOUDSQL_DB --authorized-networks $ips