feat(kubernetes/chart): explicitly mount service-account-token in deployment (bitnami-labs#885)
guethb authored Jul 14, 2022
1 parent 1ee17f1 commit 2d4b734
Showing 4 changed files with 23 additions and 9 deletions.
20 changes: 11 additions & 9 deletions helm/sealed-secrets/README.md
@@ -84,7 +84,7 @@ The command removes all the Kubernetes components associated with the chart and

| Name | Description | Value |
| ------------------------------------------------- | ------------------------------------------------------------------------------------ | ----------------------------------- |
| `image.registry` | Sealed Secrets image registry | `docker.io` |
| `image.registry` | Sealed Secrets image registry | `docker.io` |
| `image.repository` | Sealed Secrets image repository | `bitnami/sealed-secrets-controller` |
| `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `v0.18.0` |
| `image.pullPolicy` | Sealed Secrets image pull policy | `IfNotPresent` |
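Review bot: This whitespace-only realignment of the `image.registry` row (the removed and added lines render identically, so only the column padding changed) adds table churn to a small feature commit; consider regenerating the README table in a separate commit so the functional change stays easy to review.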
@@ -124,6 +124,7 @@ The command removes all the Kubernetes components associated with the chart and
| `containerSecurityContext.readOnlyRootFilesystem` | Whether the Sealed Secret container has a read-only root filesystem | `true` |
| `containerSecurityContext.runAsNonRoot` | Indicates that the Sealed Secret container must run as a non-root user | `true` |
| `containerSecurityContext.runAsUser` | Set Sealed Secret containers' Security Context runAsUser | `1001` |
| `automountServiceAccountToken` | Whether to automatically mount the service account API-token to a particular pod | `""` |
| `podLabels` | Extra labels for Sealed Secret pods | `{}` |
| `podAnnotations` | Annotations for Sealed Secret pods | `{}` |
| `priorityClassName` | Sealed Secret pods' priorityClassName | `""` |
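Review bot: The description on the new `automountServiceAccountToken` row does not say which values are accepted or what the empty default `""` does, and "to a particular pod" is vague for a chart that renders exactly one Deployment. Suggest something like `Whether to mount the ServiceAccount API token into the controller pod (true/false; empty leaves the pod spec unset)`. Also drop the hyphen in "API-token" to match the wording used elsewhere in the table.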
@@ -159,14 +160,15 @@ The command removes all the Kubernetes components associated with the chart and

### Other Parameters

| Name | Description | Value |
| ----------------------- | ---------------------------------------------------- | ------- |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.labels` | Extra labels to be added to the ServiceAccount | `{}` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` |
| `rbac.pspEnabled` | PodSecurityPolicy | `false` |
| Name | Description | Value |
| --------------------------------------------- | --------------------------------------------------------- | ------- |
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `serviceAccount.labels` | Extra labels to be added to the ServiceAccount | `{}` |
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `serviceAccount.automountServiceAccountToken` | Specifies, whether to mount the service account API-token | `""` |
| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` |
| `rbac.pspEnabled` | PodSecurityPolicy | `false` |


### Metrics parameters
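Review bot: Stray comma in the new `serviceAccount.automountServiceAccountToken` description ("Specifies, whether to mount ..."); drop it and, as with the pod-level parameter, state the accepted values and that the empty default leaves the ServiceAccount field unset. The seven unchanged rows are rewritten only to widen the first column, which the `## @param` annotations in values.yaml suggest is generator output, so that churn is expected rather than a mistake.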
3 changes: 3 additions & 0 deletions helm/sealed-secrets/templates/deployment.yaml
@@ -46,6 +46,9 @@ spec:
securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "sealed-secrets.serviceAccountName" . }}
{{- if .Values.automountServiceAccountToken }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- end }}
containers:
- name: controller
command:
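Review bot: The guard `{{- if .Values.automountServiceAccountToken }}` is false for both the default `""` and an explicit `false`, so a user who sets `automountServiceAccountToken: false` gets nothing rendered and the pod silently inherits the Kubernetes default (token mounted). For the controller pod that is arguably the safe outcome, since the controller needs the API token to watch SealedSecrets and write Secrets, but the value should not be dropped silently. Either guard on type, e.g. `{{- if kindIs "bool" .Values.automountServiceAccountToken }}`, or make the value a plain boolean in values.yaml and render it unconditionally. The pod-level field overrides the ServiceAccount-level one, so `true` here with `false` on the ServiceAccount is the intended hardening combination and is worth stating in the values comment.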
3 changes: 3 additions & 0 deletions helm/sealed-secrets/templates/service-account.yaml
@@ -1,6 +1,9 @@
{{ if .Values.serviceAccount.create }}
apiVersion: v1
kind: ServiceAccount
{{- if .Values.serviceAccount.automountServiceAccountToken }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
metadata:
name: {{ include "sealed-secrets.serviceAccountName" . }}
namespace: {{ include "sealed-secrets.namespace" . }}
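Review bot: Same truthiness problem as in the Deployment template, and here it defeats the purpose: the usual hardening is `serviceAccount.automountServiceAccountToken: false` on the ServiceAccount, so that no pod using it gets a token by default, with the controller pod opting back in via the pod-level `true`. Because `{{- if .Values.serviceAccount.automountServiceAccountToken }}` is false for `false`, that setting is dropped and the ServiceAccount keeps the cluster default. Guard on type instead, e.g. `{{- if kindIs "bool" .Values.serviceAccount.automountServiceAccountToken }}`. Minor style point: the field is emitted between `kind:` and `metadata:`; that is valid YAML, but the conventional placement is after `metadata:`.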
6 changes: 6 additions & 0 deletions helm/sealed-secrets/values.yaml
@@ -154,6 +154,10 @@ containerSecurityContext:
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 1001

## @param automountServiceAccountToken whether to automatically mount the service account API-token to a particular pod
automountServiceAccountToken: ""

## @param podLabels [object] Extra labels for Sealed Secret pods
## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
##
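Review bot: The `@param` comment for `automountServiceAccountToken` should state the accepted values and warn that the controller pod needs the API token, so `false` here stops it from reaching the API server; a note that the pod-level field overrides the ServiceAccount-level field would also help users who set `serviceAccount.automountServiceAccountToken: false`. With the `{{- if ... }}` guard in deployment.yaml, the `""` default also means `false` is silently ignored; either document that only `true` is honoured or change the default to a boolean. The surrounding blocks terminate their comments with a bare `##` line; this one does not.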
@@ -313,6 +317,8 @@ serviceAccount:
## If not set and create is true, a name is generated using the sealed-secrets.fullname template
##
name: ""
## @param serviceAccount.automountServiceAccountToken Specifies, whether to mount the service account API-token
automountServiceAccountToken: ""
## RBAC configuration
##
rbac:
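Review bot: Drop the comma in "Specifies, whether to mount the service account API-token", and match the block's comment style (the `name` entry above closes its comment with a bare `##` line; this one has none). The comment should also say that `false` here is the hardening setting that pairs with the Deployment-level `automountServiceAccountToken: true`, and that with the template's `{{- if }}` guard a `false` value is currently not rendered.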
