From 2d4b7344e82ffeefc876346dbce70732bf99b2db Mon Sep 17 00:00:00 2001
From: guethb <73618908+guethb@users.noreply.github.com>
Date: Thu, 14 Jul 2022 15:16:05 +0200
Subject: [PATCH] feat(kubernetes/chart): explicitly mount service-account-token in deployment (#885)
---
 helm/sealed-secrets/README.md | 20 ++++++++++---------
 helm/sealed-secrets/templates/deployment.yaml | 3 +++
 .../templates/service-account.yaml | 3 +++
 helm/sealed-secrets/values.yaml | 6 ++++++
 4 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/helm/sealed-secrets/README.md b/helm/sealed-secrets/README.md
index 77dfd0a9a..4848e975b 100644
--- a/helm/sealed-secrets/README.md
+++ b/helm/sealed-secrets/README.md
@@ -84,7 +84,7 @@ The command removes all the Kubernetes components associated with the chart and
 | Name | Description | Value |
 | ------------------------------------------------- | ------------------------------------------------------------------------------------ | ----------------------------------- |
-| `image.registry` | Sealed Secrets image registry | `docker.io` |
+| `image.registry` | Sealed Secrets image registry | `docker.io` |
 | `image.repository` | Sealed Secrets image repository | `bitnami/sealed-secrets-controller` |
 | `image.tag` | Sealed Secrets image tag (immutable tags are recommended) | `v0.18.0` |
 | `image.pullPolicy` | Sealed Secrets image pull policy | `IfNotPresent` |
@@ -124,6 +124,7 @@ The command removes all the Kubernetes components associated with the chart and
 | `containerSecurityContext.readOnlyRootFilesystem` | Whether the Sealed Secret container has a read-only root filesystem | `true` |
 | `containerSecurityContext.runAsNonRoot` | Indicates that the Sealed Secret container must run as a non-root user | `true` |
 | `containerSecurityContext.runAsUser` | Set Sealed Secret containers' Security Context runAsUser | `1001` |
+| `automountServiceAccountToken` | Whether to automatically mount the service account API-token to a particular pod | `""` |
 | `podLabels` | Extra labels for Sealed Secret pods | `{}` |
 | `podAnnotations` | Annotations for Sealed Secret pods | `{}` |
 | `priorityClassName` | Sealed Secret pods' priorityClassName | `""` |
@@ -159,14 +160,15 @@ The command removes all the Kubernetes components associated with the chart and
 ### Other Parameters
-| Name | Description | Value |
-| ----------------------- | ---------------------------------------------------- | ------- |
-| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
-| `serviceAccount.labels` | Extra labels to be added to the ServiceAccount | `{}` |
-| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
-| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
-| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` |
-| `rbac.pspEnabled` | PodSecurityPolicy | `false` |
+| Name | Description | Value |
+| --------------------------------------------- | --------------------------------------------------------- | ------- |
+| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
+| `serviceAccount.labels` | Extra labels to be added to the ServiceAccount | `{}` |
+| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
+| `serviceAccount.automountServiceAccountToken` | Specifies, whether to mount the service account API-token | `""` |
+| `rbac.create` | Specifies whether RBAC resources should be created | `true` |
+| `rbac.labels` | Extra labels to be added to RBAC resources | `{}` |
+| `rbac.pspEnabled` | PodSecurityPolicy | `false` |
 ### Metrics parameters
diff --git a/helm/sealed-secrets/templates/deployment.yaml b/helm/sealed-secrets/templates/deployment.yaml
index eb675ceec..53e426789 100644
--- a/helm/sealed-secrets/templates/deployment.yaml
+++ b/helm/sealed-secrets/templates/deployment.yaml
@@ -46,6 +46,9 @@ spec:
 securityContext: {{- omit .Values.podSecurityContext "enabled" | toYaml | nindent 8 }}
 {{- end }}
 serviceAccountName: {{ include "sealed-secrets.serviceAccountName" . }}
+ {{- if .Values.automountServiceAccountToken }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
+ {{- end }}
 containers:
 - name: controller
 command:
diff --git a/helm/sealed-secrets/templates/service-account.yaml b/helm/sealed-secrets/templates/service-account.yaml
index 05a3898f2..11c346715 100644
--- a/helm/sealed-secrets/templates/service-account.yaml
+++ b/helm/sealed-secrets/templates/service-account.yaml
@@ -1,6 +1,9 @@
 {{ if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
+{{- if .Values.serviceAccount.automountServiceAccountToken }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
+{{- end }}
 metadata:
 name: {{ include "sealed-secrets.serviceAccountName" . }}
 namespace: {{ include "sealed-secrets.namespace" . }}
diff --git a/helm/sealed-secrets/values.yaml b/helm/sealed-secrets/values.yaml
index 159d2f5e0..8ca02a348 100644
--- a/helm/sealed-secrets/values.yaml
+++ b/helm/sealed-secrets/values.yaml
@@ -154,6 +154,10 @@ containerSecurityContext:
 readOnlyRootFilesystem: true
 runAsNonRoot: true
 runAsUser: 1001
+ ## @param automountServiceAccountToken whether to automatically mount the service account API-token to a particular pod
+automountServiceAccountToken: ""
+
 ## @param podLabels [object] Extra labels for Sealed Secret pods
 ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
 ##
@@ -313,6 +317,8 @@ serviceAccount:
 ## If not set and create is true, a name is generated using the sealed-secrets.fullname template
 ##
 name: ""
+ ## @param serviceAccount.automountServiceAccountToken Specifies, whether to mount the service account API-token
+ automountServiceAccountToken: ""
 ## RBAC configuration
 ##
 rbac:
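Review bot: The guard `{{- if .Values.automountServiceAccountToken }}` in the deployment hunk is a truthiness test, so setting `automountServiceAccountToken: false` (the only value that actually hardens anything) renders nothing and the pod silently keeps the Kubernetes default of mounting the token; only `true` ever reaches the manifest. Test for "value was set" rather than "value is truthy", e.g. `{{- if ne (toString .Values.automountServiceAccountToken) "" }}`, which emits both `true` and `false` while the `""` default still omits the key. Note that the deployment's `serviceAccountName` and the chart's `rbac.create` values suggest the controller reaches the API server through this ServiceAccount, so a user who does set `false` presumably also needs a projected token volume or the controller loses API access — worth stating in the values comment. The enclosing pod spec starts and ends outside the hunk.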
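Review bot: The same truthiness problem applies to `{{- if .Values.serviceAccount.automountServiceAccountToken }}` in service-account.yaml: `serviceAccount.automountServiceAccountToken: false` is dropped from the rendered ServiceAccount, so the documented option cannot disable automounting at the account level. Use `{{- if ne (toString .Values.serviceAccount.automountServiceAccountToken) "" }}` so an explicit `false` is rendered. Placing the key between `kind` and `metadata` is valid YAML, but conventional manifests put it after `metadata:`; moving it there keeps the resource readable. The enclosing `{{ if .Values.serviceAccount.create }}` block closes outside the hunk.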
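Review bot: The two new `## @param` comments in values.yaml do not say which values are accepted or what the `""` default means, and the second one ("Specifies, whether to mount") has a stray comma. Suggested wording for the pod-level key: `## @param automountServiceAccountToken Mount the ServiceAccount token into the controller pod (true/false; "" leaves the cluster default unchanged)`, and for the ServiceAccount key: `## @param serviceAccount.automountServiceAccountToken Default automount setting on the ServiceAccount itself (true/false; "" leaves it unset)`. Since the pod-level field overrides the ServiceAccount-level one in Kubernetes, a one-line note saying so would help users who set both. A caveat that `false` is presumably incompatible with the controller's API access unless a token is mounted another way belongs here too, as this is where users will read it.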