Add the option to opt out of service account token automounting #89
gilles-gosuin commented Oct 11, 2023
- Allow the service account token automounting feature to be disabled on both the ServiceAccount itself and the Pod
- Allow for arbitrary volumes to be mounted in the Pod, so that the service account token can be manually injected into the Pod
…llow for volumes to be mountedd to mount the token manually
0bf3702
to
fab9ecb
@@ -16,6 +16,9 @@ spec: | |||
labels: | |||
{{- include "kubernetes-secret-generator.selectorLabels" . | nindent 8 }} | |||
spec: | |||
{{- if hasKey .Values "automountServiceAccountToken" }} |
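Review bot: the `hasKey .Values "automountServiceAccountToken"` guard on the added line tests only that the key exists, so a key declared with an empty value still passes and the field is rendered without a value, as the `helm template` output quoted in this thread shows. Consider guarding on the value being set, for example `{{- if not (kindIs "invalid" .Values.automountServiceAccountToken) }}`, rather than a plain truthiness test, which would also skip an explicit `false`, the one value this option exists to render.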
Since `automountServiceAccountToken` is always defined in the `values.yml` (albeit with an empty value), this will always be `true`; maybe remove the empty default value from the values.yml, or test if it was explicitly set to `false`, instead?
`hasKey` returns `false` if the value is empty and nothing will get output to the manifests.
A `helm template` call (Helm v3.13.1) with default values generates the following manifest code in my case:

```
$ helm template ./deploy/helm-chart/kubernetes-secret-generator
[...]
spec:
  automountServiceAccountToken:
  serviceAccountName: release-name-kubernetes-secret-generator
  securityContext:
    {}
[...]
```
Sorry, my bad, I got mixed up with a similar PR I had on another repo...
You're right, that's what gets generated. Which should be fine: if the user does not override the value, the k8s default will be used.
Sorry this took a while. 🙏 LGTM now 👍
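
The two options in the PR description (opting out of automounting, then injecting the token through a mounted volume) look like this on a plain Pod. This is an added example, not the chart's own template or values: the Pod name, ServiceAccount name, image and token lifetime are assumptions, and the chart's value keys are not shown on this page.

```yaml
# Constructed example manifest; every name below is a placeholder.
apiVersion: v1
kind: Pod
metadata:
  name: secret-generator-example            # hypothetical Pod name
spec:
  serviceAccountName: example-sa            # hypothetical ServiceAccount
  # Opt out of the automatic token mount. The Pod-level setting takes
  # precedence over the same field on the ServiceAccount.
  automountServiceAccountToken: false
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      volumeMounts:
        # Mount the token only into the container that talks to the API
        # server, at the path client libraries look in by default.
        - name: sa-token
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          readOnly: true
  volumes:
    - name: sa-token
      projected:
        defaultMode: 0444
        sources:
          # Bound, expiring token that the kubelet rotates.
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600       # assumed lifetime; minimum is 600
          # Cluster CA bundle used to verify the API server certificate.
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          # Namespace file expected by in-cluster client configuration.
          - downwardAPI:
              items:
                - path: namespace
                  fieldRef:
                    fieldPath: metadata.namespace
```

With this layout, sidecar or init containers that have no `volumeMounts` entry for `sa-token` run without any API credential.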