Add the option to opt out of service account token automounting #89
Conversation
gilles-gosuin
commented
Oct 11, 2023
gilles-gosuin
commented
- Allow the service account token automounting feature to be disabled on both the ServiceAccount itself and the Pod
- Allow for arbitrary volumes to be mounted in the Pod, so that the service account token can be manually injected into the Pod
…llow for volumes to be mountedd to mount the token manually
gilles-gosuin
force-pushed
the
opt-out-service-account-token-automounting
branch
from
0bf3702
to
fab9ecb
Compare
| @@ -16,6 +16,9 @@ spec: | |||
| labels: | |||
| {{- include "kubernetes-secret-generator.selectorLabels" . | nindent 8 }} | |||
| spec: | |||
| {{- if hasKey .Values "automountServiceAccountToken" }} | |||
There was a problem hiding this comment.
Since automountServiceAccountToken is always defined in the values.yml (albeit with an empty value), this will always be true; maybe remove the empty default value from the values.yml, or test if it was explicitly set to false, instead?
There was a problem hiding this comment.
hasKey returns false if the value is empty and nothing will get output to the manifests.
There was a problem hiding this comment.
A helm template call (Helm v3.13.1) with default values generates the following manifest code in my case:
$ helm template ./deploy/helm-chart/kubernetes-secret-generator
[...]
spec:
automountServiceAccountToken:
serviceAccountName: release-name-kubernetes-secret-generator
securityContext:
{}
[...]
There was a problem hiding this comment.
Sorry, my bad, I got mixed up with a similar PR I had on another repo...
You're right, that's what gets generated. Which should be fine: if the user does not override the value, the k8s default will be used.
