From a2b070f73d5956418a7dbe13597e65e7c7139f43 Mon Sep 17 00:00:00 2001
From: Jason Williams
Date: Fri, 9 Sep 2022 17:11:30 -0700
Subject: [PATCH 1/6] Initial draft for adding automountServiceAccountToken to helm chart
---
 deployments/helm-chart/README.md | 1 +
 deployments/helm-chart/templates/controller-daemonset.yaml | 1 +
 deployments/helm-chart/templates/controller-deployment.yaml | 1 +
 deployments/helm-chart/values.yaml | 3 +++
 docs/content/installation/installation-with-helm.md | 1 +
 5 files changed, 7 insertions(+)
diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md
index 38bb5f5757..c142633acb 100644
--- a/deployments/helm-chart/README.md
+++ b/deployments/helm-chart/README.md
@@ -168,6 +168,7 @@ Parameter | Description | Default
 `controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None
 `controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None
 `controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None
+`controller.automountServiceAccountToken` | Setting for automountServiceAccountToken for NGINX Ingress. | true
 `controller.nodeSelector` | The node selector for pod assignment for the Ingress Controller pods. | {}
 `controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress Controller pod. | 30
 `controller.tolerations` | The tolerations of the Ingress Controller pods. | []
diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml
index 259567b28b..ffc1db7a78 100644
--- a/deployments/helm-chart/templates/controller-daemonset.yaml
+++ b/deployments/helm-chart/templates/controller-daemonset.yaml
@@ -38,6 +38,7 @@ spec: {{- end }} spec: serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} {{- if .Values.controller.nodeSelector }} nodeSelector: diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml index e0770143d4..fe9523c03b 100644 --- a/deployments/helm-chart/templates/controller-deployment.yaml +++ b/deployments/helm-chart/templates/controller-deployment.yaml @@ -70,6 +70,7 @@ spec: priorityClassName: {{ .Values.controller.priorityClassName }} {{- end }} serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} + automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }} terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} hostNetwork: {{ .Values.controller.hostNetwork }} containers: diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index 926eac1ce2..af694eab9b 100644 --- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml @@ -96,6 +96,9 @@ controller: ## Format: / secret: + ## The option to toggle automountServiceToken. + automountServiceToken: true + ## The node selector for pod assignment for the Ingress Controller pods. nodeSelector: {} diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md index ec7366fec4..c13a6923fc 100644 --- a/docs/content/installation/installation-with-helm.md +++ b/docs/content/installation/installation-with-helm.md 
@@ -171,6 +171,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |``controller.wildcardTLS.cert`` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None |
 |``controller.wildcardTLS.key`` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None |
 |``controller.wildcardTLS.secret`` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: ``/``. Used as an alternative to specifying a certificate and key using ``controller.wildcardTLS.cert`` and ``controller.wildcardTLS.key`` parameters. | None |
+``controller.automountServiceAccountToken`` | Setting automountServiceAccountToken at the pod level | true
 |``controller.nodeSelector`` | The node selector for pod assignment for the Ingress Controller pods. | {} |
 |``controller.terminationGracePeriodSeconds`` | The termination grace period of the Ingress Controller pod. | 30 |
 |``controller.tolerations`` | The tolerations of the Ingress Controller pods. | [] |
From 9b5aafe4acfd1beaafc6f6ea23cb80942272cc1d Mon Sep 17 00:00:00 2001
From: Jason Williams
Date: Fri, 9 Sep 2022 19:06:57 -0700
Subject: [PATCH 2/6] Update deployments/helm-chart/values.yaml
Co-authored-by: Luca Comellini
---
 deployments/helm-chart/values.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml
index af694eab9b..8f019344c7 100644
--- a/deployments/helm-chart/values.yaml
+++ b/deployments/helm-chart/values.yaml
@@ -96,8 +96,8 @@ controller: ## Format: / secret: - ## The option to toggle automountServiceToken. - automountServiceToken: true + ## The option to toggle automountServiceAccountToken at the pod level. + automountServiceAccountToken: true ## The node selector for pod assignment for the Ingress Controller pods. nodeSelector: {} From 2db01fbf4a6893fefe7b16ae5f090ed040f37b77 Mon Sep 17 00:00:00 2001 From: Jason Williams Date: Fri, 9 Sep 2022 19:07:07 -0700 Subject: [PATCH 3/6] Update docs/content/installation/installation-with-helm.md Co-authored-by: Luca Comellini --- docs/content/installation/installation-with-helm.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md index c13a6923fc..4209209126 100644 --- a/docs/content/installation/installation-with-helm.md +++ b/docs/content/installation/installation-with-helm.md 
@@ -171,7 +171,7 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |``controller.wildcardTLS.cert`` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None |
 |``controller.wildcardTLS.key`` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None |
 |``controller.wildcardTLS.secret`` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: ``/``. Used as an alternative to specifying a certificate and key using ``controller.wildcardTLS.cert`` and ``controller.wildcardTLS.key`` parameters. | None |
-``controller.automountServiceAccountToken`` | Setting automountServiceAccountToken at the pod level | true
+|``controller.automountServiceAccountToken`` | Setting automountServiceAccountToken at the pod level | true
 |``controller.nodeSelector`` | The node selector for pod assignment for the Ingress Controller pods. | {} |
 |``controller.terminationGracePeriodSeconds`` | The termination grace period of the Ingress Controller pod. | 30 |
 |``controller.tolerations`` | The tolerations of the Ingress Controller pods. | [] |
From b2b4eac3a7b2afa0ae6f0484a928eafd0e7fe545 Mon Sep 17 00:00:00 2001
From: Jason Williams
Date: Fri, 9 Sep 2022 19:07:19 -0700
Subject: [PATCH 4/6] Update deployments/helm-chart/README.md
Co-authored-by: Luca Comellini
---
 deployments/helm-chart/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md
index c142633acb..25c9256f83 100644
--- a/deployments/helm-chart/README.md
+++ b/deployments/helm-chart/README.md
@@ -168,7 +168,7 @@ Parameter | Description | Default
 `controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None
 `controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None
 `controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None
-`controller.automountServiceAccountToken` | Setting for automountServiceAccountToken for NGINX Ingress. | true
+`controller.automountServiceAccountToken` | The toggle for automountServiceAccountToken for the Ingress Controller. | true
 `controller.nodeSelector` | The node selector for pod assignment for the Ingress Controller pods. | {}
 `controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress Controller pod. | 30
 `controller.tolerations` | The tolerations of the Ingress Controller pods. | []
From 321a00a57f66f0b4fe5cac11cc9425f352856c16 Mon Sep 17 00:00:00 2001
From: Jason Williams Date: Mon, 12 Sep 2022 08:37:01 -0700 Subject: [PATCH 5/6] Added manifest options for autmounttoken --- deployments/common/ns-and-sa.yaml | 3 ++- deployments/daemon-set/nginx-ingress.yaml | 1 + deployments/daemon-set/nginx-plus-ingress.yaml | 1 + deployments/deployment/nginx-ingress.yaml | 1 + deployments/deployment/nginx-plus-ingress.yaml | 1 + 5 files changed, 6 insertions(+), 1 deletion(-) diff --git a/deployments/common/ns-and-sa.yaml b/deployments/common/ns-and-sa.yaml index 994af5ae45..0bdee73511 100644 --- a/deployments/common/ns-and-sa.yaml +++ b/deployments/common/ns-and-sa.yaml @@ -7,4 +7,5 @@ apiVersion: v1 kind: ServiceAccount metadata: name: nginx-ingress - namespace: nginx-ingress \ No newline at end of file + namespace: nginx-ingress +#automountServiceAccountToken: false \ No newline at end of file diff --git a/deployments/daemon-set/nginx-ingress.yaml b/deployments/daemon-set/nginx-ingress.yaml index 7e79f03c02..d9f53a624f 100644 --- a/deployments/daemon-set/nginx-ingress.yaml +++ b/deployments/daemon-set/nginx-ingress.yaml @@ -17,6 +17,7 @@ spec: #prometheus.io/scheme: http spec: serviceAccountName: nginx-ingress + automountServiceAccountToken: true containers: - image: nginx/nginx-ingress:2.3.0 imagePullPolicy: IfNotPresent diff --git a/deployments/daemon-set/nginx-plus-ingress.yaml b/deployments/daemon-set/nginx-plus-ingress.yaml index b0bdca2a86..106e019417 100644 --- a/deployments/daemon-set/nginx-plus-ingress.yaml +++ b/deployments/daemon-set/nginx-plus-ingress.yaml @@ -17,6 +17,7 @@ spec: #prometheus.io/scheme: http spec: serviceAccountName: nginx-ingress + automountServiceAccountToken: true containers: - image: nginx-plus-ingress:2.3.0 imagePullPolicy: IfNotPresent diff --git a/deployments/deployment/nginx-ingress.yaml b/deployments/deployment/nginx-ingress.yaml index 8c8af43d83..575177be83 100644 --- a/deployments/deployment/nginx-ingress.yaml +++ b/deployments/deployment/nginx-ingress.yaml 
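Review bot: The commented-out `#automountServiceAccountToken: false` added to the ServiceAccount in ns-and-sa.yaml carries no explanation and reads as an opt-out, yet the daemon-set and deployment manifests in this same patch (nginx-ingress.yaml and nginx-plus-ingress.yaml in both directories) set `automountServiceAccountToken: true` in the pod spec, and Kubernetes gives the pod-level field precedence over the ServiceAccount-level one. Uncommenting the line would therefore only affect other pods that use the `nginx-ingress` ServiceAccount without setting the field themselves, not the controller pods. I would say so next to it, e.g. `# Optional: turns off token automount for pods using this ServiceAccount that do not set the field; the Ingress Controller pod specs set it to true explicitly.` The new last line of the file also still ends without a newline.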
@@ -18,6 +18,7 @@ spec: #prometheus.io/scheme: http spec: serviceAccountName: nginx-ingress + automountServiceAccountToken: true containers: - image: nginx/nginx-ingress:2.3.0 imagePullPolicy: IfNotPresent diff --git a/deployments/deployment/nginx-plus-ingress.yaml b/deployments/deployment/nginx-plus-ingress.yaml index 8eaa51052d..fdac89b4b5 100644 --- a/deployments/deployment/nginx-plus-ingress.yaml +++ b/deployments/deployment/nginx-plus-ingress.yaml @@ -18,6 +18,7 @@ spec: #prometheus.io/scheme: http spec: serviceAccountName: nginx-ingress + automountServiceAccountToken: true containers: - image: nginx-plus-ingress:2.3.0 imagePullPolicy: IfNotPresent From cfa058da53207fdcf4632f5919dd57fb612b766b Mon Sep 17 00:00:00 2001 From: Jason Williams Date: Wed, 14 Sep 2022 10:56:46 -0700 Subject: [PATCH 6/6] Updated automounttoken setting for helm chart --- deployments/helm-chart/README.md | 1 - deployments/helm-chart/templates/controller-daemonset.yaml | 2 +- deployments/helm-chart/templates/controller-deployment.yaml | 2 +- deployments/helm-chart/values.yaml | 3 --- docs/content/installation/installation-with-helm.md | 1 - 5 files changed, 2 insertions(+), 7 deletions(-) diff --git a/deployments/helm-chart/README.md b/deployments/helm-chart/README.md index 72432eefd0..60009d657f 100644 --- a/deployments/helm-chart/README.md +++ b/deployments/helm-chart/README.md 
@@ -169,7 +169,6 @@ Parameter | Description | Default
 `controller.wildcardTLS.cert` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None
 `controller.wildcardTLS.key` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None
 `controller.wildcardTLS.secret` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: `/`. Used as an alternative to specifying a certificate and key using `controller.wildcardTLS.cert` and `controller.wildcardTLS.key` parameters. | None
-`controller.automountServiceAccountToken` | The toggle for automountServiceAccountToken for the Ingress Controller. | true
 `controller.nodeSelector` | The node selector for pod assignment for the Ingress Controller pods. | {}
 `controller.terminationGracePeriodSeconds` | The termination grace period of the Ingress Controller pod. | 30
 `controller.tolerations` | The tolerations of the Ingress Controller pods. | []
diff --git a/deployments/helm-chart/templates/controller-daemonset.yaml b/deployments/helm-chart/templates/controller-daemonset.yaml
index ad389e06cc..5bd50843a2 100644
--- a/deployments/helm-chart/templates/controller-daemonset.yaml
+++ b/deployments/helm-chart/templates/controller-daemonset.yaml
@@ -38,7 +38,7 @@ spec: {{- end }} spec: serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }} + automountServiceAccountToken: true terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} {{- if .Values.controller.nodeSelector }} nodeSelector: diff --git a/deployments/helm-chart/templates/controller-deployment.yaml b/deployments/helm-chart/templates/controller-deployment.yaml index 197872cd4f..44f074e853 100644 --- a/deployments/helm-chart/templates/controller-deployment.yaml +++ b/deployments/helm-chart/templates/controller-deployment.yaml @@ -70,7 +70,7 @@ spec: priorityClassName: {{ .Values.controller.priorityClassName }} {{- end }} serviceAccountName: {{ include "nginx-ingress.serviceAccountName" . }} - automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }} + automountServiceAccountToken: true terminationGracePeriodSeconds: {{ .Values.controller.terminationGracePeriodSeconds }} hostNetwork: {{ .Values.controller.hostNetwork }} containers: diff --git a/deployments/helm-chart/values.yaml b/deployments/helm-chart/values.yaml index c73ffa74fb..55db05c822 100644 --- a/deployments/helm-chart/values.yaml +++ b/deployments/helm-chart/values.yaml @@ -100,9 +100,6 @@ controller: ## Format: / secret: - ## The option to toggle automountServiceAccountToken at the pod level. - automountServiceAccountToken: true - ## The node selector for pod assignment for the Ingress Controller pods. nodeSelector: {} diff --git a/docs/content/installation/installation-with-helm.md b/docs/content/installation/installation-with-helm.md index 7ba6d1afaf..b3dad400a7 100644 --- a/docs/content/installation/installation-with-helm.md +++ b/docs/content/installation/installation-with-helm.md 
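Review bot: Hard-coding `automountServiceAccountToken: true` in the DaemonSet pod spec here, and in the same way in the controller-deployment.yaml hunk that follows, removes the only way for a chart user to change the setting and leaves no trace of why it is fixed. Because the pod-level field overrides the ServiceAccount-level one, the controller pod will mount a token even when the ServiceAccount resolved by `nginx-ingress.serviceAccountName` has automount disabled; that is presumably intended, since the controller talks to the Kubernetes API, but the template should state it. A one-line comment above the field would do, e.g. `# The Ingress Controller needs its ServiceAccount token for the Kubernetes API, so the mount is set explicitly and is not configurable.` Both pod specs start and end outside their hunks.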
@@ -172,7 +172,6 @@ The following tables lists the configurable parameters of the NGINX Ingress Cont
 |``controller.wildcardTLS.cert`` | The base64-encoded TLS certificate for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None |
 |``controller.wildcardTLS.key`` | The base64-encoded TLS key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. If the parameter is not set, for such Ingress/VirtualServer hosts NGINX will break any attempt to establish a TLS connection. | None |
 |``controller.wildcardTLS.secret`` | The secret with a TLS certificate and key for every Ingress/VirtualServer host that has TLS enabled but no secret specified. The value must follow the following format: ``/``. Used as an alternative to specifying a certificate and key using ``controller.wildcardTLS.cert`` and ``controller.wildcardTLS.key`` parameters. | None |
-|``controller.automountServiceAccountToken`` | Setting automountServiceAccountToken at the pod level | true
 |``controller.nodeSelector`` | The node selector for pod assignment for the Ingress Controller pods. | {} |
 |``controller.terminationGracePeriodSeconds`` | The termination grace period of the Ingress Controller pod. | 30 |
 |``controller.tolerations`` | The tolerations of the Ingress Controller pods. | [] |