chore: don't automount sa tokens (#686)

helm/charts/hydra/README.md

@@ -53,7 +53,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | deployment.annotations | object | `{}` | Set custom deployment level annotations |
 | deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
 | deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected - name: FOO   value: BAR |
-| deployment.automountServiceAccountToken | bool | `true` |  |
+| deployment.automountServiceAccountToken | bool | `false` |  |
 | deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":3,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Configure HPA |
 | deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
 | deployment.customLivenessProbe | object | `{}` | Configure a custom livenessProbe. This overwrites the default object |
@@ -185,13 +185,15 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
 | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
 | test.labels | object | `{}` | Provide additional labels to the test pod |
+| watcher.automountServiceAccountToken | bool | `true` |  |
 | watcher.enabled | bool | `false` |  |
 | watcher.image | string | `"oryd/k8s-toolbox:0.0.5"` |  |
 | watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
 | watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
 | watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
 | watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
 | watcher.podSecurityContext | object | `{}` | pod securityContext for watcher deployment |
+| watcher.resources | object | `{}` |  |
 | watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
 | watcher.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100,"seccompProfile":{"type":"RuntimeDefault"}}` | container securityContext for watcher deployment |
 | watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |

helm/charts/hydra/templates/deployment-watcher.yaml

@@ -38,7 +38,7 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
-      automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
+      automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
       serviceAccountName: {{ include "hydra.serviceAccountName" . }}-watcher
       terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
       containers:
@@ -60,6 +60,8 @@ spec:
               value: {{ .Values.watcher.mountFile | quote }}
             - name: LABEL_SELECTOR
               value: '{{ $.Values.watcher.watchLabelKey }}={{ include "hydra.name" . }}'
+          resources:
+            {{- toYaml .Values.watcher.resources | nindent 12 }}
           volumeMounts:
           {{- with .Values.deployment.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}

helm/charts/hydra/templates/janitor-cron-job-rbac.yaml

@@ -13,4 +13,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: false
 {{- end -}}

helm/charts/hydra/templates/job-rbac.yaml

@@ -13,4 +13,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: false
 {{- end -}}

helm/charts/hydra/templates/rbac-watcher.yaml

@@ -10,6 +10,7 @@ metadata:
   labels:
     app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
     app.kubernetes.io/instance: {{ .Release.Name }}
+automountServiceAccountToken: false
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

helm/charts/hydra/templates/rbac.yaml

@@ -13,4 +13,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: false
 {{- end }}

helm/charts/hydra/values.yaml

@@ -346,8 +346,7 @@ deployment:
     periodSeconds: 1
     timeoutSeconds: 1
 
-  # https://github.com/kubernetes/kubernetes/issues/57601
-  automountServiceAccountToken: true
+  automountServiceAccountToken: false
 
   terminationGracePeriodSeconds: 60
 
@@ -488,6 +487,8 @@ watcher:
 
   # -- pod securityContext for watcher deployment
   podSecurityContext: {}
+  resources: {}
+  automountServiceAccountToken: true
 
   # -- container securityContext for watcher deployment
   securityContext:

helm/charts/keto/README.md

@@ -86,7 +86,7 @@ Access Control Policies as a Server
 | ingress.write.hosts[0].paths[0].pathType | string | `"Prefix"` |  |
 | ingress.write.tls | list | `[]` |  |
 | job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
-| job.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
+| job.automountServiceAccountToken | bool | `false` | Set automounting of the SA token |
 | job.extraContainers | string | `""` | If you want to add extra sidecar containers. |
 | job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected - name: FOO   value: BAR |
 | job.extraInitContainers | string | `""` | If you want to add extra init containers. |
@@ -165,12 +165,14 @@ Access Control Policies as a Server
 | serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
 | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
 | test.labels | object | `{}` | Provide additional labels to the test pod |
+| watcher.automountServiceAccountToken | bool | `true` |  |
 | watcher.enabled | bool | `false` |  |
 | watcher.image | string | `"oryd/k8s-toolbox:0.0.5"` |  |
 | watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
 | watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
 | watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
 | watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
+| watcher.resources | object | `{}` |  |
 | watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
 | watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
 

helm/charts/keto/templates/deployment-watcher.yaml

@@ -38,7 +38,7 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
-      automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
+      automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
       serviceAccountName: {{ include "keto.serviceAccountName" . }}-watcher
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -62,6 +62,8 @@ spec:
               value: {{ .Values.watcher.mountFile | quote }}
             - name: LABEL_SELECTOR
               value: '{{ $.Values.watcher.watchLabelKey }}={{ include "keto.name" . }}'
+          resources:
+            {{- toYaml .Values.watcher.resources | nindent 12 }}
           volumeMounts:
           {{- with .Values.deployment.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}

helm/charts/keto/templates/job-rbac.yaml

@@ -13,4 +13,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: false
 {{- end -}}

helm/charts/keto/templates/rbac-watcher.yaml

@@ -10,6 +10,7 @@ metadata:
   labels:
     app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
     app.kubernetes.io/instance: {{ .Release.Name }}
+automountServiceAccountToken: false
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role

helm/charts/keto/templates/rbac.yaml

@@ -13,4 +13,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: false
 {{- end }}

helm/charts/keto/values.yaml

@@ -103,7 +103,7 @@ job:
   #       command: [...]
 
   # -- Set automounting of the SA token
-  automountServiceAccountToken: true
+  automountServiceAccountToken: false
 
   # -- Set sharing process namespace
   shareProcessNamespace: false
@@ -427,6 +427,8 @@ watcher:
   watchLabelKey: "ory.sh/watcher"
   # -- Number of revisions kept in history
   revisionHistoryLimit: 5
+  automountServiceAccountToken: true
+  resources: {}
 
 ## -- PodDistributionBudget configuration
 pdb:

helm/charts/kratos/README.md

@@ -38,7 +38,7 @@ A ORY Kratos Helm chart for Kubernetes
 | deployment.annotations | object | `{}` |  |
 | deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
 | deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected - name: FOO   value: BAR |
-| deployment.automountServiceAccountToken | bool | `true` |  |
+| deployment.automountServiceAccountToken | bool | `false` |  |
 | deployment.customLivenessProbe | object | `{}` | Configure a custom livenessProbe. This overwrites the default object |
 | deployment.customReadinessProbe | object | `{}` | Configure a custom readinessProbe. This overwrites the default object |
 | deployment.customStartupProbe | object | `{}` | Configure a custom startupProbe. This overwrites the default object |
@@ -94,7 +94,7 @@ A ORY Kratos Helm chart for Kubernetes
 | ingress.public.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` |  |
 | ingress.public.tls | list | `[]` |  |
 | job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
-| job.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
+| job.automountServiceAccountToken | bool | `false` | Set automounting of the SA token |
 | job.extraContainers | string | `""` | If you want to add extra sidecar containers. |
 | job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected - name: FOO   value: BAR |
 | job.extraInitContainers | string | `""` | If you want to add extra init containers. |
@@ -203,12 +203,14 @@ A ORY Kratos Helm chart for Kubernetes
 | strategy.rollingUpdate.maxUnavailable | string | `"25%"` |  |
 | strategy.type | string | `"RollingUpdate"` |  |
 | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
+| watcher.automountServiceAccountToken | bool | `true` |  |
 | watcher.enabled | bool | `false` |  |
 | watcher.image | string | `"oryd/k8s-toolbox:0.0.5"` |  |
 | watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
 | watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
 | watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
 | watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
+| watcher.resources | object | `{}` |  |
 | watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
 | watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
 

helm/charts/kratos/templates/deployment-watcher.yaml

@@ -38,7 +38,7 @@ spec:
           {{- toYaml . | nindent 8 }}
         {{- end }}
     spec:
-      automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
+      automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
       serviceAccountName: {{ include "kratos.serviceAccountName" . }}-watcher
       {{- with .Values.podSecurityContext }}
       securityContext:
@@ -64,6 +64,8 @@ spec:
               value: {{ .Values.watcher.mountFile | quote }}
             - name: LABEL_SELECTOR
               value: '{{ $.Values.watcher.watchLabelKey }}={{ include "kratos.name" . }}'
+          resources:
+            {{- toYaml .Values.watcher.resources | nindent 12 }}
           volumeMounts:
           {{- with .Values.deployment.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}

helm/charts/kratos/templates/job-rbac.yaml

@@ -13,4 +13,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: false
 {{- end -}}

helm/charts/kratos/templates/rbac.yaml

@@ -13,4 +13,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: false
 {{- end }}

helm/charts/kratos/values.yaml

@@ -351,8 +351,7 @@ deployment:
     # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
     name: ""
 
-  # https://github.com/kubernetes/kubernetes/issues/57601
-  automountServiceAccountToken: true
+  automountServiceAccountToken: false
 
   terminationGracePeriodSeconds: 60
 
@@ -579,7 +578,7 @@ job:
   #       command: [...]
 
   # -- Set automounting of the SA token
-  automountServiceAccountToken: true
+  automountServiceAccountToken: false
 
   # -- Set sharing process namespace
   shareProcessNamespace: false
@@ -630,6 +629,8 @@ watcher:
   watchLabelKey: "ory.sh/watcher"
   # -- Number of revisions kept in history
   revisionHistoryLimit: 5
+  automountServiceAccountToken: true
+  resources: {}
 
 # -- SQL cleanup cron job configuration
 cleanup:

helm/charts/oathkeeper/README.md

@@ -31,7 +31,7 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | demo | bool | `false` | If enabled, a demo deployment with exemplary access rules and JSON Web Key Secrets will be generated. |
 | deployment.annotations | object | `{}` |  |
-| deployment.automountServiceAccountToken | bool | `false` |  |
+| deployment.automountServiceAccountToken | bool | `true` |  |
 | deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":5,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Configure horizontal pod autoscaler for deployment |
 | deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
 | deployment.customLivenessProbe | object | `{}` | Configure a custom livenessProbe. This overwrites the default object |

helm/charts/oathkeeper/templates/rbac.yaml

@@ -13,4 +13,5 @@ metadata:
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
+automountServiceAccountToken: false
 {{- end }}

helm/charts/oathkeeper/values.yaml

@@ -283,8 +283,7 @@ deployment:
     # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
     name: ""
 
-  # https://github.com/kubernetes/kubernetes/issues/57601
-  automountServiceAccountToken: false
+  automountServiceAccountToken: true
 
   terminationGracePeriodSeconds: 60