diff --git a/README.md b/README.md
index 290f09ac..1ad81b79 100644
--- a/README.md
+++ b/README.md
@@ -128,6 +128,7 @@ helm delete --namespace test my-application
 | deployment.securityContext | object | `nil` | Security Context for the pod. |
 | deployment.command | list | `[]` | Command for the app container. |
 | deployment.args | list | `[]` | Args for the app container. |
+| deployment.automountServiceAccountToken | bool | `true` | Mount Service Account token. |
 | deployment.ports | list | `nil` | List of ports for the app container. |
 | deployment.hostNetwork | bool | `nil` | Host network connectivity. |
 | deployment.terminationGracePeriodSeconds | int | `nil` | Gracefull termination period. |
diff --git a/application/templates/cronjob.yaml b/application/templates/cronjob.yaml
index 58fc87df..0240752a 100644
--- a/application/templates/cronjob.yaml
+++ b/application/templates/cronjob.yaml
@@ -60,6 +60,7 @@ spec:
 annotations: {{ toYaml . | nindent 12 }}
 {{- end }}
 spec:
+ automountServiceAccountToken: {{ kindIs "invalid" $job.automountServiceAccountToken | ternary true $job.automountServiceAccountToken }}
 {{- if $.Values.rbac.enabled }}
 {{- if $.Values.rbac.serviceAccount.name }}
 serviceAccountName: {{ $.Values.rbac.serviceAccount.name }}
diff --git a/application/templates/deployment.yaml b/application/templates/deployment.yaml
index ea5b9012..3ae25a07 100644
--- a/application/templates/deployment.yaml
+++ b/application/templates/deployment.yaml
@@ -327,6 +327,7 @@ spec:
 serviceAccountName: {{ template "application.name" $ }}
 {{- end }}
 {{- end }}
+ automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
 {{- if .Values.deployment.hostNetwork }}
 hostNetwork: {{ .Values.deployment.hostNetwork }}
 {{- end }}
diff --git a/application/templates/job.yaml b/application/templates/job.yaml
index 4ec5b5df..a4f84b09 100644
--- a/application/templates/job.yaml
+++ b/application/templates/job.yaml
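Review bot: Rendering `automountServiceAccountToken: true` whenever the per-job key is unset changes behaviour for clusters that opt out at the ServiceAccount level. A value in the pod spec takes precedence over the ServiceAccount's own `automountServiceAccountToken: false`, so pods that previously ran without a mounted token would get one after upgrading the chart. The same applies to the identical line in application/templates/job.yaml and to the deployment template, where values.yaml now defaults the key to `true`. Consider emitting the field only when a value was supplied, e.g. wrapping `automountServiceAccountToken: {{ $job.automountServiceAccountToken }}` in `{{- if not (kindIs "invalid" $job.automountServiceAccountToken) }}` … `{{- end }}`, so an unset key keeps deferring to the ServiceAccount. The pod spec continues outside the hunk.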
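Review bot: The deployment line interpolates `.Values.deployment.automountServiceAccountToken` with no nil guard, unlike the `kindIs "invalid" … | ternary true …` form used in the cronjob and job templates. If a values override sets the key to `null`, this line would presumably render with an empty value, so null would mean "unset" for the deployment but `true` for jobs. Using one form in all three templates keeps the meaning of an unset key the same across workload types. The line follows two `{{- end }}` closers whose openers are outside the hunk; it appears to sit outside the rbac conditional, in which case it also applies when the pod runs under the namespace's default service account.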
@@ -40,6 +40,7 @@ spec:
 annotations: {{ toYaml . | nindent 8 }}
 {{- end }}
 spec:
+ automountServiceAccountToken: {{ kindIs "invalid" $job.automountServiceAccountToken | ternary true $job.automountServiceAccountToken }}
 {{- if $.Values.rbac.enabled }}
 {{- if $.Values.rbac.serviceAccount.name }}
 serviceAccountName: {{ $.Values.rbac.serviceAccount.name }}
diff --git a/application/tests/cronjob_test.yaml b/application/tests/cronjob_test.yaml
index df170653..e22fbd0d 100644
--- a/application/tests/cronjob_test.yaml
+++ b/application/tests/cronjob_test.yaml
@@ -329,3 +329,47 @@ tests:
 - equal:
 path: spec.jobTemplate.spec.template.spec.containers[0].image
 value: custom-image
+
+ - it: configures automount service account token by default
+ set:
+ cronJob:
+ enabled: true
+ jobs:
+ example:
+ image:
+ repository: example-image
+ tag: example-tag
+ asserts:
+ - equal:
+ path: spec.jobTemplate.spec.template.spec.automountServiceAccountToken
+ value: true
+
+ - it: enable automount service account token when configured
+ set:
+ cronJob:
+ enabled: true
+ jobs:
+ example:
+ automountServiceAccountToken: true
+ image:
+ repository: example-image
+ tag: example-tag
+ asserts:
+ - equal:
+ path: spec.jobTemplate.spec.template.spec.automountServiceAccountToken
+ value: true
+
+ - it: disable automount service account token when configured
+ set:
+ cronJob:
+ enabled: true
+ jobs:
+ example:
+ automountServiceAccountToken: false
+ image:
+ repository: example-image
+ tag: example-tag
+ asserts:
+ - equal:
+ path: spec.jobTemplate.spec.template.spec.automountServiceAccountToken
+ value: false
diff --git a/application/tests/deployment_test.yaml b/application/tests/deployment_test.yaml
index 08f8ee97..fb274d01 100644
--- a/application/tests/deployment_test.yaml
+++ b/application/tests/deployment_test.yaml
@@ -114,6 +114,20 @@ tests:
 path: spec.template.spec.serviceAccountName
 value: example-app
 
+ - it: configures automount service account token by default
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: true
+
+ - it: disable automount service account token when configured
+ set:
+ deployment.automountServiceAccountToken: false
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: false
+
 - it: uses grpc probing when set
 set:
 applicationName: example-app
diff --git a/application/tests/job_test.yaml b/application/tests/job_test.yaml
index 52e1c61a..bbe144a5 100644
--- a/application/tests/job_test.yaml
+++ b/application/tests/job_test.yaml
@@ -328,3 +328,47 @@ tests:
 - equal:
 path: spec.template.spec.containers[0].image
 value: custom-image
+
+ - it: configures automount service account token by default
+ set:
+ job:
+ enabled: true
+ jobs:
+ example:
+ image:
+ repository: example-image
+ tag: example-tag
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: true
+
+ - it: enable automount service account token when configured
+ set:
+ job:
+ enabled: true
+ jobs:
+ example:
+ automountServiceAccountToken: true
+ image:
+ repository: example-image
+ tag: example-tag
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: true
+
+ - it: disable automount service account token when configured
+ set:
+ job:
+ enabled: true
+ jobs:
+ example:
+ automountServiceAccountToken: false
+ image:
+ repository: example-image
+ tag: example-tag
+ asserts:
+ - equal:
+ path: spec.template.spec.automountServiceAccountToken
+ value: false
diff --git a/application/values.yaml b/application/values.yaml
index 661e2e04..a60f4798 100644
--- a/application/values.yaml
+++ b/application/values.yaml
@@ -443,6 +443,9 @@ deployment:
 # -- (list) Args for the app container.
 # @section -- Deployment Parameters
 args: []
+ # -- (bool) Mount Service Account token.
+ # @section -- Deployment Parameters
+ automountServiceAccountToken: true
 # -- (list) List of ports for the app container.
 # @section -- Deployment Parameters
 ports:
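Review bot: The comment `Mount Service Account token.` does not tell operators when to turn this off or how it interacts with the ServiceAccount. I would expand it to something like `# -- (bool) Mount the ServiceAccount token into the pod. Set to false for workloads that do not call the Kubernetes API; a value set here overrides the ServiceAccount's own automountServiceAccountToken.` If the README table is generated from these comments, it would pick up the new wording as well. The per-job key under `cronJob.jobs.<name>` and `job.jobs.<name>` is not documented in any hunk visible here, and the `deployment:` map continues outside this hunk.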