Add support to disable automountServiceAccountToken (#74)

haproxy-ingress · Sep 1, 2023 · 16eb840 · 16eb840
1 parent ba9cead
commit 16eb840
Show file tree

Hide file tree

Showing 4 changed files with 9 additions and 0 deletions.
diff --git a/haproxy-ingress/README.md b/haproxy-ingress/README.md
@@ -98,6 +98,8 @@ Parameter | Description | Default
 `rbac.security.enable` | If true, and rbac.create is true, create & use PSP resources on Kubernetes clusters up to v1.25 | `false`
 `serviceAccount.create` | If true, create serviceAccount | `true`
 `serviceAccount.name` | ServiceAccount to be used | ``
+`serviceAccount.automountServiceAccountToken` | Automount API credentials for the ServiceAccount | `true` |
+`controller.automountServiceAccountToken` | Automount API credentials to the controller's pod | `true` |
 `controller.name` | name of the controller component | `controller`
 `controller.image.repository` | controller container image repository | `quay.io/jcmoraisjr/haproxy-ingress`
 `controller.image.tag` | controller container image tag | `v0.14.4`

diff --git a/haproxy-ingress/templates/_podtemplate.yaml b/haproxy-ingress/templates/_podtemplate.yaml
@@ -18,6 +18,7 @@ spec:
     {{- toYaml .Values.controller.podAffinity | nindent 4 }}
 {{- end }}
   serviceAccountName: {{ include "haproxy-ingress.serviceAccountName" . }}
+  automountServiceAccountToken: {{ .Values.controller.automountServiceAccountToken }}
 {{- if or .Values.controller.haproxy.enabled .Values.controller.initContainers }}
   initContainers:
 {{- if .Values.controller.haproxy.enabled }}

diff --git a/haproxy-ingress/templates/serviceaccount.yaml b/haproxy-ingress/templates/serviceaccount.yaml
@@ -1,6 +1,7 @@
 {{- if .Values.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
   labels:
     {{- include "haproxy-ingress.labels" . | nindent 4 }}

diff --git a/haproxy-ingress/values.yaml b/haproxy-ingress/values.yaml
@@ -15,6 +15,8 @@ serviceAccount:
   # The name of the ServiceAccount to use.
   # If not set and create is true, a name is generated using the fullname template
   name:
+  # Automount API credentials for the ServiceAccount.
+  automountServiceAccountToken: true
 
 nameOverride: ""
 fullnameOverride: ""
@@ -148,6 +150,9 @@ controller:
   #  hello_again.lua: |
   #    core.Debug("Hello again HAProxy!\n")
 
+  # Automount API credentials to the controller's pod
+  automountServiceAccountToken: true
+
   # Required for use with CNI based kubernetes installations (such as ones set up by kubeadm),
   # since CNI and hostport don't mix yet. Can be deprecated once https://github.com/kubernetes/kubernetes/issues/23920
   # is merged