fix(argo-cd): make automountServiceAccountToken configurable

[stefan-caraiman]

Keeps the default behaviour of having automountServiceAccountToken set to true for deployments/statefulsets.

Checklist:

• I have bumped the chart version according to versioning
• I have updated the documentation according to documentation
• I have updated the chart changelog with all the changes that come with this pull request according to changelog.
• Any new values are backwards compatible and/or have sensible default.
• I have signed off all my commits as required by DCO.
• My build is green (troubleshooting builds).

[mkilchhofer]

Just to probably learn something new: is there a difference setting it on the deployment/statefulset or ServiceAccount?
Because this toggle is already supported on all ServiceAccounts:

$ grep automount README.md
| controller.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| repoServer.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| server.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| dex.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| redis.serviceAccount.automountServiceAccountToken | bool | `false` | Automount API credentials for the Service Account |
| applicationSet.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| notifications.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |

[stefan-caraiman]

Just to probably learn something new: is there a difference setting it on the deployment/statefulset or ServiceAccount? Because this toggle is already supported on all ServiceAccounts:

$ grep automount README.md
| controller.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| repoServer.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| server.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| dex.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| redis.serviceAccount.automountServiceAccountToken | bool | `false` | Automount API credentials for the Service Account |
| applicationSet.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| notifications.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |

Yep 😄 as per the K8s docs:

The pod spec takes precedence over the service account if both specify a automountServiceAccountToken value.

Setting automountServiceAccountToken on a ServiceAccount applies the setting to all pods using that account, defaulting them to either mount or not mount the service account token. Setting it on a Deployment or StatefulSet allows for specific control over that particular workload, overriding the ServiceAccount's default.

[mkilchhofer]

Setting automountServiceAccountToken on a ServiceAccount applies the setting to all pods using that account, defaulting them to either mount or not mount the service account token. Setting it on a Deployment or StatefulSet allows for specific control over that particular workload, overriding the ServiceAccount's default.

Ok but do you create your own SA's or why do you like this change? By default every deployment/component of Argo CD has its own SA :)

[stefan-caraiman]

Not really no, we do not create our own SA, we rely on the defaults, but due to the following Azure AKS Security policy:

"Kubernetes clusters should disable automounting API credentials" - Disable automounting API credentials to prevent a potentially compromised Pod resource to run API commands against Kubernetes clusters.

TLDR: We need to basically set automountServiceAccountToken: false to both the SA and Deployments/StatefulSets for ArgoCD and then mount the serviceaccounttoken through extra volumes/volumeMounts for resources that do need access to the API. (similar to what K8s Admission controller already does for automountServiceAccountToken behind the curtains )

Example values & issue from cert-manager on this topic.

In the end the result is the same as with automountServiceAccountToken: true, but it is a "hardening" requirement to be compliant with the Azure Security Score 😅

[mkilchhofer]

In the end the result is the same as with automountServiceAccountToken: true, but it is a "hardening" requirement to be compliant with the Azure Security Score 😅

Oh boy 🙈 . I now definitively learned something new. But IMHO this is only to satisfy the security scanner, it doesn't really improve security.
There was a good talk at KubeCon: Malicious compliance ;)

Lets wait on some other opinions of my colleagues.

[stefan-caraiman]

Yep totally agree. No harm though in adding in the option to customize it since it defaults to true just as before. 😄

[mbevc1]

Hah, nice work Microsoft :)

Good reference @mkilchhofer 👍

Happy we add it in for people on Azure as long as the defaults are not changing.

[stefan-caraiman]

@mbevc1 indeed, no defaults are changing so the change is harmless 👍

[stefan-caraiman]

@mbevc1 @mkilchhofer just to exemplify further, the following 2 example values achieve the same injection of the Service account token into the pod in order to make K8s api calls.

# Example 1 ( the default now and with this MR too)
# Automatically injection done as explained here
# https://kubernetes.io/docs/reference/access-authn-authz/service-accounts-admin/#serviceaccount-admission-controller
controller:
  automountServiceAccountToken: true
  serviceAccount:
    automountServiceAccountToken: true

same as with

# Example 2 values for disabling auto-mounting and opting to inject it via volumes instead
# for "hardened" AKS setups
controller:
  automountServiceAccountToken: false
  serviceAccount:
    automountServiceAccountToken: false
  volumeMounts:
    - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
      name: serviceaccount-token
      readOnly: true
  volumes:
    - name: serviceaccount-token
      projected:
        defaultMode: 0444
        sources:
        - serviceAccountToken:
            expirationSeconds: 3607
            path: token
        - configMap:
            name: kube-root-ca.crt
            items:
            - key: ca.crt
              path: ca.crt
        - downwardAPI:
            items:
            - path: namespace
              fieldRef:
                apiVersion: v1
                fieldPath: metadata.namespace

[yu-croco]

Thank you for your contribution. LGTM.

[mbevc1]

Thanks @stefan-caraiman