fix(argo-cd): make automountServiceAccountToken configurable #2625
31e8f70 to 5968839
5968839 to 5c27b10
Just to probably learn something new: is there a difference setting it on the deployment/statefulset or ServiceAccount?
```
$ grep automount README.md
| controller.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| repoServer.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| server.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| dex.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| redis.serviceAccount.automountServiceAccountToken | bool | `false` | Automount API credentials for the Service Account |
| applicationSet.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
| notifications.serviceAccount.automountServiceAccountToken | bool | `true` | Automount API credentials for the Service Account |
```
Yep 😄 as per the K8s docs:
Setting automountServiceAccountToken on a ServiceAccount applies the setting to all pods using that account, defaulting them to either mount or not mount the service account token. Setting it on a Deployment or StatefulSet allows for specific control over that particular workload, overriding the ServiceAccount's default.
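The precedence described in the comment above, as an added example that is not part of this PR or of the chart: a small audit helper that resolves, for each workload, whether the token ends up mounted and which level decided it. It assumes manifests are already loaded as Python dicts; the `argocd` namespace and all object names in `SAMPLE` are constructed for illustration.

```python
# Added example; the manifests in SAMPLE are constructed, not the chart's output.
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "DaemonSet"}

def pod_spec(manifest):
    """Pod spec of a Pod, or of a workload's pod template."""
    spec = manifest.get("spec", {})
    return spec if manifest["kind"] == "Pod" else spec.get("template", {}).get("spec", {})

def effective_automount(manifests):
    """Map 'Kind/namespace/name' -> (token mounted?, which level decided)."""
    # (namespace, name) -> ServiceAccount-level value, or None when unset
    sa_setting = {(m["metadata"].get("namespace", "default"), m["metadata"]["name"]):
                  m.get("automountServiceAccountToken")
                  for m in manifests if m["kind"] == "ServiceAccount"}
    result = {}
    for m in manifests:
        if m["kind"] != "Pod" and m["kind"] not in WORKLOAD_KINDS:
            continue
        ns = m["metadata"].get("namespace", "default")
        spec = pod_spec(m)
        pod_value = spec.get("automountServiceAccountToken")
        sa_value = sa_setting.get((ns, spec.get("serviceAccountName", "default")))
        if pod_value is not None:      # pod spec overrides the ServiceAccount
            decision = (pod_value, "pod spec")
        elif sa_value is not None:     # otherwise the ServiceAccount setting applies
            decision = (sa_value, "ServiceAccount")
        else:                          # neither level set: the token is mounted
            decision = (True, "Kubernetes default")
        result[f'{m["kind"]}/{ns}/{m["metadata"]["name"]}'] = decision
    return result

def workload(kind, name, sa, automount=None):
    spec = {"serviceAccountName": sa}
    if automount is not None:
        spec["automountServiceAccountToken"] = automount
    return {"kind": kind, "metadata": {"name": name, "namespace": "argocd"},
            "spec": {"template": {"spec": spec}}}

SAMPLE = [
    {"kind": "ServiceAccount", "metadata": {"name": "redis-sa", "namespace": "argocd"},
     "automountServiceAccountToken": False},
    {"kind": "ServiceAccount", "metadata": {"name": "server-sa", "namespace": "argocd"}},
    workload("Deployment", "redis", "redis-sa"),
    workload("Deployment", "redis-override", "redis-sa", automount=True),
    workload("StatefulSet", "controller", "server-sa", automount=False),
    workload("Deployment", "server", "server-sa"),
]

if __name__ == "__main__":
    print(effective_automount(SAMPLE))
```

Run over rendered manifests, the "decided by" field shows which workloads still depend on the ServiceAccount-level setting or the default rather than an explicit pod-level value.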
Ok but do you create your own SAs or why do you like this change? By default every deployment/component of Argo CD has its own SA :)
Not really no, we do not create our own SA, we rely on the defaults, but due to the following Azure AKS Security policy:
TLDR: We need to basically set Example values & issue from cert-manager on this topic. In the end the result is the same as with
Yep totally agree. No harm though in adding in the option to customize it since it defaults to true just as before. 😄
Hah, nice work Microsoft :) Good reference @mkilchhofer 👍 Happy we add it in for people on Azure as long as the defaults are not changing.
@mbevc1 indeed, no defaults are changing so the change is harmless 👍
5c27b10 to bfb6745
Keeps the default behaviour of having automountServiceAccountToken set to true for deployments/statefulsets.
Signed-off-by: Stefan Caraiman <stefanc.caraiman@gmail.com>
bfb6745 to 979bf1c
@mbevc1 @mkilchhofer just to exemplify further, the following 2 example
same as with
Thank you for your contribution. LGTM.
Thanks @stefan-caraiman