diff --git a/deploy/eck-operator/profile-disable-automounting-api.yaml b/deploy/eck-operator/profile-disable-automounting-api.yaml
new file mode 100644
index 00000000000..50f97157dbf
--- /dev/null
+++ b/deploy/eck-operator/profile-disable-automounting-api.yaml
@@ -0,0 +1,29 @@
+automountServiceAccountToken: false
+
+serviceAccount:
+ automountServiceAccountToken: false
+
+volumeMounts:
+- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: serviceaccount-token
+ readOnly: true
+
+volumes:
+- name: serviceaccount-token
+ projected:
+ defaultMode: 0444
+ sources:
+ - serviceAccountToken:
+ expirationSeconds: 3607
+ path: token
+ - configMap:
+ name: kube-root-ca.crt
+ items:
+ - key: ca.crt
+ path: ca.crt
+ - downwardAPI:
+ items:
+ - path: namespace
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
diff --git a/deploy/eck-operator/templates/service-account.yaml b/deploy/eck-operator/templates/service-account.yaml
index a8901590176..f91acdccf87 100644
--- a/deploy/eck-operator/templates/service-account.yaml
+++ b/deploy/eck-operator/templates/service-account.yaml
@@ -2,6 +2,7 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
 name: {{ include "eck-operator.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
diff --git a/deploy/eck-operator/templates/statefulset.yaml b/deploy/eck-operator/templates/statefulset.yaml
index 7f6a8f716b1..e692c3d64ca 100644
--- a/deploy/eck-operator/templates/statefulset.yaml
+++ b/deploy/eck-operator/templates/statefulset.yaml
@@ -31,6 +31,7 @@ spec:
 spec:
 terminationGracePeriodSeconds: 10
 serviceAccountName: {{ include "eck-operator.serviceAccountName" . }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 {{- with .Values.priorityClassName }}
 priorityClassName: {{ . }}
 {{- end }}
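Review bot: The new profile has no header comment, so a reader cannot tell that it does not take API credentials away from the operator but replaces the kubelet automount with an explicitly declared, read-only projected token built from the same three sources (serviceAccountToken, kube-root-ca.crt, namespace); a first line such as `# Disables kubelet automounting of the service account token and instead declares an equivalent read-only projected token explicitly, so the mount is visible in the pod spec and auditable; it does not reduce the operator's API privileges.` would state both the intent and the limit. The profile also leaves `config.metrics.secureMode.volumeMounts`, which this commit adds in values.yaml, at its empty default, so with `config.metrics.secureMode` enabled the kube-rbac-proxy sidecar presumably runs without any token; either set that value to the same mount here or record the requirement in the header comment.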
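Review bot: The new field is rendered from an untyped value, so an override that sets `serviceAccount.automountServiceAccountToken` to null or an empty string renders `automountServiceAccountToken:` with no value, which the API server treats as unset (automount enabled) rather than rejecting the manifest; the pod-level `automountServiceAccountToken` added in templates/statefulset.yaml has the same exposure. If the chart ships a values.schema.json, declaring both keys as `"type": "boolean"` fails fast at install time; otherwise a comment on the template line, `# must render as a literal true/false; an empty value silently re-enables automounting`, at least records the trap. Placing the field between `kind` and `metadata` also departs from the usual apiVersion/kind/metadata ordering; it would read more conventionally after the `metadata` block, which may extend past this hunk.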
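Review bot: Rendering `automountServiceAccountToken: true` on the pod spec by default changes existing behaviour, because Kubernetes gives the pod-level field precedence over the ServiceAccount-level one: a pre-existing or externally managed ServiceAccount whose automount was switched off (for example with `serviceAccount.create: false`) is now silently overridden and the token is mounted again. Emitting the field only when the value is explicitly false preserves the previous semantics while still supporting the new profile: `{{- if eq (toString .Values.automountServiceAccountToken) "false" }}`, `automountServiceAccountToken: false`, `{{- end }}`. The enclosing pod template spec starts before this hunk.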
@@ -121,11 +122,16 @@ spec: - "--tls-cert-file=/tls/tls.crt" - "--tls-private-key-file=/tls/tls.key" {{- end }} - {{- if .Values.config.metrics.secureMode.tls.certificateSecret }} + {{- if or .Values.config.metrics.secureMode.tls.certificateSecret .Values.config.metrics.secureMode.volumeMounts }} volumeMounts: - - mountPath: "/tls" - name: tls-certificate - readOnly: true + {{- with .Values.config.metrics.secureMode.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if .Values.config.metrics.secureMode.tls.certificateSecret }} + - mountPath: "/tls" + name: tls-certificate + readOnly: true + {{- end }} {{- end }} ports: - containerPort: {{ $metricsPort }} diff --git a/deploy/eck-operator/values.yaml b/deploy/eck-operator/values.yaml index 6a124650829..46de24fbcf9 100644 --- a/deploy/eck-operator/values.yaml +++ b/deploy/eck-operator/values.yaml @@ -87,9 +87,14 @@ volumes: [] # createClusterScopedResources determines whether cluster-scoped resources (ClusterRoles, ClusterRoleBindings) should be created. createClusterScopedResources: true +# Automount API credentials for the Service Account into the pod. +automountServiceAccountToken: true + serviceAccount: # create specifies whether a service account should be created for the operator. create: true + # Specifies whether a service account should automount API-Credentials + automountServiceAccountToken: true # annotations to add to the service account annotations: {} # name of the service account to use. If not set and create is true, a name is generated using the fullname template. @@ -188,6 +193,8 @@ config: # serviceMonitorNamespaceSelector: {} # serviceMonitorSelectorNilUsesHelmValues: false enabled: false + # additional volume mounts for the kube-rbac-proxy container. + volumeMounts: [] tls: # certificateSecret is the name of the tls secret containing the custom TLS certificate and key for the secure metrics endpoint. #
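Review bot: Entries from `.Values.config.metrics.secureMode.volumeMounts` are passed straight through `toYaml` at the top of the new `volumeMounts` block, while the chart's own `/tls` mount is pinned `readOnly: true`; nothing in the template prevents a writable mount from landing in the kube-rbac-proxy sidecar, and an entry that reuses `mountPath: "/tls"` will only be caught by the API server's duplicate-mountPath check at apply time. Since the sidecar is the component that terminates TLS for the metrics endpoint, the values.yaml comment for this key should say that entries are rendered verbatim and should normally set `readOnly: true`, and that `/tls` is reserved when `tls.certificateSecret` is set. The enclosing container definition starts before this hunk.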
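Review bot: The two new comments in the first values.yaml hunk do not explain how the keys interact: the pod-level `automountServiceAccountToken` takes precedence over `serviceAccount.automountServiceAccountToken` when both are set, and turning either off leaves the operator without API credentials unless a token volume is declared explicitly, as `profile-disable-automounting-api.yaml` in this commit does. Suggest `# automountServiceAccountToken controls the pod-level setting and overrides the ServiceAccount-level value below; when false, mount a token explicitly via volumes/volumeMounts (see profile-disable-automounting-api.yaml).` for the top-level key, and, matching the `create specifies ...` style already used in this block, `# automountServiceAccountToken specifies whether the service account automounts API credentials.` for the nested one.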
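Review bot: The comment on the new `config.metrics.secureMode.volumeMounts` key names the target container but not where the referenced volumes come from; the chart's pod-level `volumes: []` value (visible as the first hunk's context) is presumably the only place they can be declared, and this block sits under `secureMode`, which is presumably rendered only when `enabled` is true. Suggest `# additional volume mounts for the kube-rbac-proxy container (only used when secureMode is enabled); the referenced volumes must be declared in the top-level 'volumes' value.`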