diff --git a/elasticsearch/README.md b/elasticsearch/README.md
index 25c6d40de..1306ca60e 100644
--- a/elasticsearch/README.md
+++ b/elasticsearch/README.md
@@ -153,7 +153,7 @@ support multiple versions with minimal changes.
 | `podSecurityPolicy` | Configuration for create a pod security policy with minimal permissions to run this Helm chart with `create: true`. Also can be used to reference an external pod security policy with `name: "externalPodSecurityPolicy"` | see [values.yaml][] |
 | `priorityClassName` | The name of the [PriorityClass][]. No default is supplied as the PriorityClass must be created first | `""` |
 | `protocol` | The protocol that will be used for the readiness [probe][]. Change this to `https` if you have `xpack.security.http.ssl.enabled` set | `http` |
-| `rbac` | Configuration for creating a role, role binding and ServiceAccount as part of this Helm chart with `create: true`. Also can be used to reference an external ServiceAccount with `serviceAccountName: "externalServiceAccountName"` | see [values.yaml][] |
+| `rbac` | Configuration for creating a role, role binding and ServiceAccount as part of this Helm chart with `create: true`. Also can be used to reference an external ServiceAccount with `serviceAccountName: "externalServiceAccountName"`, or automount the service account token | see [values.yaml][] |
 | `readinessProbe` | Configuration fields for the readiness [probe][] | see [values.yaml][] |
 | `replicas` | Kubernetes replica count for the StatefulSet (i.e. how many pods) | `3` |
 | `resources` | Allows you to set the [resources][] for the StatefulSet | see [values.yaml][] |
diff --git a/elasticsearch/templates/statefulset.yaml b/elasticsearch/templates/statefulset.yaml
index e3a34c513..29db942b5 100644
--- a/elasticsearch/templates/statefulset.yaml
+++ b/elasticsearch/templates/statefulset.yaml
@@ -74,6 +74,7 @@ spec: {{- else if not (eq .Values.rbac.serviceAccountName "") }} serviceAccountName: {{ .Values.rbac.serviceAccountName | quote }} {{- end }} + automountServiceAccountToken: {{ .Values.rbac.automountToken }} {{- with .Values.tolerations }} tolerations: {{ toYaml . | indent 6 }} diff --git a/elasticsearch/tests/elasticsearch_test.py b/elasticsearch/tests/elasticsearch_test.py index 638c02066..63f60b900 100755 --- a/elasticsearch/tests/elasticsearch_test.py +++ b/elasticsearch/tests/elasticsearch_test.py @@ -1363,6 +1363,7 @@ def test_initial_master_nodes_when_using_full_name_override(): "value": "customfullName-0," + "customfullName-1," + "customfullName-2,", } in env +<<<<<<< HEAD def test_hostaliases(): config = """ @@ -1469,3 +1470,25 @@ def test_network_policy(): ] assert transport["ports"][0]["port"] == 9300 assert pod_selector == {"matchLabels": {"app": "elasticsearch-master",}} + +def test_default_no_automount_sa_token(): + ## Make sure we can use an externally defined service account + config = """ +""" + r = helm_template(config) + assert ( + r["statefulset"][uname]["spec"]["template"]["spec"]["automountServiceAccountToken"] + == False + ) + +def test_enable_automount_sa_token(): + ## Make sure we can use an externally defined service account + config = """ +rbac: + automountToken: true +""" + r = helm_template(config) + assert ( + r["statefulset"][uname]["spec"]["template"]["spec"]["automountServiceAccountToken"] + == True + ) diff --git a/elasticsearch/values.yaml b/elasticsearch/values.yaml index 8cf178a02..443b1c1a3 100755 --- a/elasticsearch/values.yaml +++ b/elasticsearch/values.yaml @@ -98,6 +98,7 @@ rbac: create: false serviceAccountAnnotations: {} serviceAccountName: "" + automountToken: false podSecurityPolicy: create: false
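Review bot: The added `automountServiceAccountToken: {{ .Values.rbac.automountToken }}` line renders an empty value when `rbac.automountToken` is unset or nulled (for example by a parent chart's values). An empty field most likely defers to the ServiceAccount's own setting, which mounts the token unless it is disabled there. Since the intent is to keep the token out of the pod unless it is asked for, pin the fallback in the template: `automountServiceAccountToken: {{ default false .Values.rbac.automountToken }}`. It is also worth checking the `rbac.create: true` path, because the Role and RoleBinding the chart creates are of little use to a pod whose token is not mounted. The pod spec this line belongs to starts and ends outside the hunk.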
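Review bot: The line `<<<<<<< HEAD` added just before `test_hostaliases` is a leftover merge-conflict marker and is not valid Python. With it in place the module cannot be imported, so none of the tests in this file run, including the two automount tests added further down. Delete the line and check the rest of the file for matching `=======` and `>>>>>>>` markers, which are not visible in this hunk.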
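Review bot: Both new tests, `test_default_no_automount_sa_token` and `test_enable_automount_sa_token`, carry the comment `## Make sure we can use an externally defined service account`, which does not describe what they check. Replace it with `# The service account token is not mounted unless rbac.automountToken is set` in the first and `# rbac.automountToken: true reaches the pod spec` in the second. The comparisons `== False` and `== True` also pass for `0` and `1`; `is False` and `is True` pin the rendered value to a real boolean. A further case that sets `rbac.serviceAccountName` and leaves `automountToken` at its default would show the token also stays unmounted for an external service account.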
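Review bot: `automountToken: false` is added under `rbac:` without a comment, and the README row mentions the option only in passing without naming the key. If the pod spec did not set `automountServiceAccountToken` before this change, which the statefulset hunk suggests, pods will stop receiving the token on upgrade. Add a comment above the key, for example `# Mount the ServiceAccount token into the pods. Keep false unless something in the pod calls the Kubernetes API.`, and note the changed default in the upgrade notes.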