Allow opt-out of service account token automounting (#3983)

* Allow opt-out of service account token automounting

* Add default (empty) values for automountServiceAccountToken flags

* Fix typo

* Correct default values for SA token automounting in the Helm chart's README

* Add changelog entry
Gilles Gosuin 2023-10-25 21:17:50 +02:00 committed by GitHub
parent 95dadddbc9
commit 6abbef1443
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 82 additions and 64 deletions


@ -20,6 +20,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [UNRELEASED]
### Added
- Added the option to explicitly enable or disable service account token automounting. ([#3983](https://github.com/kubernetes-sigs/external-dns/pull/3983)) [@gilles-gosuin](https://github.com/gilles-gosuin)
## [v1.13.1] - 2023-09-07
### Added


@ -21,7 +21,7 @@ helm upgrade --install external-dns external-dns/external-dns
The following table lists the configurable parameters of the _ExternalDNS_ chart and their default values.
| Parameter | Description | Default |
|------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------|
|-----------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------|
| `image.repository` | Image repository. | `registry.k8s.io/external-dns/external-dns` |
| `image.tag` | Image tag, will override the default tag derived from the chart app version. | `""` |
| `image.pullPolicy` | Image pull policy. | `IfNotPresent` |
@ -32,6 +32,7 @@ The following table lists the configurable parameters of the _ExternalDNS_ chart
| `serviceAccount.annotations` | Annotations to add to the service account. | `{}` |
| `serviceAccount.labels` | Labels to add to the service account. | `{}` |
| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the full name template. | `""` |
| `serviceAccount.automountServiceAccountToken` | Opt out of the [service account token automounting feature](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the service account | `null` |
| `rbac.create` | If `true`, create the RBAC resources. | `true` |
| `rbac.additionalPermissions` | Additional permissions to be added to the cluster role. | `{}` |
| `initContainers` | Add init containers to the pod. | `[]` |
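Review bot: The description in the new `serviceAccount.automountServiceAccountToken` row only says "Opt out", while the changelog entry in this commit describes an option to explicitly enable or disable automounting. State the accepted values in the row, for example that `false` opts out, `true` enables it explicitly, and the `null` default leaves the field unset. The row also lacks the trailing period that the neighbouring descriptions have.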
@ -84,6 +85,7 @@ The following table lists the configurable parameters of the _ExternalDNS_ chart
| `secretConfiguration.mountPath` | Mount path of secret configuration secret (this can be templated). | `""` |
| `secretConfiguration.data` | Secret configuration secret data. Could be used to store DNS provider credentials. | `{}` |
| `secretConfiguration.subPath` | Sub-path of secret configuration secret (this can be templated). | `""` |
| `automountServiceAccountToken` | Opt out of the [service account token automounting feature](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#opt-out-of-api-credential-automounting) for the pod | `null` |
## Namespaced scoped installation
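Review bot: The new `automountServiceAccountToken` row does not say how it interacts with `serviceAccount.automountServiceAccountToken`, added higher in the same table. In Kubernetes the value on the pod spec takes precedence over the one on the service account, so one sentence to that effect here would tell users which setting wins when both are set.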


@ -33,6 +33,9 @@ spec:
{{- end }}
{{- end }}
spec:
{{- if hasKey .Values "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
{{- end }}
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
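Review bot: The `hasKey .Values "automountServiceAccountToken"` guard in the pod spec tests that the key exists, not that it holds a boolean, so a key that is present but null, or set to a non-boolean value, still emits the `automountServiceAccountToken:` line. Consider guarding on the type instead, e.g. `{{- if kindIs "bool" .Values.automountServiceAccountToken }}`, so the field is rendered only for an explicit `true` or `false`.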


@ -1,6 +1,9 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
{{- if hasKey .Values.serviceAccount "automountServiceAccountToken" }}
automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
{{- end }}
metadata:
name: {{ include "external-dns.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
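Review bot: Style point on where `automountServiceAccountToken` is placed, between `kind: ServiceAccount` and `metadata:`. It is valid, but manifests conventionally list `apiVersion`, `kind` and `metadata` first and the remaining top-level fields after them. Moving the conditional block below the metadata section would keep the rendered ServiceAccount in the usual order.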


@ -16,6 +16,9 @@ fullnameOverride: ""
commonLabels: {}
serviceAccount:
# opt out of the service account token automounting (at the service account level)
automountServiceAccountToken:
# Specifies whether a service account should be created
create: true
# Annotations to add to the service account
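Review bot: The `automountServiceAccountToken:` default under `serviceAccount:` is declared with an empty value, and the comment above it does not list what can be set. Since the templates in this commit branch on `hasKey`, a commented-out example such as `# automountServiceAccountToken: false`, with a remark that leaving it unset keeps the Kubernetes default, would make the "not set" case unambiguous.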
@ -193,3 +196,6 @@ secretConfiguration:
deploymentStrategy:
type: Recreate
# opt out of the service account token automounting (at the pod level)
automountServiceAccountToken: