Commit 1d3ce3a

Move certs job service account token (#3951) (#3952)
Problem: For security reasons, it's best practice to not have automountServiceToken on the ServiceAccount, and instead set it directly on the workloads that need the token. Solution: Set this field on the Pods instead of the ServiceAccounts. This was missed as part of the original PR.
1 parent 4b7ff0e commit 1d3ce3a

10 files changed

+20
-0
lines changed

charts/nginx-gateway-fabric/templates/certs-job.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -7,6 +7,7 @@ metadata:
77
{{- include "nginx-gateway.labels" . | nindent 4 }}
88
annotations:
99
"helm.sh/hook": pre-install
10+
automountServiceAccountToken: false
1011
{{- if or .Values.nginxGateway.serviceAccount.imagePullSecret .Values.nginxGateway.serviceAccount.imagePullSecrets }}
1112
imagePullSecrets:
1213
{{- if .Values.nginxGateway.serviceAccount.imagePullSecret }}
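Review bot: The new `automountServiceAccountToken: false` at line 10 sits directly after the `annotations:` block under `metadata:`, so its indentation decides whether it is a top-level ServiceAccount field or a stray key under metadata; confirm it renders at the top level, as a sibling of `metadata` and `imagePullSecrets`. The value is also hard-coded, so any pod that uses this ServiceAccount without setting the field itself will no longer get a token. A short template comment saying the Job opts in at the pod level would make that intent visible.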
@@ -120,6 +121,7 @@ spec:
120121
{{ toYaml . | nindent 8 }}
121122
{{- end }}
122123
spec:
124+
automountServiceAccountToken: true
123125
containers:
124126
- args:
125127
- generate-certs
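Review bot: The `automountServiceAccountToken: true` added at line 124 under the pod `spec:` has no comment saying why this pod needs API credentials. The pod-level field takes precedence over the ServiceAccount's `false`, so this is the single place where the token is granted. A one-line comment naming what `generate-certs` uses the token for would help, and it is worth checking that the RBAC bound to this ServiceAccount covers only that.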

deploy/azure/deploy.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
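Review bot: The context around new line 18 does not include `metadata.name`, so the hunk alone does not show which ServiceAccount receives `automountServiceAccountToken: false`. The document above it ends at line 15 in the same `nginx-gateway` namespace. Please confirm this is the ServiceAccount used by the `generate-certs` Job and that no other workload referencing it relies on the default token mount.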
@@ -341,6 +342,7 @@ spec:
341342
metadata:
342343
annotations: null
343344
spec:
345+
automountServiceAccountToken: true
344346
containers:
345347
- args:
346348
- generate-certs
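Review bot: The `annotations: null` context at line 343 suggests this manifest is rendered output rather than hand-written, and the same two-line change is repeated in every `deploy/*/deploy.yaml` in this commit. If that is the case, the commit message or a comment should say the files were regenerated from the chart template, so the pod-level `true` at line 345 cannot drift from `certs-job.yaml`.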

deploy/default/deploy.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -339,6 +340,7 @@ spec:
339340
metadata:
340341
annotations: null
341342
spec:
343+
automountServiceAccountToken: true
342344
containers:
343345
- args:
344346
- generate-certs

deploy/experimental-nginx-plus/deploy.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -347,6 +348,7 @@ spec:
347348
metadata:
348349
annotations: null
349350
spec:
351+
automountServiceAccountToken: true
350352
containers:
351353
- args:
352354
- generate-certs

deploy/experimental/deploy.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -344,6 +345,7 @@ spec:
344345
metadata:
345346
annotations: null
346347
spec:
348+
automountServiceAccountToken: true
347349
containers:
348350
- args:
349351
- generate-certs

deploy/nginx-plus/deploy.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -342,6 +343,7 @@ spec:
342343
metadata:
343344
annotations: null
344345
spec:
346+
automountServiceAccountToken: true
345347
containers:
346348
- args:
347349
- generate-certs

deploy/nodeport/deploy.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -339,6 +340,7 @@ spec:
339340
metadata:
340341
annotations: null
341342
spec:
343+
automountServiceAccountToken: true
342344
containers:
343345
- args:
344346
- generate-certs

deploy/openshift/deploy.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -361,6 +362,7 @@ spec:
361362
metadata:
362363
annotations: null
363364
spec:
365+
automountServiceAccountToken: true
364366
containers:
365367
- args:
366368
- generate-certs

deploy/snippets-filters-nginx-plus/deploy.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -345,6 +346,7 @@ spec:
345346
metadata:
346347
annotations: null
347348
spec:
349+
automountServiceAccountToken: true
348350
containers:
349351
- args:
350352
- generate-certs

deploy/snippets-filters/deploy.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -342,6 +343,7 @@ spec:
342343
metadata:
343344
annotations: null
344345
spec:
346+
automountServiceAccountToken: true
345347
containers:
346348
- args:
347349
- generate-certs
