Support serverPod.automountServiceAccountToken

Author: rjeberhard

documentation/domains/Cluster.json

@@ -234,6 +234,10 @@
             "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.28.2/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration"
           }
         },
+        "automountServiceAccountToken": {
+          "description": "Indicates whether a service account token should be automatically mounted on the pod. Defaults to true if not set. See `kubectl explain pods.spec.automountServiceAccountToken`.",
+          "type": "boolean"
+        },
         "readinessProbe": {
           "description": "Settings for the readiness probe associated with a WebLogic Server instance. If not specified, the operator will create an HTTP probe accessing the /weblogic/ready path. If an HTTP probe is specified then the operator will fill in `path`, `port`, and `scheme`, if they are missing. The operator will also fill in any missing tuning-related fields if they are unspecified. Tuning-related fields will be inherited from the domain and cluster scopes unless a more specific scope defines a different action, such as a different HTTP path to access.",
           "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.28.2/_definitions.json#/definitions/io.k8s.api.core.v1.Probe"

documentation/domains/Cluster.md

@@ -55,6 +55,7 @@ The specification of the operation of the WebLogic cluster. Required.
 | --- | --- | --- |
 | `affinity` | [Affinity](k8s1.28.2.md#affinity) | The Pod's scheduling constraints. More info: https://oracle.github.io/weblogic-kubernetes-operator/faq/node-heating/.  See `kubectl explain pods.spec.affinity`. |
 | `annotations` | Map | The annotations to be added to generated resources. |
+| `automountServiceAccountToken` | Boolean | Indicates whether a service account token should be automatically mounted on the pod. Defaults to true if not set. See `kubectl explain pods.spec.automountServiceAccountToken`. |
 | `containers` | Array of [Container](k8s1.28.2.md#container) | Additional containers to be included in the server Pod. See `kubectl explain pods.spec.containers`. |
 | `containerSecurityContext` | [Security Context](k8s1.28.2.md#security-context) | Container-level security attributes. Will override any matching Pod-level attributes. See `kubectl explain pods.spec.containers.securityContext`. If no value is specified for this field, the operator will use default content for container-level `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/. |
 | `env` | Array of [Env Var](k8s1.28.2.md#env-var) | A list of environment variables to set in the container running a WebLogic Server instance. More info: https://oracle.github.io/weblogic-kubernetes-operator/userguide/managing-domains/domain-resource/#jvm-memory-and-java-option-environment-variables. See `kubectl explain pods.spec.containers.env`. |

documentation/domains/Domain.json

@@ -1107,6 +1107,10 @@
             "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.28.2/_definitions.json#/definitions/io.k8s.api.core.v1.Toleration"
           }
         },
+        "automountServiceAccountToken": {
+          "description": "Indicates whether a service account token should be automatically mounted on the pod. Defaults to true if not set. See `kubectl explain pods.spec.automountServiceAccountToken`.",
+          "type": "boolean"
+        },
         "readinessProbe": {
           "description": "Settings for the readiness probe associated with a WebLogic Server instance. If not specified, the operator will create an HTTP probe accessing the /weblogic/ready path. If an HTTP probe is specified then the operator will fill in `path`, `port`, and `scheme`, if they are missing. The operator will also fill in any missing tuning-related fields if they are unspecified. Tuning-related fields will be inherited from the domain and cluster scopes unless a more specific scope defines a different action, such as a different HTTP path to access.",
           "$ref": "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/v1.28.2/_definitions.json#/definitions/io.k8s.api.core.v1.Probe"

documentation/domains/Domain.md

@@ -156,6 +156,7 @@ The current status of the operation of the WebLogic domain. Updated automaticall
 | --- | --- | --- |
 | `affinity` | [Affinity](k8s1.28.2.md#affinity) | The Pod's scheduling constraints. More info: https://oracle.github.io/weblogic-kubernetes-operator/faq/node-heating/.  See `kubectl explain pods.spec.affinity`. |
 | `annotations` | Map | The annotations to be added to generated resources. |
+| `automountServiceAccountToken` | Boolean | Indicates whether a service account token should be automatically mounted on the pod. Defaults to true if not set. See `kubectl explain pods.spec.automountServiceAccountToken`. |
 | `containers` | Array of [Container](k8s1.28.2.md#container) | Additional containers to be included in the server Pod. See `kubectl explain pods.spec.containers`. |
 | `containerSecurityContext` | [Security Context](k8s1.28.2.md#security-context) | Container-level security attributes. Will override any matching Pod-level attributes. See `kubectl explain pods.spec.containers.securityContext`. If no value is specified for this field, the operator will use default content for container-level `securityContext`. More info: https://oracle.github.io/weblogic-kubernetes-operator/security/domain-security/pod-and-container/. |
 | `env` | Array of [Env Var](k8s1.28.2.md#env-var) | A list of environment variables to set in the container running a WebLogic Server instance. More info: https://oracle.github.io/weblogic-kubernetes-operator/userguide/managing-domains/domain-resource/#jvm-memory-and-java-option-environment-variables. See `kubectl explain pods.spec.containers.env`. |

integration-tests/src/test/java/oracle/weblogic/domain/ServerPod.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2020, 2022, Oracle and/or its affiliates.
+// Copyright (c) 2020, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.weblogic.domain;
@@ -96,6 +96,11 @@ public class ServerPod {
           + "ServiceAccount will be used. The ServiceAccount has to exist at the time the pod is created.")
   private String serviceAccountName;
 
+  @ApiModelProperty(
+      "Indicates whether a service account token should be automatically mounted on the pod. "
+          + "Defaults to true if not set. See `kubectl explain pods.spec.automountServiceAccountToken`.")
+  private Boolean automountServiceAccountToken = null;
+
   @ApiModelProperty("Memory and CPU minimum requirements and limits for the server.")
   private V1ResourceRequirements resources;
 
@@ -462,6 +467,23 @@ public void setServiceAccountName(String serviceAccountName) {
     this.serviceAccountName = serviceAccountName;
   }
 
+  public ServerPod automountServiceAccountToken(Boolean automountServiceAccountToken) {
+    this.automountServiceAccountToken = automountServiceAccountToken;
+    return this;
+  }
+
+  public Boolean automountServiceAccountToken() {
+    return automountServiceAccountToken;
+  }
+
+  public Boolean getAutomountServiceAccountToken() {
+    return automountServiceAccountToken;
+  }
+
+  public void setAutomountServiceAccountToken(Boolean automountServiceAccountToken) {
+    this.automountServiceAccountToken = automountServiceAccountToken;
+  }
+
   public ServerPod resources(V1ResourceRequirements resources) {
     this.resources = resources;
     return this;

kubernetes/crd/cluster-crd.yaml

@@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    weblogic.sha256: 34ed6e0ff57580da665db440dce607569f175d0d93934c0e31b2ab26e7ede28d
+    weblogic.sha256: 251af6bc71a6c64c9f40bf8b60f5eee1a82dbf32a3439f7fe035c0baa89280bd
   name: clusters.weblogic.oracle
 spec:
   group: weblogic.oracle
@@ -329,6 +329,11 @@ spec:
                         operator:
                           type: string
                     type: array
+                  automountServiceAccountToken:
+                    description: Indicates whether a service account token should
+                      be automatically mounted on the pod. Defaults to true if not
+                      set. See `kubectl explain pods.spec.automountServiceAccountToken`.
+                    type: boolean
                   readinessProbe:
                     description: Settings for the readiness probe associated with
                       a WebLogic Server instance. If not specified, the operator will

kubernetes/crd/domain-crd.yaml

@@ -5,7 +5,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    weblogic.sha256: 3c9cb1077e51677d24c80535ad61c7b524c415e44dda7eda48e9e344f4bb3809
+    weblogic.sha256: d5781dca31795f836ae89e7139d88fce344b88395f61659d8c7c912467c70a98
   name: domains.weblogic.oracle
 spec:
   group: weblogic.oracle
@@ -1433,6 +1433,11 @@ spec:
                             operator:
                               type: string
                         type: array
+                      automountServiceAccountToken:
+                        description: Indicates whether a service account token should
+                          be automatically mounted on the pod. Defaults to true if
+                          not set. See `kubectl explain pods.spec.automountServiceAccountToken`.
+                        type: boolean
                       readinessProbe:
                         description: Settings for the readiness probe associated with
                           a WebLogic Server instance. If not specified, the operator
@@ -5216,6 +5221,11 @@ spec:
                         operator:
                           type: string
                     type: array
+                  automountServiceAccountToken:
+                    description: Indicates whether a service account token should
+                      be automatically mounted on the pod. Defaults to true if not
+                      set. See `kubectl explain pods.spec.automountServiceAccountToken`.
+                    type: boolean
                   readinessProbe:
                     description: Settings for the readiness probe associated with
                       a WebLogic Server instance. If not specified, the operator will
@@ -8107,6 +8117,11 @@ spec:
                                 type: string
                               operator:
                                 type: string
+                        automountServiceAccountToken:
+                          description: Indicates whether a service account token should
+                            be automatically mounted on the pod. Defaults to true
+                            if not set. See `kubectl explain pods.spec.automountServiceAccountToken`.
+                          type: boolean
                         readinessProbe:
                           description: Settings for the readiness probe associated
                             with a WebLogic Server instance. If not specified, the

operator/src/main/java/oracle/kubernetes/operator/helpers/BasePodStepContext.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2019, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2019, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.helpers;
@@ -228,6 +228,7 @@ protected V1PodSpec createPodSpec() {
         .topologySpreadConstraints(getTopologySpreadConstraints())
         .nodeSelector(getServerSpec().getNodeSelectors())
         .serviceAccountName(getServerSpec().getServiceAccountName())
+        .automountServiceAccountToken(getServerSpec().getAutomountServiceAccountToken())
         .nodeName(getServerSpec().getNodeName())
         .schedulerName(getServerSpec().getSchedulerName())
         .priorityClassName(getServerSpec().getPriorityClassName())

operator/src/main/java/oracle/kubernetes/operator/helpers/JobStepContext.java

@@ -584,6 +584,7 @@ protected V1PodSpec createPodSpec() {
             .activeDeadlineSeconds(getActiveDeadlineSeconds())
             .restartPolicy("Never")
             .serviceAccountName(info.getDomain().getSpec().getServiceAccountName())
+            .automountServiceAccountToken(info.getDomain().getSpec().getAutomountServiceAccountToken())
             .addVolumesItem(new V1Volume().name(SECRETS_VOLUME).secret(getSecretsVolume()))
             .addVolumesItem(
                 new V1Volume().name(SCRIPTS_VOLUME).configMap(getConfigMapVolumeSource()))

operator/src/main/java/oracle/kubernetes/operator/processing/EffectiveServerSpec.java

@@ -1,4 +1,4 @@
-// Copyright (c) 2018, 2024, Oracle and/or its affiliates.
+// Copyright (c) 2018, 2025, Oracle and/or its affiliates.
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
 
 package oracle.kubernetes.operator.processing;
@@ -162,6 +162,8 @@ public interface EffectiveServerSpec {
 
   String getServiceAccountName();
 
+  Boolean getAutomountServiceAccountToken();
+
   String getSchedulerName();
 
   List<V1Toleration> getTolerations();