Commit 8241478

Move certs job service account token (#3951)
Problem: For security reasons, it's best practice to not have automountServiceToken on the ServiceAccount, and instead set it directly on the workloads that need the token.

Solution: Set this field on the Pods instead of the ServiceAccounts. This was missed as part of the original PR.
1 parent 76184a9 commit 8241478

10 files changed: +20 -0 lines changed

charts/nginx-gateway-fabric/templates/certs-job.yaml

Lines changed: 2 additions & 0 deletions
@@ -7,6 +7,7 @@ metadata:
77
{{- include "nginx-gateway.labels" . | nindent 4 }}
88
annotations:
99
"helm.sh/hook": pre-install
10+
automountServiceAccountToken: false
1011
{{- if or .Values.nginxGateway.serviceAccount.imagePullSecret .Values.nginxGateway.serviceAccount.imagePullSecrets }}
1112
imagePullSecrets:
1213
{{- if .Values.nginxGateway.serviceAccount.imagePullSecret }}
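Review bot: The `automountServiceAccountToken: false` added at new line 10 of the ServiceAccount is hard-coded and carries no comment, so a reader of this template sees `false` here and `true` in the Job's pod spec further down with nothing explaining why both exist. Add a short template comment saying the token is disabled on the ServiceAccount and enabled only on the pod that needs it. It is also worth confirming that no other pod in the chart references this ServiceAccount, since such a pod would now start without a token unless it sets the field itself.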
@@ -120,6 +121,7 @@ spec:
120121
{{ toYaml . | nindent 8 }}
121122
{{- end }}
122123
spec:
124+
automountServiceAccountToken: true
123125
containers:
124126
- args:
125127
- generate-certs
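Review bot: The `automountServiceAccountToken: true` at new line 124 is the only thing that re-enables the token for this Job, because the pod-level field takes precedence over the ServiceAccount-level `false`; it deserves a one-line comment naming what `generate-certs` uses the token for, so it is not removed later as redundant. Since the token is now mounted deliberately, please also check that the Role bound to this Job's ServiceAccount grants only what certificate generation needs; the RBAC is not visible in this hunk.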

deploy/azure/deploy.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
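Review bot: From this hunk alone it is not possible to tell which ServiceAccount receives `automountServiceAccountToken: false` at new line 18, because its `metadata.name` falls outside the context lines. The commit message scopes the change to the certs job, so please confirm this is that ServiceAccount and not another one in the manifest. The key also lands between `apiVersion` and `kind`, which looks like sorted generated output; if so, confirm the file was regenerated from the chart rather than edited by hand, so the two cannot drift.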
@@ -341,6 +342,7 @@ spec:
341342
metadata:
342343
annotations: null
343344
spec:
345+
automountServiceAccountToken: true
344346
containers:
345347
- args:
346348
- generate-certs
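Review bot: The pod-level `automountServiceAccountToken: true` at new line 345 is repeated in identical hunks across the other `deploy/*/deploy.yaml` files, and the commit message says this field was missed in the original PR, yet the commit adds no test for it. Consider a check that renders the chart and asserts that the `generate-certs` Job's pod spec sets `automountServiceAccountToken: true` while its ServiceAccount sets `false`, so a future regeneration that drops either side fails in CI instead of at install time.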

deploy/default/deploy.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -339,6 +340,7 @@ spec:
339340
metadata:
340341
annotations: null
341342
spec:
343+
automountServiceAccountToken: true
342344
containers:
343345
- args:
344346
- generate-certs

deploy/experimental-nginx-plus/deploy.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -348,6 +349,7 @@ spec:
348349
metadata:
349350
annotations: null
350351
spec:
352+
automountServiceAccountToken: true
351353
containers:
352354
- args:
353355
- generate-certs

deploy/experimental/deploy.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -344,6 +345,7 @@ spec:
344345
metadata:
345346
annotations: null
346347
spec:
348+
automountServiceAccountToken: true
347349
containers:
348350
- args:
349351
- generate-certs

deploy/nginx-plus/deploy.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -343,6 +344,7 @@ spec:
343344
metadata:
344345
annotations: null
345346
spec:
347+
automountServiceAccountToken: true
346348
containers:
347349
- args:
348350
- generate-certs

deploy/nodeport/deploy.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -339,6 +340,7 @@ spec:
339340
metadata:
340341
annotations: null
341342
spec:
343+
automountServiceAccountToken: true
342344
containers:
343345
- args:
344346
- generate-certs

deploy/openshift/deploy.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -361,6 +362,7 @@ spec:
361362
metadata:
362363
annotations: null
363364
spec:
365+
automountServiceAccountToken: true
364366
containers:
365367
- args:
366368
- generate-certs

deploy/snippets-filters-nginx-plus/deploy.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -346,6 +347,7 @@ spec:
346347
metadata:
347348
annotations: null
348349
spec:
350+
automountServiceAccountToken: true
349351
containers:
350352
- args:
351353
- generate-certs

deploy/snippets-filters/deploy.yaml

Lines changed: 2 additions & 0 deletions
@@ -15,6 +15,7 @@ metadata:
1515
namespace: nginx-gateway
1616
---
1717
apiVersion: v1
18+
automountServiceAccountToken: false
1819
kind: ServiceAccount
1920
metadata:
2021
labels:
@@ -342,6 +343,7 @@ spec:
342343
metadata:
343344
annotations: null
344345
spec:
346+
automountServiceAccountToken: true
345347
containers:
346348
- args:
347349
- generate-certs
