From 944e2b7b1d91f45fe76d1cf06201edee41bc7ccc Mon Sep 17 00:00:00 2001
From: Gus Luxton
Date: Fri, 18 Oct 2024 14:29:44 -0300
Subject: [PATCH] teleport-cluster: set automountServiceAccountToken to false on ServiceAccounts when using newer Kubernetes distributions (#47703)
---
 .../templates/auth/serviceaccount.yaml | 4 ++++
 .../templates/proxy/serviceaccount.yaml | 4 ++++
 .../tests/auth_serviceaccount_test.yaml | 22 +++++++++++++++++++
 .../tests/proxy_serviceaccount_test.yaml | 22 +++++++++++++++++++
 4 files changed, 52 insertions(+)
diff --git a/examples/chart/teleport-cluster/templates/auth/serviceaccount.yaml b/examples/chart/teleport-cluster/templates/auth/serviceaccount.yaml
index 0eb96f032e54..d060ea83844f 100644
--- a/examples/chart/teleport-cluster/templates/auth/serviceaccount.yaml
+++ b/examples/chart/teleport-cluster/templates/auth/serviceaccount.yaml
@@ -1,4 +1,5 @@
 {{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
+{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
 {{- if $auth.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
@@ -19,4 +20,7 @@ metadata:
 azure.workload.identity/client-id: "{{ $auth.azure.clientID }}"
 {{- end }}
 {{- end -}}
+{{- if $projectedServiceAccountToken }}
+automountServiceAccountToken: false
+{{- end }}
 {{- end }}
diff --git a/examples/chart/teleport-cluster/templates/proxy/serviceaccount.yaml b/examples/chart/teleport-cluster/templates/proxy/serviceaccount.yaml
index 7f5ecd8c2d6f..4e26c23852c9 100644
--- a/examples/chart/teleport-cluster/templates/proxy/serviceaccount.yaml
+++ b/examples/chart/teleport-cluster/templates/proxy/serviceaccount.yaml
@@ -1,4 +1,5 @@
 {{- $proxy := mustMergeOverwrite (mustDeepCopy .Values) .Values.proxy -}}
+{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
 {{- if $proxy.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
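Review bot: The `semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version` expression is written out verbatim in both the auth template (this hunk) and the proxy template (the matching hunk in templates/proxy/serviceaccount.yaml), with no comment on why 1.20 is the threshold or why the `-0` suffix is there, so the two copies can drift the next time the minimum version moves. Consider moving the check into one named template in the chart's helpers and calling it from both files. Wherever it lives, a comment such as `{{- /* Kubernetes >= 1.20 has GA projected service-account token volumes, so the pods mount their own short-lived token instead of the auto-mounted one; the "-0" suffix keeps distro versions with a suffix (e.g. v1.20.3-gke.100, constructed example) from being treated as pre-releases and rejected by semverCompare. */ -}}` would record the intent for the next maintainer.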
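Review bot: `automountServiceAccountToken: false` on the ServiceAccount withholds the token from every pod that runs as it, not only the chart's own pods, and this commit does not touch the auth or proxy pod templates, so the change is only safe if those pod specs already mount a projected `serviceAccountToken` volume themselves (not visible here; worth confirming before merge). Operators who reuse the auth or proxy ServiceAccount for other workloads, or who rely on the auto-mounted token from inside a container, will see Kubernetes API calls fail for lack of a token on clusters >= 1.20, and nothing in the rendered manifest explains why. A short comment above the new `if`, e.g. `{{- # the pods project their own token volume, so the default mount is disabled to avoid leaving a second long-lived token on disk }}`, plus a line in the chart's values documentation, would make the behaviour change discoverable. The same applies to the matching hunk in templates/proxy/serviceaccount.yaml.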
@@ -13,4 +14,7 @@ metadata:
 {{- if $proxy.annotations.serviceAccount }}
 annotations: {{- toYaml $proxy.annotations.serviceAccount | nindent 4 }}
 {{- end -}}
+{{- if $projectedServiceAccountToken }}
+automountServiceAccountToken: false
+{{- end }}
 {{- end }}
diff --git a/examples/chart/teleport-cluster/tests/auth_serviceaccount_test.yaml b/examples/chart/teleport-cluster/tests/auth_serviceaccount_test.yaml
index 49e279933a97..2165131bac9f 100644
--- a/examples/chart/teleport-cluster/tests/auth_serviceaccount_test.yaml
+++ b/examples/chart/teleport-cluster/tests/auth_serviceaccount_test.yaml
@@ -50,3 +50,25 @@ tests:
 - equal:
 path: metadata.labels.baz
 value: overridden
+
+ - it: does not set automountServiceAccountToken if cluster version is <1.20
+ set:
+ clusterName: helm-lint
+ capabilities:
+ majorVersion: 1
+ minorVersion: 18
+ asserts:
+ - notEqual:
+ path: automountServiceAccountToken
+ value: false
+
+ - it: sets automountServiceAccountToken to false if cluster version is >=1.20
+ set:
+ clusterName: helm-lint
+ capabilities:
+ majorVersion: 1
+ minorVersion: 20
+ asserts:
+ - equal:
+ path: automountServiceAccountToken
+ value: false
diff --git a/examples/chart/teleport-cluster/tests/proxy_serviceaccount_test.yaml b/examples/chart/teleport-cluster/tests/proxy_serviceaccount_test.yaml
index 70198bd93902..fe3dee41bbc0 100644
--- a/examples/chart/teleport-cluster/tests/proxy_serviceaccount_test.yaml
+++ b/examples/chart/teleport-cluster/tests/proxy_serviceaccount_test.yaml
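Review bot: The 1.18 case in the new auth test asserts `notEqual` against `false`, which also passes if the key were rendered as `true` or any other value, so it does not pin the behaviour its `it:` line describes ("does not set automountServiceAccountToken"). If the helm-unittest version the chart uses supports it, `- isNull:` with `path: automountServiceAccountToken` (or its newer `notExists` equivalent) states the expectation exactly; otherwise a comment on the case saying the key is expected to be absent would at least document it. The same applies to the matching case in tests/proxy_serviceaccount_test.yaml. Neither file exercises a version string carrying a distro suffix, so the `-0` in the template's constraint has no test; if the test harness can supply such a version, a third case would cover it.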
@@ -40,3 +40,25 @@ tests:
 - equal:
 path: metadata.labels.baz
 value: overridden
+
+ - it: does not set automountServiceAccountToken if cluster version is <1.20
+ set:
+ clusterName: helm-lint
+ capabilities:
+ majorVersion: 1
+ minorVersion: 18
+ asserts:
+ - notEqual:
+ path: automountServiceAccountToken
+ value: false
+
+ - it: sets automountServiceAccountToken to false if cluster version is >=1.20
+ set:
+ clusterName: helm-lint
+ capabilities:
+ majorVersion: 1
+ minorVersion: 20
+ asserts:
+ - equal:
+ path: automountServiceAccountToken
+ value: false