From ab066bded8b8b5959241fc9e88beb36bae77f089 Mon Sep 17 00:00:00 2001
From: Aran Shavit
Date: Mon, 28 Oct 2024 18:10:19 +0200
Subject: [PATCH 1/2] Allow setting automountServiceAccountToken on workloads and serviceAccounts
Signed-off-by: Aran Shavit
---
 .../templates/controller/deployment.yaml | 1 +
 .../templates/controller/serviceaccount.yaml | 1 +
 .../templates/spark/serviceaccount.yaml | 1 +
 .../spark-operator-chart/templates/webhook/deployment.yaml | 1 +
 .../templates/webhook/serviceaccount.yaml | 1 +
 charts/spark-operator-chart/values.yaml | 6 ++++++
 6 files changed, 11 insertions(+)
diff --git a/charts/spark-operator-chart/templates/controller/deployment.yaml b/charts/spark-operator-chart/templates/controller/deployment.yaml
index 2a1fd5f19..3d3fa97f4 100644
--- a/charts/spark-operator-chart/templates/controller/deployment.yaml
+++ b/charts/spark-operator-chart/templates/controller/deployment.yaml
@@ -171,6 +171,7 @@ spec:
 priorityClassName: {{ . }}
 {{- end }}
 serviceAccountName: {{ include "spark-operator.controller.serviceAccountName" . }}
+ automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}
 {{- with .Values.controller.podSecurityContext }}
 securityContext:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/spark-operator-chart/templates/controller/serviceaccount.yaml b/charts/spark-operator-chart/templates/controller/serviceaccount.yaml
index 49c235869..ead82d4fd 100644
--- a/charts/spark-operator-chart/templates/controller/serviceaccount.yaml
+++ b/charts/spark-operator-chart/templates/controller/serviceaccount.yaml
@@ -17,6 +17,7 @@ limitations under the License.
 {{- if .Values.controller.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}
 metadata:
 name: {{ include "spark-operator.controller.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
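Review bot: The `automountServiceAccountToken` line added to the pod spec in controller/deployment.yaml is always rendered, and a pod-level value takes precedence over the one on the ServiceAccount. With the chart default of `true`, a release that sets `controller.serviceAccount.create: false` and points at its own ServiceAccount with automounting disabled now gets the token mounted anyway; before this patch the field was absent and the ServiceAccount's setting applied. Consider emitting the line only for an explicit boolean, with `{{- if kindIs "bool" .Values.controller.serviceAccount.automountServiceAccountToken }}` around it and the values.yaml default left unset, or state the override in the values comment. The webhook/deployment.yaml hunk has the same pattern, and both pod specs continue outside their hunks.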
diff --git a/charts/spark-operator-chart/templates/spark/serviceaccount.yaml b/charts/spark-operator-chart/templates/spark/serviceaccount.yaml
index de24d801e..e6f34b3c8 100644
--- a/charts/spark-operator-chart/templates/spark/serviceaccount.yaml
+++ b/charts/spark-operator-chart/templates/spark/serviceaccount.yaml
@@ -21,6 +21,7 @@ limitations under the License.
 ---
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ $.Values.spark.serviceAccount.automountServiceAccountToken }}
 metadata:
 name: {{ include "spark-operator.spark.serviceAccountName" $ }}
 namespace: {{ $jobNamespace }}
diff --git a/charts/spark-operator-chart/templates/webhook/deployment.yaml b/charts/spark-operator-chart/templates/webhook/deployment.yaml
index ae5167a6e..dd8c3a1ce 100644
--- a/charts/spark-operator-chart/templates/webhook/deployment.yaml
+++ b/charts/spark-operator-chart/templates/webhook/deployment.yaml
@@ -141,6 +141,7 @@ spec:
 priorityClassName: {{ . }}
 {{- end }}
 serviceAccountName: {{ include "spark-operator.webhook.serviceAccountName" . }}
+ automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
 {{- with .Values.webhook.podSecurityContext }}
 securityContext:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/spark-operator-chart/templates/webhook/serviceaccount.yaml b/charts/spark-operator-chart/templates/webhook/serviceaccount.yaml
index fea4a6bbe..63c5044e2 100644
--- a/charts/spark-operator-chart/templates/webhook/serviceaccount.yaml
+++ b/charts/spark-operator-chart/templates/webhook/serviceaccount.yaml
@@ -18,6 +18,7 @@ limitations under the License.
 {{- if .Values.webhook.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
 metadata:
 name: {{ include "spark-operator.webhook.serviceAccountName" . }}
 namespace: {{ .Release.Namespace }}
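Review bot: In spark/serviceaccount.yaml the flag is set only on the ServiceAccount object, so it acts as a default that any pod spec using this account can override, while the values.yaml comment describes it as controlling mounting "to the spark applications pods". Whether the driver and executor pods created for a Spark application set the pod-level field themselves is not visible in this patch; if they do, this value has no effect on them. Driver pods presumably also need API credentials to manage executors, so the comment should say what to expect when the value is `false`, for example `# -- Auto-mount service account token for pods using the spark service account; a pod-level setting takes precedence.`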
diff --git a/charts/spark-operator-chart/values.yaml b/charts/spark-operator-chart/values.yaml index 9032087c6..2cc1b70c7 100644 --- a/charts/spark-operator-chart/values.yaml +++ b/charts/spark-operator-chart/values.yaml @@ -87,6 +87,8 @@ controller: name: "" # -- Extra annotations for the controller service account. annotations: {} + # -- Auto-mount service account token to the controller pods. + automountServiceAccountToken: true rbac: # -- Specifies whether to create RBAC resources for the controller. @@ -231,6 +233,8 @@ webhook: name: "" # -- Extra annotations for the webhook service account. annotations: {} + # -- Auto-mount service account token to the webhook pods. + automountServiceAccountToken: true rbac: # -- Specifies whether to create RBAC resources for the webhook. @@ -331,6 +335,8 @@ spark: name: "" # -- Optional annotations for the spark service account. annotations: {} + # -- Auto-mount service account token to the spark applications pods. + automountServiceAccountToken: true rbac: # -- Specifies whether to create RBAC resources for spark applications. From 51c9630c0e8a08b5696539f2edf6c754bc57ef45 Mon Sep 17 00:00:00 2001 From: Aran Shavit Date: Tue, 29 Oct 2024 10:32:44 +0200 Subject: [PATCH 2/2] update helm docs Signed-off-by: Aran Shavit --- charts/spark-operator-chart/README.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/charts/spark-operator-chart/README.md b/charts/spark-operator-chart/README.md index c0e683b75..1ca0424b0 100644 --- a/charts/spark-operator-chart/README.md +++ b/charts/spark-operator-chart/README.md 
@@ -97,6 +97,7 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum
 | controller.serviceAccount.create | bool | `true` | Specifies whether to create a service account for the controller. |
 | controller.serviceAccount.name | string | `""` | Optional name for the controller service account. |
 | controller.serviceAccount.annotations | object | `{}` | Extra annotations for the controller service account. |
+| controller.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token to the controller pods. |
 | controller.rbac.create | bool | `true` | Specifies whether to create RBAC resources for the controller. |
 | controller.rbac.annotations | object | `{}` | Extra annotations for the controller RBAC resources. |
 | controller.labels | object | `{}` | Extra labels for controller pods. |
@@ -134,6 +135,7 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum
 | webhook.serviceAccount.create | bool | `true` | Specifies whether to create a service account for the webhook. |
 | webhook.serviceAccount.name | string | `""` | Optional name for the webhook service account. |
 | webhook.serviceAccount.annotations | object | `{}` | Extra annotations for the webhook service account. |
+| webhook.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token to the webhook pods. |
 | webhook.rbac.create | bool | `true` | Specifies whether to create RBAC resources for the webhook. |
 | webhook.rbac.annotations | object | `{}` | Extra annotations for the webhook RBAC resources. |
 | webhook.labels | object | `{}` | Extra labels for webhook pods. |
@@ -157,6 +159,7 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum
 | spark.serviceAccount.create | bool | `true` | Specifies whether to create a service account for spark applications. |
 | spark.serviceAccount.name | string | `""` | Optional name for the spark service account. |
 | spark.serviceAccount.annotations | object | `{}` | Optional annotations for the spark service account. |
+| spark.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token to the spark applications pods. |
 | spark.rbac.create | bool | `true` | Specifies whether to create RBAC resources for spark applications. |
 | spark.rbac.annotations | object | `{}` | Optional annotations for the spark application RBAC resources. |
 | prometheus.metrics.enable | bool | `true` | Specifies whether to enable prometheus metrics scraping. |