Merge pull request #420 from uselagoon/no-automountserviceaccounttoken

chore: dont automount serviceaccount token

Author: rocketeerbkw

internal/templating/templates_cronjob.go

@@ -99,6 +99,10 @@ func GenerateCronjobTemplate(
 						},
 					},
 				}
+
+				// disable automounted service account
+				cronjob.Spec.JobTemplate.Spec.Template.Spec.AutomountServiceAccountToken = helpers.BoolPtr(false)
+
 				cronjob.Spec.Schedule = nCronjob.Schedule
 				cronjob.Spec.ConcurrencyPolicy = batchv1.ForbidConcurrent
 				cronjob.Spec.SuccessfulJobsHistoryLimit = helpers.Int32Ptr(0)

internal/templating/templates_deployment.go

@@ -101,6 +101,9 @@ func GenerateDeploymentTemplate(
 			deployment.ObjectMeta.Labels = labels
 			deployment.ObjectMeta.Annotations = annotations
 
+			// disable automounted service account
+			deployment.Spec.Template.Spec.AutomountServiceAccountToken = helpers.BoolPtr(false)
+
 			if serviceValues.UseSpotInstances {
 				// handle spot instance label and affinity/tolerations/selectors
 				additionalLabels["lagoon.sh/spot"] = "true"

internal/templating/test-resources/cronjob/result-cli-1.yaml

@@ -45,6 +45,7 @@ spec:
             lagoon.sh/service-type: cli
             lagoon.sh/template: cli-0.1.0
         spec:
+          automountServiceAccountToken: false
           containers:
           - command:
             - /lagoon/cronjob.sh
@@ -138,6 +139,7 @@ spec:
             lagoon.sh/service-type: cli
             lagoon.sh/template: cli-0.1.0
         spec:
+          automountServiceAccountToken: false
           containers:
           - command:
             - /lagoon/cronjob.sh
@@ -231,6 +233,7 @@ spec:
             lagoon.sh/service-type: cli-persistent
             lagoon.sh/template: cli-persistent-0.1.0
         spec:
+          automountServiceAccountToken: false
           containers:
           - command:
             - /lagoon/cronjob.sh

internal/templating/test-resources/cronjob/result-cli-2.yaml

@@ -45,6 +45,7 @@ spec:
             lagoon.sh/service-type: cli
             lagoon.sh/template: cli-0.1.0
         spec:
+          automountServiceAccountToken: false
           containers:
           - command:
             - /lagoon/cronjob.sh
@@ -143,6 +144,7 @@ spec:
             lagoon.sh/service-type: cli
             lagoon.sh/template: cli-0.1.0
         spec:
+          automountServiceAccountToken: false
           containers:
           - command:
             - /lagoon/cronjob.sh
@@ -241,6 +243,7 @@ spec:
             lagoon.sh/service-type: cli-persistent
             lagoon.sh/template: cli-persistent-0.1.0
         spec:
+          automountServiceAccountToken: false
           containers:
           - command:
             - /lagoon/cronjob.sh

internal/templating/test-resources/cronjob/result-cli-3.yaml

@@ -45,6 +45,7 @@ spec:
             lagoon.sh/service-type: cli
             lagoon.sh/template: cli-0.1.0
         spec:
+          automountServiceAccountToken: false
           containers:
           - command:
             - /lagoon/cronjob.sh

internal/templating/test-resources/deployment/result-basic-1.yaml

@@ -44,6 +44,7 @@ spec:
         lagoon.sh/service-type: basic
         lagoon.sh/template: basic-0.1.0
     spec:
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: LAGOON_GIT_SHA
@@ -142,6 +143,7 @@ spec:
               - key: lagoon.sh/spot
                 operator: Exists
             weight: 1
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: LAGOON_GIT_SHA
@@ -234,6 +236,7 @@ spec:
         lagoon.sh/service-type: basic-persistent
         lagoon.sh/template: basic-persistent-0.1.0
     spec:
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: LAGOON_GIT_SHA
@@ -326,6 +329,7 @@ spec:
         lagoon.sh/service-type: basic-persistent
         lagoon.sh/template: basic-persistent-0.1.0
     spec:
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: LAGOON_GIT_SHA
@@ -418,6 +422,7 @@ spec:
         lagoon.sh/service-type: basic-persistent
         lagoon.sh/template: basic-persistent-0.1.0
     spec:
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: LAGOON_GIT_SHA

internal/templating/test-resources/deployment/result-basic-2.yaml

@@ -54,6 +54,7 @@ spec:
               - key: lagoon.sh/spot
                 operator: Exists
             weight: 1
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: LAGOON_GIT_SHA

internal/templating/test-resources/deployment/result-basic-3.yaml

@@ -54,6 +54,7 @@ spec:
               - key: lagoon.sh/spot
                 operator: Exists
             weight: 1
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: LAGOON_GIT_SHA

internal/templating/test-resources/deployment/result-basic-4.yaml

@@ -48,6 +48,7 @@ spec:
         lagoon.sh/service-type: basic-single
         lagoon.sh/template: basic-single-0.1.0
     spec:
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: LAGOON_GIT_SHA

internal/templating/test-resources/deployment/result-basic-5.yaml

@@ -44,6 +44,7 @@ spec:
         lagoon.sh/service-type: basic
         lagoon.sh/template: basic-0.1.0
     spec:
+      automountServiceAccountToken: false
       containers:
       - env:
         - name: LAGOON_GIT_SHA