Allow setting automountServiceAccountToken (kubeflow#2298)

* Allow setting automountServiceAccountToken on workloads and serviceAccounts

Signed-off-by: Aran Shavit <[email protected]>

* update helm docs

Signed-off-by: Aran Shavit <[email protected]>

---------

Signed-off-by: Aran Shavit <[email protected]>

charts/spark-operator-chart/README.md

@@ -97,6 +97,7 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum
 | controller.serviceAccount.create | bool | `true` | Specifies whether to create a service account for the controller. |
 | controller.serviceAccount.name | string | `""` | Optional name for the controller service account. |
 | controller.serviceAccount.annotations | object | `{}` | Extra annotations for the controller service account. |
+| controller.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token to the controller pods. |
 | controller.rbac.create | bool | `true` | Specifies whether to create RBAC resources for the controller. |
 | controller.rbac.annotations | object | `{}` | Extra annotations for the controller RBAC resources. |
 | controller.labels | object | `{}` | Extra labels for controller pods. |
@@ -134,6 +135,7 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum
 | webhook.serviceAccount.create | bool | `true` | Specifies whether to create a service account for the webhook. |
 | webhook.serviceAccount.name | string | `""` | Optional name for the webhook service account. |
 | webhook.serviceAccount.annotations | object | `{}` | Extra annotations for the webhook service account. |
+| webhook.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token to the webhook pods. |
 | webhook.rbac.create | bool | `true` | Specifies whether to create RBAC resources for the webhook. |
 | webhook.rbac.annotations | object | `{}` | Extra annotations for the webhook RBAC resources. |
 | webhook.labels | object | `{}` | Extra labels for webhook pods. |
@@ -157,6 +159,7 @@ See [helm uninstall](https://helm.sh/docs/helm/helm_uninstall) for command docum
 | spark.serviceAccount.create | bool | `true` | Specifies whether to create a service account for spark applications. |
 | spark.serviceAccount.name | string | `""` | Optional name for the spark service account. |
 | spark.serviceAccount.annotations | object | `{}` | Optional annotations for the spark service account. |
+| spark.serviceAccount.automountServiceAccountToken | bool | `true` | Auto-mount service account token to the spark applications pods. |
 | spark.rbac.create | bool | `true` | Specifies whether to create RBAC resources for spark applications. |
 | spark.rbac.annotations | object | `{}` | Optional annotations for the spark application RBAC resources. |
 | prometheus.metrics.enable | bool | `true` | Specifies whether to enable prometheus metrics scraping. |

charts/spark-operator-chart/templates/controller/deployment.yaml

@@ -171,6 +171,7 @@ spec:
       priorityClassName: {{ . }}
       {{- end }}
       serviceAccountName: {{ include "spark-operator.controller.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}
       {{- with .Values.controller.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}

charts/spark-operator-chart/templates/controller/serviceaccount.yaml

@@ -17,6 +17,7 @@ limitations under the License.
 {{- if .Values.controller.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.controller.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ include "spark-operator.controller.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}

charts/spark-operator-chart/templates/spark/serviceaccount.yaml

@@ -21,6 +21,7 @@ limitations under the License.
 ---
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ $.Values.spark.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ include "spark-operator.spark.serviceAccountName" $ }}
   namespace: {{ $jobNamespace }}

charts/spark-operator-chart/templates/webhook/deployment.yaml

@@ -141,6 +141,7 @@ spec:
       priorityClassName: {{ . }}
       {{- end }}
       serviceAccountName: {{ include "spark-operator.webhook.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
       {{- with .Values.webhook.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}

charts/spark-operator-chart/templates/webhook/serviceaccount.yaml

@@ -18,6 +18,7 @@ limitations under the License.
 {{- if .Values.webhook.serviceAccount.create -}}
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ include "spark-operator.webhook.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}

charts/spark-operator-chart/values.yaml

@@ -87,6 +87,8 @@ controller:
     name: ""
     # -- Extra annotations for the controller service account.
     annotations: {}
+    # -- Auto-mount service account token to the controller pods.
+    automountServiceAccountToken: true
 
   rbac:
     # -- Specifies whether to create RBAC resources for the controller.
@@ -231,6 +233,8 @@ webhook:
     name: ""
     # -- Extra annotations for the webhook service account.
     annotations: {}
+    # -- Auto-mount service account token to the webhook pods.
+    automountServiceAccountToken: true
 
   rbac:
     # -- Specifies whether to create RBAC resources for the webhook.
@@ -331,6 +335,8 @@ spark:
     name: ""
     # -- Optional annotations for the spark service account.
     annotations: {}
+    # -- Auto-mount service account token to the spark applications pods.
+    automountServiceAccountToken: true
 
   rbac:
     # -- Specifies whether to create RBAC resources for spark applications.