Merge pull request #24 from factorhouse/feature/FAC-823_disable-automount-of-api-credentials

jaehyeon-kim · web-flow · commit 6379917b2685 · 2025-12-10T14:45:40.000+11:00
Add automountServiceAccountToken value and default to false
diff --git a/charts/flex-ce/templates/deployment.yaml b/charts/flex-ce/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "flex-ce.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
diff --git a/charts/flex-ce/values.schema.json b/charts/flex-ce/values.schema.json
@@ -167,6 +167,9 @@
                 }
             }
         },
+        "automountServiceAccountToken": {
+            "type": "boolean"
+        },
         "tolerations": {
             "type": "array"
         },
diff --git a/charts/flex-ce/values.yaml b/charts/flex-ce/values.yaml
@@ -25,6 +25,10 @@ serviceAccount:
   annotations: {}
   name: flex-ce
 
+# Controls if the K8s API token should be mounted in the pod.
+# It is set on the Pod to ensure enforcement.
+automountServiceAccountToken: false
+
 podAnnotations: {}
 
 podSecurityContext: {}
diff --git a/charts/flex/templates/deployment.yaml b/charts/flex/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "flex.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
diff --git a/charts/flex/values.schema.json b/charts/flex/values.schema.json
@@ -167,6 +167,9 @@
                 }
             }
         },
+        "automountServiceAccountToken": {
+            "type": "boolean"
+        },
         "tolerations": {
             "type": "array"
         },
diff --git a/charts/flex/values.yaml b/charts/flex/values.yaml
@@ -25,6 +25,10 @@ serviceAccount:
   annotations: {}
   name: flex
 
+# Controls if the K8s API token should be mounted in the pod.
+# It is set on the Pod to ensure enforcement.
+automountServiceAccountToken: false
+
 podAnnotations: {}
 
 podSecurityContext: {}
diff --git a/charts/kpow-aws-annual/templates/deployment.yaml b/charts/kpow-aws-annual/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "kpow.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
diff --git a/charts/kpow-aws-annual/values.schema.json b/charts/kpow-aws-annual/values.schema.json
@@ -210,6 +210,9 @@
                 }
             }
         },
+        "automountServiceAccountToken": {
+            "type": "boolean"
+        },
         "tolerations": {
             "type": "array"
         },
diff --git a/charts/kpow-aws-annual/values.yaml b/charts/kpow-aws-annual/values.yaml
@@ -41,6 +41,10 @@ serviceAccount:
   annotations: {}
   name: kpow
 
+# Controls if the K8s API token should be mounted in the pod.
+# It is set on the Pod to ensure enforcement.
+automountServiceAccountToken: false
+
 podAnnotations: {}
 
 podSecurityContext: {}
diff --git a/charts/kpow-aws-hourly/templates/deployment.yaml b/charts/kpow-aws-hourly/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "kpow.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
diff --git a/charts/kpow-aws-hourly/values.schema.json b/charts/kpow-aws-hourly/values.schema.json
@@ -202,6 +202,9 @@
                 }
             }
         },
+        "automountServiceAccountToken": {
+            "type": "boolean"
+        },
         "tolerations": {
             "type": "array"
         },
diff --git a/charts/kpow-aws-hourly/values.yaml b/charts/kpow-aws-hourly/values.yaml
@@ -37,6 +37,10 @@ serviceAccount:
   annotations: { }
   name: kpow
 
+# Controls if the K8s API token should be mounted in the pod.
+# It is set on the Pod to ensure enforcement.
+automountServiceAccountToken: false
+
 podAnnotations: { }
 
 podSecurityContext: { }
diff --git a/charts/kpow-ce/templates/deployment.yaml b/charts/kpow-ce/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "kpow-ce.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
diff --git a/charts/kpow-ce/values.schema.json b/charts/kpow-ce/values.schema.json
@@ -202,6 +202,9 @@
                 }
             }
         },
+        "automountServiceAccountToken": {
+            "type": "boolean"
+        },
         "tolerations": {
             "type": "array"
         },
diff --git a/charts/kpow-ce/values.yaml b/charts/kpow-ce/values.yaml
@@ -37,6 +37,10 @@ serviceAccount:
   annotations: { }
   name: kpow-ce
 
+# Controls if the K8s API token should be mounted in the pod.
+# It is set on the Pod to ensure enforcement.
+automountServiceAccountToken: false
+
 podAnnotations: { }
 
 podSecurityContext: { }
diff --git a/charts/kpow/templates/deployment.yaml b/charts/kpow/templates/deployment.yaml
@@ -28,6 +28,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "kpow.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       containers:
diff --git a/charts/kpow/values.schema.json b/charts/kpow/values.schema.json
@@ -202,6 +202,9 @@
                 }
             }
         },
+        "automountServiceAccountToken": {
+            "type": "boolean"
+        },
         "tolerations": {
             "type": "array"
         },
diff --git a/charts/kpow/values.yaml b/charts/kpow/values.yaml
@@ -37,6 +37,10 @@ serviceAccount:
   annotations: { }
   name: kpow
 
+# Controls if the K8s API token should be mounted in the pod.
+# It is set on the Pod to ensure enforcement.
+automountServiceAccountToken: false
+
 podAnnotations: { }
 
 podSecurityContext: { }

Original file line number	Diff line number	Diff line change
`@@ -167,6 +167,9 @@`
`167`	`167`	`}`
`168`	`168`	`}`
`169`	`169`	`},`
	`170`	`+ "automountServiceAccountToken": {`
	`171`	`+ "type": "boolean"`
	`172`	`+ },`
`170`	`173`	`"tolerations": {`
`171`	`174`	`"type": "array"`
`172`	`175`	`},`
Original file line number	Diff line number	Diff line change
`@@ -210,6 +210,9 @@`
`210`	`210`	`}`
`211`	`211`	`}`
`212`	`212`	`},`
	`213`	`+ "automountServiceAccountToken": {`
	`214`	`+ "type": "boolean"`
	`215`	`+ },`
`213`	`216`	`"tolerations": {`
`214`	`217`	`"type": "array"`
`215`	`218`	`},`