diff --git a/helm/charts/hydra/README.md b/helm/charts/hydra/README.md
index 6d65ade97d..40c3ecb933 100644
--- a/helm/charts/hydra/README.md
+++ b/helm/charts/hydra/README.md
@@ -53,7 +53,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | deployment.annotations | object | `{}` | Set custom deployment level annotations |
 | deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
 | deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected - name: FOO value: BAR |
-| deployment.automountServiceAccountToken | bool | `true` | |
+| deployment.automountServiceAccountToken | bool | `false` | |
 | deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":3,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Configure HPA |
 | deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
 | deployment.customLivenessProbe | object | `{}` | Configure a custom livenessProbe. This overwrites the default object |
@@ -185,6 +185,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
 | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
 | test.labels | object | `{}` | Provide additional labels to the test pod |
+| watcher.automountServiceAccountToken | bool | `true` | |
 | watcher.enabled | bool | `false` | |
 | watcher.image | string | `"oryd/k8s-toolbox:0.0.5"` | |
 | watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
@@ -192,6 +193,7 @@ A Helm chart for deploying ORY Hydra in Kubernetes
 | watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
 | watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
 | watcher.podSecurityContext | object | `{}` | pod securityContext for watcher deployment |
+| watcher.resources | object | `{}` | |
 | watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
 | watcher.securityContext | object | `{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"privileged":false,"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":100,"seccompProfile":{"type":"RuntimeDefault"}}` | container securityContext for watcher deployment |
 | watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
diff --git a/helm/charts/hydra/templates/deployment-watcher.yaml b/helm/charts/hydra/templates/deployment-watcher.yaml
index 1fa38ae544..a0393806f2 100644
--- a/helm/charts/hydra/templates/deployment-watcher.yaml
+++ b/helm/charts/hydra/templates/deployment-watcher.yaml
@@ -38,7 +38,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
- automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
+ automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
 serviceAccountName: {{ include "hydra.serviceAccountName" . }}-watcher
 terminationGracePeriodSeconds: {{ .Values.deployment.terminationGracePeriodSeconds }}
 containers:
@@ -60,6 +60,8 @@ spec:
 value: {{ .Values.watcher.mountFile | quote }}
 - name: LABEL_SELECTOR
 value: '{{ $.Values.watcher.watchLabelKey }}={{ include "hydra.name" . }}'
+ resources:
+ {{- toYaml .Values.watcher.resources | nindent 12 }}
 volumeMounts:
 {{- with .Values.deployment.extraVolumeMounts }}
 {{- toYaml . | nindent 12 }}
diff --git a/helm/charts/hydra/templates/janitor-cron-job-rbac.yaml b/helm/charts/hydra/templates/janitor-cron-job-rbac.yaml
index dcb2aa4a16..8a1d92d097 100644
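Review bot: The watcher pod spec now reads `.Values.watcher.automountServiceAccountToken`, whose new default is `true`, while the rbac-watcher.yaml hunk in this same diff sets the watcher ServiceAccount itself to `automountServiceAccountToken: false`; this only works because the pod-level field takes precedence over the ServiceAccount-level one, and nothing in the template or values says so. A user who sets the value to `false` leaves the watcher, which holds a Role in rbac-watcher.yaml, without any API credentials, presumably breaking whatever it does with the `LABEL_SELECTOR` it is given. Add a helm-docs comment where the value is defined, e.g. `# -- Mount the service account token into the watcher pod. The watcher needs it to use its Role; this pod-level setting overrides the ServiceAccount's automountServiceAccountToken`. The keto and kratos deployment-watcher.yaml hunks have the same gap.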
--- a/helm/charts/hydra/templates/janitor-cron-job-rbac.yaml
+++ b/helm/charts/hydra/templates/janitor-cron-job-rbac.yaml
@@ -13,4 +13,5 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: false
 {{- end -}}
\ No newline at end of file
diff --git a/helm/charts/hydra/templates/job-rbac.yaml b/helm/charts/hydra/templates/job-rbac.yaml
index c630ff57ec..96998d8ca0 100644
--- a/helm/charts/hydra/templates/job-rbac.yaml
+++ b/helm/charts/hydra/templates/job-rbac.yaml
@@ -13,4 +13,5 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: false
 {{- end -}}
\ No newline at end of file
diff --git a/helm/charts/hydra/templates/rbac-watcher.yaml b/helm/charts/hydra/templates/rbac-watcher.yaml
index 476d3b4035..d684993082 100644
--- a/helm/charts/hydra/templates/rbac-watcher.yaml
+++ b/helm/charts/hydra/templates/rbac-watcher.yaml
@@ -10,6 +10,7 @@ metadata:
 labels:
 app.kubernetes.io/name: {{ include "hydra.name" . }}-watcher
 app.kubernetes.io/instance: {{ .Release.Name }}
+automountServiceAccountToken: false
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/helm/charts/hydra/templates/rbac.yaml b/helm/charts/hydra/templates/rbac.yaml
index 7f7e8c91bb..3194899785 100644
--- a/helm/charts/hydra/templates/rbac.yaml
+++ b/helm/charts/hydra/templates/rbac.yaml
@@ -13,4 +13,5 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: false
 {{- end }}
diff --git a/helm/charts/hydra/values.yaml b/helm/charts/hydra/values.yaml
index 8d916beda7..61a5e1aa04 100644
--- a/helm/charts/hydra/values.yaml
+++ b/helm/charts/hydra/values.yaml
@@ -346,8 +346,7 @@ deployment:
 periodSeconds: 1
 timeoutSeconds: 1
- # https://github.com/kubernetes/kubernetes/issues/57601
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
 terminationGracePeriodSeconds: 60
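Review bot: The added `automountServiceAccountToken: false` on the janitor ServiceAccount only sets a default for pods that do not set the field in their own spec; the janitor CronJob template that uses this ServiceAccount is not in the diff, so confirm whether its pod spec sets the field explicitly, otherwise the janitor pods silently lose their token with this change. The same question applies to the job-rbac.yaml, rbac-watcher.yaml and rbac.yaml hunks here and to the corresponding keto, kratos and oathkeeper hunks. A one-line comment above the added line would save the next reader the lookup, e.g. `# Default only; a pod's spec.automountServiceAccountToken overrides this`.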
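Review bot: In the hydra values.yaml hunk the removed `# https://github.com/kubernetes/kubernetes/issues/57601` line was the only explanation attached to `deployment.automountServiceAccountToken`, and the new line carries no `# --` helm-docs comment, which is why the README row for this key in the diff has an empty description. Since the default flips from `true` to `false`, the comment should say what a user has to do if the application needs in-cluster API access, e.g. `# -- Mount the service account token into the main deployment pods. Disabled by default; set to true only if the pods must reach the Kubernetes API`. The kratos values.yaml deployment hunk removes the same link and has the same gap; the `deployment:` block continues outside the hunk in both files.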
@@ -488,6 +487,8 @@ watcher:
 # -- pod securityContext for watcher deployment
 podSecurityContext: {}
+ resources: {}
+ automountServiceAccountToken: true
 # -- container securityContext for watcher deployment
 securityContext:
diff --git a/helm/charts/keto/README.md b/helm/charts/keto/README.md
index 24262cb157..7d9712f31f 100644
--- a/helm/charts/keto/README.md
+++ b/helm/charts/keto/README.md
@@ -86,7 +86,7 @@ Access Control Policies as a Server
 | ingress.write.hosts[0].paths[0].pathType | string | `"Prefix"` | |
 | ingress.write.tls | list | `[]` | |
 | job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
-| job.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
+| job.automountServiceAccountToken | bool | `false` | Set automounting of the SA token |
 | job.extraContainers | string | `""` | If you want to add extra sidecar containers. |
 | job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected - name: FOO value: BAR |
 | job.extraInitContainers | string | `""` | If you want to add extra init containers. |
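Review bot: The two new watcher keys `resources: {}` and `automountServiceAccountToken: true` are added without the `# --` helm-docs comment that every neighbouring key in this hunk carries, so the README rows generated for them in this diff have empty descriptions. Suggested lines: `# -- Resource requests and limits for the watcher container` and `# -- Mount the service account token into the watcher pod; it needs the token to use its Role`. The keto and kratos values.yaml watcher hunks add the same two keys with the same omission; the `watcher:` block continues outside the hunk.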
@@ -165,12 +165,14 @@ Access Control Policies as a Server
 | serviceMonitor.tlsConfig | object | `{}` | TLS configuration to use when scraping the endpoint |
 | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
 | test.labels | object | `{}` | Provide additional labels to the test pod |
+| watcher.automountServiceAccountToken | bool | `true` | |
 | watcher.enabled | bool | `false` | |
 | watcher.image | string | `"oryd/k8s-toolbox:0.0.5"` | |
 | watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
 | watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
 | watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
 | watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
+| watcher.resources | object | `{}` | |
 | watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
 | watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
diff --git a/helm/charts/keto/templates/deployment-watcher.yaml b/helm/charts/keto/templates/deployment-watcher.yaml
index d7029e714f..ba05cfd07e 100644
--- a/helm/charts/keto/templates/deployment-watcher.yaml
+++ b/helm/charts/keto/templates/deployment-watcher.yaml
@@ -38,7 +38,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
- automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
+ automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
 serviceAccountName: {{ include "keto.serviceAccountName" . }}-watcher
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
@@ -62,6 +62,8 @@ spec:
 value: {{ .Values.watcher.mountFile | quote }}
 - name: LABEL_SELECTOR
 value: '{{ $.Values.watcher.watchLabelKey }}={{ include "keto.name" . }}'
+ resources:
+ {{- toYaml .Values.watcher.resources | nindent 12 }}
 volumeMounts:
 {{- with .Values.deployment.extraVolumeMounts }}
 {{- toYaml . | nindent 12 }}
diff --git a/helm/charts/keto/templates/job-rbac.yaml b/helm/charts/keto/templates/job-rbac.yaml
index 1b9e00f77f..a788af6c00 100644
--- a/helm/charts/keto/templates/job-rbac.yaml
+++ b/helm/charts/keto/templates/job-rbac.yaml
@@ -13,4 +13,5 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: false
 {{- end -}}
\ No newline at end of file
diff --git a/helm/charts/keto/templates/rbac-watcher.yaml b/helm/charts/keto/templates/rbac-watcher.yaml
index b75eb4e117..15a693a9f8 100644
--- a/helm/charts/keto/templates/rbac-watcher.yaml
+++ b/helm/charts/keto/templates/rbac-watcher.yaml
@@ -10,6 +10,7 @@ metadata:
 labels:
 app.kubernetes.io/name: {{ include "keto.name" . }}-watcher
 app.kubernetes.io/instance: {{ .Release.Name }}
+automountServiceAccountToken: false
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/helm/charts/keto/templates/rbac.yaml b/helm/charts/keto/templates/rbac.yaml
index 39657565a8..f616731adb 100644
--- a/helm/charts/keto/templates/rbac.yaml
+++ b/helm/charts/keto/templates/rbac.yaml
@@ -13,4 +13,5 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: false
 {{- end }}
\ No newline at end of file
diff --git a/helm/charts/keto/values.yaml b/helm/charts/keto/values.yaml
index 7356a9076b..8ebfaff42a 100644
--- a/helm/charts/keto/values.yaml
+++ b/helm/charts/keto/values.yaml
@@ -103,7 +103,7 @@ job:
 # command: [...]
 # -- Set automounting of the SA token
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
 # -- Set sharing process namespace
 shareProcessNamespace: false
@@ -427,6 +427,8 @@ watcher:
 watchLabelKey: "ory.sh/watcher"
 # -- Number of revisions kept in history
 revisionHistoryLimit: 5
+ automountServiceAccountToken: true
+ resources: {}
 ## -- PodDistributionBudget configuration
 pdb:
diff --git a/helm/charts/kratos/README.md b/helm/charts/kratos/README.md
index 068fccacbe..ea38e885b3 100644
--- a/helm/charts/kratos/README.md
+++ b/helm/charts/kratos/README.md
@@ -38,7 +38,7 @@ A ORY Kratos Helm chart for Kubernetes
 | deployment.annotations | object | `{}` | |
 | deployment.automigration | object | `{"extraEnv":[]}` | Parameters for the automigration initContainer |
 | deployment.automigration.extraEnv | list | `[]` | Array of extra envs to be passed to the initContainer. Kubernetes format is expected - name: FOO value: BAR |
-| deployment.automountServiceAccountToken | bool | `true` | |
+| deployment.automountServiceAccountToken | bool | `false` | |
 | deployment.customLivenessProbe | object | `{}` | Configure a custom livenessProbe. This overwrites the default object |
 | deployment.customReadinessProbe | object | `{}` | Configure a custom readinessProbe. This overwrites the default object |
 | deployment.customStartupProbe | object | `{}` | Configure a custom startupProbe. This overwrites the default object |
@@ -94,7 +94,7 @@ A ORY Kratos Helm chart for Kubernetes
 | ingress.public.hosts[0].paths[0].pathType | string | `"ImplementationSpecific"` | |
 | ingress.public.tls | list | `[]` | |
 | job.annotations | object | `{"helm.sh/hook":"pre-install, pre-upgrade","helm.sh/hook-delete-policy":"before-hook-creation,hook-succeeded","helm.sh/hook-weight":"1"}` | If you do want to specify annotations, uncomment the following lines, adjust them as necessary, and remove the curly braces after 'annotations:'. |
-| job.automountServiceAccountToken | bool | `true` | Set automounting of the SA token |
+| job.automountServiceAccountToken | bool | `false` | Set automounting of the SA token |
 | job.extraContainers | string | `""` | If you want to add extra sidecar containers. |
 | job.extraEnv | list | `[]` | Array of extra envs to be passed to the job. This takes precedence over deployment variables. Kubernetes format is expected - name: FOO value: BAR |
 | job.extraInitContainers | string | `""` | If you want to add extra init containers. |
@@ -203,12 +203,14 @@ A ORY Kratos Helm chart for Kubernetes
 | strategy.rollingUpdate.maxUnavailable | string | `"25%"` | |
 | strategy.type | string | `"RollingUpdate"` | |
 | test.busybox | object | `{"repository":"busybox","tag":1}` | use a busybox image from another repository |
+| watcher.automountServiceAccountToken | bool | `true` | |
 | watcher.enabled | bool | `false` | |
 | watcher.image | string | `"oryd/k8s-toolbox:0.0.5"` | |
 | watcher.mountFile | string | `""` | Path to mounted file, which wil be monitored for changes. eg: /etc/secrets/my-secret/foo |
 | watcher.podMetadata | object | `{"annotations":{},"labels":{}}` | Specify pod metadata, this metadata is added directly to the pod, and not higher objects |
 | watcher.podMetadata.annotations | object | `{}` | Extra pod level annotations |
 | watcher.podMetadata.labels | object | `{}` | Extra pod level labels |
+| watcher.resources | object | `{}` | |
 | watcher.revisionHistoryLimit | int | `5` | Number of revisions kept in history |
 | watcher.watchLabelKey | string | `"ory.sh/watcher"` | Label key used for managing applications |
diff --git a/helm/charts/kratos/templates/deployment-watcher.yaml b/helm/charts/kratos/templates/deployment-watcher.yaml
index 39ba0a4361..1569a02d03 100644
--- a/helm/charts/kratos/templates/deployment-watcher.yaml
+++ b/helm/charts/kratos/templates/deployment-watcher.yaml
@@ -38,7 +38,7 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
- automountServiceAccountToken: {{ .Values.deployment.automountServiceAccountToken }}
+ automountServiceAccountToken: {{ .Values.watcher.automountServiceAccountToken }}
 serviceAccountName: {{ include "kratos.serviceAccountName" . }}-watcher
 {{- with .Values.podSecurityContext }}
 securityContext:
@@ -64,6 +64,8 @@ spec:
 value: {{ .Values.watcher.mountFile | quote }}
 - name: LABEL_SELECTOR
 value: '{{ $.Values.watcher.watchLabelKey }}={{ include "kratos.name" . }}'
+ resources:
+ {{- toYaml .Values.watcher.resources | nindent 12 }}
 volumeMounts:
 {{- with .Values.deployment.extraVolumeMounts }}
 {{- toYaml . | nindent 12 }}
diff --git a/helm/charts/kratos/templates/job-rbac.yaml b/helm/charts/kratos/templates/job-rbac.yaml
index 1b78415b45..869915a3de 100644
--- a/helm/charts/kratos/templates/job-rbac.yaml
+++ b/helm/charts/kratos/templates/job-rbac.yaml
@@ -13,4 +13,5 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: false
 {{- end -}}
diff --git a/helm/charts/kratos/templates/rbac.yaml b/helm/charts/kratos/templates/rbac.yaml
index 76c4f26068..87e48e84d2 100644
--- a/helm/charts/kratos/templates/rbac.yaml
+++ b/helm/charts/kratos/templates/rbac.yaml
@@ -13,4 +13,5 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: false
 {{- end }}
diff --git a/helm/charts/kratos/values.yaml b/helm/charts/kratos/values.yaml
index 8ae576fc3b..bb258081d4 100644
--- a/helm/charts/kratos/values.yaml
+++ b/helm/charts/kratos/values.yaml
@@ -351,8 +351,7 @@ deployment:
 # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
 name: ""
- # https://github.com/kubernetes/kubernetes/issues/57601
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
 terminationGracePeriodSeconds: 60
@@ -579,7 +578,7 @@ job:
 # command: [...]
 # -- Set automounting of the SA token
- automountServiceAccountToken: true
+ automountServiceAccountToken: false
 # -- Set sharing process namespace
 shareProcessNamespace: false
@@ -630,6 +629,8 @@ watcher:
 watchLabelKey: "ory.sh/watcher"
 # -- Number of revisions kept in history
 revisionHistoryLimit: 5
+ automountServiceAccountToken: true
+ resources: {}
 # -- SQL cleanup cron job configuration
 cleanup:
diff --git a/helm/charts/oathkeeper/README.md b/helm/charts/oathkeeper/README.md
index 570a6a8604..8bda0beacb 100644
--- a/helm/charts/oathkeeper/README.md
+++ b/helm/charts/oathkeeper/README.md
@@ -31,7 +31,7 @@ A Helm chart for deploying ORY Oathkeeper in Kubernetes
 | configmap.hashSumEnabled | bool | `true` | switch to false to prevent checksum annotations being maintained and propogated to the pods |
 | demo | bool | `false` | If enabled, a demo deployment with exemplary access rules and JSON Web Key Secrets will be generated. |
 | deployment.annotations | object | `{}` | |
-| deployment.automountServiceAccountToken | bool | `false` | |
+| deployment.automountServiceAccountToken | bool | `true` | |
 | deployment.autoscaling | object | `{"behavior":{},"enabled":false,"maxReplicas":5,"minReplicas":1,"targetCPU":{},"targetMemory":{}}` | Configure horizontal pod autoscaler for deployment |
 | deployment.autoscaling.behavior | object | `{}` | Set custom behavior https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/#configurable-scaling-behavior |
 | deployment.customLivenessProbe | object | `{}` | Configure a custom livenessProbe. This overwrites the default object |
diff --git a/helm/charts/oathkeeper/templates/rbac.yaml b/helm/charts/oathkeeper/templates/rbac.yaml
index 694c8b2761..4008df83ce 100644
--- a/helm/charts/oathkeeper/templates/rbac.yaml
+++ b/helm/charts/oathkeeper/templates/rbac.yaml
@@ -13,4 +13,5 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: false
 {{- end }}
diff --git a/helm/charts/oathkeeper/values.yaml b/helm/charts/oathkeeper/values.yaml
index 8f9f2ff96d..e99fe8266d 100644
--- a/helm/charts/oathkeeper/values.yaml
+++ b/helm/charts/oathkeeper/values.yaml
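Review bot: The oathkeeper ServiceAccount now gets `automountServiceAccountToken: false` in rbac.yaml, but the oathkeeper values.yaml hunk that follows flips `deployment.automountServiceAccountToken` from `false` to `true`, the opposite direction from the hydra, keto and kratos charts in this diff; because the pod-level field takes precedence, oathkeeper pods keep receiving a token and the ServiceAccount-level `false` has no effect on them. If oathkeeper genuinely needs in-cluster API access, that should be stated where the value is set, e.g. `# -- Mount the service account token into the oathkeeper pods. Enabled by default because <reason>` with the reason filled in, since the removed issue link was the only rationale and nothing replaces it. If the flip is accidental, the default should be `false` to match the other charts and the ServiceAccount setting.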
@@ -283,8 +283,7 @@ deployment:
 # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
 name: ""
- # https://github.com/kubernetes/kubernetes/issues/57601
- automountServiceAccountToken: false
+ automountServiceAccountToken: true
 terminationGracePeriodSeconds: 60