
Commit 5fae3b4

authored Jan 15, 2024
[bitnami/redis] fix: 🔒 Do not use the default service account (#22028)
* [bitnami/redis] fix: 🔒 Do not use the default service account
  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
* test: ✅ Use correct service account path
  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
* test: ✅ Use correct service account path
  Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
---------
Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
1 parent 8577e38 commit 5fae3b4


5 files changed: +16 -16 lines changed

 

‎.vib/redis/goss/goss.yaml

+1-1
@@ -38,7 +38,7 @@ command:
3838
# or the one randomly defined by openshift (larger values). Otherwise, the chart is still using the default value.
3939
exec: if [ $(id -u) -lt {{ $uid }} ] || [ $(id -G | awk '{print $2}') -lt {{ $gid }} ]; then exit 1; fi
4040
exit-status: 0
41-
{{ if .Vars.serviceAccount.automountServiceAccountToken }}
41+
{{ if .Vars.master.serviceAccount.automountServiceAccountToken }}
4242
check-sa:
4343
exec: cat /var/run/secrets/kubernetes.io/serviceaccount/token | cut -d '.' -f 2 | xargs -I '{}' echo '{}====' | fold -w 4 | sed '$ d' | tr -d '\n' | base64 -d
4444
exit-status: 0
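
Review bot: the `check-sa` test under the `{{ if .Vars.master.serviceAccount.automountServiceAccountToken }}` guard only covers the case where the token is mounted, while this commit makes `false` the chart default. Consider adding an else branch that asserts `/var/run/secrets/kubernetes.io/serviceaccount/token` is absent, so the hardened default is actually verified. Separately, `exit-status: 0` reflects only the final `base64 -d` in that pipeline, so a failing `cat` earlier in the chain would not necessarily fail the check; testing for the file explicitly would make it stricter.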

‎.vib/redis/runtime-parameters.yaml

+4-4
@@ -23,6 +23,9 @@ master:
2323
ports:
2424
redis: 80
2525
type: LoadBalancer
26+
serviceAccount:
27+
create: true
28+
automountServiceAccountToken: true
2629
replica:
2730
replicaCount: 3
2831
containerPorts:
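
Review bot: setting `automountServiceAccountToken: true` under `master.serviceAccount` means the test run overrides the new default, so the configuration users get out of the box (token not mounted) is not what is exercised here. No matching `replica.serviceAccount` block is added in the visible lines, although the replica defaults change in the same commit; consider either covering both or documenting why only the master is tested with a mounted token.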
@@ -41,7 +44,4 @@ replica:
4144
redis: 6378
4245
type: ClusterIP
4346
sentinel:
44-
enabled: false
45-
serviceAccount:
46-
create: true
47-
automountServiceAccountToken: true
47+
enabled: false
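
Review bot: removing the top-level `serviceAccount` block here leaves that section on its chart default in the test run; if any pod still uses the top-level ServiceAccount, it would be worth saying so in the commit message. Also, `enabled: false` is removed and re-added with identical text, which points to a whitespace or end-of-file newline change; please confirm it is intentional.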

‎bitnami/redis/Chart.yaml

+1-1
@@ -34,4 +34,4 @@ maintainers:
3434
name: redis
3535
sources:
3636
- https://github.com/bitnami/charts/tree/main/bitnami/redis
37-
version: 18.6.3
37+
version: 18.6.4
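
Review bot: a patch bump from `18.6.3` to `18.6.4` carries a change of defaults (`serviceAccount.create` to `true` and `automountServiceAccountToken` to `false` for master and replica), which alters behaviour on upgrade for releases that relied on the mounted token. Consider a note in the README upgrade section, or a larger version bump, so that operators see it before upgrading.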

‎bitnami/redis/README.md

+5-5
@@ -228,9 +228,9 @@ The command removes all the Kubernetes components associated with the chart and
228228
| `master.service.sessionAffinity` | Session Affinity for Kubernetes service, can be "None" or "ClientIP" | `None` |
229229
| `master.service.sessionAffinityConfig` | Additional settings for the sessionAffinity | `{}` |
230230
| `master.terminationGracePeriodSeconds` | Integer setting the termination grace period for the redis-master pods | `30` |
231-
| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
231+
| `master.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
232232
| `master.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
233-
| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` |
233+
| `master.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
234234
| `master.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
235235

236236
### Redis&reg; replicas configuration parameters
@@ -346,9 +346,9 @@ The command removes all the Kubernetes components associated with the chart and
346346
| `replica.autoscaling.maxReplicas` | Maximum replicas for the pod autoscaling | `11` |
347347
| `replica.autoscaling.targetCPU` | Percentage of CPU to consider when autoscaling | `""` |
348348
| `replica.autoscaling.targetMemory` | Percentage of Memory to consider when autoscaling | `""` |
349-
| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `false` |
349+
| `replica.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
350350
| `replica.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
351-
| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` |
351+
| `replica.serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
352352
| `replica.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
353353

354354
### Redis&reg; Sentinel configuration parameters
@@ -466,7 +466,7 @@ The command removes all the Kubernetes components associated with the chart and
466466
| `rbac.rules` | Custom RBAC rules to set | `[]` |
467467
| `serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
468468
| `serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
469-
| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `true` |
469+
| `serviceAccount.automountServiceAccountToken` | Whether to auto mount the service account token | `false` |
470470
| `serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
471471
| `pdb.create` | Specifies whether a PodDisruptionBudget should be created | `false` |
472472
| `pdb.minAvailable` | Min number of pods that must still be available after the eviction | `1` |
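
Review bot: with this line there are three separate `automountServiceAccountToken` parameters (`master.serviceAccount`, `replica.serviceAccount` and top-level `serviceAccount`), all described with the same sentence. The table should say which pods each one applies to and that workloads needing API access must now set the flag to `true` explicitly.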

‎bitnami/redis/values.yaml

+5-5
@@ -576,15 +576,15 @@ master:
576576
serviceAccount:
577577
## @param master.serviceAccount.create Specifies whether a ServiceAccount should be created
578578
##
579-
create: false
579+
create: true
580580
## @param master.serviceAccount.name The name of the ServiceAccount to use.
581581
## If not set and create is true, a name is generated using the common.names.fullname template
582582
##
583583
name: ""
584584
## @param master.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token
585585
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
586586
##
587-
automountServiceAccountToken: true
587+
automountServiceAccountToken: false
588588
## @param master.serviceAccount.annotations Additional custom annotations for the ServiceAccount
589589
##
590590
annotations: {}
@@ -1037,15 +1037,15 @@ replica:
10371037
serviceAccount:
10381038
## @param replica.serviceAccount.create Specifies whether a ServiceAccount should be created
10391039
##
1040-
create: false
1040+
create: true
10411041
## @param replica.serviceAccount.name The name of the ServiceAccount to use.
10421042
## If not set and create is true, a name is generated using the common.names.fullname template
10431043
##
10441044
name: ""
10451045
## @param replica.serviceAccount.automountServiceAccountToken Whether to auto mount the service account token
10461046
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
10471047
##
1048-
automountServiceAccountToken: true
1048+
automountServiceAccountToken: false
10491049
## @param replica.serviceAccount.annotations Additional custom annotations for the ServiceAccount
10501050
##
10511051
annotations: {}
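
Review bot: with `create: true` now the default for both `master.serviceAccount` and `replica.serviceAccount`, and `name: ""` in each, the comments in both blocks say the name is generated using the `common.names.fullname` template. Please confirm the templates produce distinct names for the two ServiceAccounts, and update the comments to state the actual generated names.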
@@ -1487,7 +1487,7 @@ serviceAccount:
14871487
## @param serviceAccount.automountServiceAccountToken Whether to auto mount the service account token
14881488
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#use-the-default-service-account-to-access-the-api-server
14891489
##
1490-
automountServiceAccountToken: true
1490+
automountServiceAccountToken: false
14911491
## @param serviceAccount.annotations Additional custom annotations for the ServiceAccount
14921492
##
14931493
annotations: {}
