
fix: make automountServiceAccountToken configurable

Fixes https://github.com/prometheus-operator/prometheus-operator/issues/6270

Signed-off-by: Stefan Caraiman <stefanc.caraiman@gmail.com>
This commit is contained in:
Stefan Caraiman 2024-04-10 11:49:03 +03:00
parent 885f137f9f
commit 733d2fe5f6
17 changed files with 265 additions and 2 deletions

Documentation/api.md generated

@ -2021,6 +2021,21 @@ Prometheus Pods.</p>
</tr>
<tr>
<td>
<code>automountServiceAccountToken</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
If the field isn&rsquo;t set, the operator mounts the service account token by default.</p>
<p><strong>Warning:</strong> be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
It is possible to use strategic merge patch to project the service account token into the &lsquo;prometheus&rsquo; container.</p>
</td>
</tr>
<tr>
<td>
<code>secrets</code><br/>
<em>
[]string
@ -6544,6 +6559,21 @@ Prometheus Pods.</p>
</tr>
<tr>
<td>
<code>automountServiceAccountToken</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
If the field isn&rsquo;t set, the operator mounts the service account token by default.</p>
<p><strong>Warning:</strong> be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
It is possible to use strategic merge patch to project the service account token into the &lsquo;prometheus&rsquo; container.</p>
</td>
</tr>
<tr>
<td>
<code>secrets</code><br/>
<em>
[]string
@ -10654,6 +10684,21 @@ Prometheus Pods.</p>
</tr>
<tr>
<td>
<code>automountServiceAccountToken</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
If the field isn&rsquo;t set, the operator mounts the service account token by default.</p>
<p><strong>Warning:</strong> be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
It is possible to use strategic merge patch to project the service account token into the &lsquo;prometheus&rsquo; container.</p>
</td>
</tr>
<tr>
<td>
<code>secrets</code><br/>
<em>
[]string
@ -16581,6 +16626,21 @@ Prometheus Pods.</p>
</tr>
<tr>
<td>
<code>automountServiceAccountToken</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
If the field isn&rsquo;t set, the operator mounts the service account token by default.</p>
<p><strong>Warning:</strong> be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
It is possible to use strategic merge patch to project the service account token into the &lsquo;prometheus&rsquo; container.</p>
</td>
</tr>
<tr>
<td>
<code>secrets</code><br/>
<em>
[]string
@ -22639,6 +22699,21 @@ Prometheus Pods.</p>
</tr>
<tr>
<td>
<code>automountServiceAccountToken</code><br/>
<em>
bool
</em>
</td>
<td>
<em>(Optional)</em>
<p>AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
If the field isn&rsquo;t set, the operator mounts the service account token by default.</p>
<p><strong>Warning:</strong> be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
It is possible to use strategic merge patch to project the service account token into the &lsquo;prometheus&rsquo; container.</p>
</td>
</tr>
<tr>
<td>
<code>secrets</code><br/>
<em>
[]string

bundle.yaml generated

@ -16803,6 +16803,15 @@ spec:
deny:
type: boolean
type: object
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
If the field isn't set, the operator mounts the service account token by default.
**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
It is possible to use strategic merge patch to project the service account token into the 'prometheus' container.
type: boolean
bodySizeLimit:
description: |-
BodySizeLimit defines per-scrape on response body size.
@ -26743,6 +26752,15 @@ spec:
deny:
type: boolean
type: object
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
If the field isn't set, the operator mounts the service account token by default.
**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
It is possible to use strategic merge patch to project the service account token into the 'prometheus' container.
type: boolean
baseImage:
description: 'Deprecated: use ''spec.image'' instead.'
type: string


@ -1305,6 +1305,15 @@ spec:
deny:
type: boolean
type: object
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
If the field isn't set, the operator mounts the service account token by default.
**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
It is possible to use strategic merge patch to project the service account token into the 'prometheus' container.
type: boolean
bodySizeLimit:
description: |-
BodySizeLimit defines per-scrape on response body size.


@ -1752,6 +1752,15 @@ spec:
deny:
type: boolean
type: object
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
If the field isn't set, the operator mounts the service account token by default.
**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
It is possible to use strategic merge patch to project the service account token into the 'prometheus' container.
type: boolean
baseImage:
description: 'Deprecated: use ''spec.image'' instead.'
type: string


@ -1306,6 +1306,15 @@ spec:
deny:
type: boolean
type: object
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
If the field isn't set, the operator mounts the service account token by default.
**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
It is possible to use strategic merge patch to project the service account token into the 'prometheus' container.
type: boolean
bodySizeLimit:
description: |-
BodySizeLimit defines per-scrape on response body size.


@ -1753,6 +1753,15 @@ spec:
deny:
type: boolean
type: object
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
If the field isn't set, the operator mounts the service account token by default.
**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
It is possible to use strategic merge patch to project the service account token into the 'prometheus' container.
type: boolean
baseImage:
description: 'Deprecated: use ''spec.image'' instead.'
type: string


@ -1115,6 +1115,10 @@
},
"type": "object"
},
"automountServiceAccountToken": {
"description": "AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.\nIf the field isn't set, the operator mounts the service account token by default.\n\n\n**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.\nIt is possible to use strategic merge patch to project the service account token into the 'prometheus' container.",
"type": "boolean"
},
"bodySizeLimit": {
"description": "BodySizeLimit defines per-scrape on response body size.\nOnly valid in Prometheus versions 2.45.0 and newer.",
"pattern": "(^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$",


@ -1524,6 +1524,10 @@
},
"type": "object"
},
"automountServiceAccountToken": {
"description": "AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.\nIf the field isn't set, the operator mounts the service account token by default.\n\n\n**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.\nIt is possible to use strategic merge patch to project the service account token into the 'prometheus' container.",
"type": "boolean"
},
"baseImage": {
"description": "Deprecated: use 'spec.image' instead.",
"type": "string"


@ -356,6 +356,14 @@ type CommonPrometheusFields struct {
// Prometheus Pods.
ServiceAccountName string `json:"serviceAccountName,omitempty"`
// AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
// If the field isn't set, the operator mounts the service account token by default.
//
// **Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
// It is possible to use strategic merge patch to project the service account token into the 'prometheus' container.
// +optional
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
// Secrets is a list of Secrets in the same namespace as the Prometheus
// object, which shall be mounted into the Prometheus Pods.
// Each Secret is added to the StatefulSet definition as a volume named `secret-<secret-name>`.


@ -740,6 +740,11 @@ func (in *CommonPrometheusFields) DeepCopyInto(out *CommonPrometheusFields) {
(*out)[key] = val
}
}
if in.AutomountServiceAccountToken != nil {
in, out := &in.AutomountServiceAccountToken, &out.AutomountServiceAccountToken
*out = new(bool)
**out = **in
}
if in.Secrets != nil {
in, out := &in.Secrets, &out.Secrets
*out = make([]string, len(*in))


@ -62,6 +62,7 @@ type CommonPrometheusFieldsApplyConfiguration struct {
Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
NodeSelector map[string]string `json:"nodeSelector,omitempty"`
ServiceAccountName *string `json:"serviceAccountName,omitempty"`
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
Secrets []string `json:"secrets,omitempty"`
ConfigMaps []string `json:"configMaps,omitempty"`
Affinity *corev1.Affinity `json:"affinity,omitempty"`
@ -424,6 +425,14 @@ func (b *CommonPrometheusFieldsApplyConfiguration) WithServiceAccountName(value
return b
}
// WithAutomountServiceAccountToken sets the AutomountServiceAccountToken field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the AutomountServiceAccountToken field is set to the value of the last call.
func (b *CommonPrometheusFieldsApplyConfiguration) WithAutomountServiceAccountToken(value bool) *CommonPrometheusFieldsApplyConfiguration {
b.AutomountServiceAccountToken = &value
return b
}
// WithSecrets adds the given value to the Secrets field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Secrets field.


@ -367,6 +367,14 @@ func (b *PrometheusSpecApplyConfiguration) WithServiceAccountName(value string)
return b
}
// WithAutomountServiceAccountToken sets the AutomountServiceAccountToken field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the AutomountServiceAccountToken field is set to the value of the last call.
func (b *PrometheusSpecApplyConfiguration) WithAutomountServiceAccountToken(value bool) *PrometheusSpecApplyConfiguration {
b.AutomountServiceAccountToken = &value
return b
}
// WithSecrets adds the given value to the Secrets field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Secrets field.


@ -346,6 +346,14 @@ func (b *PrometheusAgentSpecApplyConfiguration) WithServiceAccountName(value str
return b
}
// WithAutomountServiceAccountToken sets the AutomountServiceAccountToken field in the declarative configuration to the given value
// and returns the receiver, so that objects can be built by chaining "With" function invocations.
// If called multiple times, the AutomountServiceAccountToken field is set to the value of the last call.
func (b *PrometheusAgentSpecApplyConfiguration) WithAutomountServiceAccountToken(value bool) *PrometheusAgentSpecApplyConfiguration {
b.AutomountServiceAccountToken = &value
return b
}
// WithSecrets adds the given value to the Secrets field in the declarative configuration
// and returns the receiver, so that objects can be build by chaining "With" function invocations.
// If called multiple times, values provided by each call will be appended to the Secrets field.


@ -370,7 +370,7 @@ func makeStatefulSetSpec(
InitContainers: initContainers,
SecurityContext: cpf.SecurityContext,
ServiceAccountName: cpf.ServiceAccountName,
AutomountServiceAccountToken: ptr.To(true),
AutomountServiceAccountToken: ptr.To(ptr.Deref(cpf.AutomountServiceAccountToken, true)),
NodeSelector: cpf.NodeSelector,
PriorityClassName: cpf.PriorityClassName,
// Prometheus may take quite long to shut down to checkpoint existing data.


@ -393,3 +393,47 @@ func TestPodTopologySpreadConstraintWithAdditionalLabels(t *testing.T) {
})
}
}
func TestAutomountServiceAccountToken(t *testing.T) {
for _, tc := range []struct {
name string
automountServiceAccountToken *bool
expectedValue bool
}{
{
name: "automountServiceAccountToken not set",
automountServiceAccountToken: nil,
expectedValue: true,
},
{
name: "automountServiceAccountToken set to true",
automountServiceAccountToken: ptr.To(true),
expectedValue: true,
},
{
name: "automountServiceAccountToken set to false",
automountServiceAccountToken: ptr.To(false),
expectedValue: false,
},
} {
t.Run(tc.name, func(t *testing.T) {
sset, err := makeStatefulSetFromPrometheus(monitoringv1alpha1.PrometheusAgent{
ObjectMeta: metav1.ObjectMeta{},
Spec: monitoringv1alpha1.PrometheusAgentSpec{
CommonPrometheusFields: monitoringv1.CommonPrometheusFields{
AutomountServiceAccountToken: tc.automountServiceAccountToken,
},
},
})
require.NoError(t, err)
if sset.Spec.Template.Spec.AutomountServiceAccountToken == nil {
t.Fatalf("expected automountServiceAccountToken to be set")
}
if *sset.Spec.Template.Spec.AutomountServiceAccountToken != tc.expectedValue {
t.Fatalf("expected automountServiceAccountToken to be %v", tc.expectedValue)
}
})
}
}
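Review bot: The two `if ... { t.Fatalf(...) }` checks after `require.NoError` mix plain testing calls with the testify `require` package the same test already uses; for consistency they can be `require.NotNil(t, sset.Spec.Template.Spec.AutomountServiceAccountToken)` and `require.Equal(t, tc.expectedValue, *sset.Spec.Template.Spec.AutomountServiceAccountToken)`, which also reports the actual value on failure where the current message only prints the expectation. The identical test added to the server package (hunk `@ -3157,3 +3157,47 @@`) has the same shape. TestAutomountServiceAccountToken is complete within the hunk.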


@ -473,7 +473,7 @@ func makeStatefulSetSpec(
InitContainers: initContainers,
SecurityContext: cpf.SecurityContext,
ServiceAccountName: cpf.ServiceAccountName,
AutomountServiceAccountToken: ptr.To(true),
AutomountServiceAccountToken: ptr.To(ptr.Deref(cpf.AutomountServiceAccountToken, true)),
NodeSelector: cpf.NodeSelector,
PriorityClassName: cpf.PriorityClassName,
// Prometheus may take quite long to shut down to checkpoint existing data.


@ -3157,3 +3157,47 @@ func TestIfThanosVersionDontHaveHttpClientFlag(t *testing.T) {
})
}
}
func TestAutomountServiceAccountToken(t *testing.T) {
for _, tc := range []struct {
name string
automountServiceAccountToken *bool
expectedValue bool
}{
{
name: "automountServiceAccountToken not set",
automountServiceAccountToken: nil,
expectedValue: true,
},
{
name: "automountServiceAccountToken set to true",
automountServiceAccountToken: ptr.To(true),
expectedValue: true,
},
{
name: "automountServiceAccountToken set to false",
automountServiceAccountToken: ptr.To(false),
expectedValue: false,
},
} {
t.Run(tc.name, func(t *testing.T) {
sset, err := makeStatefulSetFromPrometheus(monitoringv1.Prometheus{
ObjectMeta: metav1.ObjectMeta{},
Spec: monitoringv1.PrometheusSpec{
CommonPrometheusFields: monitoringv1.CommonPrometheusFields{
AutomountServiceAccountToken: tc.automountServiceAccountToken,
},
},
})
require.NoError(t, err)
if sset.Spec.Template.Spec.AutomountServiceAccountToken == nil {
t.Fatalf("expected automountServiceAccountToken to be set")
}
if *sset.Spec.Template.Spec.AutomountServiceAccountToken != tc.expectedValue {
t.Fatalf("expected automountServiceAccountToken to be %v", tc.expectedValue)
}
})
}
}