diff --git a/Documentation/api.md b/Documentation/api.md index 0489f793b..55babc17d 100644 --- a/Documentation/api.md +++ b/Documentation/api.md @@ -2021,6 +2021,21 @@ Prometheus Pods.</p> </tr> <tr> <td> +<code>automountServiceAccountToken</code><br/> +<em> +bool +</em> +</td> +<td> +<em>(Optional)</em> +<p>AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. +If the field isn’t set, the operator mounts the service account token by default.</p> +<p><strong>Warning:</strong> be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. +It is possible to use strategic merge patch to project the service account token into the ‘prometheus’ container.</p> +</td> +</tr> +<tr> +<td> <code>secrets</code><br/> <em> []string @@ -6544,6 +6559,21 @@ Prometheus Pods.</p> </tr> <tr> <td> +<code>automountServiceAccountToken</code><br/> +<em> +bool +</em> +</td> +<td> +<em>(Optional)</em> +<p>AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. +If the field isn’t set, the operator mounts the service account token by default.</p> +<p><strong>Warning:</strong> be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. +It is possible to use strategic merge patch to project the service account token into the ‘prometheus’ container.</p> +</td> +</tr> +<tr> +<td> <code>secrets</code><br/> <em> []string 
@@ -10654,6 +10684,21 @@ Prometheus Pods.</p> </tr> <tr> <td> +<code>automountServiceAccountToken</code><br/> +<em> +bool +</em> +</td> +<td> +<em>(Optional)</em> +<p>AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. +If the field isn’t set, the operator mounts the service account token by default.</p> +<p><strong>Warning:</strong> be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. +It is possible to use strategic merge patch to project the service account token into the ‘prometheus’ container.</p> +</td> +</tr> +<tr> +<td> <code>secrets</code><br/> <em> []string @@ -16581,6 +16626,21 @@ Prometheus Pods.</p> </tr> <tr> <td> +<code>automountServiceAccountToken</code><br/> +<em> +bool +</em> +</td> +<td> +<em>(Optional)</em> +<p>AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. +If the field isn’t set, the operator mounts the service account token by default.</p> +<p><strong>Warning:</strong> be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. +It is possible to use strategic merge patch to project the service account token into the ‘prometheus’ container.</p> +</td> +</tr> +<tr> +<td> <code>secrets</code><br/> <em> []string 
@@ -22639,6 +22699,21 @@ Prometheus Pods.</p> </tr> <tr> <td> +<code>automountServiceAccountToken</code><br/> +<em> +bool +</em> +</td> +<td> +<em>(Optional)</em> +<p>AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. +If the field isn’t set, the operator mounts the service account token by default.</p> +<p><strong>Warning:</strong> be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. +It is possible to use strategic merge patch to project the service account token into the ‘prometheus’ container.</p> +</td> +</tr> +<tr> +<td> <code>secrets</code><br/> <em> []string diff --git a/bundle.yaml b/bundle.yaml index 1c8ca532a..8a3199d4d 100644 --- a/bundle.yaml +++ b/bundle.yaml @@ -16803,6 +16803,15 @@ spec: deny: type: boolean type: object + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. + If the field isn't set, the operator mounts the service account token by default. + + + **Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. + It is possible to use strategic merge patch to project the service account token into the 'prometheus' container. + type: boolean bodySizeLimit: description: |- BodySizeLimit defines per-scrape on response body size. 
@@ -26743,6 +26752,15 @@ spec: deny: type: boolean type: object + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. + If the field isn't set, the operator mounts the service account token by default. + + + **Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. + It is possible to use strategic merge patch to project the service account token into the 'prometheus' container. + type: boolean baseImage: description: 'Deprecated: use ''spec.image'' instead.' type: string diff --git a/example/prometheus-operator-crd-full/monitoring.coreos.com_prometheusagents.yaml b/example/prometheus-operator-crd-full/monitoring.coreos.com_prometheusagents.yaml index 2bf552974..4698c8b2a 100644 --- a/example/prometheus-operator-crd-full/monitoring.coreos.com_prometheusagents.yaml +++ b/example/prometheus-operator-crd-full/monitoring.coreos.com_prometheusagents.yaml @@ -1305,6 +1305,15 @@ spec: deny: type: boolean type: object + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. + If the field isn't set, the operator mounts the service account token by default. + + + **Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. + It is possible to use strategic merge patch to project the service account token into the 'prometheus' container. + type: boolean bodySizeLimit: description: |- BodySizeLimit defines per-scrape on response body size. diff --git a/example/prometheus-operator-crd-full/monitoring.coreos.com_prometheuses.yaml b/example/prometheus-operator-crd-full/monitoring.coreos.com_prometheuses.yaml index df1d52cc2..ce550cf7f 100644 --- a/example/prometheus-operator-crd-full/monitoring.coreos.com_prometheuses.yaml 
+++ b/example/prometheus-operator-crd-full/monitoring.coreos.com_prometheuses.yaml @@ -1752,6 +1752,15 @@ spec: deny: type: boolean type: object + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. + If the field isn't set, the operator mounts the service account token by default. + + + **Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. + It is possible to use strategic merge patch to project the service account token into the 'prometheus' container. + type: boolean baseImage: description: 'Deprecated: use ''spec.image'' instead.' type: string diff --git a/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml b/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml index 99356209f..852d6eaba 100644 --- a/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml +++ b/example/prometheus-operator-crd/monitoring.coreos.com_prometheusagents.yaml @@ -1306,6 +1306,15 @@ spec: deny: type: boolean type: object + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. + If the field isn't set, the operator mounts the service account token by default. + + + **Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. + It is possible to use strategic merge patch to project the service account token into the 'prometheus' container. + type: boolean bodySizeLimit: description: |- BodySizeLimit defines per-scrape on response body size. diff --git a/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml b/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml index c660e7fc4..228a16983 100644 
--- a/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml +++ b/example/prometheus-operator-crd/monitoring.coreos.com_prometheuses.yaml @@ -1753,6 +1753,15 @@ spec: deny: type: boolean type: object + automountServiceAccountToken: + description: |- + AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod. + If the field isn't set, the operator mounts the service account token by default. + + + **Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery. + It is possible to use strategic merge patch to project the service account token into the 'prometheus' container. + type: boolean baseImage: description: 'Deprecated: use ''spec.image'' instead.' type: string diff --git a/jsonnet/prometheus-operator/prometheusagents-crd.json b/jsonnet/prometheus-operator/prometheusagents-crd.json index d068c5175..9e2208b55 100644 --- a/jsonnet/prometheus-operator/prometheusagents-crd.json +++ b/jsonnet/prometheus-operator/prometheusagents-crd.json @@ -1115,6 +1115,10 @@ }, "type": "object" }, + "automountServiceAccountToken": { + "description": "AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.\nIf the field isn't set, the operator mounts the service account token by default.\n\n\n**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.\nIt is possible to use strategic merge patch to project the service account token into the 'prometheus' container.", + "type": "boolean" + }, "bodySizeLimit": { "description": "BodySizeLimit defines per-scrape on response body size.\nOnly valid in Prometheus versions 2.45.0 and newer.", "pattern": "(^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$", diff --git a/jsonnet/prometheus-operator/prometheuses-crd.json b/jsonnet/prometheus-operator/prometheuses-crd.json index 1044a848f..6e09dbccd 100644 
--- a/jsonnet/prometheus-operator/prometheuses-crd.json
+++ b/jsonnet/prometheus-operator/prometheuses-crd.json
@@ -1524,6 +1524,10 @@ }, "type": "object" }, + "automountServiceAccountToken": { + "description": "AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.\nIf the field isn't set, the operator mounts the service account token by default.\n\n\n**Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.\nIt is possible to use strategic merge patch to project the service account token into the 'prometheus' container.", + "type": "boolean" + }, "baseImage": { "description": "Deprecated: use 'spec.image' instead.", "type": "string"
diff --git a/pkg/apis/monitoring/v1/prometheus_types.go b/pkg/apis/monitoring/v1/prometheus_types.go
index 4a6e4a21e..18bfd34b7 100644
--- a/pkg/apis/monitoring/v1/prometheus_types.go
+++ b/pkg/apis/monitoring/v1/prometheus_types.go
@@ -356,6 +356,14 @@ type CommonPrometheusFields struct {
 // Prometheus Pods.
 ServiceAccountName string `json:"serviceAccountName,omitempty"`
 
+ // AutomountServiceAccountToken indicates whether a service account token should be automatically mounted in the pod.
+ // If the field isn't set, the operator mounts the service account token by default.
+ //
+ // **Warning:** be aware that by default, Prometheus requires the service account token for Kubernetes service discovery.
+ // It is possible to use strategic merge patch to project the service account token into the 'prometheus' container.
+ // +optional
+ AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
+
 // Secrets is a list of Secrets in the same namespace as the Prometheus
 // object, which shall be mounted into the Prometheus Pods.
 // Each Secret is added to the StatefulSet definition as a volume named `secret-<secret-name>`.
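Review bot: The new doc comment says the operator mounts the token "by default" when the field is unset, but the pod templates (the agent and server statefulset.go hunks further down) always write the pod-level field explicitly via `ptr.To(ptr.Deref(cpf.AutomountServiceAccountToken, true))`, and as far as I recall Kubernetes gives the pod-level setting precedence over the ServiceAccount's own `automountServiceAccountToken`, so an opt-out configured on the ServiceAccount is silently overridden unless this field is set to false. That is worth stating in the API doc so users hardening their ServiceAccounts know where the switch actually lives, e.g. add `// Note: the operator always sets the pod-level field explicitly, so the ServiceAccount's own automountServiceAccountToken setting does not apply; set this field to false to opt out (for example when Kubernetes service discovery is not used).` The CommonPrometheusFields struct continues outside the hunk.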
diff --git a/pkg/apis/monitoring/v1/zz_generated.deepcopy.go b/pkg/apis/monitoring/v1/zz_generated.deepcopy.go index e921ee27f..8b797c13a 100644 --- a/pkg/apis/monitoring/v1/zz_generated.deepcopy.go +++ b/pkg/apis/monitoring/v1/zz_generated.deepcopy.go @@ -740,6 +740,11 @@ func (in *CommonPrometheusFields) DeepCopyInto(out *CommonPrometheusFields) { (*out)[key] = val } } + if in.AutomountServiceAccountToken != nil { + in, out := &in.AutomountServiceAccountToken, &out.AutomountServiceAccountToken + *out = new(bool) + **out = **in + } if in.Secrets != nil { in, out := &in.Secrets, &out.Secrets *out = make([]string, len(*in)) diff --git a/pkg/client/applyconfiguration/monitoring/v1/commonprometheusfields.go b/pkg/client/applyconfiguration/monitoring/v1/commonprometheusfields.go index 47132da99..f2029fe38 100644 --- a/pkg/client/applyconfiguration/monitoring/v1/commonprometheusfields.go +++ b/pkg/client/applyconfiguration/monitoring/v1/commonprometheusfields.go @@ -62,6 +62,7 @@ type CommonPrometheusFieldsApplyConfiguration struct { Resources *corev1.ResourceRequirements `json:"resources,omitempty"` NodeSelector map[string]string `json:"nodeSelector,omitempty"` ServiceAccountName *string `json:"serviceAccountName,omitempty"` + AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"` Secrets []string `json:"secrets,omitempty"` ConfigMaps []string `json:"configMaps,omitempty"` Affinity *corev1.Affinity `json:"affinity,omitempty"` 
@@ -424,6 +425,14 @@ func (b *CommonPrometheusFieldsApplyConfiguration) WithServiceAccountName(value return b } +// WithAutomountServiceAccountToken sets the AutomountServiceAccountToken field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the AutomountServiceAccountToken field is set to the value of the last call. +func (b *CommonPrometheusFieldsApplyConfiguration) WithAutomountServiceAccountToken(value bool) *CommonPrometheusFieldsApplyConfiguration { + b.AutomountServiceAccountToken = &value + return b +} + // WithSecrets adds the given value to the Secrets field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Secrets field. diff --git a/pkg/client/applyconfiguration/monitoring/v1/prometheusspec.go b/pkg/client/applyconfiguration/monitoring/v1/prometheusspec.go index fedbab4cb..b05829ee3 100644 --- a/pkg/client/applyconfiguration/monitoring/v1/prometheusspec.go +++ b/pkg/client/applyconfiguration/monitoring/v1/prometheusspec.go 
@@ -367,6 +367,14 @@ func (b *PrometheusSpecApplyConfiguration) WithServiceAccountName(value string) return b } +// WithAutomountServiceAccountToken sets the AutomountServiceAccountToken field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the AutomountServiceAccountToken field is set to the value of the last call. +func (b *PrometheusSpecApplyConfiguration) WithAutomountServiceAccountToken(value bool) *PrometheusSpecApplyConfiguration { + b.AutomountServiceAccountToken = &value + return b +} + // WithSecrets adds the given value to the Secrets field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Secrets field. diff --git a/pkg/client/applyconfiguration/monitoring/v1alpha1/prometheusagentspec.go b/pkg/client/applyconfiguration/monitoring/v1alpha1/prometheusagentspec.go index 894ed96bf..ae07efb80 100644 --- a/pkg/client/applyconfiguration/monitoring/v1alpha1/prometheusagentspec.go +++ b/pkg/client/applyconfiguration/monitoring/v1alpha1/prometheusagentspec.go 
@@ -346,6 +346,14 @@ func (b *PrometheusAgentSpecApplyConfiguration) WithServiceAccountName(value str return b } +// WithAutomountServiceAccountToken sets the AutomountServiceAccountToken field in the declarative configuration to the given value +// and returns the receiver, so that objects can be built by chaining "With" function invocations. +// If called multiple times, the AutomountServiceAccountToken field is set to the value of the last call. +func (b *PrometheusAgentSpecApplyConfiguration) WithAutomountServiceAccountToken(value bool) *PrometheusAgentSpecApplyConfiguration { + b.AutomountServiceAccountToken = &value + return b +} + // WithSecrets adds the given value to the Secrets field in the declarative configuration // and returns the receiver, so that objects can be build by chaining "With" function invocations. // If called multiple times, values provided by each call will be appended to the Secrets field.
diff --git a/pkg/prometheus/agent/statefulset.go b/pkg/prometheus/agent/statefulset.go
index 36ce6858f..e90a26f96 100644
--- a/pkg/prometheus/agent/statefulset.go
+++ b/pkg/prometheus/agent/statefulset.go
@@ -370,7 +370,7 @@ func makeStatefulSetSpec(
 InitContainers: initContainers,
 SecurityContext: cpf.SecurityContext,
 ServiceAccountName: cpf.ServiceAccountName,
- AutomountServiceAccountToken: ptr.To(true),
+ AutomountServiceAccountToken: ptr.To(ptr.Deref(cpf.AutomountServiceAccountToken, true)),
 NodeSelector: cpf.NodeSelector,
 PriorityClassName: cpf.PriorityClassName,
 // Prometheus may take quite long to shut down to checkpoint existing data.
diff --git a/pkg/prometheus/agent/statefulset_test.go b/pkg/prometheus/agent/statefulset_test.go
index e77819377..a2356b55d 100644
--- a/pkg/prometheus/agent/statefulset_test.go
+++ b/pkg/prometheus/agent/statefulset_test.go
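Review bot: The fallback to `true` in the changed line deserves a why-comment, since it is the line that decides whether every agent pod gets a projected token regardless of what the ServiceAccount declares; a reader seeing `ptr.Deref(..., true)` cannot tell whether the explicit default is deliberate or a leftover of the previous hard-coded `ptr.To(true)`. Suggest `// Default to true because Prometheus needs the token for Kubernetes service discovery; an explicit pod-level value also takes precedence over the ServiceAccount's own automountServiceAccountToken.` above the field. The identical line in the server statefulset.go hunk below would take the same comment. makeStatefulSetSpec starts and ends outside the hunk.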
@@ -393,3 +393,47 @@ func TestPodTopologySpreadConstraintWithAdditionalLabels(t *testing.T) {
 })
 }
 }
+
+func TestAutomountServiceAccountToken(t *testing.T) {
+ for _, tc := range []struct {
+ name string
+ automountServiceAccountToken *bool
+ expectedValue bool
+ }{
+ {
+ name: "automountServiceAccountToken not set",
+ automountServiceAccountToken: nil,
+ expectedValue: true,
+ },
+ {
+ name: "automountServiceAccountToken set to true",
+ automountServiceAccountToken: ptr.To(true),
+ expectedValue: true,
+ },
+ {
+ name: "automountServiceAccountToken set to false",
+ automountServiceAccountToken: ptr.To(false),
+ expectedValue: false,
+ },
+ } {
+ t.Run(tc.name, func(t *testing.T) {
+ sset, err := makeStatefulSetFromPrometheus(monitoringv1alpha1.PrometheusAgent{
+ ObjectMeta: metav1.ObjectMeta{},
+ Spec: monitoringv1alpha1.PrometheusAgentSpec{
+ CommonPrometheusFields: monitoringv1.CommonPrometheusFields{
+ AutomountServiceAccountToken: tc.automountServiceAccountToken,
+ },
+ },
+ })
+ require.NoError(t, err)
+
+ if sset.Spec.Template.Spec.AutomountServiceAccountToken == nil {
+ t.Fatalf("expected automountServiceAccountToken to be set")
+ }
+
+ if *sset.Spec.Template.Spec.AutomountServiceAccountToken != tc.expectedValue {
+ t.Fatalf("expected automountServiceAccountToken to be %v", tc.expectedValue)
+ }
+ })
+ }
+}
diff --git a/pkg/prometheus/server/statefulset.go b/pkg/prometheus/server/statefulset.go
index 122540afa..924b85887 100644
--- a/pkg/prometheus/server/statefulset.go
+++ b/pkg/prometheus/server/statefulset.go
@@ -473,7 +473,7 @@ func makeStatefulSetSpec(
 InitContainers: initContainers,
 SecurityContext: cpf.SecurityContext,
 ServiceAccountName: cpf.ServiceAccountName,
- AutomountServiceAccountToken: ptr.To(true),
+ AutomountServiceAccountToken: ptr.To(ptr.Deref(cpf.AutomountServiceAccountToken, true)),
 NodeSelector: cpf.NodeSelector,
 PriorityClassName: cpf.PriorityClassName,
 // Prometheus may take quite long to shut down to checkpoint existing data.
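Review bot: The new test mixes `require.NoError` with hand-rolled nil checks and `t.Fatalf`, and the final Fatalf reports only the expected value, so a failure will not show what the generated pod spec actually contained. Replacing the two `if` blocks with `require.NotNil(t, sset.Spec.Template.Spec.AutomountServiceAccountToken)` and `require.Equal(t, tc.expectedValue, *sset.Spec.Template.Spec.AutomountServiceAccountToken)` stays consistent with the `require` usage already in the test and prints both values on failure. The server statefulset_test.go hunk below has the same shape and would benefit from the same change.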
diff --git a/pkg/prometheus/server/statefulset_test.go b/pkg/prometheus/server/statefulset_test.go
index c77503e04..4458cb49a 100644
--- a/pkg/prometheus/server/statefulset_test.go
+++ b/pkg/prometheus/server/statefulset_test.go
@@ -3157,3 +3157,47 @@ func TestIfThanosVersionDontHaveHttpClientFlag(t *testing.T) {
 })
 }
 }
+
+func TestAutomountServiceAccountToken(t *testing.T) {
+ for _, tc := range []struct {
+ name string
+ automountServiceAccountToken *bool
+ expectedValue bool
+ }{
+ {
+ name: "automountServiceAccountToken not set",
+ automountServiceAccountToken: nil,
+ expectedValue: true,
+ },
+ {
+ name: "automountServiceAccountToken set to true",
+ automountServiceAccountToken: ptr.To(true),
+ expectedValue: true,
+ },
+ {
+ name: "automountServiceAccountToken set to false",
+ automountServiceAccountToken: ptr.To(false),
+ expectedValue: false,
+ },
+ } {
+ t.Run(tc.name, func(t *testing.T) {
+ sset, err := makeStatefulSetFromPrometheus(monitoringv1.Prometheus{
+ ObjectMeta: metav1.ObjectMeta{},
+ Spec: monitoringv1.PrometheusSpec{
+ CommonPrometheusFields: monitoringv1.CommonPrometheusFields{
+ AutomountServiceAccountToken: tc.automountServiceAccountToken,
+ },
+ },
+ })
+ require.NoError(t, err)
+
+ if sset.Spec.Template.Spec.AutomountServiceAccountToken == nil {
+ t.Fatalf("expected automountServiceAccountToken to be set")
+ }
+
+ if *sset.Spec.Template.Spec.AutomountServiceAccountToken != tc.expectedValue {
+ t.Fatalf("expected automountServiceAccountToken to be %v", tc.expectedValue)
+ }
+ })
+ }
+}