fix(datastore): tokens were not mounted

padok-team · Apr 24, 2024 · def4927 · def4927
1 parent 6cef16c
commit def4927
Show file tree

Hide file tree

Showing 3 changed files with 40 additions and 0 deletions.
diff --git a/deploy/charts/burrito/templates/controllers.yaml b/deploy/charts/burrito/templates/controllers.yaml
@@ -60,6 +60,9 @@ spec:
             - name: burrito-config
               mountPath: /etc/burrito
               readOnly: true
+            - name: burrito-token
+              mountPath: /var/run/secrets/token
+              readOnly: true
       {{- with .deployment.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -76,6 +79,13 @@ spec:
         - name: burrito-config
           configMap:
             name: burrito-config
+        - name: token-vol
+          projected:
+            sources:
+            - serviceAccountToken:
+                audience: burrito
+                expirationSeconds: 3600
+                path: burrito
 {{- if .service.enabled }}
 ---
 apiVersion: v1

diff --git a/deploy/charts/burrito/templates/server.yaml b/deploy/charts/burrito/templates/server.yaml
@@ -59,6 +59,9 @@ spec:
             - name: burrito-config
               mountPath: /etc/burrito
               readOnly: true
+            - name: burrito-token
+              mountPath: /var/run/secrets/token
+              readOnly: true
       {{- with .deployment.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -75,6 +78,13 @@ spec:
         - name: burrito-config
           configMap:
             name: burrito-config
+        - name: token-vol
+          projected:
+            sources:
+            - serviceAccountToken:
+                audience: burrito
+                expirationSeconds: 3600
+                path: burrito
 {{- if .service.enabled }}
 ---
 apiVersion: v1

diff --git a/internal/controllers/terraformrun/pod.go b/internal/controllers/terraformrun/pod.go
@@ -240,6 +240,22 @@ func defaultPodSpec(config *config.Config, layer *configv1alpha1.TerraformLayer,
 					},
 				},
 			},
+			{
+				Name: "burrito-token",
+				VolumeSource: corev1.VolumeSource{
+					Projected: &corev1.ProjectedVolumeSource{
+						Sources: []corev1.VolumeProjection{
+							{
+								ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+									Audience:          "burrito",
+									ExpirationSeconds: &[]int64{3600}[0],
+									Path:              "burrito",
+								},
+							},
+						},
+					},
+				},
+			},
 		},
 		RestartPolicy:      corev1.RestartPolicyNever,
 		ServiceAccountName: "burrito-runner",
@@ -254,6 +270,10 @@ func defaultPodSpec(config *config.Config, layer *configv1alpha1.TerraformLayer,
 						Name:      "ssh-known-hosts",
 						SubPath:   "known_hosts",
 					},
+					{
+						MountPath: "/var/run/secrets/token",
+						Name:      "burrito-token",
+					},
 				},
 				Env: []corev1.EnvVar{
 					{