From def492725e8ef955651c5783e907b6305653ae04 Mon Sep 17 00:00:00 2001
From: Alan
Date: Wed, 24 Apr 2024 10:13:34 +0200
Subject: [PATCH] fix(datastore): tokens were not mounted
---
 .../charts/burrito/templates/controllers.yaml | 10 ++++++++++
 deploy/charts/burrito/templates/server.yaml | 10 ++++++++++
 internal/controllers/terraformrun/pod.go | 20 +++++++++++++++++++
 3 files changed, 40 insertions(+)
diff --git a/deploy/charts/burrito/templates/controllers.yaml b/deploy/charts/burrito/templates/controllers.yaml
index afa80af0..248fd06b 100644
--- a/deploy/charts/burrito/templates/controllers.yaml
+++ b/deploy/charts/burrito/templates/controllers.yaml
@@ -60,6 +60,9 @@ spec:
 - name: burrito-config
 mountPath: /etc/burrito
 readOnly: true
+ - name: burrito-token
+ mountPath: /var/run/secrets/token
+ readOnly: true
 {{- with .deployment.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -76,6 +79,13 @@ spec:
 - name: burrito-config
 configMap:
 name: burrito-config
+ - name: token-vol
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: burrito
+ expirationSeconds: 3600
+ path: burrito
 {{- if .service.enabled }}
 ---
 apiVersion: v1
diff --git a/deploy/charts/burrito/templates/server.yaml b/deploy/charts/burrito/templates/server.yaml
index 7bddeec6..eebab9fb 100644
--- a/deploy/charts/burrito/templates/server.yaml
+++ b/deploy/charts/burrito/templates/server.yaml
@@ -59,6 +59,9 @@ spec:
 - name: burrito-config
 mountPath: /etc/burrito
 readOnly: true
+ - name: burrito-token
+ mountPath: /var/run/secrets/token
+ readOnly: true
 {{- with .deployment.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
@@ -75,6 +78,13 @@ spec:
 - name: burrito-config
 configMap:
 name: burrito-config
+ - name: token-vol
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: burrito
+ expirationSeconds: 3600
+ path: burrito
 {{- if .service.enabled }}
 ---
 apiVersion: v1
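Review bot: In deploy/charts/burrito/templates/controllers.yaml the added mount references a volume called `burrito-token`, but the volume added in the file's second hunk is declared as `- name: token-vol`, and the visible context declares only `burrito-config`. Unless a `burrito-token` volume exists outside these hunks, the pod template names a mount with no matching volume, which Kubernetes rejects at validation, so the projected token still would not reach the container. Declare the volume as `- name: burrito-token`, matching the name used in pod.go. Both hunks of deploy/charts/burrito/templates/server.yaml carry the same mismatch.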
diff --git a/internal/controllers/terraformrun/pod.go b/internal/controllers/terraformrun/pod.go
index e02d5815..55131645 100644
--- a/internal/controllers/terraformrun/pod.go
+++ b/internal/controllers/terraformrun/pod.go
@@ -240,6 +240,22 @@ func defaultPodSpec(config *config.Config, layer *configv1alpha1.TerraformLayer,
 },
 },
 },
+ {
+ Name: "burrito-token",
+ VolumeSource: corev1.VolumeSource{
+ Projected: &corev1.ProjectedVolumeSource{
+ Sources: []corev1.VolumeProjection{
+ {
+ ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+ Audience: "burrito",
+ ExpirationSeconds: &[]int64{3600}[0],
+ Path: "burrito",
+ },
+ },
+ },
+ },
+ },
+ },
 },
 RestartPolicy: corev1.RestartPolicyNever,
 ServiceAccountName: "burrito-runner",
@@ -254,6 +270,10 @@ func defaultPodSpec(config *config.Config, layer *configv1alpha1.TerraformLayer,
 Name: "ssh-known-hosts",
 SubPath: "known_hosts",
 },
+ {
+ MountPath: "/var/run/secrets/token",
+ Name: "burrito-token",
+ },
 },
 Env: []corev1.EnvVar{
 {
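Review bot: The token parameters in the new `burrito-token` volume (`Audience: "burrito"`, `Path: "burrito"`, 3600 seconds) are bare literals that duplicate the values in the two chart templates, with no comment saying which service consumes the token. The audience is the value the receiving side has to verify, presumably through a TokenReview, so a drift between the three copies would surface only as authentication failures at run time; package-level constants such as `const burritoTokenAudience = "burrito"` with a short comment naming the consumer would keep them aligned. `&[]int64{3600}[0]` works but hides the intent; a named local, `expiry := int64(3600)` followed by `ExpirationSeconds: &expiry,`, reads more plainly. defaultPodSpec starts and ends outside the hunk.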
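Review bot: The new volume mount for `burrito-token` leaves out `ReadOnly`, while both chart templates in this commit mount `/var/run/secrets/token` with `readOnly: true`. Add `ReadOnly: true,` after `Name: "burrito-token",` so the runner pod states the same intent as the controller and server pods. The mount list belongs to a container spec in defaultPodSpec that begins and ends outside the hunk.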