cloudfoundry / eirini

Pluggable container orchestration for Cloud Foundry, and a Kubernetes backend
Apache License 2.0

Making automountServiceAccountToken property configurable #99

Closed ndhanushkodi closed 4 years ago

ndhanushkodi commented 4 years ago

Description

While upgrading Istio to 1.6, we discovered that the Istio sidecars depend on service account tokens being mounted in environments where third-party JWT tokens aren't supported (like kind). Currently this value is hard-coded to false. We were hoping this could be configurable, so that in environments like kind, cf-for-k8s has the option to set that to true.

Suggested fix (optional)

There were some ideas discussed in this thread.

Another suggestion made was to separate the service account used by the apps, from the service account used by the "statefulset desirer" here. If there are two service accounts, both would need the automountServiceAccountToken property to be configurable.

cc my pair @jenspinney

cf-gitbot commented 4 years ago

We have created an issue in Pivotal Tracker to manage this:

https://www.pivotaltracker.com/story/show/173403187

The labels on this GitHub issue will be updated when the story is started.

mnitchev commented 4 years ago

It looks like this is already done and accepted for App Pods (and we forgot to close this issue), but it isn't applied to Task Pods. We created a follow-up issue here. Closing this issue in favour of the new one.
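
The precedence behind the `automountServiceAccountToken` setting discussed in this issue, as an added example that is not Eirini's code: a Go check that reports, for each pod in a JSON manifest list, whether the service account token is mounted and whether the pod spec, the service account, or the Kubernetes default decided it. The manifests and all names in them (`app-sa`, `task-sa`, `app-sidecar`, `app-locked`, `task`) are constructed; the check assumes each pod names its service account and ignores namespaces.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// object keeps only the fields this check reads from ServiceAccount and Pod JSON.
type object struct {
	Kind      string
	Metadata  struct{ Name string }
	Automount *bool `json:"automountServiceAccountToken"` // ServiceAccount level
	Spec      struct {
		ServiceAccountName string
		Automount          *bool `json:"automountServiceAccountToken"` // Pod level
	}
}
// Constructed sample manifests; every name in them is hypothetical.
const sample = `[{"kind":"ServiceAccount","metadata":{"name":"app-sa"},"automountServiceAccountToken":false},
 {"kind":"Pod","metadata":{"name":"app-sidecar"},"spec":{"serviceAccountName":"app-sa","automountServiceAccountToken":true}},
 {"kind":"Pod","metadata":{"name":"app-locked"},"spec":{"serviceAccountName":"app-sa"}},
 {"kind":"Pod","metadata":{"name":"task"},"spec":{"serviceAccountName":"task-sa"}}]`

// Resolve reports, per pod, whether a token is mounted and which setting decided it.
func Resolve(manifests string) (map[string]string, error) {
	var objs []object
	if err := json.Unmarshal([]byte(manifests), &objs); err != nil {
		return nil, err
	}
	bySA, out := map[string]*bool{}, map[string]string{}
	for _, o := range objs {
		if o.Kind == "ServiceAccount" {
			bySA[o.Metadata.Name] = o.Automount
		}
	}
	for _, o := range objs {
		if o.Kind == "Pod" {
			v, src := true, "Kubernetes default" // neither level sets the field
			if sa := bySA[o.Spec.ServiceAccountName]; sa != nil {
				v, src = *sa, "service account"
			}
			if o.Spec.Automount != nil { // the pod-level value takes precedence
				v, src = *o.Spec.Automount, "pod spec"
			}
			out[o.Metadata.Name] = fmt.Sprintf("%t (%s)", v, src)
		}
	}
	return out, nil
}
func main() { fmt.Println(Resolve(sample)) }
```

Pods reported as `true (Kubernetes default)` are the ones to review first, since nothing in their manifests states that the token mount is intended.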