From 05609d716518b1080e5702a894e3179b23c7d3fc Mon Sep 17 00:00:00 2001
From: Minyi Zhong
Date: Sat, 26 Oct 2024 22:04:26 +1100
Subject: [PATCH] fix: resource template getting duplicate exec-sa-token volume mounts with automountServiceAccountToken: false. Fixes #12848
Signed-off-by: Minyi Zhong
---
 test/e2e/resource_template_test.go | 42 ++++++++++++++++++++++++++++++
 test/e2e/workflow_test.go | 18 +++++++++++++
 workflow/controller/workflowpod.go | 16 ------------
 3 files changed, 60 insertions(+), 16 deletions(-)
diff --git a/test/e2e/resource_template_test.go b/test/e2e/resource_template_test.go
index 4582bde44d63..95cb785376e3 100644
--- a/test/e2e/resource_template_test.go
+++ b/test/e2e/resource_template_test.go
@@ -157,6 +157,48 @@ func (s *ResourceTemplateSuite) TestResourceTemplateWithOutputs() {
 })
 }

+func (s *ResourceTemplateSuite) TestResourceTemplateAutomountServiceAccountTokenDisabled() {
+ s.Given().
+ Workflow(`
+apiVersion: argoproj.io/v1alpha1
+kind: Workflow
+metadata:
+ generateName: k8s-resource-tmpl-with-automountservicetoken-disabled-
+spec:
+ serviceAccountName: argo
+ automountServiceAccountToken: false
+ executor:
+ serviceAccountName: argo
+ entrypoint: main
+ templates:
+ - name: main
+ resource:
+ action: create
+ setOwnerReference: true
+ successCondition: status.phase == Succeeded
+ failureCondition: status.phase == Failed
+ manifest: |
+ apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ metadata:
+ generateName: k8s-wf-resource-
+ spec:
+ entrypoint: main
+ templates:
+ - name: main
+ container:
+ image: argoproj/argosay:v2
+ command: ["/argosay"]
+`).
+ When().
+ SubmitWorkflow().
+ WaitForWorkflow().
+ Then().
+ ExpectWorkflow(func(t *testing.T, _ *metav1.ObjectMeta, status *wfv1.WorkflowStatus) {
+ assert.Equal(t, wfv1.WorkflowSucceeded, status.Phase)
+ })
+}
+
 func (s *ResourceTemplateSuite) TestResourceTemplateFailed() {
 s.Given().
 Workflow("@testdata/resource-templates/failed.yaml").
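Review bot: `TestResourceTemplateAutomountServiceAccountTokenDisabled` asserts only `wfv1.WorkflowSucceeded`, so the duplicate `exec-sa-token` mount named in the commit title is covered indirectly at best, presumably through pod creation failing. Nothing in the test checks which containers end up with a service account token mounted, which is the property that matters for least privilege when `automountServiceAccountToken: false` is set. I would add a pod-level assertion that the resource template's container carries the token mount exactly once and that no other mount of that volume appears. A doc comment above the function would also help, for example `// Regression test for #12848: a resource template with automountServiceAccountToken disabled must not get a duplicate exec-sa-token mount.`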
diff --git a/test/e2e/workflow_test.go b/test/e2e/workflow_test.go
index 76a0b6dc6a2b..87d462cd984d 100644
--- a/test/e2e/workflow_test.go
+++ b/test/e2e/workflow_test.go
@@ -46,6 +46,15 @@ spec:
 - -c
 - |
 kubectl get cm
+ volumeMounts:
+ - name: sa-token
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ readOnly: true
+ volumes:
+ - name: sa-token
+ secret:
+ defaultMode: 420
+ secretName: get-cm.service-account-token
 `).
 When().
 SubmitWorkflow().
@@ -78,6 +87,15 @@ spec:
 - sh
 source:
 kubectl get cm
+ volumeMounts:
+ - name: sa-token
+ mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ readOnly: true
+ volumes:
+ - name: sa-token
+ secret:
+ defaultMode: 420
+ secretName: get-cm.service-account-token
 `).
 When().
 SubmitWorkflow().
diff --git a/workflow/controller/workflowpod.go b/workflow/controller/workflowpod.go
index 9a7a32c0c2fb..f793060d1fcf 100644
--- a/workflow/controller/workflowpod.go
+++ b/workflow/controller/workflowpod.go
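Review bot: The `sa-token` volume and mount added to both `kubectl get cm` workflows (the hunks at -46 and -78) carry no comment saying why they are now required. Judging by the block this commit removes from `createWorkflowPod`, non-wait containers no longer receive a token mount when `automountServiceAccountToken` is false, so workflows that relied on the implicit mount would lose API access. That looks like the safer default, but it is a behaviour change that should be stated here, e.g. `# automountServiceAccountToken is false: the main container must mount its own token` above `volumeMounts:`. The secret `get-cm.service-account-token` is not created anywhere in this diff, so the tests presumably depend on a manifest outside it; please confirm it exists and is bound to a narrowly scoped service account. `defaultMode: 420` is decimal for octal 0644 and is worth spelling out in a comment for anyone copying the fixture.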
@@ -224,22 +224,6 @@ func (woc *wfOperationCtx) createWorkflowPod(ctx context.Context, nodeName strin
 // container's PID and root filesystem.
 pod.Spec.Containers = append(pod.Spec.Containers, mainCtrs...)

- // Configure service account token volume for the main container when AutomountServiceAccountToken is disabled
- if (woc.execWf.Spec.AutomountServiceAccountToken != nil && !*woc.execWf.Spec.AutomountServiceAccountToken) ||
- (tmpl.AutomountServiceAccountToken != nil && !*tmpl.AutomountServiceAccountToken) {
- for i, c := range pod.Spec.Containers {
- if c.Name == common.WaitContainerName {
- continue
- }
- c.VolumeMounts = append(c.VolumeMounts, apiv1.VolumeMount{
- Name: common.ServiceAccountTokenVolumeName,
- MountPath: common.ServiceAccountTokenMountPath,
- ReadOnly: true,
- })
- pod.Spec.Containers[i] = c
- }
- }
-
 // Configuring default container to be used with commands like "kubectl exec/logs".
 // Select "main" container if it's available. In other case use the last container (can happen when pod created from ContainerSet).
 defaultContainer := pod.Spec.Containers[len(pod.Spec.Containers)-1].Name