-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: mount SA token when automountServiceAccountToken: false
. Fixes #10937
#10945
Conversation
…isabled Signed-off-by: Max Xu <[email protected]>
@terrytangyuan PTAL, thanks! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks. Could you add a test in https://github.com/argoproj/argo-workflows/tree/master/test/e2e?
Signed-off-by: Max Xu <[email protected]>
Signed-off-by: Max Xu <[email protected]>
@terrytangyuan Added two e2e tests, PTAL |
Test failure is related to your new test |
For K8s 1.24+, KSA won't create token secret automatically. Signed-off-by: Max Xu <[email protected]>
Fixed by adding Secret/argo.service-account-token. Now all CI passed. It's due to the KSA token secret issue of K8s 1.24+, the |
…isabled. Fixes argoproj#10937 (argoproj#10945) Signed-off-by: Dillen Padhiar <[email protected]>
automountServiceAccountToken: false
. Fixes #10937
Per #12848 (comment), this seems to have caused a regression: an SA token shouldn't be mounted to the |
}) | ||
pod.Spec.Containers[i] = c | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The setupServiceAccount
function would also be the proper place to make such changes
WaitForWorkflow(fixtures.ToBeSucceeded, time.Minute*10). | ||
Then(). | ||
ExpectWorkflow(func(t *testing.T, metadata *metav1.ObjectMeta, status *wfv1.WorkflowStatus) { | ||
assert.Equal(t, wfv1.WorkflowSucceeded, status.Phase) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This actually should fail; the main
container shouldn't have an accessible SA if you specified automountServiceAccountToken: false
-- you have literally instructed it not to have one
Fixes #10937