
Add projected SA token support to controller-manager chart (#6873)#6889

Open
ti-chi-bot wants to merge 1 commit into pingcap:release-1.6 from ti-chi-bot:cherry-pick-6873-to-release-1.6

Conversation

@ti-chi-bot
Member

This is an automated cherry-pick of #6873

What problem does this PR solve?

FedRAMP Gatekeeper can enforce block-automount-serviceaccount-token-pod, requiring controller-manager pods to run with automountServiceAccountToken: false.

When automatic service account token mounting is disabled, controller-manager still needs the standard in-cluster credential files under /var/run/secrets/kubernetes.io/serviceaccount so client-go can authenticate to the Kubernetes API.

What is changed and how does it work?

This adds controllerManager.automountServiceAccountToken to the tidb-operator chart, defaulting to true to preserve current behavior.

When set to false, the chart renders:

  • automountServiceAccountToken: false in the controller-manager pod spec
  • a read-only sa-token volumeMount at /var/run/secrets/kubernetes.io/serviceaccount
  • a projected volume containing:
    • service account token at token
    • kube-root-ca.crt configmap item at ca.crt
    • pod namespace via downwardAPI at namespace

Example:

controllerManager:
  automountServiceAccountToken: false

Check List

Tests

  • Manual test (helm template/lint)

Side effects

  • No side effects

Release note

Add projected service account token volume support for controller-manager when automountServiceAccountToken is disabled.

Verification

  • helm lint charts/tidb-operator
  • helm template test charts/tidb-operator --namespace tidb-admin
  • helm template test charts/tidb-operator --namespace tidb-admin --set controllerManager.automountServiceAccountToken=false
  • git diff --check

FedRAMP Gatekeeper can require controller-manager pods to disable automatic service account token mounting. The controller still uses in-cluster Kubernetes authentication, so when automatic mounting is disabled the chart needs to provide the same token, CA, and namespace files through an explicit projected volume.

The tidb-operator chart now exposes controllerManager.automountServiceAccountToken, defaults it to true to preserve existing behavior, and mounts a projected service account token volume when it is set to false.

Constraint: FedRAMP block-automount-serviceaccount-token-pod policy rejects automatic service account token mounting
Rejected: Require users to patch controller-manager-deployment.yaml locally | keeps FedRAMP deployments on an unreviewed chart fork
Confidence: high
Scope-risk: narrow
Directive: Keep the projected volume path aligned with Kubernetes' default service account token path because client-go in-cluster config reads from there
Tested: helm lint charts/tidb-operator
Tested: helm template test charts/tidb-operator --namespace tidb-admin
Tested: helm template test charts/tidb-operator --namespace tidb-admin --set controllerManager.automountServiceAccountToken=false
Tested: git diff --check
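As an added example (not the chart's own template), a Helm fragment of the controller-manager Deployment pod spec showing the conditional block the PR describes. The values key, the sa-token volume name and the three file names come from the PR text; the serviceAccount values key, the image placeholder and the expirationSeconds value are assumptions.

```yaml
# Added example, not the tidb-operator chart's actual template.
spec:
  template:
    spec:
      serviceAccountName: {{ .Values.controllerManager.serviceAccount }}  # assumed values key
      {{- if not .Values.controllerManager.automountServiceAccountToken }}
      # Satisfies a Gatekeeper block-automount-serviceaccount-token-pod constraint:
      # the kubelet no longer injects a service account token volume on its own.
      automountServiceAccountToken: false
      {{- end }}
      containers:
        - name: tidb-operator
          image: IMAGE_PLACEHOLDER  # placeholder, not relevant to the example
          {{- if not .Values.controllerManager.automountServiceAccountToken }}
          volumeMounts:
            - name: sa-token
              # client-go's rest.InClusterConfig() reads token and ca.crt from
              # exactly this directory, so the path must not change.
              mountPath: /var/run/secrets/kubernetes.io/serviceaccount
              readOnly: true
          {{- end }}
      {{- if not .Values.controllerManager.automountServiceAccountToken }}
      volumes:
        - name: sa-token
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  # Bound, time-limited token: the kubelet rotates it before
                  # expiry and client-go re-reads the file, so a short lifetime
                  # is safe. 3600 is an assumed value (also the default).
                  expirationSeconds: 3600
              - configMap:
                  # Cluster CA bundle published into every namespace by the
                  # control plane (Kubernetes 1.21+).
                  name: kube-root-ca.crt
                  items:
                    - key: ca.crt
                      path: ca.crt
              - downwardAPI:
                  items:
                    - path: namespace
                      fieldRef:
                        fieldPath: metadata.namespace
      {{- end }}
```

When checking a rendered manifest, confirm that `automountServiceAccountToken: false`, the mount and the projected volume all appear together: a mount without the volume, or the flag without the mount, leaves the controller with no credentials at all. The kubelet writes the projected token file as mode 0600, so a controller running as non-root needs a pod-level runAsUser or fsGroup to read it.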
@ti-chi-bot
Contributor

ti-chi-bot Bot commented May 12, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign grovecai for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@liubog2008
Member

/retest

@liubog2008
Member

retest

@liubog2008
Member

/retest

@liubog2008
Member

/test pull-e2e-kind-br


3 participants