turn off automountServiceAccountToken for prometheus service accounts

raptorsun · raptorsun · commit cc59f4e8da1e · 2022-07-22T14:46:31.000+02:00
diff --git a/assets/prometheus-k8s/service-account.yaml b/assets/prometheus-k8s/service-account.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   annotations:
diff --git a/assets/prometheus-user-workload/service-account.yaml b/assets/prometheus-user-workload/service-account.yaml
@@ -1,5 +1,5 @@
 apiVersion: v1
-automountServiceAccountToken: true
+automountServiceAccountToken: false
 kind: ServiceAccount
 metadata:
   labels:
diff --git a/jsonnet/components/prometheus-user-workload.libsonnet b/jsonnet/components/prometheus-user-workload.libsonnet
@@ -508,4 +508,10 @@ function(params)
     podDisruptionBudget+: {
       apiVersion: 'policy/v1',
     },
+
+    serviceAccount+: {
+      // service account token is managed by the operator.
+      automountServiceAccountToken: false,
+    },
+
   }
diff --git a/jsonnet/components/prometheus.libsonnet b/jsonnet/components/prometheus.libsonnet
@@ -81,6 +81,8 @@ function(params)
           'serviceaccounts.openshift.io/oauth-redirectreference.prometheus-k8s': '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"prometheus-k8s"}}',
         },
       },
+      // service account token is managed by the operator.
+      automountServiceAccountToken: false,
     },
 
     // Adding the serving certs annotation causes the serving certs controller
