From 809caecd824b1a6cf16ff8ffdf4fb7b9faf35847 Mon Sep 17 00:00:00 2001
From: okozachenko
Date: Fri, 24 Jul 2020 16:50:20 +0300
Subject: [PATCH] Remove default service token from all pod spec
Change-Id: I3c182806245056bfc87c8737a7ffbf611614b2af
---
 .../templates/ceilometer/deployment-agent-notification.yml.j2 | 1 +
 openstack_operator/templates/chronyd/daemonset.yml.j2 | 1 +
 openstack_operator/templates/glance/daemonset.yml.j2 | 1 +
 openstack_operator/templates/heat/cronjob-service-clean.yml.j2 | 1 +
 openstack_operator/templates/heat/daemonset.yml.j2 | 1 +
 openstack_operator/templates/horizon/daemonset.yml.j2 | 1 +
 openstack_operator/templates/keystone/daemonset.yml.j2 | 1 +
 openstack_operator/templates/libvirtd_exporter/daemonset.yml.j2 | 1 +
 openstack_operator/templates/magnum/daemonset.yml.j2 | 1 +
 openstack_operator/templates/mcrouter/deployment.yml.j2 | 1 +
 openstack_operator/templates/memcached/deployment.yml.j2 | 1 +
 openstack_operator/templates/memcached/statefulset.yml.j2 | 1 +
 openstack_operator/templates/rabbitmq/deployment.yml.j2 | 1 +
 13 files changed, 13 insertions(+)
diff --git a/openstack_operator/templates/ceilometer/deployment-agent-notification.yml.j2 b/openstack_operator/templates/ceilometer/deployment-agent-notification.yml.j2
index a1476a68..35d2491b 100644
--- a/openstack_operator/templates/ceilometer/deployment-agent-notification.yml.j2
+++ b/openstack_operator/templates/ceilometer/deployment-agent-notification.yml.j2
@@ -32,6 +32,7 @@ spec:
 labels:
 {{ labels("ceilometer", "ceilometer") | indent(8) }}
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: agent
 image: vexxhost/ceilometer-agent-notification:latest
diff --git a/openstack_operator/templates/chronyd/daemonset.yml.j2 b/openstack_operator/templates/chronyd/daemonset.yml.j2
index bffe51a8..501dd290 100644
--- a/openstack_operator/templates/chronyd/daemonset.yml.j2
+++ b/openstack_operator/templates/chronyd/daemonset.yml.j2
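Review bot: The new `automountServiceAccountToken: false` in the ceilometer pod spec carries no comment and, as far as this patch shows, no rendered-template check, so a later template that omits the line will quietly mount the default token again; the same applies to the other twelve templates touched here (chronyd, glance, heat cronjob and daemonset, horizon, keystone, libvirtd_exporter, magnum, mcrouter, memcached deployment and statefulset, rabbitmq). I would add a comment above the field, `# No container in this pod calls the Kubernetes API; do not mount the service account token.`, and a render test asserting that every workload template yields a pod spec with `automountServiceAccountToken` set to `false`. The field only stops the automatic mount: the pods still run as the namespace's default service account, so any RBAC bound to that account is unchanged. The pod spec continues outside the hunk.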
@@ -33,6 +33,7 @@ spec:
 labels:
 {{ labels("chronyd", "chronyd") | indent(8) }}
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: main
 image: vexxhost/chronyd:latest
diff --git a/openstack_operator/templates/glance/daemonset.yml.j2 b/openstack_operator/templates/glance/daemonset.yml.j2
index cb856b66..d8b23035 100644
--- a/openstack_operator/templates/glance/daemonset.yml.j2
+++ b/openstack_operator/templates/glance/daemonset.yml.j2
@@ -35,6 +35,7 @@ spec:
 annotations:
 checksum/config: "{{ config_hash }}"
 spec:
+ automountServiceAccountToken: false
 initContainers:
 - name: db-sync
 image: vexxhost/glance-api:latest
diff --git a/openstack_operator/templates/heat/cronjob-service-clean.yml.j2 b/openstack_operator/templates/heat/cronjob-service-clean.yml.j2
index e2496045..54da2246 100644
--- a/openstack_operator/templates/heat/cronjob-service-clean.yml.j2
+++ b/openstack_operator/templates/heat/cronjob-service-clean.yml.j2
@@ -26,6 +26,7 @@ spec:
 spec:
 template:
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: service-clean
 image: vexxhost/heat-engine:latest
diff --git a/openstack_operator/templates/heat/daemonset.yml.j2 b/openstack_operator/templates/heat/daemonset.yml.j2
index be24de94..85a69ae6 100644
--- a/openstack_operator/templates/heat/daemonset.yml.j2
+++ b/openstack_operator/templates/heat/daemonset.yml.j2
@@ -41,6 +41,7 @@ spec:
 annotations:
 checksum/config: "{{ config_hash }}"
 spec:
+ automountServiceAccountToken: false
 {% if 'engine' in component %}
 terminationGracePeriodSeconds: 300
 initContainers:
diff --git a/openstack_operator/templates/horizon/daemonset.yml.j2 b/openstack_operator/templates/horizon/daemonset.yml.j2
index ce6697ef..fc07be8e 100644
--- a/openstack_operator/templates/horizon/daemonset.yml.j2
+++ b/openstack_operator/templates/horizon/daemonset.yml.j2
@@ -35,6 +35,7 @@ spec:
 annotations:
 checksum/config: "{{ config_hash }}"
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: horizon
 image: vexxhost/horizon:latest
diff --git a/openstack_operator/templates/keystone/daemonset.yml.j2 b/openstack_operator/templates/keystone/daemonset.yml.j2
index 74f203d9..c99c25f9 100644
--- a/openstack_operator/templates/keystone/daemonset.yml.j2
+++ b/openstack_operator/templates/keystone/daemonset.yml.j2
@@ -35,6 +35,7 @@ spec:
 annotations:
 checksum/config: "{{ config_hash }}"
 spec:
+ automountServiceAccountToken: false
 initContainers:
 - name: db-sync
 image: vexxhost/keystone:latest
diff --git a/openstack_operator/templates/libvirtd_exporter/daemonset.yml.j2 b/openstack_operator/templates/libvirtd_exporter/daemonset.yml.j2
index 697746ed..2c2097f5 100644
--- a/openstack_operator/templates/libvirtd_exporter/daemonset.yml.j2
+++ b/openstack_operator/templates/libvirtd_exporter/daemonset.yml.j2
@@ -29,6 +29,7 @@ spec:
 labels:
 {{ labels("libvirtd-exporter", "libvirtd-exporter") | indent(8) }}
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: main
 image: vexxhost/libvirtd-exporter:latest
diff --git a/openstack_operator/templates/magnum/daemonset.yml.j2 b/openstack_operator/templates/magnum/daemonset.yml.j2
index 551fe78c..31416f88 100644
--- a/openstack_operator/templates/magnum/daemonset.yml.j2
+++ b/openstack_operator/templates/magnum/daemonset.yml.j2
@@ -35,6 +35,7 @@ spec:
 annotations:
 checksum/config: "{{ config_hash }}"
 spec:
+ automountServiceAccountToken: false
 {% if 'conductor' in component %}
 initContainers:
 - name: db-sync
diff --git a/openstack_operator/templates/mcrouter/deployment.yml.j2 b/openstack_operator/templates/mcrouter/deployment.yml.j2
index 44e4435f..4d0a7a63 100644
--- a/openstack_operator/templates/mcrouter/deployment.yml.j2
+++ b/openstack_operator/templates/mcrouter/deployment.yml.j2
@@ -29,6 +29,7 @@ spec:
 labels:
 {{ labels("mcrouter", name) | indent(8) }}
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: mcrouter
 image: vexxhost/mcrouter:latest
diff --git a/openstack_operator/templates/memcached/deployment.yml.j2 b/openstack_operator/templates/memcached/deployment.yml.j2
index 656aac14..6010b5d8 100644
--- a/openstack_operator/templates/memcached/deployment.yml.j2
+++ b/openstack_operator/templates/memcached/deployment.yml.j2
@@ -29,6 +29,7 @@ spec:
 labels:
 {{ labels("memcached", name) | indent(8) }}
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: memcached
 image: vexxhost/memcached:latest
diff --git a/openstack_operator/templates/memcached/statefulset.yml.j2 b/openstack_operator/templates/memcached/statefulset.yml.j2
index 32c0a431..71177b8e 100644
--- a/openstack_operator/templates/memcached/statefulset.yml.j2
+++ b/openstack_operator/templates/memcached/statefulset.yml.j2
@@ -30,6 +30,7 @@ spec:
 labels:
 {{ labels("memcached", name) | indent(8) }}
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: memcached
 image: vexxhost/memcached:latest
diff --git a/openstack_operator/templates/rabbitmq/deployment.yml.j2 b/openstack_operator/templates/rabbitmq/deployment.yml.j2
index 08cdedf7..acb3bdcc 100644
--- a/openstack_operator/templates/rabbitmq/deployment.yml.j2
+++ b/openstack_operator/templates/rabbitmq/deployment.yml.j2
@@ -29,6 +29,7 @@ spec:
 labels:
 {{ labels("rabbitmq", name) | indent(8) }}
 spec:
+ automountServiceAccountToken: false
 containers:
 - name: rabbitmq
 env:
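Review bot: The rabbitmq Deployment should be confirmed not to depend on in-cluster API access before the token is removed, because the hunk does not show how the broker is configured. RabbitMQ's Kubernetes peer-discovery plugin reads the mounted service account token, so a clustered setup using it would presumably fail to form after this change. If that plugin is or will be enabled, this pod needs a dedicated, narrowly scoped service account with the mount left on instead of `automountServiceAccountToken: false`. The container definition continues past the end of the hunk (`env:`), so this cannot be checked from here.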