Merge pull request #38 from uswitch/vault-webhook-121-changes

removed manual service account token mounting for kube 1.21 and onwards

examples/example-v2.yaml

@@ -15,7 +15,7 @@ spec:
       labels:
         app: test-dep
     spec:
-      serviceAccountName: binding-acc 
+      serviceAccountName: test
       containers:
       - image: nginx
         name: nginx
@@ -39,5 +39,5 @@ data:
 apiVersion: v1
 kind: ServiceAccount
 metadata: 
-  name: binding-acc
+  name: test
 

vault.go

@@ -9,18 +9,18 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 )
 
-func createPatch(pod *corev1.Pod, namespace, serviceAccountToken string, databases []database) ([]byte, error) {
+func createPatch(pod *corev1.Pod, namespace string, databases []database) ([]byte, error) {
 	patch := []patchOperation{}
 	patch = append(patch, addVolume(pod)...)
 	pod.Spec.Containers = addVolumeMount(pod.Spec.Containers, databases)
 	if len(pod.Spec.InitContainers) != 0 {
 		pod.Spec.InitContainers = addVolumeMount(pod.Spec.InitContainers, databases)
 	}
-	patch = append(patch, addVault(pod, namespace, serviceAccountToken, databases)...)
+	patch = append(patch, addVault(pod, namespace, databases)...)
 	return json.Marshal(patch)
 }
 
-func addVault(pod *corev1.Pod, namespace, serviceAccountToken string, databases []database) (patch []patchOperation) {
+func addVault(pod *corev1.Pod, namespace string, databases []database) (patch []patchOperation) {
 	initContainers := []corev1.Container{}
 	for _, databaseInfo := range databases {
 
@@ -99,10 +99,6 @@ func addVault(pod *corev1.Pod, namespace, serviceAccountToken string, databases
 					Name:      "vault-creds",
 					MountPath: "/creds/output",
 				},
-				corev1.VolumeMount{
-					Name:      serviceAccountToken,
-					MountPath: "/var/run/secrets/kubernetes.io/serviceaccount",
-				},
 			},
 		}
 

vault_test.go

@@ -92,7 +92,7 @@ func TestAddVaultPatch(t *testing.T) {
 		},
 	}
 
-	patch := addVault(&pod, "foo", "bah", databases)
+	patch := addVault(&pod, "bah", databases)
 
 	if len(patch) != 2 {
 		t.Errorf("patch should have two items, got: %v", len(patch))

webhook.go

@@ -1,11 +1,12 @@
 package main
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
 	"net/http"
-	"context"
+
 	log "github.com/sirupsen/logrus"
 	"github.com/uswitch/vault-webhook/pkg/apis/vaultwebhook.uswitch.com/v1alpha1"
 	"k8s.io/api/admission/v1beta1"
@@ -145,16 +146,7 @@ func (srv webHookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR
 		}
 	}
 
-	serviceAccountToken, err := srv.getServiceAccountToken(pod.Spec.ServiceAccountName, req.Namespace)
-	if err != nil {
-		return &v1beta1.AdmissionResponse{
-			Result: &metav1.Status{
-				Message: err.Error(),
-			},
-		}
-	}
-
-	patchBytes, err := createPatch(&pod, req.Namespace, serviceAccountToken, databases)
+	patchBytes, err := createPatch(&pod, req.Namespace, databases)
 	if err != nil {
 		return &v1beta1.AdmissionResponse{
 			Result: &metav1.Status{
@@ -174,17 +166,6 @@ func (srv webHookServer) mutate(ar *v1beta1.AdmissionReview) *v1beta1.AdmissionR
 	}
 }
 
-func (srv webHookServer) getServiceAccountToken(serviceAccount, namespace string) (string, error) {
-	serviceAccountObj, err := srv.client.CoreV1().ServiceAccounts(namespace).Get(srv.ctx, serviceAccount, metav1.GetOptions{})
-	if err != nil {
-		return "", err
-	}
-	if len(serviceAccountObj.Secrets) == 0 {
-		return "", fmt.Errorf("no service account token found for service account: %s", serviceAccount)
-	}
-	return serviceAccountObj.Secrets[0].Name, nil
-}
-
 func filterBindings(bindings []v1alpha1.DatabaseCredentialBinding, namespace string) []v1alpha1.DatabaseCredentialBinding {
 	filteredBindings := []v1alpha1.DatabaseCredentialBinding{}
 	for _, binding := range bindings {