feat: support mount sa token explicitly if automount is false (#6815)

Author: liubog2008

pkg/backup/backup/backup_cleaner.go

@@ -279,6 +279,11 @@ func (bc *backupCleaner) makeCleanJob(backup *v1alpha1.Backup) (*batchv1.Job, st
 		},
 	}
 
+	if backup.Spec.AutomountServiceAccountToken != nil && !*backup.Spec.AutomountServiceAccountToken {
+		podSpec.Spec.Volumes = append(podSpec.Spec.Volumes, util.SATokenProjectionVolume())
+		podSpec.Spec.Containers[0].VolumeMounts = append(podSpec.Spec.Containers[0].VolumeMounts, util.SATokenProjectionVolumeMount())
+	}
+
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        backup.GetCleanJobName(),
@@ -479,6 +484,11 @@ func (bc *backupCleaner) makeStopLogBackupJob(backup *v1alpha1.Backup) (*batchv1
 		},
 	}
 
+	if backup.Spec.AutomountServiceAccountToken != nil && !*backup.Spec.AutomountServiceAccountToken {
+		podSpec.Spec.Volumes = append(podSpec.Spec.Volumes, util.SATokenProjectionVolume())
+		podSpec.Spec.Containers[0].VolumeMounts = append(podSpec.Spec.Containers[0].VolumeMounts, util.SATokenProjectionVolumeMount())
+	}
+
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        jobName,

pkg/backup/backup/backup_manager.go

@@ -651,6 +651,11 @@ func (bm *backupManager) makeExportJob(backup *v1alpha1.Backup) (*batchv1.Job, s
 		},
 	}
 
+	if backup.Spec.AutomountServiceAccountToken != nil && !*backup.Spec.AutomountServiceAccountToken {
+		podSpec.Spec.Volumes = append(podSpec.Spec.Volumes, util.SATokenProjectionVolume())
+		podSpec.Spec.Containers[0].VolumeMounts = append(podSpec.Spec.Containers[0].VolumeMounts, util.SATokenProjectionVolumeMount())
+	}
+
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        backup.GetBackupJobName(),
@@ -880,6 +885,11 @@ func (bm *backupManager) makeBRBackupJob(backup *v1alpha1.Backup) (*batchv1.Job,
 		},
 	}
 
+	if backup.Spec.AutomountServiceAccountToken != nil && !*backup.Spec.AutomountServiceAccountToken {
+		podSpec.Spec.Volumes = append(podSpec.Spec.Volumes, util.SATokenProjectionVolume())
+		podSpec.Spec.Containers[0].VolumeMounts = append(podSpec.Spec.Containers[0].VolumeMounts, util.SATokenProjectionVolumeMount())
+	}
+
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        jobName,

pkg/backup/restore/restore_manager.go

@@ -858,6 +858,11 @@ func (rm *restoreManager) makeImportJob(restore *v1alpha1.Restore) (*batchv1.Job
 		},
 	}
 
+	if restore.Spec.AutomountServiceAccountToken != nil && !*restore.Spec.AutomountServiceAccountToken {
+		podSpec.Spec.Volumes = append(podSpec.Spec.Volumes, util.SATokenProjectionVolume())
+		podSpec.Spec.Containers[0].VolumeMounts = append(podSpec.Spec.Containers[0].VolumeMounts, util.SATokenProjectionVolumeMount())
+	}
+
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        restore.GetRestoreJobName(),
@@ -1097,6 +1102,11 @@ func (rm *restoreManager) makeRestoreJobWithMode(restore *v1alpha1.Restore, isPr
 		},
 	}
 
+	if restore.Spec.AutomountServiceAccountToken != nil && !*restore.Spec.AutomountServiceAccountToken {
+		podSpec.Spec.Volumes = append(podSpec.Spec.Volumes, util.SATokenProjectionVolume())
+		podSpec.Spec.Containers[0].VolumeMounts = append(podSpec.Spec.Containers[0].VolumeMounts, util.SATokenProjectionVolumeMount())
+	}
+
 	// Job name differs between restore and prune jobs
 	jobName := restore.GetRestoreJobName()
 	if isPruneJob {

pkg/controller/compactbackup/compact_backup_controller.go

@@ -469,6 +469,11 @@ func (c *Controller) makeCompactJob(compact *v1alpha1.CompactBackup) (*batchv1.J
 		},
 	}
 
+	if compact.Spec.AutomountServiceAccountToken != nil && !*compact.Spec.AutomountServiceAccountToken {
+		podSpec.Spec.Volumes = append(podSpec.Spec.Volumes, util.SATokenProjectionVolume())
+		podSpec.Spec.Containers[0].VolumeMounts = append(podSpec.Spec.Containers[0].VolumeMounts, util.SATokenProjectionVolumeMount())
+	}
+
 	job := &batchv1.Job{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        jobName,

pkg/manager/member/tidb_discovery_manager.go

@@ -311,6 +311,11 @@ func (m *realTidbDiscoveryManager) getTidbDiscoveryDeployment(obj metav1.Object)
 		})
 	}
 
+	if baseSpec.AutomountServiceAccountToken() != nil && !*baseSpec.AutomountServiceAccountToken() {
+		podSpec.Volumes = append(podSpec.Volumes, util.SATokenProjectionVolume())
+		podSpec.Containers[0].VolumeMounts = append(podSpec.Containers[0].VolumeMounts, util.SATokenProjectionVolumeMount())
+	}
+
 	podLabels := util.CombineStringMap(l.Labels(), baseSpec.Labels())
 	podAnnotations := baseSpec.Annotations()
 	d := &appsv1.Deployment{

pkg/util/util.go

@@ -59,8 +59,66 @@ var (
 const (
 	// LastAppliedConfigAnnotation is annotation key of last applied configuration
 	LastAppliedConfigAnnotation = "pingcap.com/last-applied-configuration"
+
+	// SATokenProjectionVolumeName is the name of the projected service account token volume.
+	SATokenProjectionVolumeName = "kube-api-access"
+	// SATokenProjectionMountPath is the standard Kubernetes service account token mount path.
+	SATokenProjectionMountPath = "/var/run/secrets/kubernetes.io/serviceaccount" // nolint:gosec
 )
 
+// SATokenProjectionVolume returns a projected volume that replicates the three files
+// that rest.InClusterConfig() reads from /var/run/secrets/kubernetes.io/serviceaccount:
+// token, ca.crt, and namespace. Use this when automountServiceAccountToken is false
+// but the container still needs to call the Kubernetes API.
+func SATokenProjectionVolume() corev1.Volume {
+	expirationSeconds := int64(3607)
+	return corev1.Volume{
+		Name: SATokenProjectionVolumeName,
+		VolumeSource: corev1.VolumeSource{
+			Projected: &corev1.ProjectedVolumeSource{
+				Sources: []corev1.VolumeProjection{
+					{
+						ServiceAccountToken: &corev1.ServiceAccountTokenProjection{
+							Path:              "token",
+							ExpirationSeconds: &expirationSeconds,
+						},
+					},
+					{
+						ConfigMap: &corev1.ConfigMapProjection{
+							LocalObjectReference: corev1.LocalObjectReference{Name: "kube-root-ca.crt"},
+							Items: []corev1.KeyToPath{
+								{Key: "ca.crt", Path: "ca.crt"},
+							},
+						},
+					},
+					{
+						DownwardAPI: &corev1.DownwardAPIProjection{
+							Items: []corev1.DownwardAPIVolumeFile{
+								{
+									Path: "namespace",
+									FieldRef: &corev1.ObjectFieldSelector{
+										APIVersion: "v1",
+										FieldPath:  "metadata.namespace",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+}
+
+// SATokenProjectionVolumeMount returns the VolumeMount for SATokenProjectionVolume.
+func SATokenProjectionVolumeMount() corev1.VolumeMount {
+	return corev1.VolumeMount{
+		Name:      SATokenProjectionVolumeName,
+		MountPath: SATokenProjectionMountPath,
+		ReadOnly:  true,
+	}
+}
+
 func GetOrdinalFromPodName(podName string) (int32, error) {
 	ordinalStr := podName[strings.LastIndex(podName, "-")+1:]
 	ordinalInt, err := strconv.ParseInt(ordinalStr, 10, 32)

tests/config.go

@@ -41,6 +41,7 @@ type Config struct {
 
 	TidbVersions         string          `yaml:"tidb_versions" json:"tidb_versions"`
 	InstallOperator      bool            `yaml:"install_opeartor" json:"install_opeartor"`
+	InstallCertManager   bool            `yaml:"install_cert_manager" json:"install_cert_manager"`
 	InstallDMMysql       bool            `yaml:"install_dm_mysql" json:"install_dm_mysql"`
 	OperatorTag          string          `yaml:"operator_tag" json:"operator_tag"`
 	OperatorImage        string          `yaml:"operator_image" json:"operator_image"`
@@ -96,6 +97,7 @@ type Node struct {
 func NewDefaultConfig() *Config {
 	return &Config{
 		AdditionalDrainerVersion: "v3.0.8",
+		InstallCertManager:       true,
 
 		PDMaxReplicas:       5,
 		TiDBTokenLimit:      1024,