From 42acf0e7e574809f6791b490c026839d1b0d8ded Mon Sep 17 00:00:00 2001 From: Tennix Date: Tue, 21 Apr 2026 13:59:20 +0800 Subject: [PATCH] fix: disable SA token automount for tidbinitializer --- pkg/manager/member/tidb_init_manager.go | 5 +++-- pkg/manager/member/tidb_init_manager_test.go | 15 +++++++++++++++ 2 files changed, 18 insertions(+), 2 deletions(-) diff --git a/pkg/manager/member/tidb_init_manager.go b/pkg/manager/member/tidb_init_manager.go index c1c2f4749b8..4b6ec4fdae9 100644 --- a/pkg/manager/member/tidb_init_manager.go +++ b/pkg/manager/member/tidb_init_manager.go @@ -352,8 +352,9 @@ func (m *tidbInitManager) makeTiDBInitJob(ti *v1alpha1.TidbInitializer) (*batchv Annotations: util.CopyStringMap(ti.Annotations), }, Spec: corev1.PodSpec{ - ImagePullSecrets: ti.Spec.ImagePullSecrets, - SecurityContext: ti.Spec.PodSecurityContext, + ImagePullSecrets: ti.Spec.ImagePullSecrets, + SecurityContext: ti.Spec.PodSecurityContext, + AutomountServiceAccountToken: pointer.BoolPtr(false), InitContainers: []corev1.Container{ { Name: initContainerName, diff --git a/pkg/manager/member/tidb_init_manager_test.go b/pkg/manager/member/tidb_init_manager_test.go index 6b70bcd1e42..48c524f0d3a 100644 --- a/pkg/manager/member/tidb_init_manager_test.go +++ b/pkg/manager/member/tidb_init_manager_test.go @@ -128,6 +128,21 @@ func TestTiDBInitManagerSync(t *testing.T) { } } +func TestMakeTiDBInitJobDisablesServiceAccountTokenAutomount(t *testing.T) { + g := NewGomegaWithT(t) + tim, _, indexers := newFakeTiDBInitManager() + ti := newTidbInitializerForTiDB() + tc := newTidbClusterForTiDB() + + err := indexers.tc.Add(tc) + g.Expect(err).NotTo(HaveOccurred()) + + job, err := tim.makeTiDBInitJob(ti) + g.Expect(err).NotTo(HaveOccurred()) + g.Expect(job.Spec.Template.Spec.AutomountServiceAccountToken).NotTo(BeNil()) + g.Expect(*job.Spec.Template.Spec.AutomountServiceAccountToken).To(BeFalse()) +} + func newFakeTiDBInitManager() (*tidbInitManager, *tidbMemberManager, *fakeIndexers) { tmm, _, _, indexers := newFakeTiDBMemberManager() indexers.job = tmm.deps.KubeInformerFactory.Batch().V1().Jobs().Informer().GetIndexer()