Add ability to disable service account token mount for gateway

The Loki gateway acts as a reverse proxy and doesn't require Kubernetes API access. This change allows users to disable service account token mounting for better security posture.
grafana · Jan 21, 2025 · ab4ac38 · ab4ac38
1 parent 6eecb00
commit ab4ac38
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 0 deletions.
diff --git a/charts/loki-distributed/templates/gateway/deployment-gateway.yaml b/charts/loki-distributed/templates/gateway/deployment-gateway.yaml
@@ -41,6 +41,7 @@ spec:
         {{- end }}
     spec:
       serviceAccountName: {{ include "loki.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.gateway.serviceAccount.automountServiceAccountToken }}
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/loki-distributed/values.yaml b/charts/loki-distributed/values.yaml
@@ -1020,6 +1020,7 @@ gateway:
   replicas: 1
   # -- Enable logging of 2xx and 3xx HTTP requests
   verboseLogging: true
+  automountServiceAccountToken: true  # default to true for backward compatibility
   autoscaling:
     # -- Enable autoscaling for the gateway
     enabled: false