From 3dfea6d5a9572c312b4479bd321c05fdad3d21a6 Mon Sep 17 00:00:00 2001
From: MinyiZ <36426344+MinyiZ@users.noreply.github.com>
Date: Sun, 27 Oct 2024 18:10:37 +1100
Subject: [PATCH] fix: don't mount SA token when `automountServiceAccountToken: false`. Fixes #12848 (#13820)
Signed-off-by: Minyi Zhong
Co-authored-by: Minyi Zhong
---
 test/e2e/resource_template_test.go | 42 +++++++++++++++++++
 test/e2e/workflow_test.go | 66 ------------------------------
 workflow/controller/workflowpod.go | 16 --------
 3 files changed, 42 insertions(+), 82 deletions(-)
diff --git a/test/e2e/resource_template_test.go b/test/e2e/resource_template_test.go
index 4582bde44d63..95cb785376e3 100644
--- a/test/e2e/resource_template_test.go
+++ b/test/e2e/resource_template_test.go
@@ -157,6 +157,48 @@ func (s *ResourceTemplateSuite) TestResourceTemplateWithOutputs() {
 })
 }
 
+func (s *ResourceTemplateSuite) TestResourceTemplateAutomountServiceAccountTokenDisabled() {
+ s.Given().
+ Workflow(`
+apiVersion: argoproj.io/v1alpha1
+kind: Workflow
+metadata:
+ generateName: k8s-resource-tmpl-with-automountservicetoken-disabled-
+spec:
+ serviceAccountName: argo
+ automountServiceAccountToken: false
+ executor:
+ serviceAccountName: argo
+ entrypoint: main
+ templates:
+ - name: main
+ resource:
+ action: create
+ setOwnerReference: true
+ successCondition: status.phase == Succeeded
+ failureCondition: status.phase == Failed
+ manifest: |
+ apiVersion: argoproj.io/v1alpha1
+ kind: Workflow
+ metadata:
+ generateName: k8s-wf-resource-
+ spec:
+ entrypoint: main
+ templates:
+ - name: main
+ container:
+ image: argoproj/argosay:v2
+ command: ["/argosay"]
+`).
+ When().
+ SubmitWorkflow().
+ WaitForWorkflow().
+ Then().
+ ExpectWorkflow(func(t *testing.T, _ *metav1.ObjectMeta, status *wfv1.WorkflowStatus) {
+ assert.Equal(t, wfv1.WorkflowSucceeded, status.Phase)
+ })
+}
+
 func (s *ResourceTemplateSuite) TestResourceTemplateFailed() {
 s.Given().
 Workflow("@testdata/resource-templates/failed.yaml").
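Review bot: The new TestResourceTemplateAutomountServiceAccountTokenDisabled asserts only `wfv1.WorkflowSucceeded`, and a resource template is presumably the one case whose main container still needs API credentials, so nothing added here checks the property the subject line names — that user containers receive no token when `automountServiceAccountToken: false`. With the container and script cases deleted from test/e2e/workflow_test.go, the removal in workflow/controller/workflowpod.go has no negative test, and a later change could reintroduce the mount unnoticed. I would add a companion case using a plain container template that inspects the created pod and, for each entry `m` in the main container's `VolumeMounts`, asserts `assert.NotEqual(t, common.ServiceAccountTokenMountPath, m.MountPath)`. Whether `common` is already imported in this test file is not visible in the hunk.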
diff --git a/test/e2e/workflow_test.go b/test/e2e/workflow_test.go
index 76a0b6dc6a2b..51c194614d5b 100644
--- a/test/e2e/workflow_test.go
+++ b/test/e2e/workflow_test.go
@@ -22,72 +22,6 @@ type WorkflowSuite struct {
 fixtures.E2ESuite
 }
 
-func (s *WorkflowSuite) TestContainerTemplateAutomountServiceAccountTokenDisabled() {
- s.Given().Workflow(`
-apiVersion: argoproj.io/v1alpha1
-kind: Workflow
-metadata:
- generateName: get-resources-via-container-template-
- namespace: argo
-spec:
- serviceAccountName: argo
- automountServiceAccountToken: false
- executor:
- serviceAccountName: get-cm
- entrypoint: main
- templates:
- - name: main
- container:
- name: main
- image: bitnami/kubectl
- command:
- - sh
- args:
- - -c
- - |
- kubectl get cm
-`).
- When().
- SubmitWorkflow().
- WaitForWorkflow(fixtures.ToBeSucceeded, time.Minute*11).
- Then().
- ExpectWorkflow(func(t *testing.T, metadata *metav1.ObjectMeta, status *wfv1.WorkflowStatus) {
- assert.Equal(t, wfv1.WorkflowSucceeded, status.Phase)
- })
-}
-
-func (s *WorkflowSuite) TestScriptTemplateAutomountServiceAccountTokenDisabled() {
- s.Given().Workflow(`
-apiVersion: argoproj.io/v1alpha1
-kind: Workflow
-metadata:
- generateName: get-resources-via-script-template-
- namespace: argo
-spec:
- serviceAccountName: argo
- automountServiceAccountToken: false
- executor:
- serviceAccountName: get-cm
- entrypoint: main
- templates:
- - name: main
- script:
- name: main
- image: bitnami/kubectl
- command:
- - sh
- source:
- kubectl get cm
-`).
- When().
- SubmitWorkflow().
- WaitForWorkflow(fixtures.ToBeSucceeded, time.Minute*11).
- Then().
- ExpectWorkflow(func(t *testing.T, metadata *metav1.ObjectMeta, status *wfv1.WorkflowStatus) {
- assert.Equal(t, wfv1.WorkflowSucceeded, status.Phase)
- })
-}
-
 func (s *WorkflowSuite) TestWorkflowFailedWhenAllPodSetFailedFromPending() {
 (s.Given().Workflow(`
 apiVersion: argoproj.io/v1alpha1
diff --git a/workflow/controller/workflowpod.go b/workflow/controller/workflowpod.go
index 9a7a32c0c2fb..f793060d1fcf 100644
--- a/workflow/controller/workflowpod.go
+++ b/workflow/controller/workflowpod.go
@@ -224,22 +224,6 @@ func (woc *wfOperationCtx) createWorkflowPod(ctx context.Context, nodeName strin
 // container's PID and root filesystem.
 pod.Spec.Containers = append(pod.Spec.Containers, mainCtrs...)
 
- // Configure service account token volume for the main container when AutomountServiceAccountToken is disabled
- if (woc.execWf.Spec.AutomountServiceAccountToken != nil && !*woc.execWf.Spec.AutomountServiceAccountToken) ||
- (tmpl.AutomountServiceAccountToken != nil && !*tmpl.AutomountServiceAccountToken) {
- for i, c := range pod.Spec.Containers {
- if c.Name == common.WaitContainerName {
- continue
- }
- c.VolumeMounts = append(c.VolumeMounts, apiv1.VolumeMount{
- Name: common.ServiceAccountTokenVolumeName,
- MountPath: common.ServiceAccountTokenMountPath,
- ReadOnly: true,
- })
- pod.Spec.Containers[i] = c
- }
- }
-
 // Configuring default container to be used with commands like "kubectl exec/logs".
 // Select "main" container if it's available. In other case use the last container (can happen when pod created from ContainerSet).
 defaultContainer := pod.Spec.Containers[len(pod.Spec.Containers)-1].Name