Git commit e07f0f6890b79c0eb9dc7f541b4ce05a868b4c74 is missing from the latest Helm Release 4.12.0

[crouth-redge]

What happened:

The following commit, which fixes the missing automountServiceAccountToken in deployments and podsets is missing from the latest Helm chart release. The commit is 3 months old, and the chart is two weeks old, so I'm not sure how it was missed in the release.

e07f0f6

The result is that the the deployments and daemonsets are not compliant with certain Gatekeepeer enforced security policies.

What you expected to happen:

Expected this fix to be in the latest helm chart, so that it would fix the needed missing keys from these manifests.

NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):
NA - this issue purely affects the Helm Chart and it's manifests.

Kubernetes version (use kubectl version):
NA - this issue purely affects the Helm Chart and it's manifests.

Environment:

NA

How to reproduce this issue:

Simply compare main branch to tag 4.12.0 to see the missing key

https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/templates/controller-deployment.yaml#L211
https://github.com/kubernetes/ingress-nginx/blob/helm-chart-4.12.0/charts/ingress-nginx/templates/controller-deployment.yaml#L210

Anything else we need to know:
Affects both deployment and daemonset templates. This key is required to be set to false to pass several security policy enforcements:

• https://github.com/GoogleCloudPlatform/gke-policy-library/blob/main/anthos-bundles/mitre-v2024/restrict-automountserviceaccounttoken.yaml
• https://github.com/GoogleCloudPlatform/gke-policy-library/blob/main/anthos-bundles/cis-gke-v1.5.0/restrict-automountserviceaccounttoken.yaml
• https://github.com/GoogleCloudPlatform/gke-policy-library/blob/main/anthos-bundles/cis-k8s-v1.7.1/restrict-automountserviceaccounttoken.yaml

[k8s-ci-robot]

This issue is currently awaiting triage.

If Ingress contributors determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[Gacko]

This is a feature which has been introduced while we already had the v1.12.0-beta.0 released, so the v1.12 release cycle was probably already started.

Here's the PR for this feature: #12247. See the creation date: 29 October 2024.

And here's the v4.12.0-beta.0 chart release: https://github.com/kubernetes/ingress-nginx/releases/tag/helm-chart-4.12.0-beta.0. Released 15 October 2024.

[Gacko]

Also the recommendations you can read from different cloud providers are targeted for workload that does not need any service account tokens. Ingress NGINX needs API access, so it needs service account tokens and therefore it's absolutely not an issue to have them auto-mounted. Manually configuring the mount just increases your maintenance effort...