Make 'automountServiceAccountToken' configurable
Summary
As part of #2292 (closed), we set automountServiceAccountToken: false on the objects where the tokens were not needed.
However, as noted in !2143 (closed), Istio seems to need the token for authentication in its sidecars.
To make this configuration more flexible, let's make it available as a Helm value.
References
- Docs: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account
- Related to #5067 (specifically for ServiceAccounts)
- Related to #2292 (closed) (where automountServiceAccountToken: false was added, hard-coded, for most workloads)
- !2143 (closed) was a community contribution, but development halted. A similar approach should work, but we can likely simplify the logic a bit.
Acceptance criteria
- automountServiceAccountToken is configurable in all objects where it's used (ServiceAccounts, Deployments, StatefulSets, Jobs)
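
Added example (not part of the original issue or the chart's code): once the setting is configurable per object, a check over the rendered manifests can report which workloads still receive a token. It applies the Kubernetes rule that a value in the pod spec takes precedence over the ServiceAccount's, and that the token is mounted when neither sets it. The object names are hypothetical and the sample is constructed, assuming a single namespace.

```python
WORKLOAD_KINDS = {"Deployment", "StatefulSet", "Job"}


def workload(kind, name, **pod_spec):
    """Build a minimal rendered workload (helper for the constructed sample)."""
    return {"kind": kind, "metadata": {"name": name},
            "spec": {"template": {"spec": pod_spec}}}


# Constructed sample objects in one namespace; all names are hypothetical.
SAMPLE = [
    {"kind": "ServiceAccount", "metadata": {"name": "app"},
     "automountServiceAccountToken": False},
    workload("Deployment", "web", serviceAccountName="app"),
    workload("StatefulSet", "store", serviceAccountName="app",
             automountServiceAccountToken=True),
    workload("Job", "migrate"),
]


def effective_automount(objects):
    """Map (kind, name) -> True if the pod gets a ServiceAccount token."""
    sa_setting = {o["metadata"]["name"]: o.get("automountServiceAccountToken")
                  for o in objects if o["kind"] == "ServiceAccount"}
    result = {}
    for o in objects:
        if o["kind"] not in WORKLOAD_KINDS:
            continue
        pod = o["spec"]["template"]["spec"]
        value = pod.get("automountServiceAccountToken")
        if value is None:
            # Pod spec is silent: the ServiceAccount's setting applies.
            value = sa_setting.get(pod.get("serviceAccountName", "default"))
        if value is None:
            # Neither sets it: Kubernetes mounts the token by default.
            value = True
        result[(o["kind"], o["metadata"]["name"])] = value
    return result


def tokens_mounted(objects):
    """List workloads that still receive a token, for review."""
    return sorted(k for k, v in effective_automount(objects).items() if v)


if __name__ == "__main__":
    for kind, name in tokens_mounted(SAMPLE):
        print(f"{kind}/{name}: token mounted")
```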