Make 'automountServiceAccountToken' configurable

Summary

As part of #2292 (closed), we set automountServiceAccountToken: false on the objects where the tokens were not needed.

However, as noted in !2143 (closed), Istio seems to need the token for authentication in its sidecars.

To make this configuration more flexible, let's make it available as a Helm value.

References

• Docs: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account
• Related to #5067 (closed) (specifically for ServiceAccounts)
• Related to #2292 (closed) (where automountServiceAccountToken: false was added, hard-coded, for most workloads)
• !2143 (closed) was a community contribution, but development halted. A simlar approach should work, but we can likely simplify the logic a bit.

Acceptance criteria

• automountServiceAccountToken is configurable in all objects where it's used (ServiceAccounts, Deployments, StatefulSets, Jobs)