
feat: add ability to set automount to false (#1859)

Signed-off-by: Moritz Johner <Moritz.Johner@form3.tech>

Signed-off-by: Moritz Johner <Moritz.Johner@form3.tech>
Moritz Johner 3 years ago
parent
commit
cdabe6df4e

+ 3 - 0
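--- a/deploy/charts/external-secrets/README.md
+++ b/deploy/charts/external-secrets/README.md
@@ -65,6 +65,7 @@ The command removes all the Kubernetes components associated with the chart and
 | certController.resources | object | `{}` |  |
 | certController.securityContext | object | `{}` |  |
 | certController.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| certController.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
 | certController.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | certController.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
 | certController.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
@@ -113,6 +114,7 @@ The command removes all the Kubernetes components associated with the chart and
 | scopedRBAC | bool | `false` | Must be used with scopedNamespace. If true, create scoped RBAC roles under the scoped namespace and implicitly disable cluster stores and cluster external secrets |
 | securityContext | object | `{}` |  |
 | serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
 | serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
 | serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |
@@ -159,6 +161,7 @@ The command removes all the Kubernetes components associated with the chart and
 | webhook.secretAnnotations | object | `{}` | Annotations to add to Secret |
 | webhook.securityContext | object | `{}` |  |
 | webhook.serviceAccount.annotations | object | `{}` | Annotations to add to the service account. |
+| webhook.serviceAccount.automount | bool | `true` | Automounts the service account token in all containers of the pod |
 | webhook.serviceAccount.create | bool | `true` | Specifies whether a service account should be created. |
 | webhook.serviceAccount.extraLabels | object | `{}` | Extra Labels to add to the service account. |
 | webhook.serviceAccount.name | string | `""` | The name of the service account to use. If not set and create is true, a name is generated using the fullname template. |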

+ 1 - 0
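--- a/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
+++ b/deploy/charts/external-secrets/templates/cert-controller-deployment.yaml
@@ -32,6 +32,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "external-secrets-cert-controller.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}
       {{- with .Values.certController.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}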
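Review bot: The added `automountServiceAccountToken` line is set on the pod spec only, so the ServiceAccount object the chart creates keeps its own default; the service account templates are not shown in this commit, so that part is inferred. With `automount: false`, any other pod that references the same service account would still have a token mounted. Consider also rendering `automountServiceAccountToken: {{ .Values.certController.serviceAccount.automount }}` in the matching ServiceAccount template so both levels agree. The same point applies to the lines added in templates/deployment.yaml and templates/webhook-deployment.yaml. The pod spec continues outside this hunk.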

+ 1 - 0
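--- a/deploy/charts/external-secrets/templates/deployment.yaml
+++ b/deploy/charts/external-secrets/templates/deployment.yaml
@@ -32,6 +32,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "external-secrets.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
       {{- with .Values.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}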

+ 1 - 0
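--- a/deploy/charts/external-secrets/templates/webhook-deployment.yaml
+++ b/deploy/charts/external-secrets/templates/webhook-deployment.yaml
@@ -33,6 +33,7 @@ spec:
       {{- end }}
       hostNetwork: {{ .Values.webhook.hostNetwork}}
       serviceAccountName: {{ include "external-secrets-webhook.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automount }}
       {{- with .Values.webhook.podSecurityContext }}
       securityContext:
         {{- toYaml . | nindent 8 }}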

+ 6 - 0
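--- a/deploy/charts/external-secrets/values.yaml
+++ b/deploy/charts/external-secrets/values.yaml
@@ -56,6 +56,8 @@ concurrent: 1
 serviceAccount:
   # -- Specifies whether a service account should be created.
   create: true
+  # -- Automounts the service account token in all containers of the pod
+  automount: true
   # -- Annotations to add to the service account.
   annotations: {}
   # -- Extra Labels to add to the service account.
@@ -179,6 +181,8 @@ webhook:
   serviceAccount:
     # -- Specifies whether a service account should be created.
     create: true
+    # -- Automounts the service account token in all containers of the pod
+    automount: true
     # -- Annotations to add to the service account.
     annotations: {}
     # -- Extra Labels to add to the service account.
@@ -296,6 +300,8 @@ certController:
   serviceAccount:
     # -- Specifies whether a service account should be created.
     create: true
+    # -- Automounts the service account token in all containers of the pod
+    automount: true
     # -- Annotations to add to the service account.
     annotations: {}
     # -- Extra Labels to add to the service account.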
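Review bot: The new `# -- Automounts the service account token in all containers of the pod` comment does not tell an operator what `automount: false` implies. The templates apply the value to the pod spec, so with it off the pod has no mounted API credentials unless a token is supplied another way. These components presumably call the Kubernetes API, so a comment such as `# -- Automounts the service account token in all containers of the pod. When false, a token must be provided by other means (for example a projected volume), otherwise API calls fail.` would help anyone hardening the deployment. The same wording fits all three hunks (`serviceAccount`, `webhook.serviceAccount`, `certController.serviceAccount`). The README table appears to be generated from these comments and would pick the change up.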