fluxcd-community / helm-charts

Community maintained Helm charts for Flux
Apache License 2.0

feat: allow setting automountServiceAccountToken in pod spec #149

Closed moritzjohner-form3 closed 1 year ago

moritzjohner-form3 commented 1 year ago

What this PR does / why we need it:

This PR allows the user to set the automountServiceAccountToken in the pod spec. This is a well-known requirement for CIS, BSI and NSA security benchmarks.

The user is supposed to set serviceAccount.automount=false and must add the appropriate volumes/volumeMounts.

We probably shouldn't set the default to serviceAccount.automount=false and provide the necessary volumes/volumeMounts as this would be a breaking change. E.g. if a user supplied a custom initContainer this would now be launched without a service account mounted.

Which issue this PR fixes

Special notes for your reviewer:

Checklist
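The pod-level result the description above refers to, as an added example that is not part of the PR or the chart: with automountServiceAccountToken disabled, a projected volume equivalent to the one Kubernetes would otherwise inject is declared explicitly and mounted only into the container that needs API access. The pod, container, service account and image names are hypothetical placeholders.

```yaml
# Added example; names and images are hypothetical placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: example-controller
spec:
  serviceAccountName: example-controller
  # Pod-level switch: no token is mounted implicitly into any container.
  automountServiceAccountToken: false
  initContainers:
    - name: custom-init
      image: registry.example/init:placeholder
      # No volumeMounts here, so this container starts without API
      # credentials. This is the behaviour change a user-supplied
      # initContainer would see if the default were flipped.
  containers:
    - name: controller
      image: registry.example/controller:placeholder
      volumeMounts:
        # Same path the automatic mount would have used, so client
        # libraries find the token, CA bundle and namespace as usual.
        - name: kube-api-access
          mountPath: /var/run/secrets/kubernetes.io/serviceaccount
          readOnly: true
  volumes:
    - name: kube-api-access
      projected:
        sources:
          # Short-lived, audience-bound token rotated by the kubelet.
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600
          # Cluster CA bundle published in every namespace.
          - configMap:
              name: kube-root-ca.crt
              items:
                - key: ca.crt
                  path: ca.crt
          # Namespace file expected by in-cluster client configuration.
          - downwardAPI:
              items:
                - path: namespace
                  fieldRef:
                    fieldPath: metadata.namespace
```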

moritzjohner-form3 commented 1 year ago

Need to bump the kind Kubernetes version to 1.23+ due to: https://github.com/stefanprodan/podinfo/pull/237. Gonna do this in scope of this PR.

moritzjohner-form3 commented 1 year ago

bump; can I get a review please 😸 @dwerder maybe 🙏

dmccaffery commented 1 year ago

@stefanprodan: I am unable to merge due to actions workflow changes:

image

moritzjohner-form3 commented 1 year ago

Did you try it with the GitHub Web UI? This may be an issue within the mobile app 🤔