Add configuration to disable service token automount

Signed-off-by: Jeremy Alvis <jeremy.alvis@solo.io>

Author: iplay88keys

helm/kagent-tools/templates/deployment.yaml

@@ -52,6 +52,7 @@ spec:
       securityContext:
         {{- toYaml .Values.podSecurityContext | nindent 8 }}
       serviceAccountName: {{ include "kagent.fullname" . }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       containers:
         - name: tools
           command:

helm/kagent-tools/tests/deployment_test.yaml

@@ -140,3 +140,19 @@ tests:
           value:
             app.kubernetes.io/name: kagent-tools
             app.kubernetes.io/instance: RELEASE-NAME
+
+  - it: should enable automountServiceAccountToken by default
+    template: deployment.yaml
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: true
+
+  - it: should disable automountServiceAccountToken when configured
+    template: deployment.yaml
+    set:
+      automountServiceAccountToken: false
+    asserts:
+      - equal:
+          path: spec.template.spec.automountServiceAccountToken
+          value: false

helm/kagent-tools/values.yaml

@@ -44,6 +44,9 @@ podSecurityContext: {}
   # fsGroup: 2000
 
 securityContext: {}
+
+# Disable service account token mounting to force usage of Authorization header
+automountServiceAccountToken: true
   # capabilities:
   #   drop:
   #   - ALL