fix(eck-operator): make automountServiceAccountToken configurable

Keeps the default behaviour of having automountServiceAccountToken
set to true for ServiceAccount/Statefulset

Signed-off-by: Stefan Caraiman <stefanc.caraiman@gmail.com>

deploy/eck-operator/profile-disable-automounting-api.yaml

@@ -0,0 +1,29 @@
+automountServiceAccountToken: false
+
+serviceAccount:
+  automountServiceAccountToken: false
+
+volumeMounts:
+- mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+  name: serviceaccount-token
+  readOnly: true
+
+volumes:
+- name: serviceaccount-token
+  projected:
+    defaultMode: 0444
+    sources:
+    - serviceAccountToken:
+        expirationSeconds: 3607
+        path: token
+    - configMap:
+        name: kube-root-ca.crt
+        items:
+        - key: ca.crt
+          path: ca.crt
+    - downwardAPI:
+        items:
+        - path: namespace
+          fieldRef:
+            apiVersion: v1
+            fieldPath: metadata.namespace

deploy/eck-operator/templates/service-account.yaml

@@ -2,6 +2,7 @@
 ---
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
   name: {{ include "eck-operator.serviceAccountName" . }}
   namespace: {{ .Release.Namespace }}

deploy/eck-operator/templates/statefulset.yaml

@@ -31,6 +31,7 @@ spec:
     spec:
       terminationGracePeriodSeconds: 10
       serviceAccountName: {{ include "eck-operator.serviceAccountName" . }}
+      automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
       {{- with .Values.priorityClassName }}
       priorityClassName: {{ . }}
       {{- end }}
@@ -121,11 +122,16 @@ spec:
           - "--tls-cert-file=/tls/tls.crt"
           - "--tls-private-key-file=/tls/tls.key"
           {{- end }}
-          {{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
+          {{- if or .Values.config.metrics.secureMode.tls.certificateSecret .Values.config.metrics.secureMode.volumeMounts }}
           volumeMounts:
-          - mountPath: "/tls"
-            name: tls-certificate
-            readOnly: true
+            {{- with .Values.config.metrics.secureMode.volumeMounts }}
+              {{- toYaml . | nindent 12 }}
+            {{- end }}
+            {{- if .Values.config.metrics.secureMode.tls.certificateSecret }}
+            - mountPath: "/tls"
+              name: tls-certificate
+              readOnly: true
+            {{- end }}
           {{- end }}
           ports:
           - containerPort: {{ $metricsPort }}

deploy/eck-operator/values.yaml

@@ -87,9 +87,14 @@ volumes: []
 # createClusterScopedResources determines whether cluster-scoped resources (ClusterRoles, ClusterRoleBindings) should be created.
 createClusterScopedResources: true
 
+# Automount API credentials for the Service Account into the pod.
+automountServiceAccountToken: true
+
 serviceAccount:
   # create specifies whether a service account should be created for the operator.
   create: true
+  # Specifies whether a service account should automount API-Credentials
+  automountServiceAccountToken: true
   # annotations to add to the service account
   annotations: {}
   # name of the service account to use. If not set and create is true, a name is generated using the fullname template.
@@ -188,6 +193,8 @@ config:
       #       serviceMonitorNamespaceSelector: {}
       #       serviceMonitorSelectorNilUsesHelmValues: false
       enabled: false
+      # additional volume mounts for the kube-rbac-proxy container.
+      volumeMounts: []
       tls:
         # certificateSecret is the name of the tls secret containing the custom TLS certificate and key for the secure metrics endpoint.
         #