feat: add optional automountServiceAccountToken to cleanup job

Signed-off-by: falcorocks <[email protected]>

charts/policy-controller/README.md

@@ -157,6 +157,7 @@ helm uninstall [RELEASE_NAME]
 | cosign.webhookTimeoutSeconds | object | `{}` |  |
 | imagePullSecrets | list | `[]` |  |
 | installCRDs | bool | `true` |  |
+| leasescleanup.automountServiceAccountToken | bool | `true` |  |
 | leasescleanup.image.pullPolicy | string | `"IfNotPresent"` |  |
 | leasescleanup.image.repository | string | `"cgr.dev/chainguard/kubectl"` |  |
 | leasescleanup.image.version | string | `"latest-dev"` |  |

charts/policy-controller/templates/webhook/cleanup-leases.yaml

@@ -16,6 +16,11 @@ spec:
       name: leases-cleanup
     spec:
       serviceAccountName: {{ template "webhook.serviceAccountName" . }}-cleanup
+      {{- if .Values.leasescleanup.automountServiceAccountToken }}
+      automountServiceAccountToken: true
+      {{- else }}
+      automountServiceAccountToken: false
+      {{- end }}
       containers:
         - name: kubectl
           image: "{{ template "leases-cleanup.image" .Values.leasescleanup.image }}"

charts/policy-controller/values.schema.json

@@ -69,6 +69,12 @@
     },
     "leasescleanup": {
       "properties": {
+        "automountServiceAccountToken": {
+          "default": true,
+          "required": [],
+          "title": "automountServiceAccountToken",
+          "type": "boolean"
+        },
         "image": {
           "properties": {
             "pullPolicy": {

charts/policy-controller/values.yaml

@@ -106,6 +106,7 @@ leasescleanup:
     # capabilities:
     #   drop:
     #     - ALL
+  automountServiceAccountToken: true
 
 ## common node selector for all the pods
 commonNodeSelector: {}