feat: Disable automatic service account mounting

Service accounts aren't needed for most of the services
since they don't talk to the Kubernetes API.

For increased security, we disable the automatic mounting of secrets.

helm/templates/backend/postgres.deployment.yaml

@@ -20,6 +20,7 @@ spec:
       labels:
         id: {{ .Release.Name }}-deployment-backend-postgres
     spec:
+      automountServiceAccountToken: false
       {{ if not .Values.development }}
       volumes:
         - name: {{ .Release.Name }}-data

helm/templates/docs/docs.deployment.yaml

@@ -17,6 +17,7 @@ spec:
       labels:
         id: {{ .Release.Name }}-deployment-docs
     spec:
+      automountServiceAccountToken: false
       {{- include "capellacollab.pod.spec" . | indent 6 -}}
       containers:
         - name: {{ .Release.Name }}-docs

helm/templates/frontend/frontend.deployment.yaml

@@ -21,6 +21,7 @@ spec:
       annotations:
         checksum/config-promtail: {{ include (print $.Template.BasePath "/promtail" "/promtail.configmap.yaml") . | sha256sum }}
     spec:
+      automountServiceAccountToken: false
       volumes:
         {{ if .Values.loki.enabled }}
         - name: logs

helm/templates/grafana/nginx.deployment.yaml

@@ -22,6 +22,7 @@ spec:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/grafana/nginx.configmap.yaml") . | sha256sum }}
     spec:
+      automountServiceAccountToken: false
       volumes:
         - name: {{ .Release.Name }}-grafana-nginx
           configMap:

helm/templates/guacamole/guacamole.deployment.yaml

@@ -21,6 +21,7 @@ spec:
       annotations:
         checksum/config-promtail: {{ include (print $.Template.BasePath "/promtail" "/promtail.configmap.yaml") . | sha256sum }}
     spec:
+      automountServiceAccountToken: false
       volumes:
         {{ if .Values.loki.enabled }}
         - name: unused

helm/templates/guacamole/guacd.deployment.yaml

@@ -21,6 +21,7 @@ spec:
       annotations:
         checksum/config-promtail: {{ include (print $.Template.BasePath "/promtail" "/promtail.configmap.yaml") . | sha256sum }}
     spec:
+      automountServiceAccountToken: false
       volumes:
         {{ if .Values.loki.enabled }}
         - name: logs

helm/templates/guacamole/postgres.deployment.yaml

@@ -24,6 +24,7 @@ spec:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/guacamole" "/postgres.configmap.yaml") . | sha256sum }}
     spec:
+      automountServiceAccountToken: false
       volumes:
         - name: {{ .Release.Name }}-data
           persistentVolumeClaim:

helm/templates/mock/oauth.deployment.yaml

@@ -22,6 +22,7 @@ spec:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/mock/oauth.configmap.yaml") . | sha256sum }}
     spec:
+      automountServiceAccountToken: false
       volumes:
         - name: {{ .Release.Name }}-oauth-mock
           configMap:

helm/templates/prometheus/nginx.deployment.yaml

@@ -21,6 +21,7 @@ spec:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/prometheus/nginx.configmap.yaml") . | sha256sum }}
     spec:
+      automountServiceAccountToken: false
       volumes:
         - name: {{ .Release.Name }}-prometheus-nginx
           configMap:

helm/templates/prometheus/prometheus.deployment.yaml

@@ -22,6 +22,7 @@ spec:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/prometheus/prometheus.configmap.yaml") . | sha256sum }}
     spec:
+      automountServiceAccountToken: false
       serviceAccountName: {{ .Release.Name }}-prometheus
       {{- include "capellacollab.pod.spec" . | indent 6 -}}
       containers: