Set automountServiceAccountToken to false on all ServiceAccount kinds and to true on all Deployment kinds

[nickdk]

I'm experimenting with nginx-gateway-fabric on a cluster not managed by myself. This cluster has quite stringent security requirements enforced by gatekeeper that denies certain configuration on certain resources.

One of them is requiring that all ServiceAccount objects have explicitly set:
automountServiceAccountToken: false

The deployment is still allowed to explicitly set auto mounting of the service account to true:

spec:
  automountServiceAccountToken: true

As far as I can tell this has the exact same functionality from the Pod's perspective.

Would it be feasible to do this on all service accounts in nginx-gateway-fabric? More specifically:

1. In the Helm chart template or allow it to be controlled through helm values
2. In the ServiceAccount of the data plane that is dynamically created by the control plane based on the Gateway spec

I can work around the first one by inlining the chart and changing the template but it's annoying when having to upgrade to newer chart versions so ideally it would be controllable by chart values or just be the default.

The second thing is more problematic since I don't seem to have a way to define this on the dynamically created data plan ServiceAccount and Deployment. I can only change annotations and labels through the Gateway infrastructure yaml section.

Thanks for you feedback.

[mpstefan]

Thanks @nickdk!

I've created an issue #3540 to track this. Does the acceptance criteria look correct to you (reply on the issue)? If you're interested, feel free to go ahead with the update and we'll just make sure that the automated tests pass on your PR.