feat: Add volume and volume mount for service token

[svenska-primekey]

Changes Made

1. values.yaml:42-50

Added configuration options:

• serviceAccount.automountServiceAccountToken: false (default)
• serviceAccount.projectedTokenVolume.expirationSeconds: 3607
• serviceAccount.projectedTokenVolume.defaultMode: 0444

2. serviceaccount.yaml:15

Added automountServiceAccountToken field that respects the values.yaml setting

3. deployment.yaml:31-40

Added conditional projected volume for service account token when automountServiceAccountToken is false

4. deployment.yaml:70-75

Added conditional volumeMount to mount the projected token at the standard location

How It Works

When serviceAccount.automountServiceAccountToken is set to false:

• The ServiceAccount explicitly disables automatic token mounting
• A projected volume is created with a time-bound service account token
• The token is mounted at /var/run/secrets/kubernetes.io/serviceaccount (standard location)
• The token expires after 3607 seconds and is automatically rotated by Kubernetes

This approach provides better security by:

• Using short-lived tokens instead of permanent ones
• Maintaining compatibility with applications expecting tokens at the standard path
• Supporting the automountServiceAccountToken: false security requirement

[irby]

Hey @svenska-primekey thank you for your contribution here. I'm working on a 2.5 release that will include additional features to the issuer. I'll review this and will likely include it in the 2.5 release.

[irby]

Hey @svenska-primekey I'm incorporating this change into our 2.6.0 release. I've added the commit from this PR into a separate branch:

#70

[irby]

@svenska-primekey This has been merged into production. #71

Closing out this PR.

Thanks again for your contribution!