From 3d1b14b94acaa437a5187c0df2ffd21c656d75c3 Mon Sep 17 00:00:00 2001
From: Sven Rajala
Date: Thu, 18 Dec 2025 11:00:08 -0500
Subject: [PATCH] feat: Add volume and volume mount for service token
---
 .../templates/deployment.yaml | 16 ++++++++++++++++
 .../templates/serviceaccount.yaml | 1 +
 .../command-cert-manager-issuer/values.yaml | 9 +++++++++
 3 files changed, 26 insertions(+)
diff --git a/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml b/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml
index 856ace0..fbc4786 100644
--- a/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml
+++ b/deploy/charts/command-cert-manager-issuer/templates/deployment.yaml
@@ -28,6 +28,16 @@ spec:
 serviceAccountName: {{ include "command-cert-manager-issuer.serviceAccountName" . }}
 securityContext:
 {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ {{- if not .Values.serviceAccount.automountServiceAccountToken }}
+ volumes:
+ - name: serviceaccount-token
+ projected:
+ defaultMode: {{ .Values.serviceAccount.projectedTokenVolume.defaultMode }}
+ sources:
+ - serviceAccountToken:
+ expirationSeconds: {{ .Values.serviceAccount.projectedTokenVolume.expirationSeconds }}
+ path: token
+ {{- end }}
 containers:
 - args:
 - --health-probe-bind-address=:8081
@@ -57,6 +67,12 @@ spec:
 {{- toYaml .Values.resources | nindent 12 }}
 securityContext:
 {{- toYaml .Values.securityContext | nindent 12 }}
+ {{- if not .Values.serviceAccount.automountServiceAccountToken }}
+ volumeMounts:
+ - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
+ name: serviceaccount-token
+ readOnly: true
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml b/deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml
index ccefb2e..e047c80 100644
--- a/deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml
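Review bot: The projected volume added in the first deployment.yaml hunk carries only a `serviceAccountToken` source, so once the second hunk mounts it at `/var/run/secrets/kubernetes.io/serviceaccount` that directory holds `token` but no `ca.crt` or `namespace` file. The automatically injected volume this replaces also projects the `kube-root-ca.crt` ConfigMap and the pod namespace; a client that builds its in-cluster configuration from this directory would presumably lose the cluster CA bundle and fail TLS verification of the API server. I would add the `configMap` and `downwardAPI` sources shown below, so that verification keeps working without anyone being tempted to relax it. Indentation in the sketch is assumed because the patch text has lost it, and the pod spec continues outside the hunk.

```yaml
          sources:
            # … unchanged: serviceAccountToken source (expirationSeconds, path: token) …
            - configMap:
                name: kube-root-ca.crt
                items:
                  - key: ca.crt
                    path: ca.crt
            - downwardAPI:
                items:
                  - path: namespace
                    fieldRef:
                      apiVersion: v1
                      fieldPath: metadata.namespace
```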
+++ b/deploy/charts/command-cert-manager-issuer/templates/serviceaccount.yaml
@@ -12,4 +12,5 @@ metadata:
 annotations:
 {{- toYaml . | nindent 4 }}
 {{- end }}
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 {{- end }}
diff --git a/deploy/charts/command-cert-manager-issuer/values.yaml b/deploy/charts/command-cert-manager-issuer/values.yaml
index 6fd5bcb..00159c5 100644
--- a/deploy/charts/command-cert-manager-issuer/values.yaml
+++ b/deploy/charts/command-cert-manager-issuer/values.yaml
@@ -39,6 +39,15 @@ serviceAccount:
 # The name of the service account to use.
 # If not set and create is true, a name is generated using the fullname template
 name: ""
+ # Specifies whether to automount the service account token
+ # If false, a projected volume will be used to mount the token
+ automountServiceAccountToken: false
+ # Configuration for projected service account token volume (used when automountServiceAccountToken is false)
+ projectedTokenVolume:
+ # Token expiration time in seconds
+ expirationSeconds: 3607
+ # File permissions for the token
+ defaultMode: 0444
 podLabels: {}
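Review bot: The automount opt-out in the serviceaccount.yaml hunk is set only on the ServiceAccount object, and the trailing `{{- end }}` suggests this manifest is rendered conditionally (the opening condition is outside the hunk). If the release points at a pre-existing service account that still has automount enabled, nothing in the pod spec opts out explicitly. The pod-level field takes precedence over the ServiceAccount's, so I would also set `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` in the pod spec of deployment.yaml. That makes the pod's token handling independent of which service account is named.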
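Review bot: `defaultMode: 0444` in the values.yaml hunk relies on the values parser reading a leading zero as octal; a YAML 1.2 reader would take it as decimal 444, which is a different permission set on a credential file. Writing the decimal form removes the ambiguity: `defaultMode: 292  # decimal form of octal 0444`. The `expirationSeconds` comment could also state the bounds an operator needs, for example `# Token lifetime in seconds (Kubernetes rejects values below 600); the kubelet refreshes the file before expiry, so the workload must re-read it`.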