[bitnami/postgresql] disable automounting of service account token (#6967)

This disables automounting of the service account token into the pod.
PostgreSQL does not need the token. With automounting disabled, an
attacker who compromises the pod cannot use the pod's identity to access the Kubernetes API.

This commit disables it by default, but leaves it configurable if anyone
needs to use it.

Signed-off-by: Jorik Jonker <jorik.jonker@eu.equinix.com>
This commit is contained in:
Jorik Jonker
2021-07-19 10:06:37 +02:00
committed by GitHub
parent 98d775dbe1
commit 3a6043706e
5 changed files with 7 additions and 1 deletions


@@ -26,4 +26,4 @@ name: postgresql
sources:
- https://github.com/bitnami/bitnami-docker-postgresql
- https://www.postgresql.org/
version: 10.5.3
version: 10.6.0


@@ -101,6 +101,7 @@ $ kubectl delete pvc -l release=my-release
| `securityContext.fsGroup` | Group ID for the pod | `1001` |
| `containerSecurityContext.enabled` | Enable container security context | `true` |
| `containerSecurityContext.runAsUser` | User ID for the container | `1001` |
| `serviceAccount.autoMount` | Auto-mount the service account token in the pod | `false` |
| `serviceAccount.enabled` | Enable service account (Note: Service Account will only be automatically created if `serviceAccount.name` is not set) | `false` |
| `serviceAccount.name` | Name of an already existing service account. Setting this value disables the automatic service account creation | `nil` |
| `psp.create` | Create Pod Security Policy | `false` |


@@ -63,6 +63,7 @@ spec:
{{- if .Values.securityContext.enabled }}
securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }}
{{- if .Values.serviceAccount.enabled }}
serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name}}
{{- end }}
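Review bot: The new `automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }}` line renders the value as a bare scalar, so an override that is empty or null (e.g. `--set serviceAccount.autoMount=`) renders `automountServiceAccountToken:` with no value, which Kubernetes treats as unset and falls back to the ServiceAccount's own setting (true unless that object says otherwise) — the hardening would be silently lost rather than rejected. If you want the pod-level field to always carry an explicit boolean, `automountServiceAccountToken: {{ .Values.serviceAccount.autoMount | default false }}` would render `false` for any empty value while leaving `true` intact. Setting it unconditionally at pod level is otherwise the right choice, since the pod field overrides the ServiceAccount's `automountServiceAccountToken`; the same line is added in the second statefulset hunk below and the remark applies there too. The enclosing `spec:` block starts and ends outside this hunk.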


@@ -65,6 +65,7 @@ spec:
{{- if .Values.securityContext.enabled }}
securityContext: {{- omit .Values.securityContext "enabled" | toYaml | nindent 8 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.autoMount }}
{{- if .Values.serviceAccount.enabled }}
serviceAccountName: {{ default (include "common.names.fullname" . ) .Values.serviceAccount.name }}
{{- end }}


@@ -149,6 +149,9 @@ serviceAccount:
## @param serviceAccount.name Name of an already existing service account. Setting this value disables the automatic service account creation
##
name:
## @param serviceAccount.autoMount Auto-mount the service account token in the pod
##
autoMount: false
## Pod Security Policy
## ref: https://kubernetes.io/docs/concepts/policy/pod-security-policy/
## @param psp.create Create Pod Security Policy
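Review bot: The `@param serviceAccount.autoMount` description only says what the flag does, not why `false` is the default or how it interacts with the ServiceAccount object, which is what an operator tempted to flip it needs. I would extend the comment to something like `## @param serviceAccount.autoMount Auto-mount the service account token in the pod. Disabled by default because PostgreSQL does not call the Kubernetes API; this pod-level setting overrides automountServiceAccountToken on the ServiceAccount itself`. It may also be worth noting in the same comment that the ServiceAccount created by the chart is not changed by this setting, so other workloads bound to it still receive a token.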