From 51fc2892fd3de1892789aad30cbe56a89ea4413a Mon Sep 17 00:00:00 2001
From: wkbrd <30599409+wkbrd@users.noreply.github.com>
Date: Mon, 6 Oct 2025 08:56:06 -0400
Subject: [PATCH] Security improvement: Do not automount the service account via StatefulSet or ServiceAccount
---
 charts/questdb/templates/serviceaccount.yaml | 1 +
 charts/questdb/templates/statefulset.yaml | 1 +
 charts/questdb/values.yaml | 2 ++
 3 files changed, 4 insertions(+)
diff --git a/charts/questdb/templates/serviceaccount.yaml b/charts/questdb/templates/serviceaccount.yaml
index 4b3b0c6..cffb1d7 100644
--- a/charts/questdb/templates/serviceaccount.yaml
+++ b/charts/questdb/templates/serviceaccount.yaml
@@ -1,6 +1,7 @@
 {{- if .Values.serviceAccount.create }}
 apiVersion: v1
 kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}
 metadata:
 name: {{ include "questdb.serviceAccountName" . }}
 {{- if .Values.serviceAccount.labels }}
diff --git a/charts/questdb/templates/statefulset.yaml b/charts/questdb/templates/statefulset.yaml
index a3956c6..40e21b7 100644
--- a/charts/questdb/templates/statefulset.yaml
+++ b/charts/questdb/templates/statefulset.yaml
@@ -33,6 +33,7 @@ spec:
 {{- if or .Values.serviceAccount.create .Values.serviceAccount.name }}
 serviceAccountName: {{ include "questdb.serviceAccountName" . }}
 {{- end }}
+ automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}
 containers:
 - name: {{ .Chart.Name }}
 securityContext:
diff --git a/charts/questdb/values.yaml b/charts/questdb/values.yaml
index 7b7b1d1..4742a7a 100644
--- a/charts/questdb/values.yaml
+++ b/charts/questdb/values.yaml
@@ -94,6 +94,7 @@ livenessProbe: {}
 # successThreshold: 1
 # timeoutSeconds: 2
+automountServiceAccountToken: false
 metrics:
 enabled: true
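Review bot: The added `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }}` in serviceaccount.yaml renders as an empty (null) value whenever the key is absent from a user's values file, and an unset field on a ServiceAccount falls back to the Kubernetes default of mounting the token, so an override that omits the key silently loses the hardening. Rendering it with an explicit fallback, `automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken | default false }}`, keeps the fail-closed default regardless of what the values file contains. Note also that this field on the ServiceAccount is only a default: the pod-level field the same patch adds to the StatefulSet takes precedence, so for pods created by this chart the `serviceAccount.*` knob mainly matters for other workloads that reuse the account, which is worth a one-line template comment.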
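Review bot: `automountServiceAccountToken: {{ .Values.automountServiceAccountToken }}` in statefulset.yaml has the same missing-fallback problem as the ServiceAccount template: an absent or null value renders an empty field, which Kubernetes treats as unset and therefore mounts the token, so the secure default only holds while the key is present in the merged values. `automountServiceAccountToken: {{ .Values.automountServiceAccountToken | default false }}` pins it. Placing the line outside the `{{- if or .Values.serviceAccount.create .Values.serviceAccount.name }}` guard looks deliberate and correct — with no service account configured the pod runs as the namespace's `default` account, whose token is exactly what should not be mounted — but a short comment such as `{{- /* always rendered: also applies when the pod falls back to the namespace default SA */}}` would stop a later cleanup from moving it inside the guard. The enclosing pod spec begins and ends outside the hunk.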
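Review bot: The new top-level `automountServiceAccountToken: false` in values.yaml carries no comment, and because the pod-level value overrides the ServiceAccount-level one it is not obvious to a chart user which of the two new keys they need to change. A comment above it along the lines of `# Mount the service account token into the QuestDB pod. Pod-level setting; overrides serviceAccount.automountServiceAccountToken. Enable only if something in the pod must call the Kubernetes API.` would make the relationship explicit. Flipping the default to false is the right fail-closed choice, but it is a behaviour change for existing installs whose containers may have relied on the in-cluster token, so it deserves a note in the chart's changelog or README and a chart version bump; the diffstat shows neither Chart.yaml nor any documentation file being touched.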
@@ -106,6 +107,7 @@ serviceAccount:
 create: false
 labels: {}
 annotations: {}
+ automountServiceAccountToken: false
 # if create is set to "true", you can specify the name of that service account below
 # if create is set to "false", you can use this to reference an existing service account for the StatefulSet pod