Use service account token volume projections

[fischerman]

Projections can be used to create dedicated tokens (for example for Vault). This way, access to the database credentials can be limited to the sidecar. This reduces the attack surface in case the main container is compromised. We need to make the token location configurable to enable this.

Reference: https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection

[fischerman]

#3 allows us to configure the token path. This issue just needs some documentation and testing.