{{- $auth := mustMergeOverwrite (mustDeepCopy .Values) .Values.auth -}}
{{- $projectedServiceAccountToken := semverCompare ">=1.20.0-0" .Capabilities.KubeVersion.Version }}
{{- if $auth.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
  name: {{ template "teleport-cluster.auth.serviceAccountName" . }}
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "teleport-cluster.auth.labels" . | nindent 4 }}
    {{- if $auth.extraLabels.serviceAccount }}
    {{- toYaml $auth.extraLabels.serviceAccount | nindent 4 }}
    {{- end }}
  {{- if or $auth.annotations.serviceAccount $auth.azure.clientID }}
  annotations:
    {{- if $auth.annotations.serviceAccount }}
      {{- toYaml $auth.annotations.serviceAccount | nindent 4 }}
    {{- end }}
    {{- if $auth.azure.clientID }}
    azure.workload.identity/client-id: "{{ $auth.azure.clientID }}"
    {{- end }}
  {{- end -}}
{{- if $projectedServiceAccountToken }}
automountServiceAccountToken: false
{{- end }}
{{- end }}