feat: add automountServiceAccountToken support to TidbMonitor

[tennix]

What problem does this PR solve?

FedRAMP clusters enforce a Gatekeeper policy (block-automount-serviceaccount-token-pod) that blocks pods where automountServiceAccountToken is not explicitly false. The tidb-operator creates a {name}-monitor ServiceAccount and spawns prometheus/reloader/initializer pods using it — these pods are blocked by the policy since the SA-level field is unset and cannot be overridden externally.

What is changed and how it works

This PR adds automountServiceAccountToken to the TidbMonitorSpec and implements the same pattern already used for TidbCluster components (#6826 / #6815):

• When unset (default): no change to existing behavior.
• When false:
  • Sets automountServiceAccountToken: false on the {name}-monitor ServiceAccount.
  • Injects a projected SA token volume (kube-api-access) into the StatefulSet pod template, mounting it at /var/run/secrets/kubernetes.io/serviceaccount in all containers: monitor-initializer, dm-initializer (if DM enabled), prometheus, reloader, thanos-sidecar (if Thanos enabled), prometheus-reloader (if enabled), grafana (if enabled), and any additionalContainers.
• When true: sets automountServiceAccountToken: true on the SA; no projected volume injected.

The projected volume uses the same util.SATokenProjectionVolume() / util.SATokenProjectionVolumeMount() helpers from pkg/util/util.go as the rest of the operator.

Example

apiVersion: pingcap.com/v1alpha1
kind: TidbMonitor
metadata:
  name: basic
spec:
  automountServiceAccountToken: false
  # ... rest of spec

Checklist

• Unit tests added/updated (TestGetMonitorServiceAccount, TestGetMonitorStatefulSetSATokenProjection)
• CRD manifests regenerated (make generate)
• API docs regenerated
• Follows the same pattern as feat: support mount sa token explicitly if automount is false (#6815) #6826 for TidbCluster

Related issues / PRs

• feat: support mount sa token explicitly if automount is false (#6815) #6826 — same feature for TidbCluster components
• feat: support mount sa token explicitly if automount is false #6815 — SATokenProjectionVolume helper introduced

[ti-chi-bot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[tennix]

/test pull-e2e-kind-tidbcluster

[tennix]

/test pull-e2e-kind-br

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign wangle1321 for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tennix]

/test pull-e2e-kind-dmcluster

[tennix]

/test pull-e2e-kind-tidbcluster

[tennix]

/test pull-e2e-kind-tidbcluster

[tennix]

/test pull-e2e-kind-dmcluster

[tennix]

/test pull-e2e-kind-across-kubernetes

[tennix]

/test pull-e2e-kind-across-kubernetes