Move certs job service account token

[sjberman]

Problem: For security reasons, it's best practice to not have automountServiceToken on the ServiceAccount, and instead set in directly on the workloads that need the token.

Solution: Set this field on the Pods instead of the ServiceAccounts.

This was missed as part of the original PR.

Related: #3540

Checklist

Before creating a PR, run through this checklist and mark each as complete.

• I have read the CONTRIBUTING doc
• I have added tests that prove my fix is effective or that my feature works
• I have checked that all unit tests pass after adding my changes
• I have updated necessary documentation
• I have rebased my branch onto main
• I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.81%. Comparing base (76184a9) to head (aeb9181).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3951      +/-   ##
==========================================
- Coverage   86.82%   86.81%   -0.02%     
==========================================
  Files         128      128              
  Lines       16602    16602              
  Branches       62       62              
==========================================
- Hits        14415    14413       -2     
- Misses       2005     2007       +2     
  Partials      182      182              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.