feat: add spec.serviceAccountName for Workload Identity support#240
Conversation
Enable cloud Workload Identity (AWS IRSA, GCP WI, Azure WI) by allowing a custom ServiceAccount on the gateway pod. When set, the operator also enables automountServiceAccountToken so the projected SA token is available inside the pod for request-level signing APIs (S3, GCS, Azure Blob) that the proxy's header injection model cannot support. The SA is set only on the gateway Deployment; the proxy is unaffected. When the field is omitted, existing behavior is preserved. Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Pavel Anni <panni@redhat.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Enterprise Run ID: 📒 Files selected for processing (8)
🔗 Linked repositories identifiedCodeRabbit considers these linked repositories for cross-repo context during reviews:
📜 Recent review details🧰 Additional context used📓 Path-based instructions (6)**⚙️ CodeRabbit configuration file
Files:
config/**/*📄 CodeRabbit inference engine (CLAUDE.md)
Files:
api/v1alpha1/*.go📄 CodeRabbit inference engine (CLAUDE.md)
Files:
**/*.{go,mod,sum}📄 CodeRabbit inference engine (CLAUDE.md)
Files:
internal/controller/*.go📄 CodeRabbit inference engine (CLAUDE.md)
Files:
internal/controller/*_test.go📄 CodeRabbit inference engine (CLAUDE.md)
Files:
🧠 Learnings (1)📓 Common learnings🔀 Multi-repo context codeready-toolchain/toolchain-e2eLinked repositories findingscodeready-toolchain/toolchain-e2e
🔇 Additional comments (10)
WalkthroughThis PR introduces an optional ChangesGateway ServiceAccount / Workload Identity support
Estimated code review effort: 3 (Moderate) | ~25 minutes Sequence Diagram(s)sequenceDiagram
participant Reconciler as claw_resource_controller
participant ConfigureDeployments as configureDeployments
participant ConfigureSA as configureClawDeploymentServiceAccount
participant GatewayDeployment as Gateway Deployment
Reconciler->>ConfigureDeployments: reconcile Claw instance
ConfigureDeployments->>ConfigureSA: configureClawDeploymentServiceAccount(objects, instance)
ConfigureSA->>GatewayDeployment: locate gateway Deployment manifest
alt ServiceAccountName set
ConfigureSA->>GatewayDeployment: set serviceAccountName, automountServiceAccountToken=true
else empty
ConfigureSA->>ConfigureSA: no-op
end
ConfigureSA-->>ConfigureDeployments: return error if gateway Deployment missing
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
- Remove Azure WI from supported platforms — its mutating webhook requires a pod-level label the operator doesn't inject yet - Add gateway assertions to proxy-isolation unit test - Add automountServiceAccountToken assertion on proxy integration test - Add update/removal scenario test (change SA, then clear it) - Include deployment name in error message for consistency - Remove shadowed ctx in integration tests - Add comment explaining why assert.Empty fails for SA name - Change ADR status from Implemented to Accepted - Simplify AWS IRSA example (remove unrelated LLM credential) Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com> Signed-off-by: Pavel Anni <panni@redhat.com>
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #240 +/- ##
==========================================
- Coverage 79.66% 79.63% -0.04%
==========================================
Files 34 34
Lines 4878 4900 +22
==========================================
+ Hits 3886 3902 +16
- Misses 631 634 +3
- Partials 361 364 +3
🚀 New features to boost your workflow:
|
Summary
spec.serviceAccountNamefield to the Claw CRD, enablingcloud Workload Identity (AWS IRSA, GCP WI, Azure WI) on the gateway pod
serviceAccountNameand enablesautomountServiceAccountTokenon the gateway Deployment onlyWhy: Cloud storage APIs (S3, GCS, Azure Blob) use request-level
signing (AWS SigV4, GCP signed requests) — the proxy's header injection
model cannot support these. Workload Identity provides short-lived,
auto-rotating credentials via a projected SA token, which is strictly
better than static access keys configured inside the agent container.
Changes
api/v1alpha1/claw_types.goServiceAccountNamefield onClawSpec(afterNetwork)internal/controller/claw_deployment.goconfigureClawDeploymentServiceAccount()mutation functioninternal/controller/claw_resource_controller.gointernal/controller/claw_deployment_test.goconfig/crd/bases/claw.sandbox.redhat.com_claws.yamldocs/adr/0022-service-account-name.mddocs/user-guide.mdCLAUDE.mdProposal:
claw-project/docs/dev/proposal-service-account-name.mdTest plan
Automated tests (all passing)
serviceAccountNameandautomountServiceAccountToken: trueon gatewayautomountServiceAccountTokenremainsfalseDeploymenthas correct SA and token mountManual tests (completed on a fresh cluster)
oc create sa test-sa -n $NS+ Claw CR withserviceAccountName: test-saoc get deploy <instance> -o jsonpath='{.spec.template.spec.serviceAccountName}'→test-saoc get deploy <instance> -o jsonpath='{.spec.template.spec.automountServiceAccountToken}'→trueoc exec deploy/<instance> -c gateway -- ls /var/run/secrets/kubernetes.io/serviceaccount/→ca.crt namespace tokenserviceAccountName→ SA token directory not mountedoc get deploy <instance>-proxy -o jsonpath='{.spec.template.spec.serviceAccountName}'→ nottest-saSummary by CodeRabbit
New Features
Bug Fixes
Tests