Skip to content

feat: add spec.serviceAccountName for Workload Identity support#240

Merged
alexeykazakov merged 2 commits into
codeready-toolchain:masterfrom
pavelanni:feature/service-account-name
Jul 9, 2026
Merged

feat: add spec.serviceAccountName for Workload Identity support#240
alexeykazakov merged 2 commits into
codeready-toolchain:masterfrom
pavelanni:feature/service-account-name

Conversation

@pavelanni

@pavelanni pavelanni commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add optional spec.serviceAccountName field to the Claw CRD, enabling
    cloud Workload Identity (AWS IRSA, GCP WI, Azure WI) on the gateway pod
  • When set, the operator sets serviceAccountName and enables
    automountServiceAccountToken on the gateway Deployment only
  • When omitted, existing behavior is preserved (default SA, no token mounted)

Why: Cloud storage APIs (S3, GCS, Azure Blob) use request-level
signing (AWS SigV4, GCP signed requests) — the proxy's header injection
model cannot support these. Workload Identity provides short-lived,
auto-rotating credentials via a projected SA token, which is strictly
better than static access keys configured inside the agent container.

Changes

File Change
api/v1alpha1/claw_types.go ServiceAccountName field on ClawSpec (after Network)
internal/controller/claw_deployment.go configureClawDeploymentServiceAccount() mutation function
internal/controller/claw_resource_controller.go Wire into Phase 3 reconciliation
internal/controller/claw_deployment_test.go Unit + integration tests
config/crd/bases/claw.sandbox.redhat.com_claws.yaml Regenerated CRD manifest
docs/adr/0022-service-account-name.md ADR documenting the decision
docs/user-guide.md User guide section with AWS/GCP/Azure examples
CLAUDE.md Updated CRD field summary

Proposal: claw-project/docs/dev/proposal-service-account-name.md

Test plan

Automated tests (all passing)

  • Unit: SA set → serviceAccountName and automountServiceAccountToken: true on gateway
  • Unit: SA omitted → no-op, automountServiceAccountToken remains false
  • Unit: proxy Deployment is not affected when SA is set on Claw CR
  • Unit: error returned when gateway Deployment is missing from manifests
  • Integration: full reconcile with SA → typed Deployment has correct SA and token mount
  • Integration: full reconcile without SA → gateway pod uses default SA, token not mounted
  • Integration: full reconcile with SA → proxy pod is unaffected

Manual tests (completed on a fresh cluster)

  • oc create sa test-sa -n $NS + Claw CR with serviceAccountName: test-sa
  • oc get deploy <instance> -o jsonpath='{.spec.template.spec.serviceAccountName}'test-sa
  • oc get deploy <instance> -o jsonpath='{.spec.template.spec.automountServiceAccountToken}'true
  • oc exec deploy/<instance> -c gateway -- ls /var/run/secrets/kubernetes.io/serviceaccount/ca.crt namespace token
  • Negative: Claw without serviceAccountName → SA token directory not mounted
  • oc get deploy <instance>-proxy -o jsonpath='{.spec.template.spec.serviceAccountName}' → not test-sa

Summary by CodeRabbit

  • New Features

    • Added optional Service Account support for the gateway, enabling Workload Identity setups and custom token mounting when configured.
    • Updated user-facing documentation with setup guidance, security notes, and platform-specific examples.
  • Bug Fixes

    • Gateway settings now apply consistently when the Service Account value is changed or removed.
    • The proxy component remains unaffected by these gateway-only settings.
  • Tests

    • Added coverage for Service Account configuration behavior and end-to-end reconciliation scenarios.

Enable cloud Workload Identity (AWS IRSA, GCP WI, Azure WI) by allowing
a custom ServiceAccount on the gateway pod. When set, the operator also
enables automountServiceAccountToken so the projected SA token is
available inside the pod for request-level signing APIs (S3, GCS, Azure
Blob) that the proxy's header injection model cannot support.

The SA is set only on the gateway Deployment; the proxy is unaffected.
When the field is omitted, existing behavior is preserved.

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Pavel Anni <panni@redhat.com>
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 66a74cb3-af26-4bea-8549-98beb2a80fcc

📥 Commits

Reviewing files that changed from the base of the PR and between ce43e30 and 93b31df.

📒 Files selected for processing (8)
  • CLAUDE.md
  • api/v1alpha1/claw_types.go
  • config/crd/bases/claw.sandbox.redhat.com_claws.yaml
  • docs/adr/0022-service-account-name.md
  • docs/user-guide.md
  • internal/controller/claw_deployment.go
  • internal/controller/claw_deployment_test.go
  • internal/controller/claw_resource_controller.go
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • codeready-toolchain/api (manual)
  • codeready-toolchain/toolchain-common (manual)
  • codeready-toolchain/host-operator (manual)
  • codeready-toolchain/toolchain-e2e (manual)
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (6)
**

⚙️ CodeRabbit configuration file

-Focus on major issues impacting performance, readability, maintainability and security. Avoid nitpicks and avoid verbosity.

Files:

  • docs/adr/0022-service-account-name.md
  • config/crd/bases/claw.sandbox.redhat.com_claws.yaml
  • api/v1alpha1/claw_types.go
  • docs/user-guide.md
  • CLAUDE.md
  • internal/controller/claw_deployment.go
  • internal/controller/claw_resource_controller.go
  • internal/controller/claw_deployment_test.go
config/**/*

📄 CodeRabbit inference engine (CLAUDE.md)

Kustomize overlays for CRDs, RBAC, and the manager deployment belong under config/.

Files:

  • config/crd/bases/claw.sandbox.redhat.com_claws.yaml
api/v1alpha1/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

api/v1alpha1/*.go: After modifying API types in api/v1alpha1/, regenerate CRD YAML with make manifests.
After modifying API types in api/v1alpha1/, regenerate DeepCopy methods with make generate.

Files:

  • api/v1alpha1/claw_types.go
**/*.{go,mod,sum}

📄 CodeRabbit inference engine (CLAUDE.md)

License headers are required in source files, using the template from hack/boilerplate.go.txt.

Files:

  • api/v1alpha1/claw_types.go
  • internal/controller/claw_deployment.go
  • internal/controller/claw_resource_controller.go
  • internal/controller/claw_deployment_test.go
internal/controller/*.go

📄 CodeRabbit inference engine (CLAUDE.md)

internal/controller/*.go: Reconciler methods must include // +kubebuilder:rbac:... markers so RBAC can be generated from them.
Create owner references on all created resources using controllerutil.SetControllerReference.
Use the centralized knownProviders registry for provider defaults and routing logic.
Keep ClawOperatorConfig mergeMode gating logic in claw_operator_config.go so allowed config modes are enforced for Claw CRs.

Files:

  • internal/controller/claw_deployment.go
  • internal/controller/claw_resource_controller.go
  • internal/controller/claw_deployment_test.go
internal/controller/*_test.go

📄 CodeRabbit inference engine (CLAUDE.md)

internal/controller/*_test.go: Write controller tests with testify/require and testify/assert using envtest (real API server, no full cluster).
Use Test* naming with t.Run() subtests, t.Cleanup(), and table-driven tests.
Use the waitFor(t, timeout, interval, condition, message) helper for async assertions, with the standard 10s timeout and 250ms polling interval.

Files:

  • internal/controller/claw_deployment_test.go
🧠 Learnings (1)
📓 Common learnings
Learnt from: CR
Repo: codeready-toolchain/claw-operator

Timestamp: 2026-07-09T20:50:00.877Z
Learning: Run `make manifests` and `make generate` after changing API types.
🔀 Multi-repo context codeready-toolchain/toolchain-e2e

Linked repositories findings

codeready-toolchain/toolchain-e2e

  • deploy/crds/claw.sandbox.redhat.com_claws.yaml:1-40 — this repository carries a copied Claw CRD, but its spec only includes idle; it does not include the new spec.serviceAccountName field added in the PR. If this copy is used in e2e setup or assertions, it will be out of sync with the API/CRD and may reject manifests or miss coverage for the new behavior. [::codeready-toolchain/toolchain-e2e::]
🔇 Additional comments (10)
docs/adr/0022-service-account-name.md (1)

1-75: LGTM!

docs/user-guide.md (1)

1620-1671: LGTM!

api/v1alpha1/claw_types.go (2)

689-695: LGTM!


689-695: 📐 Maintainability & Code Quality

No DeepCopy regeneration needed for ServiceAccountName. ClawSpec’s generated deepcopy uses a struct copy, so this string field is handled automatically.

			> Likely an incorrect or invalid review comment.
config/crd/bases/claw.sandbox.redhat.com_claws.yaml (2)

770-777: LGTM!


770-777: 🗄️ Data Integrity & Integration

Sync the copied CRD in toolchain-e2e with the new serviceAccountName field.

The linked repository codeready-toolchain/toolchain-e2e carries a copy of the Claw CRD at deploy/crds/claw.sandbox.redhat.com_claws.yaml whose spec only includes idle — it does not include the new spec.serviceAccountName field. If this CRD copy is used in e2e test setup or assertions, it will be out of sync with the API and may reject manifests that set serviceAccountName or miss test coverage for the new Workload Identity behavior.

Source: Linked repositories

CLAUDE.md (1)

8-8: LGTM!

internal/controller/claw_deployment.go (1)

826-858: LGTM!

internal/controller/claw_resource_controller.go (1)

946-948: LGTM!

internal/controller/claw_deployment_test.go (1)

1968-2096: LGTM!

Also applies to: 2098-2247


Walkthrough

This PR introduces an optional serviceAccountName field on the Claw CRD/ClawSpec to configure the gateway pod's ServiceAccount for cloud Workload Identity (AWS IRSA, GCP WI). It adds gateway Deployment configuration logic, wires it into the reconcile loop, adds tests, and documents the feature via ADR and user guide updates.

Changes

Gateway ServiceAccount / Workload Identity support

Layer / File(s) Summary
API type and CRD schema
api/v1alpha1/claw_types.go, config/crd/bases/claw.sandbox.redhat.com_claws.yaml, CLAUDE.md
Adds optional ServiceAccountName/serviceAccountName field to ClawSpec and the CRD schema, with docs describing token automount behavior.
Gateway Deployment configuration and wiring
internal/controller/claw_deployment.go, internal/controller/claw_resource_controller.go
Adds configureClawDeploymentServiceAccount to set serviceAccountName/automountServiceAccountToken on the gateway Deployment, and wires the call into configureDeployments.
Tests
internal/controller/claw_deployment_test.go
Adds unit test TestConfigureClawDeploymentServiceAccount and integration test TestServiceAccountIntegration validating gateway pod behavior, proxy isolation, and update/clear scenarios.
ADR and user guide docs
docs/adr/0022-service-account-name.md, docs/user-guide.md
Adds ADR 0022 documenting the design and a new user guide section covering AWS/GCP setup, security notes, and scope, with Azure deferred.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Reconciler as claw_resource_controller
  participant ConfigureDeployments as configureDeployments
  participant ConfigureSA as configureClawDeploymentServiceAccount
  participant GatewayDeployment as Gateway Deployment

  Reconciler->>ConfigureDeployments: reconcile Claw instance
  ConfigureDeployments->>ConfigureSA: configureClawDeploymentServiceAccount(objects, instance)
  ConfigureSA->>GatewayDeployment: locate gateway Deployment manifest
  alt ServiceAccountName set
    ConfigureSA->>GatewayDeployment: set serviceAccountName, automountServiceAccountToken=true
  else empty
    ConfigureSA->>ConfigureSA: no-op
  end
  ConfigureSA-->>ConfigureDeployments: return error if gateway Deployment missing
Loading

Suggested labels: documentation, feature, test

Suggested reviewers: rajivnathan

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 71.43% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely describes the main change: adding spec.serviceAccountName for Workload Identity support.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

- Remove Azure WI from supported platforms — its mutating webhook
  requires a pod-level label the operator doesn't inject yet
- Add gateway assertions to proxy-isolation unit test
- Add automountServiceAccountToken assertion on proxy integration test
- Add update/removal scenario test (change SA, then clear it)
- Include deployment name in error message for consistency
- Remove shadowed ctx in integration tests
- Add comment explaining why assert.Empty fails for SA name
- Change ADR status from Implemented to Accepted
- Simplify AWS IRSA example (remove unrelated LLM credential)

Assisted-By: Claude (Anthropic AI) <noreply@anthropic.com>
Signed-off-by: Pavel Anni <panni@redhat.com>
@pavelanni
pavelanni marked this pull request as ready for review July 9, 2026 20:49
@coderabbitai coderabbitai Bot added documentation Improvements or additions to documentation feature New feature or request test Work that adds, fixes, or maintains automated tests or coverage (unit, integration, e2e, flakiness) labels Jul 9, 2026
@codecov-commenter

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 72.72727% with 6 lines in your changes missing coverage. Please review.
✅ Project coverage is 79.63%. Comparing base (ce43e30) to head (93b31df).

Files with missing lines Patch % Lines
internal/controller/claw_deployment.go 80.00% 2 Missing and 2 partials ⚠️
internal/controller/claw_resource_controller.go 0.00% 1 Missing and 1 partial ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##           master     #240      +/-   ##
==========================================
- Coverage   79.66%   79.63%   -0.04%     
==========================================
  Files          34       34              
  Lines        4878     4900      +22     
==========================================
+ Hits         3886     3902      +16     
- Misses        631      634       +3     
- Partials      361      364       +3     
Files with missing lines Coverage Δ
internal/controller/claw_resource_controller.go 63.82% <0.00%> (-0.14%) ⬇️
internal/controller/claw_deployment.go 77.24% <80.00%> (+0.10%) ⬆️
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@alexeykazakov
alexeykazakov merged commit 88f3b52 into codeready-toolchain:master Jul 9, 2026
5 checks passed
@pavelanni
pavelanni deleted the feature/service-account-name branch July 9, 2026 21:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

documentation Improvements or additions to documentation feature New feature or request test Work that adds, fixes, or maintains automated tests or coverage (unit, integration, e2e, flakiness)

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants