feat: configurable service account and SA token mount for runner pods #22

Merged
rcsheets merged 1 commit from feat/sa-token-mount into master 2026-03-28 04:43:28 +00:00
Owner

Add serviceAccountName and automountServiceAccountToken fields to
KubernetesBackendSpec. Automount defaults to true so runner pods get
a service account token, enabling workflow steps to authenticate to
cluster services like OpenBao.

When privileged (DinD) mode is enabled, the generated runner config
now bind-mounts the SA token into workflow containers so they can
also access it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
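As an added example (not the operator's own code), the defaulting described above, with the DinD bind mount only emitted when the token is actually mounted in the runner pod; the struct layout, the `Privileged` field and the read-only mount mode are assumptions, the two new field names and the token path are from this PR.

```go
package main

import (
	"fmt"
	"strings"
)

// Standard projected token directory (the path named in the review below).
const SATokenDir = "/var/run/secrets/kubernetes.io/serviceaccount"

// KubernetesBackendSpec: the two fields this PR adds plus the DinD toggle (layout assumed).
type KubernetesBackendSpec struct {
	Privileged                   bool   // DinD mode
	ServiceAccountName           string // empty: the namespace's "default" SA
	AutomountServiceAccountToken *bool  // nil: defaults to true, as the PR states
}

// EffectiveAutomount resolves the *bool: a nil pointer means "true".
func EffectiveAutomount(s KubernetesBackendSpec) bool {
	return s.AutomountServiceAccountToken == nil || *s.AutomountServiceAccountToken
}

// EffectiveServiceAccount is the SA the runner pod will run as.
func EffectiveServiceAccount(s KubernetesBackendSpec) string {
	if s.ServiceAccountName == "" {
		return "default"
	}
	return s.ServiceAccountName
}

// DindBindMounts returns the -v entries for workflow containers. Emitted only in
// privileged mode and only when the token exists in the runner pod (automount on),
// so disabling automount never leaves a dangling mount. Read-only is this example's choice.
func DindBindMounts(s KubernetesBackendSpec) []string {
	if !s.Privileged || !EffectiveAutomount(s) {
		return nil
	}
	return []string{SATokenDir + ":" + SATokenDir + ":ro"}
}

// RenderContainerOptions renders the docker options string for the runner config
// (the exact config key in the generated runner config is assumed).
func RenderContainerOptions(s KubernetesBackendSpec) string {
	var b strings.Builder
	for _, m := range DindBindMounts(s) {
		fmt.Fprintf(&b, " -v %s", m)
	}
	return strings.TrimSpace(b.String())
}
```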

feat: configurable service account and SA token mount for runner pods
Some checks failed
CI / ci (push) Has been cancelled
CI / ci (pull_request) Has been cancelled
E2E smoke test / e2e (pull_request) Has been cancelled
b574973fc3
Add serviceAccountName and automountServiceAccountToken fields to
KubernetesBackendSpec. Automount defaults to true so runner pods get
a service account token, enabling workflow steps to authenticate to
cluster services like OpenBao.

When privileged (DinD) mode is enabled, the generated runner config
now bind-mounts the SA token into workflow containers so they can
also access it.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Collaborator

Automated review by pr-reviewer v0.15.0 | Safety Check | anthropic | tracking id r-c75c13-e9c556
This is an AI-generated review and may contain mistakes.

Status: Completed


Verdict: LGTM — No obvious security vulnerabilities or bugs found; the automated credential detections are false positives related to legitimate Kubernetes service account token handling.
Complexity: moderate

Safety Check Review

Automated Alerts Review

The automated observations flagged "possible secret or credential detected" in multiple files. Upon examination, these are all legitimate references to Kubernetes service account tokens:

  • Standard Kubernetes service account token mount path /var/run/secrets/kubernetes.io/serviceaccount
  • Field names like ServiceAccountName and AutomountServiceAccountToken
  • These are not hardcoded secrets but proper Kubernetes API constructs

Code Analysis

  • Logic: The changes properly handle service account configuration with sensible defaults
  • Security: No exposed secrets or credentials - just standard Kubernetes RBAC patterns
  • Breaking Changes: All new fields are optional with backwards-compatible defaults
  • Implementation: Clean implementation with proper nil-checking for the boolean pointer field

No alarming issues found.

rcsheets merged commit f26ac7b95f into master 2026-03-28 04:43:28 +00:00
rcsheets deleted branch feat/sa-token-mount 2026-03-28 04:43:28 +00:00
Reference
brooktrails/forgejo-runner-operator!22