feat(deployment): enable AutomountServiceAccountToken for the log-collector image

[ygrishajev]

No description provided.

[coderabbitai]

Walkthrough

Set PodSpec.AutomountServiceAccountToken based on container image name by adding image-name parsing helpers and using their result in the Deployment builder's Create and Update flows; add unit tests and SDL testdata for the log-collector image.

Changes

Cohort / File(s)	Summary
Deployment builder logic cluster/kube/builder/deployment.go	Reuse local container in Create/Update, add extractImageName(image string) and determineAutomountServiceAccountToken(image string) bool, compute automountServiceAccountToken from the container image (matches ghcr.io/akash-network/log-collector case-insensitively), set Spec.Template.Spec.AutomountServiceAccountToken, and import strings.
Unit tests cluster/kube/builder/deployment_test.go	Add TestDeploymentAutomountServiceAccountToken (table-driven) to assert AutomountServiceAccountToken true for log-collector image and false for a regular image; add TestExtractImageName covering various image formats.
Test data testdata/deployment/deployment-log-collector.yaml	Add Akash v2.0 deployment manifest for log-collector using ghcr.io/akash-network/log-collector:1.7.0 with ports, env vars, resources, pricing, and a deployment entry for tests.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Test
  participant Builder as DeploymentBuilder
  participant Helper as ImageHelpers
  participant K8s as Kubernetes API

  Test->>Builder: Create()/Update(ctx)
  Builder->>Builder: build container spec (once)
  Builder->>Helper: extractImageName(image)
  Helper-->>Builder: baseImageName
  Builder->>Helper: determineAutomountServiceAccountToken(baseImageName)
  Helper-->>Builder: true/false
  Builder->>Builder: set PodSpec.Containers and PodSpec.AutomountServiceAccountToken
  Builder->>K8s: submit Deployment
  K8s-->>Test: Deployment with AutomountServiceAccountToken set

  rect rgba(200,230,255,0.15)
  note over Helper,Builder: New helpers parse image names and decide automount flag
  end

  alt image matches log-collector
    note right of Builder: Automount = true
  else other images
    note right of Builder: Automount = false
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

I sniff each image name at dawn's first light,
If log-collector's present, I set the right.
Other bins I skip with a twitch and a hop,
Tests nod approving as deployments drop. 🥕

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 golangci-lint (2.2.2)

Error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/product/migration-guide for migration instructions
The command is terminated due to an error: can't load config: unsupported version of the configuration: "" See https://golangci-lint.run/product/migration-guide for migration instructions

---

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 7bb5715 and 9a25a82.

📒 Files selected for processing (1)

• cluster/kube/builder/deployment_test.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• cluster/kube/builder/deployment_test.go

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: integration-tests / crd-e2e
• GitHub Check: build-bins
• GitHub Check: lint
• GitHub Check: tests
• GitHub Check: release-dry-run

✨ Finishing Touches

• 📝 Generate Docstrings

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch feature/log-collector

---

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR/Issue comments)

Type @coderabbitai help to get the list of available commands.

Other keywords and placeholders

• Add @coderabbitai ignore or @coderabbit ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

Status, Documentation and Community

• Visit our Status Page to check the current availability of CodeRabbit.
• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (5)

cluster/kube/builder/deployment.go (1)

106-120: Small maintainability tweak: normalize once and avoid per-iteration case-fold.

Lowercase the extracted name once and compare against a lowercase allowlist. Optional, but clearer and slightly cheaper.

-func (b *deployment) determineAutomountServiceAccountToken(image string) bool {
-	automountImages := []string{
-		"ghcr.io/akash-network/log-collector",
-	}
-
-	imageName := extractImageName(image)
-
-	for _, automountImage := range automountImages {
-		if strings.EqualFold(imageName, automountImage) {
-			return true
-		}
-	}
-	return false
-}
+func (b *deployment) determineAutomountServiceAccountToken(image string) bool {
+	allow := map[string]struct{}{
+		"ghcr.io/akash-network/log-collector": {},
+	}
+	imageName := strings.ToLower(extractImageName(image))
+	_, ok := allow[imageName]
+	return ok
+}

cluster/kube/builder/deployment_test.go (3)

133-141: Avoid concrete type assertion; use the Deployment interface.

Keeps the test decoupled from internal struct types.

-			deploymentBuilder := NewDeployment(workload)
-
-			require.NotNil(t, deploymentBuilder)
-
-			deploymentInstance := deploymentBuilder.(*deployment)
-
-			deployment, err := deploymentInstance.Create()
+			deploymentBuilder := NewDeployment(workload)
+			require.NotNil(t, deploymentBuilder)
+			deployment, err := deploymentBuilder.Create()

---

143-146: Allow nil when automount is not enabled (if preserving default is desired).

If we don’t want to force false, assert nil for the “regular image” case; keep true and non-nil for log-collector.

-			automountValue := deployment.Spec.Template.Spec.AutomountServiceAccountToken
-			require.NotNil(t, automountValue)
-			require.Equal(t, testCase.expectedResult, *automountValue)
+			automountValue := deployment.Spec.Template.Spec.AutomountServiceAccountToken
+			if testCase.expectedResult {
+				require.NotNil(t, automountValue)
+				require.True(t, *automountValue)
+			} else {
+				require.Nil(t, automountValue)
+			}

---

108-147: Optional: also cover Update() path.

Create once, then call Update and re-assert the field to prevent regressions.

 			deployment, err := deploymentBuilder.Create()
 			require.NoError(t, err)
 			require.NotNil(t, deployment)
 
+			updated, err := deploymentBuilder.Update(deployment)
+			require.NoError(t, err)
+			require.NotNil(t, updated)
+			require.Equal(t, deployment.Spec.Template.Spec.AutomountServiceAccountToken, updated.Spec.Template.Spec.AutomountServiceAccountToken)

testdata/deployment/deployment-log-collector.yaml (1)

15-17: Use clearly dummy values and avoid embedded quotes in env examples.

To avoid accidental leakage and quote-propagation, prefer unquoted selector and an obviously dummy secret.

-      - POD_LABEL_SELECTOR="akash.network/manifest-service=target"
-      - DD_API_KEY=some-secret-value
+      - POD_LABEL_SELECTOR=akash.network/manifest-service=target
+      - DD_API_KEY=dummy-key-for-tests

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between bf47737 and 57c4f44.

📒 Files selected for processing (3)

• cluster/kube/builder/deployment.go (4 hunks)
• cluster/kube/builder/deployment_test.go (1 hunks)
• testdata/deployment/deployment-log-collector.yaml (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (1)

cluster/kube/builder/deployment_test.go (7)

cluster/kube/builder/settings.go (1)

• Settings (15-46)

pkg/apis/akash.network/v2beta2/types.go (1)

• LeaseID (49-55)

pkg/apis/akash.network/v2beta2/manifest.go (4)

• Manifest (19-24)
• SchedulerParams (103-106)
• NewManifest (137-165)
• ClusterSettings (108-110)

cluster/types/v1beta2/types.go (1)

• Group (65-68)

cluster/kube/builder/builder.go (1)

• ClusterDeployment (83-89)

cluster/kube/builder/workload.go (1)

• NewWorkloadBuilder (42-71)

cluster/kube/builder/deployment.go (1)

• NewDeployment (23-31)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: integration-tests / crd-e2e
• GitHub Check: lint
• GitHub Check: tests
• GitHub Check: release-dry-run
• GitHub Check: build-bins

[coderabbitai]

💡 Verification agent

🧩 Analysis chain

Don’t force AutomountServiceAccountToken=false for non-allowlisted images — preserve k8s default.

Setting this field to false flips Kubernetes’ default (nil → SA/pod default, commonly true) and may break workloads that expect a token. Recommend setting it only when you need to enable it (log-collector), and leaving it nil otherwise.

Apply:

@@
-	container := b.container()
-	image := container.Image
-	automountServiceAccountToken := b.determineAutomountServiceAccountToken(image)
+	container := b.container()
+	image := container.Image
+	automount := b.determineAutomountServiceAccountToken(image)
+	var automountPtr *bool
+	if automount {
+		v := true
+		automountPtr = &v
+	}
@@
-					AutomountServiceAccountToken: &automountServiceAccountToken,
+					AutomountServiceAccountToken: automountPtr,
 					Containers:                   []corev1.Container{container},
@@
-	image := container.Image
-	automountServiceAccountToken := b.determineAutomountServiceAccountToken(image)
-	uobj.Spec.Template.Spec.AutomountServiceAccountToken = &automountServiceAccountToken
+	image := container.Image
+	automount := b.determineAutomountServiceAccountToken(image)
+	var automountPtr *bool
+	if automount {
+		v := true
+		automountPtr = &v
+	}
+	uobj.Spec.Template.Spec.AutomountServiceAccountToken = automountPtr

Also applies to: 73-75, 99-102

---

🏁 Script executed:

#!/bin/bash
set -e

# Locate the determineAutomountServiceAccountToken definition
rg -nP --type=go '\bfunc\s+\(b \*Builder\)\s+determineAutomountServiceAccountToken' -C3 .

# Confirm its return type and usage sites in deployment.go
rg -nP --type=go 'determineAutomountServiceAccountToken' -C3 cluster/kube/builder/deployment.go

Length of output: 100

---

🏁 Script executed:

#!/bin/bash
set -e

# Search for the method across the entire repository without type filters
rg -n 'determineAutomountServiceAccountToken' -C3 .

# Search for any references to AutomountServiceAccountToken to find context
rg -n 'AutomountServiceAccountToken' -C3 .

# List all Go files in cluster/kube/builder to locate definitions
find cluster/kube/builder -maxdepth 1 -type f -name '*.go'

Length of output: 5822

---

Preserve k8s default AutomountServiceAccountToken

• In cluster/kube/builder/deployment.go (lines 41–44, 73–75 & 99–102), only set .AutomountServiceAccountToken when determineAutomountServiceAccountToken(image) returns true (i.e. point to true); leave it nil otherwise so Kubernetes uses its default.
• Update cluster/kube/builder/deployment_test.go (lines 143–145) to expect a nil pointer when automount should be disabled instead of always requiring a non-nil pointer and boolean comparison.
• No change needed in statefulset.go – it intentionally disables automount for all StatefulSets.

🤖 Prompt for AI Agents

In cluster/kube/builder/deployment.go around lines 41–44, 73–75 and 99–102, the
code unconditionally sets PodSpec.AutomountServiceAccountToken to a pointer
value derived from determineAutomountServiceAccountToken(image); change this so
you only set the AutomountServiceAccountToken field when
determineAutomountServiceAccountToken(image) returns true (i.e., set to pointer
to true), and leave the field nil when it would be false so Kubernetes uses its
default. Also update cluster/kube/builder/deployment_test.go around lines
143–145 to expect a nil pointer when automount should be disabled instead of
asserting a non-nil boolean value.

[coderabbitai]

Actionable comments posted: 0

♻️ Duplicate comments (1)

cluster/kube/builder/deployment.go (1)

41-44: Only set AutomountServiceAccountToken when true; keep nil otherwise to preserve k8s default.

Currently you always set a non-nil pointer (false flips default and may break workloads that expect tokens). Set pointer only for the log-collector; leave nil otherwise.

Apply:

@@
-	container := b.container()
-	image := container.Image
-	automountServiceAccountToken := b.determineAutomountServiceAccountToken(image)
+	container := b.container()
+	image := container.Image
+	automount := b.determineAutomountServiceAccountToken(image)
+	var automountPtr *bool
+	if automount {
+		v := true
+		automountPtr = &v
+	}
@@
-					AutomountServiceAccountToken: &automountServiceAccountToken,
-					Containers:                   []corev1.Container{container},
+					AutomountServiceAccountToken: automountPtr,
+					Containers:                   []corev1.Container{container},
@@
-	image := container.Image
-	automountServiceAccountToken := b.determineAutomountServiceAccountToken(image)
-	uobj.Spec.Template.Spec.AutomountServiceAccountToken = &automountServiceAccountToken
+	image := container.Image
+	automount := b.determineAutomountServiceAccountToken(image)
+	var automountPtr *bool
+	if automount {
+		v := true
+		automountPtr = &v
+	}
+	uobj.Spec.Template.Spec.AutomountServiceAccountToken = automountPtr

Run to spot any other places forcing false:

#!/bin/bash
rg -nP --type=go 'AutomountServiceAccountToken\s*:\s*&?\s*false' -C2
rg -nP --type=go '\.\s*AutomountServiceAccountToken\s*=' -C2

Also applies to: 73-75, 99-102

🧹 Nitpick comments (2)

cluster/kube/builder/deployment.go (2)

106-120: Minor: centralize allowlist for maintainability.

Consider promoting the allowlist to a package-level var/const (or map for O(1) lookups) to simplify future additions and reuse.

Example:

+var automountImages = map[string]struct{}{
+	"ghcr.io/akash-network/log-collector": {},
+}
@@
-	for _, automountImage := range automountImages {
-		if strings.EqualFold(imageName, automountImage) {
-			return true
-		}
-	}
+	_, ok := automountImages[strings.ToLower(imageName)]
+	return ok
-	return false

---

122-134: Trim whitespace in extractImageName.

Adds resilience for inputs with accidental spaces.

 func extractImageName(image string) string {
-	if idxAt := strings.LastIndex(image, "@"); idxAt != -1 {
+	image = strings.TrimSpace(image)
+	if idxAt := strings.LastIndex(image, "@"); idxAt != -1 {
 		return image[:idxAt]
 	}

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

💡 Knowledge Base configuration:

• MCP integration is disabled by default for public repositories
• Jira integration is disabled by default for public repositories
• Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 57c4f44 and 7bb5715.

📒 Files selected for processing (3)

• cluster/kube/builder/deployment.go (4 hunks)
• cluster/kube/builder/deployment_test.go (1 hunks)
• testdata/deployment/deployment-log-collector.yaml (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (2)

• cluster/kube/builder/deployment_test.go
• testdata/deployment/deployment-log-collector.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (5)

• GitHub Check: integration-tests / crd-e2e
• GitHub Check: build-bins
• GitHub Check: release-dry-run
• GitHub Check: tests
• GitHub Check: lint

🔇 Additional comments (1)

cluster/kube/builder/deployment.go (1)

87-87: Good reuse of container construction.

Pulling container := b.container() once and reusing improves clarity and avoids duplication.

Also applies to: 95-95

[cloud-j-luna]

This should be configurable as any change to the image location would require recompilation.