Skip to content

Allow configuring AutomountServiceAccountToken for DevicePlugin #1749

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ybettan merged 1 commit into from
Feb 16, 2026
Merged

Allow configuring AutomountServiceAccountToken for DevicePlugin #1749

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions api/v1beta1/module_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -313,6 +313,12 @@ type DevicePluginSpec struct {
ServiceAccountName string `json:"serviceAccountName,omitempty"`

Volumes []v1.Volume `json:"volumes,omitempty"`

// AutomountServiceAccountToken is used to disable the auto-mounting of the projected volume
// into device plugin pod. This volume includes as files: SA token, CAs' file etc'
// setting AutomountServiceAccountToken to false, will disale auto-mounting, and will allow user to mount
// whatever configmaps and tokens he deems necessary for the device plugin application
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
Comment on lines +317 to +321
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Fix typos and tighten wording in the CRD description.

This text is surfaced in CRD docs; it currently contains typos and awkward phrasing. Consider updating it here (source of truth) and regenerating CRDs.

✏️ Suggested wording 
-	// AutomountServiceAccountToken is used to disable the auto-mounting of the projected volume
-	// into device plugin pod. This volume includes as files: SA token, CAs' file etc'
-	// setting AutomountServiceAccountToken to false, will disale auto-mounting, and will allow user to mount
-	// whatever configmaps and tokens he deems necessary for the device plugin application
+	// AutomountServiceAccountToken disables auto-mounting of the projected service account volume
+	// in the device plugin pod. This volume includes the SA token, CA bundle, etc.
+	// Setting it to false disables auto-mounting and lets users mount custom ConfigMaps or tokens
+	// required by the device plugin.
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
// AutomountServiceAccountToken is used to disable the auto-mounting of the projected volume
// into device plugin pod. This volume includes as files: SA token, CAs' file etc'
// setting AutomountServiceAccountToken to false, will disale auto-mounting, and will allow user to mount
// whatever configmaps and tokens he deems necessary for the device plugin application
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
// AutomountServiceAccountToken disables auto-mounting of the projected service account volume
// in the device plugin pod. This volume includes the SA token, CA bundle, etc.
// Setting it to false disables auto-mounting and lets users mount custom ConfigMaps or tokens
// required by the device plugin.
AutomountServiceAccountToken *bool `json:"automountServiceAccountToken,omitempty"`
🤖 Prompt for AI Agents 
In `@api/v1beta1/module_types.go` around lines 317 - 321, Update the comment above
the AutomountServiceAccountToken field to fix typos and tighten wording: replace
the current paragraph with a clear single-sentence description stating that
AutomountServiceAccountToken disables automatic mounting of the service account
token projected volume into the device plugin pod (this volume contains the SA
token and CA bundle), and that setting it to false prevents auto-mounting so the
user can mount any required ConfigMaps or tokens manually; ensure the field name
AutomountServiceAccountToken remains unchanged.

}

// ModuleSpec describes how the KMM operator should deploy a Module on those nodes that need it.
Expand Down
5 changes: 5 additions & 0 deletions api/v1beta1/zz_generated.deepcopy.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

7 changes: 7 additions & 0 deletions bundle-hub/manifests/hub.kmm.sigs.x-k8s.io_managedclustermodules.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,13 @@ spec:
DevicePlugin allows overriding some properties of the container that deploys the device plugin on the node.
Name is ignored and is set automatically by the KMM Operator.
properties:
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken is used to disable the auto-mounting of the projected volume
into device plugin pod. This volume includes as files: SA token, CAs' file etc'
setting AutomountServiceAccountToken to false, will disale auto-mounting, and will allow user to mount
whatever configmaps and tokens he deems necessary for the device plugin application
type: boolean
Comment on lines +56 to +62
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Search for the typo "disale" in the codebase
rg -n 'disale' --type yaml --type go

Repository: rh-ecosystem-edge/kernel-module-management

Length of output: 1160

🏁 Script executed:

#!/bin/bash
# Read the specific file and show lines 56-62
cat -n bundle-hub/manifests/hub.kmm.sigs.x-k8s.io_managedclustermodules.yaml | sed -n '50,65p'

Repository: rh-ecosystem-edge/kernel-module-management

Length of output: 1231

Fix typo and non-inclusive language in field description.

This issue exists in the Go source definition (api/v1beta1/module_types.go:319) and is propagated to multiple generated YAML manifests. Fix it at the source:

  • Line 60: "disale""disable"
  • Line 61: "he deems""they deem"
Affected files
  • api/v1beta1/module_types.go:319 (source)
  • config/crd/bases/kmm.sigs.x-k8s.io_modules.yaml:52
  • config/crd-hub/bases/kmm.sigs.x-k8s.io_modules.yaml:52
  • config/crd-hub/bases/hub.kmm.sigs.x-k8s.io_managedclustermodules.yaml:56
  • bundle/manifests/kmm.sigs.x-k8s.io_modules.yaml:56
  • bundle-hub/manifests/hub.kmm.sigs.x-k8s.io_managedclustermodules.yaml:60 (under review)
🤖 Prompt for AI Agents 
In `@bundle-hub/manifests/hub.kmm.sigs.x-k8s.io_managedclustermodules.yaml` around
lines 56 - 62, Update the AutomountServiceAccountToken field description in the
Module type source (module_types.go) to correct typos and use inclusive
language: change "disale" to "disable" and "he deems" to "they deem" in the
description string for automountServiceAccountToken, then regenerate the
CRD/manifest YAMLs so the corrected text propagates to the generated files
(references: AutomountServiceAccountToken field in Module type definition).

container:
properties:
args:
Expand Down
2 changes: 1 addition & 1 deletion bundle-hub/manifests/kernel-module-management-hub.clusterserviceversion.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,7 +37,7 @@ metadata:
}
]
capabilities: Seamless Upgrades
createdAt: "2026-02-10T11:50:11Z"
createdAt: "2026-02-15T12:41:06Z"
operatorframework.io/suggested-namespace: openshift-kmm-hub
operators.operatorframework.io/builder: operator-sdk-v1.41.1
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
Expand Down
2 changes: 1 addition & 1 deletion bundle/manifests/kernel-module-management.clusterserviceversion.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,7 +47,7 @@ metadata:
}
]
capabilities: Seamless Upgrades
createdAt: "2026-02-10T11:50:10Z"
createdAt: "2026-02-15T12:40:55Z"
operatorframework.io/suggested-namespace: openshift-kmm
operators.operatorframework.io/builder: operator-sdk-v1.41.1
operators.operatorframework.io/project_layout: go.kubebuilder.io/v4
Expand Down
7 changes: 7 additions & 0 deletions bundle/manifests/kmm.sigs.x-k8s.io_modules.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,13 @@ spec:
DevicePlugin allows overriding some properties of the container that deploys the device plugin on the node.
Name is ignored and is set automatically by the KMM Operator.
properties:
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken is used to disable the auto-mounting of the projected volume
into device plugin pod. This volume includes as files: SA token, CAs' file etc'
setting AutomountServiceAccountToken to false, will disale auto-mounting, and will allow user to mount
whatever configmaps and tokens he deems necessary for the device plugin application
type: boolean
Comment on lines +52 to +58
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

fd -t f 'module_types.go' --exec cat -n {} \; | head -200

Repository: rh-ecosystem-edge/kernel-module-management

Length of output: 8683

🏁 Script executed:

rg -n 'AutomountServiceAccountToken' --type go -A 5 -B 2

Repository: rh-ecosystem-edge/kernel-module-management

Length of output: 23731

🏁 Script executed:

head -30 bundle/manifests/kmm.sigs.x-k8s.io_modules.yaml

Repository: rh-ecosystem-edge/kernel-module-management

Length of output: 997

🏁 Script executed:

head -30 api/v1beta1/module_types.go | grep -E "(kubebuilder|controller-gen)"

Repository: rh-ecosystem-edge/kernel-module-management

Length of output: 68

🏁 Script executed:

grep -n "kubebuilder\|controller-gen" api/v1beta1/module_types.go | head -5

Repository: rh-ecosystem-edge/kernel-module-management

Length of output: 284

Fix typos in the source Go doc comment for AutomountServiceAccountToken field.

The YAML manifest is auto-generated by controller-gen. Update the description in api/v1beta1/module_types.go (lines 317–320):

  • Line 319: "disale""disable"
  • Line 318: "etc'""etc."
  • Line 320: "he deems""they deem" (or "the user deems")

Then regenerate the CRD manifests.

🤖 Prompt for AI Agents 
In `@bundle/manifests/kmm.sigs.x-k8s.io_modules.yaml` around lines 52 - 58, Update
the Go doc string for the AutomountServiceAccountToken field in the module API
type (the struct containing AutomountServiceAccountToken in api/v1beta1 module
types) to fix typos: change "etc'" to "etc.", "disale" to "disable", and "he
deems" to "they deem" (or "the user deems"); then run controller-gen to
regenerate the CRD/YAML manifests so the corrected description propagates to
bundle/manifests/kmm.sigs.x-k8s.io_modules.yaml.

container:
properties:
args:
Expand Down
7 changes: 7 additions & 0 deletions config/crd-hub/bases/hub.kmm.sigs.x-k8s.io_managedclustermodules.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,13 @@ spec:
DevicePlugin allows overriding some properties of the container that deploys the device plugin on the node.
Name is ignored and is set automatically by the KMM Operator.
properties:
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken is used to disable the auto-mounting of the projected volume
into device plugin pod. This volume includes as files: SA token, CAs' file etc'
setting AutomountServiceAccountToken to false, will disale auto-mounting, and will allow user to mount
whatever configmaps and tokens he deems necessary for the device plugin application
type: boolean
Comment on lines +52 to +58
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Typos in the field description.

Line 56: "disale""disable". Line 57: "he deems" → consider gender-neutral phrasing like "they deem" or "the user deems". Line 55: "CAs' file etc'" has awkward punctuation.

Proposed description fix 
                      automountServiceAccountToken:
                        description: |-
-                          AutomountServiceAccountToken is used to disable the auto-mounting of the projected volume
-                          into device plugin pod. This volume includes as files: SA token, CAs' file etc'
-                          setting AutomountServiceAccountToken to false, will disale auto-mounting, and will allow user to mount
-                          whatever configmaps and tokens he deems necessary for the device plugin application
+                          AutomountServiceAccountToken is used to control the auto-mounting of the projected volume
+                          into the device plugin pod. This volume includes as files: SA token, CA certificates, etc.
+                          Setting AutomountServiceAccountToken to false will disable auto-mounting, and will allow the user to mount
+                          whatever ConfigMaps and tokens they deem necessary for the device plugin application.
                        type: boolean
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken is used to disable the auto-mounting of the projected volume
into device plugin pod. This volume includes as files: SA token, CAs' file etc'
setting AutomountServiceAccountToken to false, will disale auto-mounting, and will allow user to mount
whatever configmaps and tokens he deems necessary for the device plugin application
type: boolean
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken is used to control the auto-mounting of the projected volume
into the device plugin pod. This volume includes as files: SA token, CA certificates, etc.
Setting AutomountServiceAccountToken to false will disable auto-mounting, and will allow the user to mount
whatever ConfigMaps and tokens they deem necessary for the device plugin application.
type: boolean
🤖 Prompt for AI Agents 
In `@config/crd-hub/bases/hub.kmm.sigs.x-k8s.io_managedclustermodules.yaml` around
lines 52 - 58, The description for automountServiceAccountToken contains typos
and awkward punctuation; update the automountServiceAccountToken description
text to fix "disale" → "disable", clean up "CAs' file etc'" to something like
"CA files, etc.", and replace "he deems" with a gender-neutral phrase such as
"they deem" or "the user deems"; ensure the corrected text remains a clear YAML
block string under the automountServiceAccountToken field.

container:
properties:
args:
Expand Down
7 changes: 7 additions & 0 deletions config/crd-hub/bases/kmm.sigs.x-k8s.io_modules.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,13 @@ spec:
DevicePlugin allows overriding some properties of the container that deploys the device plugin on the node.
Name is ignored and is set automatically by the KMM Operator.
properties:
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken is used to disable the auto-mounting of the projected volume
into device plugin pod. This volume includes as files: SA token, CAs' file etc'
setting AutomountServiceAccountToken to false, will disale auto-mounting, and will allow user to mount
whatever configmaps and tokens he deems necessary for the device plugin application
type: boolean
Comment on lines +48 to +54
Copy link
Copy Markdown

@coderabbitai coderabbitai Bot Feb 15, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

Typos and language issues in the field description.

The description contains several issues that will surface in kubectl explain output and generated API docs:

  • Line 52: disaledisable
  • Line 52: etc'etc. (stray apostrophe)
  • Line 53: he deemsthey deem or the user deems (use gender-neutral language)

Since this file is generated by controller-gen, the fix should be applied in the source Go doc comment (likely in api/v1beta1/module_types.go on the AutomountServiceAccountToken field).

#!/bin/bash
# Verify the source of the typos in the Go type definition
rg -n 'AutomountServiceAccountToken' --type=go -C 5
🤖 Prompt for AI Agents 
In `@config/crd-hub/bases/kmm.sigs.x-k8s.io_modules.yaml` around lines 48 - 54,
Fix the doc comment on the AutomountServiceAccountToken Go field in the source
definition (likely api/v1beta1/module_types.go): correct typos ("disale" →
"disable", "etc'" → "etc.") and replace gendered phrasing ("he deems") with
neutral wording such as "they deem" or "the user deems"; save the updated
comment on the AutomountServiceAccountToken field and re-run controller-gen to
regenerate config/crd-hub/bases/kmm.sigs.x-k8s.io_modules.yaml so the corrected
description appears in kubectl explain and generated docs.

container:
properties:
args:
Expand Down
7 changes: 7 additions & 0 deletions config/crd/bases/kmm.sigs.x-k8s.io_modules.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,13 @@ spec:
DevicePlugin allows overriding some properties of the container that deploys the device plugin on the node.
Name is ignored and is set automatically by the KMM Operator.
properties:
automountServiceAccountToken:
description: |-
AutomountServiceAccountToken is used to disable the auto-mounting of the projected volume
into device plugin pod. This volume includes as files: SA token, CAs' file etc'
setting AutomountServiceAccountToken to false, will disale auto-mounting, and will allow user to mount
whatever configmaps and tokens he deems necessary for the device plugin application
type: boolean
container:
properties:
args:
Expand Down
17 changes: 9 additions & 8 deletions internal/controllers/device_plugin_reconciler.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -376,14 +376,15 @@ func (dsci *daemonSetCreatorImpl) setDevicePluginAsDesired(
Finalizers: []string{constants.NodeLabelerFinalizer},
},
Spec: v1.PodSpec{
InitContainers: generatePodContainerSpec(mod.Spec.DevicePlugin.InitContainer, "device-plugin-init", nil),
Containers: generatePodContainerSpec(&mod.Spec.DevicePlugin.Container, "device-plugin", containerVolumeMounts),
PriorityClassName: "system-node-critical",
ImagePullSecrets: getPodPullSecrets(mod.Spec.ImageRepoSecret),
NodeSelector: nodeSelector,
ServiceAccountName: serviceAccountName,
Volumes: append([]v1.Volume{devicePluginVolume}, mod.Spec.DevicePlugin.Volumes...),
Tolerations: mod.Spec.Tolerations,
InitContainers: generatePodContainerSpec(mod.Spec.DevicePlugin.InitContainer, "device-plugin-init", nil),
Containers: generatePodContainerSpec(&mod.Spec.DevicePlugin.Container, "device-plugin", containerVolumeMounts),
PriorityClassName: "system-node-critical",
ImagePullSecrets: getPodPullSecrets(mod.Spec.ImageRepoSecret),
NodeSelector: nodeSelector,
ServiceAccountName: serviceAccountName,
Volumes: append([]v1.Volume{devicePluginVolume}, mod.Spec.DevicePlugin.Volumes...),
Tolerations: mod.Spec.Tolerations,
AutomountServiceAccountToken: mod.Spec.DevicePlugin.AutomountServiceAccountToken,
},
},
}
Expand Down
8 changes: 5 additions & 3 deletions internal/controllers/device_plugin_reconciler_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -734,8 +734,9 @@ var _ = Describe("DevicePluginReconciler_setDevicePluginAsDesired", func() {
Resources: resources,
VolumeMounts: []v1.VolumeMount{dpVolMount},
},
ServiceAccountName: serviceAccountName,
Volumes: []v1.Volume{dpVol},
ServiceAccountName: serviceAccountName,
Volumes: []v1.Volume{dpVol},
AutomountServiceAccountToken: ptr.To(false),
},
ImageRepoSecret: &repoSecret,
Selector: map[string]string{"has-feature-x": "true"},
Expand Down Expand Up @@ -837,7 +838,8 @@ var _ = Describe("DevicePluginReconciler_setDevicePluginAsDesired", func() {
},
dpVol,
},
Tolerations: []v1.Toleration{testToleration},
Tolerations: []v1.Toleration{testToleration},
AutomountServiceAccountToken: ptr.To(false),
},
},
},
Expand Down
Loading