
Add configurable automountServiceAccountToken to operator Deployment#517

Open
dgwhited wants to merge 1 commit into mattermost:master from dgwhited:add-automount-service-account-token

Conversation

@dgwhited

@dgwhited dgwhited commented Mar 16, 2026

Summary

  • Add explicit automountServiceAccountToken to the operator Deployment pod spec, configurable via mattermostOperator.serviceAccount.automountToken (defaults to true)
  • Bump chart version to 1.0.5

Problem

On platforms with security policies that disable automatic mounting of service account tokens at the secret level, the operator pod fails to start with:

level=error msg="[opr.controller-runtime.client.config] unable to load in-cluster config" error="open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory"

The current Deployment template relies on the Kubernetes default for automountServiceAccountToken, which is overridden to false in hardened environments.

Solution

Explicitly set automountServiceAccountToken in the Deployment pod spec, driven by a new Helm value:

mattermostOperator:
  serviceAccount:
    automountToken: true  # default

This causes the kubelet to mount a projected service account token volume, which works on hardened clusters that only disable the legacy secret-based token approach.

Changes

File              Change
values.yaml       Added automountToken: true under serviceAccount
deployment.yaml   Added automountServiceAccountToken to pod spec
Chart.yaml        Version bump 1.0.4 -> 1.0.5

Validation

# Default renders true
$ helm template test charts/mattermost-operator/ | grep automountServiceAccountToken
      automountServiceAccountToken: true

# Override renders false
$ helm template test charts/mattermost-operator/ --set mattermostOperator.serviceAccount.automountToken=false | grep automountServiceAccountToken
      automountServiceAccountToken: false

This is a non-breaking change — existing deployments that rely on the Kubernetes default (true) continue to work identically.

Summary by CodeRabbit

  • Chores
    • Bumped Mattermost Operator chart to version 1.0.5.
  • New Features
    • Added configurable service account token mounting for the operator. Token mounting is enabled by default and can be changed via configuration.

@coderabbitai

coderabbitai Bot commented Mar 16, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between c68a630 and c9b2a54.

📒 Files selected for processing (3)
  • charts/mattermost-operator/Chart.yaml
  • charts/mattermost-operator/templates/mattermost-operator/deployment.yaml
  • charts/mattermost-operator/values.yaml
🚧 Files skipped from review as they are similar to previous changes (2)
  • charts/mattermost-operator/values.yaml
  • charts/mattermost-operator/templates/mattermost-operator/deployment.yaml

📝 Walkthrough

Walkthrough

Bumps the mattermost-operator Helm chart version and adds a configurable automountServiceAccountToken setting (default true) to the operator Deployment via values.

Changes

Cohort: Version Update
  File(s): charts/mattermost-operator/Chart.yaml
  Summary: Chart version incremented from 1.0.4 to 1.0.5.

Cohort: Service Account Token Configuration
  File(s): charts/mattermost-operator/templates/mattermost-operator/deployment.yaml, charts/mattermost-operator/values.yaml
  Summary: Added automountServiceAccountToken to the Deployment pod spec, wired to mattermostOperator.serviceAccount.automountToken with default true in values.yaml.



@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
charts/mattermost-operator/templates/mattermost-operator/deployment.yaml (1)

Line 30: Consider adding a default for robustness.

The template directly accesses .Values.mattermostOperator.serviceAccount.automountToken. If a user provides a custom values file that defines mattermostOperator.serviceAccount without the automountToken key, Helm will render an empty value, producing invalid YAML.

♻️ Proposed fix using Helm's default function
-      automountServiceAccountToken: {{ .Values.mattermostOperator.serviceAccount.automountToken }}
+      automountServiceAccountToken: {{ .Values.mattermostOperator.serviceAccount.automountToken | default true }}
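Review bot: The proposed `| default true` on line 30 silently discards an explicit `automountToken: false`, because Helm's `default` (from Sprig) treats boolean `false` as an empty value; a user who runs `--set mattermostOperator.serviceAccount.automountToken=false`, exactly as in the PR's own validation step, would get `automountServiceAccountToken: true` rendered and the token mounted after all. To distinguish "unset" from "set to false", guard with `{{- if hasKey .Values.mattermostOperator.serviceAccount "automountToken" }}` and emit the literal value in that branch, falling back to `true` in the `else` branch. The AI-agent prompt below also says "e.g., default false", which contradicts both this diff and the chart's documented default of true; the two should agree before anyone applies the suggestion.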
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@charts/mattermost-operator/templates/mattermost-operator/deployment.yaml` at
line 30, The template directly renders automountServiceAccountToken from
.Values.mattermostOperator.serviceAccount.automountToken which can be undefined
and produce invalid YAML; update the deployment template (the
automountServiceAccountToken field) to use Helm's default function to supply a
safe boolean (e.g., default false) when
.Values.mattermostOperator.serviceAccount.automountToken is missing so the
rendered YAML is always valid.


📥 Commits

Reviewing files that changed from the base of the PR and between 70992f7 and c68a630.

📒 Files selected for processing (3)
  • charts/mattermost-operator/Chart.yaml
  • charts/mattermost-operator/templates/mattermost-operator/deployment.yaml
  • charts/mattermost-operator/values.yaml
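Because the template reads a value that may be absent or explicitly false, the following Deployment pod-spec fragment is added here as an example (it is not the chart's own deployment.yaml) to show a rendering that keeps the PR's default of true, still honours an explicit automountToken: false, and does not fail when the serviceAccount block is missing. It assumes only the value path mattermostOperator.serviceAccount.automountToken from the PR; the resource names and the image are placeholders.

```yaml
{{- /* Added example, not the chart's template. Value path assumed from the PR:
       mattermostOperator.serviceAccount.automountToken (chart default: true).
       `default dict` keeps $sa a map even when the block is absent from values. */ -}}
{{- $sa := .Values.mattermostOperator.serviceAccount | default dict }}
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mattermost-operator   # placeholder name
spec:
  selector:
    matchLabels:
      app: mattermost-operator
  template:
    metadata:
      labels:
        app: mattermost-operator
    spec:
      serviceAccountName: mattermost-operator   # placeholder name
      {{- /* Do NOT write `$sa.automountToken | default true`: Sprig's default
             treats false as empty, so an explicit false would render as true
             and re-enable the projected token mount the operator was told not
             to use. hasKey separates "unset" from "set to false". */}}
      {{- if hasKey $sa "automountToken" }}
      automountServiceAccountToken: {{ $sa.automountToken }}
      {{- else }}
      automountServiceAccountToken: true
      {{- end }}
      containers:
        - name: mattermost-operator
          image: PLACEHOLDER_IMAGE   # the chart's real image value goes here
```

Rendering with no serviceAccount block yields automountServiceAccountToken: true; rendering with --set mattermostOperator.serviceAccount.automountToken=false yields false, matching the PR's validation output.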

On platforms with policies that disable secret-based service account token
automounting, the operator pod fails to start because it cannot find the
token at /var/run/secrets/kubernetes.io/serviceaccount/token.

Add an explicit automountServiceAccountToken field to the Deployment pod
spec, driven by the new mattermostOperator.serviceAccount.automountToken
value (default: true). This enables the projected volume token on
hardened clusters while preserving existing behavior.
@dgwhited dgwhited force-pushed the add-automount-service-account-token branch from c68a630 to c9b2a54 on March 16, 2026 20:10
@dgwhited
Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Mar 16, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.
