feat: add serviceAccountName to CRD & fix bundled skill preservation with agentFiles

[IsaiahStapleton]

Summary

• Add spec.serviceAccountName field to the Claw CRD so users can mount a custom ServiceAccount on the gateway pod. When set, automountServiceAccountToken is automatically enabled so the SA token is mounted. When omitted, existing behavior is preserved (default SA, no token).
• Fix bundled skill preservation when deploying with agentFiles. Previously, the agentFiles openclaw.json completely replaced the operator seed, discarding all 57 disabled bundled skill entries. Users relying on the broken upstream allowBundled mechanism (OpenClaw bugs #21709, #10236) got all bundled skills enabled despite their whitelist. merge.js now deep-merges agentFiles config on top of the operator seed so disabled-by-default skills stay disabled.
• Fix two plugin tests broken by ec8176f (init-plugins mount changed from per-subPath to whole-home).

Motivation

The operator hardcodes automountServiceAccountToken: false and defaults serviceAccountName to "default". There was no way for users to mount a read-only SA token for in-cluster API access (e.g., listing pods, reading events). Direct deployment patches were reverted by the operator's CreateOrUpdate reconciliation.

Summary by CodeRabbit

• New Features
  • Introduced support for specifying a custom Kubernetes ServiceAccount for the gateway pod, with automatic token mounting when configured. The default ServiceAccount is used when omitted.

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds an optional serviceAccountName field to ClawSpec with a corresponding CRD schema update. A new controller function configureClawDeploymentServiceAccount applies the configured service account and enables token automounting on the gateway Deployment; this is wired into configureDeployments. Also fixes openclaw.json config seeding to deep-merge agent-files into the operator seed, and updates plugin volume-mount test expectations.

Changes

ServiceAccountName Feature

Layer / File(s)	Summary
API type and CRD schema api/v1alpha1/claw_types.go, config/crd/bases/claw.sandbox.redhat.com_claws.yaml	Adds optional ServiceAccountName field to ClawSpec and the matching spec.serviceAccountName property to the CRD OpenAPI schema.
Controller implementation, wiring, and tests internal/controller/claw_deployment.go, internal/controller/claw_resource_controller.go, internal/controller/claw_deployment_test.go	Implements configureClawDeploymentServiceAccount to set serviceAccountName and automountServiceAccountToken=true on the gateway Deployment pod template; calls it from configureDeployments with error wrapping; unit tests verify no-op and active-set paths.

Config Seeding and Plugin Mount Fixups

Layer / File(s)	Summary
openclaw.json deep-merge and claw-home mount path test updates internal/assets/manifests/claw/configmap.yaml, internal/controller/claw_plugins_test.go	Changes agent-files openclaw.json handling from full replacement to deep-merge into operator seed; updates plugin init-container test expectations from multiple claw-home subpath mounts to a single /home/node mount.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• redhat-et/claw-operator#19: Introduced the claw-home volume mount at /home/node for the init-plugins container; this PR updates the corresponding test expectations to match that mount path.

Suggested reviewers

• cooktheryan
• sallyom
• pavelanni

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 40.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately captures both main features: serviceAccountName field addition and the bundled skill preservation fix with agentFiles deep-merge.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (1)

internal/controller/claw_deployment_test.go (1)

2602-2661: ⚡ Quick win

Consider adding test coverage for the error path.

The tests cover the happy paths well, but don't verify the error case when the gateway Deployment is not found in the manifests. Consider adding a subtest that verifies the function returns an error when called with an empty objects slice or objects that don't contain the expected Deployment.

📝 Suggested test case

+
+	t.Run("returns error when deployment not found", func(t *testing.T) {
+		instance := &clawv1alpha1.Claw{}
+		instance.Name = testInstanceName
+		instance.Spec.ServiceAccountName = "my-reader"
+
+		err := configureClawDeploymentServiceAccount([]*unstructured.Unstructured{}, instance)
+		assert.Error(t, err)
+		assert.Contains(t, err.Error(), "claw deployment not found in manifests")
+	})

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/claw_deployment_test.go` around lines 2602 - 2661, The
TestConfigureClawDeploymentServiceAccount function currently only tests
successful execution paths but lacks coverage for error scenarios. Add a new
t.Run subtest (e.g., "returns error when Deployment not found") that verifies
configureClawDeploymentServiceAccount returns an error when called with an empty
objects slice or with objects that don't contain the expected Deployment
(identified by the ClawGatewayContainerName or deployment kind). Test both the
empty slice case and the case where objects exist but don't match the expected
structure to ensure the function properly validates its input and fails
gracefully when the required Deployment is missing.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@internal/controller/claw_deployment_test.go`:
- Around line 2602-2661: The TestConfigureClawDeploymentServiceAccount function
currently only tests successful execution paths but lacks coverage for error
scenarios. Add a new t.Run subtest (e.g., "returns error when Deployment not
found") that verifies configureClawDeploymentServiceAccount returns an error
when called with an empty objects slice or with objects that don't contain the
expected Deployment (identified by the ClawGatewayContainerName or deployment
kind). Test both the empty slice case and the case where objects exist but don't
match the expected structure to ensure the function properly validates its input
and fails gracefully when the required Deployment is missing.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: c3bb7743-f1d0-44b6-99fd-012488a9f8aa

📥 Commits

Reviewing files that changed from the base of the PR and between f13825d and 9ef4e22.

📒 Files selected for processing (7)

• api/v1alpha1/claw_types.go
• config/crd/bases/claw.sandbox.redhat.com_claws.yaml
• internal/assets/manifests/claw/configmap.yaml
• internal/controller/claw_deployment.go
• internal/controller/claw_deployment_test.go
• internal/controller/claw_plugins_test.go
• internal/controller/claw_resource_controller.go