fix: adjust service account managed fields

[drey]

If deployed resource previously had a service account reference, and it does not have serviceAccountName and serviceAccount params anymore, we must make both serviceAccount and serviceAccountName params managed to plan/converge work as expected. This is due to SSA operation.

To test the PR, deploy the following chart with NELM_FEAT_CLEAN_NULL_FIELDS environment variable set to true:

Signed-off-by: Ilya Drey <ilya.drey@flant.com>
---
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations: {}
  labels: {}
  name: service-account-removal
spec:
  replicas: 2
  selector:
    matchLabels:
      app: service-account-removal
  template:
    metadata:
      labels:
        app: service-account-removal
    spec:
      containers:
      - args:
        - |
          echo "Ready"
          touch /tmp/ready
          sleep 3600
        command:
        - sh
        - -c
        image: alpine:latest
        name: app
        readinessProbe:
          exec:
            command:
            - /bin/sh
            - -c
            - cat /tmp/ready && exit 0 || exit 1
          initialDelaySeconds: 5
      serviceAccountName: service-account-removal
---
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations: {}
  labels: {}
  name: service-account-removal

Next, remove serviceAccountName from the deployment and run plan again. The serviceAccountName should be marked as deleted in the plan output:

<skipped>
┌ Update Deployment/service-account-removal
│         restartPolicy: Always
│         schedulerName: default-scheduler
│         securityContext: {}
│ -       serviceAccount: service-account-removal
│ -       serviceAccountName: service-account-removal
│         terminationGracePeriodSeconds: 30
└ Update Deployment/service-account-removal
<skipped>

Summary by Bito

• Fixes a critical bug in service account field processing during resource convergence by adjusting the handling of managed fields and ensuring SSA operations work after removal of serviceAccountName.
• Replaces outdated function parameters with a more robust resource structure for service account parameters.
• Adds several helper functions to check and fix service account managed fields.
• Overall summary: The changes refine internal resource management logic, improve error messages and logging, and enhance stability of service account field processing, fixing a critical bug without introducing new risks.

[ilya-lesikov]

/review

[bito-code-review]

Changelist by Bito

This pull request implements the following key changes.

Key Change	Files Impacted
Bug Fix - Service Account Managed Fields Adjustment	- resource_info.go - Updated functions and parameters to correctly handle managed fields for service account references; introduced new helper functions for subpath evaluation and error handling to support SSA operations.

[bito-code-review]

Interaction Diagram by Bito

sequenceDiagram
participant CLI as nelm CLI
participant RIA as ReleaseInstallAction<br/>pkg/action/release_install.go
participant BRI as BuildResourceInfos<br/>internal/plan/resource_info.go<br/>🔄 Updated | ●●○ Medium
participant BIR as buildInstallableResourceInfo<br/>internal/plan/resource_info.go<br/>🔄 Updated | ●●○ Medium
participant FMFC as fixManagedFieldsInCluster<br/>internal/plan/resource_info.go<br/>🔄 Updated | ●●○ Medium
participant FMF as fixManagedFields<br/>internal/plan/resource_info.go<br/>🔄 Updated | ●●○ Medium
participant ISAMFFR as isServiceAccountManagedFieldFixRequired<br/>internal/plan/resource_info.go<br/>🟩 Added | ●●● High
participant FSAMF as fixServiceAccountManagedFields<br/>internal/plan/resource_info.go<br/>🟩 Added | ●●● High
participant KC as KubeClient<br/>kube.ClientFactorier
CLI->>RIA: nelm release install
RIA->>BRI: BuildResourceInfos(ctx, deployType, ...)
BRI->>BIR: buildInstallableResourceInfo(ctx, localRes, ...)
BIR->>FMFC: fixManagedFieldsInCluster(ctx, releaseNamespace, getObj, localRes, ...)
FMFC->>FMF: fixManagedFields(getObj, localRes, noRemoveManualChanges)
FMF->>ISAMFFR: isServiceAccountManagedFieldFixRequired(localRes.Unstruct, &oursEntry)
ISAMFFR-->>FMF: return required (bool)
alt [service account fix required]
FMF->>FSAMF: fixServiceAccountManagedFields(&oursEntry, subPath)
FSAMF-->>FMF: return error
Note over FMF: Set changed = true
    end
FMF-->>FMFC: return changed, err
alt [changed]
FMFC->>KC: MergePatch(ctx, localRes.ResourceMeta, patch, ...)
KC-->>FMFC: return patchedObj, err
    end
FMFC-->>BIR: return patchedObj, err
BIR-->>BRI: return infos, err
BRI-->>RIA: return instResourceInfos, delResourceInfos, err
RIA-->>CLI: installation complete

Loading

---

Critical path: nelm CLI -> BuildResourceInfos -> fixManagedFieldsInCluster -> fixManagedFields -> KubeClient

Note: The merge request updates the resource installation logic in internal/plan/resource_info.go to include special handling for service account managed fields in Kubernetes resources. It adds validation and transformation layers to detect when service account references in pod specs or workload templates require managed field corrections, and applies fixes to prevent deployment conflicts. This integrates with the existing Kubernetes API client for patching resources in the cluster, ensuring proper persistence of corrected managed fields during release operations like install, upgrade, and rollback. Upstream callers include CLI commands (nelm release install/upgrade/rollback) and action handlers in pkg/action/. Downstream effects impact resource deployment success and managed field accuracy in the cluster.

If the interaction diagram doesn't appear, refresh the page to render it.

You can disable interaction diagrams by customizing agent settings. Refer to documentation.

[bito-code-review]

Code Review Agent Run #9ce86b

Actionable Suggestions - 1

• internal/plan/resource_info.go - 1

  • Error Handling Issue · Line 541-549

Review Details

• Files reviewed - 1 · Commit Range: 98258a0..98258a0

  • internal/plan/resource_info.go
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • Golangci-lint (Linter) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Default Agent You can customize the agent settings here or contact your Bito workspace admin at ilya.lesikov@flant.com.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by

[bito-code-review]

Code Review Agent Run #5a2d95

Actionable Suggestions - 1

• internal/plan/resource_info.go - 1

  • Incorrect FieldsV1 field removal · Line 699-704

Review Details

• Files reviewed - 1 · Commit Range: 98258a0..63ba307

  • internal/plan/resource_info.go
• Files skipped - 0
• Tools

  • Whispers (Secret Scanner) - ✔︎ Successful
  • Detect-secrets (Secret Scanner) - ✔︎ Successful
  • Golangci-lint (Linter) - ✔︎ Successful

---

Bito Usage Guide

Commands

Type the following command in the pull request comment and save the comment.

• /review - Manually triggers a full AI review.

• /pause - Pauses automatic reviews on this pull request.

• /resume - Resumes automatic reviews.

• /resolve - Marks all Bito-posted review comments as resolved.

• /abort - Cancels all in-progress reviews.

Refer to the documentation for additional commands.

Configuration

This repository uses Default Agent You can customize the agent settings here or contact your Bito workspace admin at ilya.lesikov@flant.com.

Documentation & Help

• Customize agent settings
• Review rules
• General documentation
• FAQ

AI Code Review powered by