
fix: disable service account token automount for activation job pods (#1598)

Open
TheRealHaoLiu wants to merge 1 commit into ansible:main from TheRealHaoLiu:disable-automount-sa-token

Conversation

TheRealHaoLiu (Member) commented Jun 18, 2026

Summary

  • Activation job pods do not need Kubernetes API access — they run user-supplied rulebooks and decision environment images. This sets automount_service_account_token to False on the pod spec so the default service account token is not projected into these pods.

Test plan

  • Verify existing integration tests pass
  • Deploy and confirm activation job pods no longer have /var/run/secrets/kubernetes.io/serviceaccount/token mounted

Summary by CodeRabbit

  • Bug Fixes
    • Kubernetes pods created for jobs now explicitly disable automatic service account token mounting in pod templates, improving security and reducing unnecessary token exposure.
  • Tests
    • Updated integration tests to verify the service account token auto-mounting is disabled in pod templates across job configuration scenarios.

Activation job pods do not need Kubernetes API access — they run
user-supplied rulebooks and decision environment images. Set
automount_service_account_token to False so the default service
account token is not projected into these pods.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@TheRealHaoLiu TheRealHaoLiu requested a review from a team as a code owner June 18, 2026 14:44
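As an added example (not eda-server project code), the check below mirrors the PR's pod-spec change in plain dicts (the camelCase serialized form of the kubernetes client's V1PodSpec, where automount_service_account_token becomes automountServiceAccountToken) and audits a set of pod templates the way the test plan's deployment check would, taking into account the ServiceAccount-level default and explicit projected token volumes. The sample templates, image names and function names are constructed for this example.

```python
# Added example (not eda-server project code): audit pod templates for service
# account token automount, using the serialized (camelCase) form of V1PodSpec.
TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"


def build_pod_template(image: str, automount: bool = False) -> dict:
    """Minimal job pod template; token automount disabled by default."""
    return {
        "spec": {
            "automountServiceAccountToken": automount,
            "containers": [{"name": "activation", "image": image}],
        },
    }


def token_would_be_mounted(pod_spec: dict, sa_automount: bool = True) -> bool:
    """True if a service account token lands in some container of this pod.
    sa_automount is the ServiceAccount's own setting (default true); a pod-level
    value overrides it. A mounted projected serviceAccountToken volume counts too.
    """
    pod_level = pod_spec.get("automountServiceAccountToken")
    automount = sa_automount if pod_level is None else pod_level
    if automount:
        return True
    token_vols = {v["name"] for v in pod_spec.get("volumes") or []
                  if any("serviceAccountToken" in s for s in
                         (v.get("projected") or {}).get("sources") or [])}
    ctrs = (pod_spec.get("containers") or []) + (pod_spec.get("initContainers") or [])
    return any(m.get("name") in token_vols
               for c in ctrs for m in c.get("volumeMounts") or [])


def audit(templates: dict, sa_automount: bool = True) -> list:
    """Names of templates whose pods would receive a service account token."""
    return [n for n, t in templates.items()
            if token_would_be_mounted(t["spec"], sa_automount)]


# Constructed samples: pre-PR shape, post-PR shape, and an explicit projection.
SAMPLES = {
    "before": {"spec": {"containers": [{"name": "a", "image": "de:1"}]}},
    "after": build_pod_template("de:1"),
    "explicit": {"spec": {
        "automountServiceAccountToken": False,
        "volumes": [{"name": "tok", "projected": {"sources": [
            {"serviceAccountToken": {"path": "token"}}]}}],
        "containers": [{"name": "a", "image": "de:1", "volumeMounts": [
            {"name": "tok", "mountPath": TOKEN_PATH}]}]}},
}
```

The same logic applies to a live pod's spec read back from the API, which is how the test plan's deployment check can be automated.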
coderabbitai (bot) commented Jun 18, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between d2f0c95 and e10de88.

📒 Files selected for processing (2)
  • src/aap_eda/services/activation/engine/kubernetes.py
  • tests/integration/services/activation/engine/test_kubernetes.py

📝 Walkthrough

In Engine._create_pod_template_spec, automount_service_account_token=False is added to spec_kwargs to prevent Kubernetes from automatically mounting the service account token into job pods. Two integration tests are updated to assert this value is set.

Changes

Disable service account token automounting in Kubernetes pod spec

Layer: Pod spec change and test assertions
File(s): src/aap_eda/services/activation/engine/kubernetes.py, tests/integration/services/activation/engine/test_kubernetes.py
Summary: _create_pod_template_spec sets automount_service_account_token=False in spec_kwargs; assertions added to the pod metadata and no-tolerations integration tests to verify this field.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage ⚠️ Warning: Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Title check ✅ Passed: The title clearly and concisely summarizes the main change: disabling service account token automounting for activation job pods, which is exactly what the changeset implements.
  • Description check ✅ Passed: The description covers the key aspects: what is being changed (automount_service_account_token set to False), why it's needed (security - pods don't need Kubernetes API access), and how it can be tested (integration tests and deployment verification).
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.


codecov-commenter commented Jun 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.35%. Comparing base (d2f0c95) to head (e10de88).

@@           Coverage Diff           @@
##             main    #1598   +/-   ##
=======================================
  Coverage   92.35%   92.35%           
=======================================
  Files         244      244           
  Lines       11214    11214           
=======================================
  Hits        10357    10357           
  Misses        857      857           
Flag Coverage Δ
unit-int-tests-3.11 92.35% <ø> (ø)
unit-int-tests-3.12 92.35% <ø> (ø)

Flags with carried forward coverage won't be shown.

Files with missing lines Coverage Δ
...c/aap_eda/services/activation/engine/kubernetes.py 83.49% <ø> (ø)
