From 30036c802617e25084457592276576c547418f67 Mon Sep 17 00:00:00 2001
From: Ondra Kupka
Date: Wed, 26 Nov 2025 12:19:06 +0100
Subject: [PATCH] lib/resourcemerge: Add support for automountServiceAccountToken

Take automountServiceAccountToken flag into account when reconciling a pod spec.
---
 lib/resourcemerge/core.go | 1 +
 lib/resourcemerge/core_test.go | 50 ++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)

diff --git a/lib/resourcemerge/core.go b/lib/resourcemerge/core.go
index 822038e5c..99f5a3216 100644
--- a/lib/resourcemerge/core.go
+++ b/lib/resourcemerge/core.go
@@ -45,6 +45,7 @@ func ensurePodSpec(modified *bool, existing *corev1.PodSpec, required corev1.Pod
 }
 }
 
+ setBoolPtr(modified, &existing.AutomountServiceAccountToken, required.AutomountServiceAccountToken)
 setStringIfSet(modified, &existing.ServiceAccountName, required.ServiceAccountName)
 setBool(modified, &existing.HostNetwork, required.HostNetwork)
 setBoolPtr(modified, &existing.HostUsers, required.HostUsers)
diff --git a/lib/resourcemerge/core_test.go b/lib/resourcemerge/core_test.go
index 1ec88c09e..ef9989f3f 100644
--- a/lib/resourcemerge/core_test.go
+++ b/lib/resourcemerge/core_test.go
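Review bot: The added `setBoolPtr` call in ensurePodSpec carries no comment saying that a nil `required.AutomountServiceAccountToken` clears whatever the live pod spec holds; the "automountServiceAccountToken is unset" case in core_test.go shows an existing `false` being reset to nil with modified set. A nil pod-level value defers to the ServiceAccount's own setting, and the token is mounted when neither opts out, so a manifest that omits the field undoes an opt-out present on the live object. I would state that above the call: `// A nil required value clears existing; a manifest that must not mount the token has to set false explicitly.` ensurePodSpec starts and ends outside the hunk, so any earlier handling of the field is not visible here.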
@@ -56,6 +56,56 @@ func TestEnsurePodSpec(t *testing.T) {
 HostUsers: boolPtr(false),
 },
 },
+ {
+ name: "automountServiceAccountToken is set",
+ existing: corev1.PodSpec{},
+ input: corev1.PodSpec{
+ AutomountServiceAccountToken: boolPtr(false),
+ },
+
+ expectedModified: true,
+ expected: corev1.PodSpec{
+ AutomountServiceAccountToken: boolPtr(false),
+ },
+ },
+ {
+ name: "automountServiceAccountToken is unset",
+ existing: corev1.PodSpec{
+ AutomountServiceAccountToken: boolPtr(false),
+ },
+ input: corev1.PodSpec{},
+
+ expectedModified: true,
+ expected: corev1.PodSpec{},
+ },
+ {
+ name: "automountServiceAccountToken is changed",
+ existing: corev1.PodSpec{
+ AutomountServiceAccountToken: boolPtr(true),
+ },
+ input: corev1.PodSpec{
+ AutomountServiceAccountToken: boolPtr(false),
+ },
+
+ expectedModified: true,
+ expected: corev1.PodSpec{
+ AutomountServiceAccountToken: boolPtr(false),
+ },
+ },
+ {
+ name: "automountServiceAccountToken is unchanged",
+ existing: corev1.PodSpec{
+ AutomountServiceAccountToken: boolPtr(false),
+ },
+ input: corev1.PodSpec{
+ AutomountServiceAccountToken: boolPtr(false),
+ },
+
+ expectedModified: false,
+ expected: corev1.PodSpec{
+ AutomountServiceAccountToken: boolPtr(false),
+ },
+ },
 {
 name: "PodSecurityContext empty",
 existing: corev1.PodSpec{
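Review bot: None of the four new cases puts `boolPtr(true)` in `input`, so the direction that turns token mounting back on (existing `false`, required `true`) is not pinned by the table. That is the transition a reader auditing token exposure most wants to see asserted, and a fifth entry would cover it. The expected values in the entry below assume `setBoolPtr` copies the required pointer, as the "is changed" case suggests. The TestEnsurePodSpec table begins and ends outside the hunk, so an existing case elsewhere may already cover this.

```go
// … unchanged: the four automountServiceAccountToken cases added by this commit …
{
	name: "automountServiceAccountToken is re-enabled",
	existing: corev1.PodSpec{
		AutomountServiceAccountToken: boolPtr(false),
	},
	input: corev1.PodSpec{
		AutomountServiceAccountToken: boolPtr(true),
	},

	expectedModified: true,
	expected: corev1.PodSpec{
		AutomountServiceAccountToken: boolPtr(true),
	},
},
```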