in pkg/handler/handler.go [172:285]
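// addEnvToContainer injects the AWS credential-provider environment variables
// and the token volume mount into container, returning true when anything was
// added.
//
// Values already in the pod spec always win: an env var that is present by
// name (whether it carries a value or a valueFrom) is never overwritten, and
// defining either key of a pair (e.g. only AWS_ROLE_ARN) is taken to mean the
// pod author manages that pair, so the webhook adds neither key. When both
// ContainerCredentialsPatchConfig and WebIdentityPatchConfig are set, container
// credentials take precedence and the web-identity keys are not added.
//
// The region keys are only added when m.Region is set, and the regional STS
// key only when patchConfig.UseRegionalSTS is true. The token volume
// (patchConfig.VolumeName at patchConfig.MountPath) is mounted read-only and is
// skipped when a mount with that name already exists, or when every credential,
// region and STS variable this function would set is already defined (in which
// case the container is left untouched entirely).
func (m *Modifier) addEnvToContainer(container *corev1.Container, tokenFilePath string, patchConfig *podPatchConfig) bool {
	const stsKey = "AWS_STS_REGIONAL_ENDPOINTS"
	webIdentityKeys := map[string]struct{}{
		"AWS_ROLE_ARN":                {},
		"AWS_WEB_IDENTITY_TOKEN_FILE": {},
	}
	containerCredentialsKeys := map[string]struct{}{
		pkg.AwsEnvVarContainerCredentialsFullUri:     {},
		pkg.AwsEnvVarContainerAuthorizationTokenFile: {},
	}
	awsRegionKeys := map[string]struct{}{
		"AWS_REGION":         {},
		"AWS_DEFAULT_REGION": {},
	}

	var (
		webIdentityKeysDefined          bool
		containerCredentialsKeysDefined bool
		regionKeyDefined                bool
		regionalStsKeyDefined           bool
	)
	for _, ev := range container.Env {
		// Log only the variable name: the struct itself does not format with
		// %s (go vet flags it), and there is no need to echo user-supplied
		// values such as token paths into the log.
		if _, ok := webIdentityKeys[ev.Name]; ok {
			klog.V(4).Infof("Web identity env variable %s is already defined in the pod spec", ev.Name)
			webIdentityKeysDefined = true
		}
		if _, ok := containerCredentialsKeys[ev.Name]; ok {
			klog.V(4).Infof("Container credential env variable %s is already defined in the pod spec", ev.Name)
			containerCredentialsKeysDefined = true
		}
		if _, ok := awsRegionKeys[ev.Name]; ok {
			// Don't set either region key if any region key is already set.
			klog.V(4).Infof("AWS Region env variable %s is already defined in the pod spec", ev.Name)
			regionKeyDefined = true
		}
		if ev.Name == stsKey {
			klog.V(4).Infof("AWS STS env variable %s is already defined in the pod spec", ev.Name)
			regionalStsKeyDefined = true
		}
	}

	// Nothing to do when the credential provider selected by patchConfig,
	// the region and the STS endpoint mode are all already configured.
	credentialKeysDefined := (patchConfig.WebIdentityPatchConfig != nil && webIdentityKeysDefined) ||
		(patchConfig.ContainerCredentialsPatchConfig != nil && containerCredentialsKeysDefined)
	if credentialKeysDefined && regionKeyDefined && regionalStsKeyDefined {
		klog.V(4).Infof("Container %s has necessary env variables already present", container.Name)
		return false
	}

	changed := false
	env := container.Env
	if !regionalStsKeyDefined && patchConfig.UseRegionalSTS {
		env = append(env, corev1.EnvVar{
			Name:  stsKey,
			Value: "regional",
		})
		changed = true
	}
	if !regionKeyDefined && m.Region != "" {
		env = append(env, corev1.EnvVar{
			Name:  "AWS_DEFAULT_REGION",
			Value: m.Region,
		}, corev1.EnvVar{
			Name:  "AWS_REGION",
			Value: m.Region,
		})
		changed = true
	}
	// Container credentials take precedence over web identity when both are
	// configured; only one credential source is ever injected.
	if patchConfig.ContainerCredentialsPatchConfig != nil {
		if !containerCredentialsKeysDefined {
			env = append(env, corev1.EnvVar{
				Name:  pkg.AwsEnvVarContainerCredentialsFullUri,
				Value: patchConfig.ContainerCredentialsPatchConfig.FullUri,
			}, corev1.EnvVar{
				Name:  pkg.AwsEnvVarContainerAuthorizationTokenFile,
				Value: tokenFilePath,
			})
			changed = true
		}
	} else if patchConfig.WebIdentityPatchConfig != nil {
		if !webIdentityKeysDefined {
			env = append(env, corev1.EnvVar{
				Name:  "AWS_ROLE_ARN",
				Value: patchConfig.WebIdentityPatchConfig.RoleArn,
			}, corev1.EnvVar{
				Name:  "AWS_WEB_IDENTITY_TOKEN_FILE",
				Value: tokenFilePath,
			})
			changed = true
		}
	}
	container.Env = env

	// Mount the token volume read-only so the workload cannot modify the
	// credential material it authenticates with.
	volExists := false
	for _, vol := range container.VolumeMounts {
		if vol.Name == patchConfig.VolumeName {
			volExists = true
			break
		}
	}
	if !volExists {
		container.VolumeMounts = append(container.VolumeMounts, corev1.VolumeMount{
			Name:      patchConfig.VolumeName,
			ReadOnly:  true,
			MountPath: patchConfig.MountPath,
		})
		changed = true
	}
	return changed
}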