in pkg/handler/handler.go [420:488]
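// buildPodPatchConfig decides which credential-injection method, if any,
// applies to pod and returns the settings the patch is built from.
//
// Resolution order:
//  1. A container-credentials config registered for the pod's namespace and
//     service account wins outright.
//  2. Otherwise the service account is looked up in the cache (optionally
//     waiting up to m.saLookupGraceTime for it to appear); a non-empty
//     RoleARN selects the STS web-identity method.
//  3. Otherwise nil is returned, meaning "do not mutate this pod". The caller
//     is presumably expected to admit the pod unmodified in that case —
//     confirm at the call site, since a cache miss then degrades to "no
//     identity injected" rather than a rejection.
//
// In both methods the token expiry and the set of containers to leave alone
// come from parsePodAnnotations, i.e. from annotations written by whoever
// created the pod; treat the resulting values accordingly.
//
// Lookups key on pod.Namespace and pod.Spec.ServiceAccountName exactly as
// given; this assumes the caller has already filled in defaults for empty
// values — TODO confirm.
func (m *Modifier) buildPodPatchConfig(pod *corev1.Pod) *podPatchConfig {
	namespace := pod.Namespace
	saName := pod.Spec.ServiceAccountName

	// Container credentials method takes precedence over web identity.
	if ccCfg := m.ContainerCredentialsConfig.Get(namespace, saName); ccCfg != nil {
		regionalSTS, tokenExpiration := m.Cache.GetCommonConfigurations(saName, namespace)
		// Pod annotations may override the cached expiry and opt containers out.
		tokenExpiration, containersToSkip := m.parsePodAnnotations(pod, tokenExpiration)
		// Presumably spreads renewals of pods created together; see
		// addJitterToDefaultToken for the exact rule.
		tokenExpiration = m.addJitterToDefaultToken(tokenExpiration)
		webhookPodCount.WithLabelValues("container_credentials").Inc()
		return &podPatchConfig{
			ContainersToSkip:                containersToSkip,
			TokenExpiration:                 tokenExpiration,
			UseRegionalSTS:                  regionalSTS,
			Audience:                        ccCfg.Audience,
			MountPath:                       ccCfg.MountPath,
			VolumeName:                      ccCfg.VolumeName,
			TokenPath:                       ccCfg.TokenPath,
			WebIdentityPatchConfig:          nil,
			ContainerCredentialsPatchConfig: ccCfg,
		}
	}

	// Use the STS WebIdentity method if the service account is known to the
	// cache. With a grace period configured, ask the cache to notify us if the
	// service account shows up shortly after this lookup.
	gracePeriodEnabled := m.saLookupGraceTime > 0
	request := cache.Request{Namespace: namespace, Name: saName, RequestNotification: gracePeriodEnabled}
	response := m.Cache.Get(request)

	switch {
	case !response.FoundInCache && !gracePeriodEnabled:
		// No grace period: record the miss and fall through. A miss is expected
		// to leave response.RoleARN empty, so no patch is produced below —
		// TODO confirm against the cache implementation.
		missingSACounter.WithLabelValues().Inc()
	case !response.FoundInCache:
		klog.Warningf("Service account %s not found in the cache. Waiting up to %s to be notified", request.CacheKey(), m.saLookupGraceTime)
		select {
		case <-response.Notifier:
			// Re-read without requesting another notification; the notifier
			// firing does not by itself prove the entry is present.
			request = cache.Request{Namespace: namespace, Name: saName, RequestNotification: false}
			response = m.Cache.Get(request)
			if !response.FoundInCache {
				klog.Warningf("Service account %s not found in the cache after being notified. Not mutating.", request.CacheKey())
				missingSACounter.WithLabelValues().Inc()
				return nil
			}
		case <-time.After(m.saLookupGraceTime):
			klog.Warningf("Service account %s not found in the cache after %s. Not mutating.", request.CacheKey(), m.saLookupGraceTime)
			missingSACounter.WithLabelValues().Inc()
			return nil
		}
	}

	klog.V(5).Infof("Value of roleArn after cache retrieval for service account %s: %s", request.CacheKey(), response.RoleARN)
	if response.RoleARN != "" {
		// Pod annotations may override the cached expiry and opt containers out.
		tokenExpiration, containersToSkip := m.parsePodAnnotations(pod, response.TokenExpiration)
		webhookPodCount.WithLabelValues("sts_web_identity").Inc()
		return &podPatchConfig{
			ContainersToSkip:                containersToSkip,
			TokenExpiration:                 tokenExpiration,
			UseRegionalSTS:                  response.UseRegionalSTS,
			Audience:                        response.Audience,
			MountPath:                       m.MountPath,
			VolumeName:                      m.volName,
			TokenPath:                       m.tokenName,
			WebIdentityPatchConfig:          &webIdentityPatchConfig{RoleArn: response.RoleARN},
			ContainerCredentialsPatchConfig: nil,
		}
	}

	// No mutations needed.
	return nil
}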