func retrieveClientIdForListener()

in pkg/controller/keyvault/gateway_secret_provider_class.go [211:234]


// retrieveClientIdForListener resolves the Workload Identity client ID that a
// single Gateway listener should use to fetch its Key Vault certificate.
//
// options carries the listener's TLS options. certUriTLSOption and
// serviceAccountTLSOption are required together: the pair is validated first,
// and a util.NewUserError (surfaced to the user) is returned when only one of
// them, or neither, is present. The named ServiceAccount is then looked up in
// the caller-supplied namespace (presumably the Gateway's own namespace — the
// listener options never choose the namespace, so a listener cannot borrow a
// ServiceAccount from elsewhere) and
// util.GetServiceAccountAndVerifyWorkloadIdentity confirms it is set up for
// Workload Identity and yields its client ID.
//
// Returns the client ID on success. Errors come either from option validation
// or from the ServiceAccount lookup/verification, the latter returned unchanged.
func retrieveClientIdForListener(ctx context.Context, k8sclient client.Client, namespace string, options map[gatewayv1.AnnotationKey]gatewayv1.AnnotationValue) (string, error) {
	keyVaultUri := string(options[certUriTLSOption])
	serviceAccount := string(options[serviceAccountTLSOption])

	hasUri := keyVaultUri != ""
	hasServiceAccount := serviceAccount != ""

	// Report exactly which half of the required pair is missing so the user
	// gets an actionable message instead of a generic failure.
	switch {
	case hasUri && !hasServiceAccount:
		return "", util.NewUserError(errors.New("user specified cert URI but no ServiceAccount in a listener"), "KeyVault Cert URI provided, but the required ServiceAccount option was not. Please provide a ServiceAccount via the TLS option kubernetes.azure.com/tls-cert-service-account")
	case !hasUri && hasServiceAccount:
		return "", util.NewUserError(errors.New("user specified ServiceAccount but no cert URI in a listener"), "ServiceAccount for WorkloadIdentity provided, but KeyVault Cert URI was not. Please provide a TLS Cert URI via the TLS option kubernetes.azure.com/tls-cert-keyvault-uri")
	case !hasUri && !hasServiceAccount:
		// Callers are expected to skip listeners with no TLS options before
		// getting here; keep the guard so a stray call cannot reach the lookup.
		return "", util.NewUserError(errors.New("none of the required TLS options were specified"), "KeyVault Cert URI and ServiceAccount must both be specified to use TLS functionality in App Routing")
	}

	// Resolve the ServiceAccount in the caller's namespace and verify it is
	// configured for Workload Identity. Any error is passed through unchanged,
	// and nothing else is returned alongside it.
	clientId, lookupErr := util.GetServiceAccountAndVerifyWorkloadIdentity(ctx, k8sclient, serviceAccount, namespace)
	if lookupErr != nil {
		return "", lookupErr
	}
	return clientId, nil
}