func GetServiceAccountAndVerifyWorkloadIdentity()

in pkg/util/serviceaccount.go [15:34]

• 14 lines of code
• 5 McCabe index (conditional complexity)

func GetServiceAccountAndVerifyWorkloadIdentity(ctx context.Context, k8sclient client.Client, saName, saNamespace string) (string, error) {
	// ensure referenced serviceaccount exists
	saObj := &corev1.ServiceAccount{}
	err := k8sclient.Get(ctx, types.NamespacedName{Name: saName, Namespace: saNamespace}, saObj)

	if client.IgnoreNotFound(err) != nil {
		return "", fmt.Errorf("failed to fetch serviceaccount to verify workload identity configuration: %w", err)
	}

	// SA wasn't found, return appropriate error
	if err != nil {
		return "", NewUserError(err, fmt.Sprintf("serviceAccount %s does not exist in namespace %s", saName, saNamespace))
	}
	// check for required annotations
	if saObj.Annotations == nil || saObj.Annotations[wiSaClientIdAnnotation] == "" {
		return "", NewUserError(errors.New("user-specified service account does not contain WI annotation"), fmt.Sprintf("serviceAccount %s was specified but does not include necessary annotation for workload identity", saName))
	}

	return saObj.Annotations[wiSaClientIdAnnotation], nil
}