in pkg/cmd/podidentity/detect.go [243:282]
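// createServiceAccountFile builds the ServiceAccount manifest for the given
// owner and writes it to the file returned by dc.getServiceAccountFileName.
//
// When name is empty or "default" a fresh ServiceAccount named after the owner
// is generated in dc.namespace; otherwise the referenced ServiceAccount is
// fetched from the cluster and reused. The workload-identity annotations
// (client ID, token expiry, and tenant ID when set) are merged into the
// object's existing annotations before it is serialized.
//
// Returns the annotated ServiceAccount, or an error if the lookup, file
// creation, encoding, or close fails. On error the returned object is nil.
func (dc *detectCmd) createServiceAccountFile(name, ownerName, clientID string) (*corev1.ServiceAccount, error) {
	var sa *corev1.ServiceAccount
	if name == "" || name == "default" {
		mlog.Debug("generating a new service account instead of using default service account", "owner", ownerName)
		// generate a new service account yaml file with owner name as service account name
		sa = &corev1.ServiceAccount{}
		sa.SetName(ownerName)
		sa.SetNamespace(dc.namespace)
	} else {
		// get service account referenced by the owner
		var err error
		sa, err = kuberneteshelper.GetServiceAccount(context.TODO(), dc.kubeClient, dc.namespace, name)
		if err != nil {
			return nil, fmt.Errorf("getting service account %s/%s: %w", dc.namespace, name, err)
		}
	}

	// Merge the workload-identity annotations into whatever annotations the
	// object already carries; a fetched service account keeps its own.
	saAnnotations := sa.GetAnnotations()
	if saAnnotations == nil {
		saAnnotations = make(map[string]string)
	}
	saAnnotations[webhook.ClientIDAnnotation] = clientID
	// Round to the nearest second before converting to a string
	saAnnotations[webhook.ServiceAccountTokenExpiryAnnotation] = fmt.Sprintf("%.0f", dc.serviceAccountTokenExpiration.Round(time.Second).Seconds())
	if dc.tenantID != "" {
		saAnnotations[webhook.TenantIDAnnotation] = dc.tenantID
	}
	sa.SetAnnotations(saAnnotations)

	// The GVK is set explicitly so the serialized manifest carries apiVersion/kind.
	// Only resourceVersion is cleared here; any other server-populated metadata on
	// a fetched object is written out as-is.
	sa.SetGroupVersionKind(schema.GroupVersionKind{Group: "", Version: "v1", Kind: "ServiceAccount"})
	sa.SetResourceVersion("")

	// NOTE(review): getServiceAccountFileName is defined elsewhere; this assumes it
	// returns a path under the intended output directory and does not let ownerName
	// escape it — confirm against its implementation.
	fileName := filepath.Clean(dc.getServiceAccountFileName(ownerName))

	// write the service account yaml file; the Close error is checked explicitly
	// because a deferred Close would silently drop a write failure.
	file, err := os.Create(fileName)
	if err != nil {
		return nil, fmt.Errorf("creating service account file %q: %w", fileName, err)
	}
	if err := dc.serializer.Encode(sa, file); err != nil {
		// best effort: the encode error is the one worth reporting
		_ = file.Close()
		return nil, fmt.Errorf("writing service account file %q: %w", fileName, err)
	}
	if err := file.Close(); err != nil {
		return nil, fmt.Errorf("closing service account file %q: %w", fileName, err)
	}
	return sa, nil
}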