func filterAzureIdentities()

in pkg/cmd/podidentity/detect.go [454:480]


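// filterAzureIdentities maps each AzureIdentityBinding selector to the
// AzureIdentity it references, so the caller can derive one client ID per
// pod selector.
//
// bindings are the AzureIdentityBinding objects to inspect; identities is
// keyed by AzureIdentity name, which is what binding.Spec.AzureIdentity
// refers to. The returned map is keyed by binding.Spec.Selector.
//
// A binding is skipped when:
//   - its selector or its AzureIdentity reference is empty;
//   - a binding with the same selector has already been mapped (first one
//     wins, so the order of bindings decides which identity is kept);
//   - the referenced AzureIdentity is not present in identities (the binding
//     is dropped without a log entry).
func filterAzureIdentities(bindings []aadpodv1.AzureIdentityBinding, identities map[string]aadpodv1.AzureIdentity) map[string]aadpodv1.AzureIdentity {
	labelsToAzureIdentityMap := make(map[string]aadpodv1.AzureIdentity, len(bindings))
	for _, binding := range bindings {
		selector, identityName := binding.Spec.Selector, binding.Spec.AzureIdentity
		if selector == "" || identityName == "" {
			continue
		}
		// This can happen when multiple AzureIdentityBinding exist in the namespace with the same selector.
		// Multiple AzureIdentityBinding with the same selector are configured in AAD Pod Identity to enable
		// a single pod to have access to multiple identities.
		// In case of workload identity, we can only annotate with a single client id and there can only
		// be one AZURE_CLIENT_ID environment variable. The client id annotation will be configured to the first
		// AzureIdentityBinding with the selector. The workload will use the client id of the specific identity
		// to get a token and will not really use the AZURE_CLIENT_ID environment variable.
		if existing, ok := labelsToAzureIdentityMap[selector]; ok {
			// existing is the AzureIdentity already kept for this selector, not a
			// binding, so it is logged under "identity"; the binding being skipped
			// is named as well so the collision can be traced back to its source.
			mlog.Debug("multiple AzureIdentityBinding found, using the first one",
				"selector", selector,
				"identity", existing.Name,
				"skippedBinding", binding.Name,
			)
			continue
		}
		if azureIdentity, ok := identities[identityName]; ok {
			labelsToAzureIdentityMap[selector] = azureIdentity
		}
	}

	return labelsToAzureIdentityMap
}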