Merge pull request #251 from olemarkus/fix-wildcard-namespace

Support ConfigMap cache entries with wildcard namespace
aws · Jan 8, 2025 · 9f13e26 · 9f13e26
2 parents e3a5463 + 2182866
commit 9f13e26
Show file tree

Hide file tree

Showing 2 changed files with 63 additions and 0 deletions.
diff --git a/pkg/cache/cache.go b/pkg/cache/cache.go
@@ -131,6 +131,9 @@ func (c *serviceAccountCache) Get(req Request) Response {
 	}
 	{
 		entry := c.getCM(req.Name, req.Namespace)
+		if entry == nil {
+			entry = c.getCM(req.Name, "*")
+		}
 		if entry != nil {
 			result.FoundInCache = true
 			result.RoleARN = entry.RoleARN

diff --git a/pkg/cache/cache_test.go b/pkg/cache/cache_test.go
@@ -336,6 +336,66 @@ func TestPopulateCacheFromCM(t *testing.T) {
 
 }
 
+func TestPopulateCacheFromCMWithWildcard(t *testing.T) {
+	cm := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "pod-identity-webhook",
+		},
+		Data: map[string]string{
+			"config": "{\"*/mysa\":{\"RoleARN\":\"arn:aws:iam::111122223333:role/s3-reader\"},\"*/mysa2\": {\"RoleARN\":\"arn:aws:iam::111122223333:role/s3-reader2\"}}",
+		},
+	}
+	cm2 := &v1.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "pod-identity-webhook",
+		},
+		Data: map[string]string{
+			"config": "{\"*/mysa\":{\"RoleARN\":\"arn:aws:iam::111122223333:role/s3-reader\"}}",
+		},
+	}
+
+	c := serviceAccountCache{
+		cmCache: make(map[string]*Entry),
+	}
+
+	{
+		err := c.populateCacheFromCM(nil, cm)
+		if err != nil {
+			t.Errorf("failed to build cache: %v", err)
+		}
+
+		resp := c.Get(Request{Name: "mysa2", Namespace: "myns2"})
+		if resp.RoleARN == "" {
+			t.Errorf("cloud not find entry that should have been added")
+		}
+	}
+
+	{
+		err := c.populateCacheFromCM(cm, cm)
+		if err != nil {
+			t.Errorf("failed to build cache: %v", err)
+		}
+
+		resp := c.Get(Request{Name: "mysa2", Namespace: "myns2"})
+		if resp.RoleARN == "" {
+			t.Errorf("cloud not find entry that should have been added")
+		}
+	}
+
+	{
+		err := c.populateCacheFromCM(cm, cm2)
+		if err != nil {
+			t.Errorf("failed to build cache: %v", err)
+		}
+
+		resp := c.Get(Request{Name: "mysa2", Namespace: "myns2"})
+		if resp.RoleARN != "" {
+			t.Errorf("found entry that should have been removed")
+		}
+	}
+
+}
+
 func TestSAAnnotationRemoval(t *testing.T) {
 	roleArn := "arn:aws:iam::111122223333:role/s3-reader"
 	oldSA := &v1.ServiceAccount{