From 2182866ae77ef49b24cd7c4e8e3805b4dc30a826 Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Wed, 18 Dec 2024 20:18:39 +0100
Subject: [PATCH] Support ConfigMap cache entries with wildcard namespace
---
 pkg/cache/cache.go | 3 +++
 pkg/cache/cache_test.go | 60 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+)
diff --git a/pkg/cache/cache.go b/pkg/cache/cache.go
index 44d78e47f..2c8dd0d2d 100644
--- a/pkg/cache/cache.go
+++ b/pkg/cache/cache.go
@@ -131,6 +131,9 @@ func (c *serviceAccountCache) Get(req Request) Response {
 }
 {
 entry := c.getCM(req.Name, req.Namespace)
+ if entry == nil {
+ entry = c.getCM(req.Name, "*")
+ }
 if entry != nil {
 result.FoundInCache = true
 result.RoleARN = entry.RoleARN
diff --git a/pkg/cache/cache_test.go b/pkg/cache/cache_test.go
index d4a540cfd..6aad30771 100644
--- a/pkg/cache/cache_test.go
+++ b/pkg/cache/cache_test.go
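Review bot: The new fallback `entry = c.getCM(req.Name, "*")` carries no comment explaining the precedence it introduces, and `"*"` is a bare magic value that the ConfigMap parser presumably has to agree on; I would lift it into a named constant (e.g. `const wildcardNamespace = "*"`) and add above the `if`: `// No namespace-specific entry: fall back to a wildcard-namespace entry, which applies to a service account of this name in every namespace. An exact namespace match always takes precedence.`. Because a wildcard entry hands the same RoleARN to a service account of that name in any namespace, it is worth logging when the wildcard branch is taken so that grants made through the fallback are distinguishable from exact matches in the webhook's logs. The enclosing `Get` starts and ends outside the hunk, so I cannot see whether the service-account lookup above already short-circuits before this block.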
@@ -336,6 +336,66 @@ func TestPopulateCacheFromCM(t *testing.T) {
 }
+func TestPopulateCacheFromCMWithWildcard(t *testing.T) {
+ cm := &v1.ConfigMap{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "pod-identity-webhook",
+ },
+ Data: map[string]string{
+ "config": "{\"*/mysa\":{\"RoleARN\":\"arn:aws:iam::111122223333:role/s3-reader\"},\"*/mysa2\": {\"RoleARN\":\"arn:aws:iam::111122223333:role/s3-reader2\"}}",
+ },
+ }
+ cm2 := &v1.ConfigMap{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "pod-identity-webhook",
+ },
+ Data: map[string]string{
+ "config": "{\"*/mysa\":{\"RoleARN\":\"arn:aws:iam::111122223333:role/s3-reader\"}}",
+ },
+ }
+
+ c := serviceAccountCache{
+ cmCache: make(map[string]*Entry),
+ }
+
+ {
+ err := c.populateCacheFromCM(nil, cm)
+ if err != nil {
+ t.Errorf("failed to build cache: %v", err)
+ }
+
+ resp := c.Get(Request{Name: "mysa2", Namespace: "myns2"})
+ if resp.RoleARN == "" {
+ t.Errorf("cloud not find entry that should have been added")
+ }
+ }
+
+ {
+ err := c.populateCacheFromCM(cm, cm)
+ if err != nil {
+ t.Errorf("failed to build cache: %v", err)
+ }
+
+ resp := c.Get(Request{Name: "mysa2", Namespace: "myns2"})
+ if resp.RoleARN == "" {
+ t.Errorf("cloud not find entry that should have been added")
+ }
+ }
+
+ {
+ err := c.populateCacheFromCM(cm, cm2)
+ if err != nil {
+ t.Errorf("failed to build cache: %v", err)
+ }
+
+ resp := c.Get(Request{Name: "mysa2", Namespace: "myns2"})
+ if resp.RoleARN != "" {
+ t.Errorf("found entry that should have been removed")
+ }
+ }
+
+}
+
 func TestSAAnnotationRemoval(t *testing.T) {
 roleArn := "arn:aws:iam::111122223333:role/s3-reader"
 oldSA := &v1.ServiceAccount{
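Review bot: The two positive checks in `TestPopulateCacheFromCMWithWildcard` only assert `resp.RoleARN == ""`, so they would still pass if the wildcard lookup returned the wrong entry (for example the `*/mysa` role for `mysa2`); pin the value instead, `if resp.RoleARN != "arn:aws:iam::111122223333:role/s3-reader2" { t.Errorf("got RoleARN %q", resp.RoleARN) }`. The test also never exercises the precedence the production change relies on: a ConfigMap holding both a `myns2/mysa2` entry and a `*/mysa2` entry with different ARNs, with an assertion that `Get` returns the namespace-specific one, would guard the only line that keeps a wildcard from overriding an explicit grant. The error message `"cloud not find entry..."` reads as a typo for "could not find". The hunk's trailing context cuts into `TestSAAnnotationRemoval`, which continues outside the hunk.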