How to use Workload Identity with Go client-go library?

[akselleirv]

Hello!

I'm trying to authenticate using Workload Identity, but I'm having difficulties finding documentation of how to do it with using the k8s client-go library. I have created a the following azure resources using Terraform:

terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "3.35.0"
    }
  }
}

provider "azurerm" {
  features {}
}


locals {
  name      = "example"
  namespace = "default"


  // This is only used for testing
  testing_name = "my-cluster"
}

resource "azurerm_resource_group" "this" {
  name     = local.name
  location = "Norway East"
}

resource "azurerm_user_assigned_identity" "this" {
  name                = local.name
  location            = azurerm_resource_group.this.location
  resource_group_name = azurerm_resource_group.this.name
}

data "azurerm_kubernetes_cluster" "service" {
  name                = local.testing_name
  resource_group_name = local.testing_name
}

resource "azurerm_federated_identity_credential" "this" {
  name                = local.name
  resource_group_name = azurerm_resource_group.this.name
  issuer              = data.azurerm_kubernetes_cluster.service.oidc_issuer_url
  parent_id           = azurerm_user_assigned_identity.this.id
  subject             = "system:serviceaccount:${local.namespace}:default"
  audience            = ["api://AzureADTokenExchange"]
}

And I have created this application which uses the projected tokens:

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/name: my-app
  name: my-app
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: my-app
  template:
    metadata:
      labels:
        app.kubernetes.io/name: my-app
    spec:
      containers:
        - name: my-app
          image: my-image:0.0.1
          imagePullPolicy: Always
          env:
            - name: AZURE_CLIENT_ID
              value: <redacted>
            - name: AZURE_TENANT_ID
              value: <redacted
            - name: AZURE_FEDERATED_TOKEN_FILE
              value: /var/run/secrets/tokens/token
            - name: SERVER_ID
              value: 6dae42f8-4368-4678-94ff-3960e28e3630 
          volumeMounts:
            - mountPath: /var/run/secrets/tokens
              name: token
      volumes:
        - name: token
          projected:
            sources:
              - serviceAccountToken:
                  path: token
                  expirationSeconds: 3600
                  audience: api://AzureADTokenExchange

In the image I have included the KubeLogin binary, but the next steps are unclear for me. I have looked into this example from Kubernetes: https://github.com/kubernetes/client-go/tree/master/examples/out-of-cluster-client-configuration

There they use the local kubeconfig to authenticate, but what would I need to change out in order to make it work with Workload Identity? Any links to some documentation which describes how to do this?

UPDATE:
I managed to figure out the requirements for the kubeconfig, but I have not solved the authorization to the kube api. I have created this kubeconfig:

apiVersion: v1
kind: Config
contexts:
  - context:
      cluster: my-cluster
      user: <object-principal-id>
    name: my-cluster
current-context: my-cluster
clusters:
  - cluster:
      certificate-authority-data: <ca-data>
      server: https://my-cluster.hcp.norwayeast.azmk8s.io:443
    name: my-cluster
preferences: { }
users:
  - name: <object-principal-id>
    user:
      exec:
        apiVersion: client.authentication.k8s.io/v1beta1
        args:
          - get-token
          - --server-id
          - 6dae42f8-4368-4678-94ff-3960e28e3630
          - --login
          - workloadidentity
        command: kubelogin
        env: null

My program looks like the following:

package main

import (
	"context"
	"fmt"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/kubernetes"
	"k8s.io/client-go/tools/clientcmd"
)

func main() {
	config, err := clientcmd.BuildConfigFromFlags("", "kube/config")
	if err != nil {
		panic(err.Error())
	}
	
	clientset, err := kubernetes.NewForConfig(config)
	if err != nil {
		panic(err.Error())
	}
	pods, err := clientset.CoreV1().Pods("").List(context.TODO(), metav1.ListOptions{})
	if err != nil {
		panic(err.Error())
	}
	fmt.Printf("There are %d pods in the cluster\n", len(pods.Items))
}

It is able to create the clientset, but when I try to list pods I get Unauthorized back. I have tried to create the following rolebinding:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sp-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: User
    apiGroup: rbac.authorization.k8s.io
    name: <object-principal-id>

But it does not seem to work. How can I debug this further?