in internal/loader/configuration_client_manager.go [481:520]
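// newClientAssertionCredential builds an azcore.TokenCredential for the given
// Kubernetes ServiceAccount using a client-assertion (workload identity) flow.
//
// The Azure client ID is taken from the AnnotationClientID annotation on the
// ServiceAccount. The tenant ID is taken from the AnnotationTenantID
// annotation, falling back to the environment variable named by
// strings.ToUpper(AzureTenantId); if neither is set an error is returned.
// The assertion itself is supplied by newGetAssertionFunc for the same
// namespace/name.
//
// Because both identifiers are read straight from the ServiceAccount's
// annotations, anyone permitted to edit that ServiceAccount chooses which
// Azure identity this credential represents; RBAC on ServiceAccount objects
// in serviceAccountNamespace is therefore part of the trust boundary.
//
// A fresh controller-runtime client is constructed on every call from
// ctrlcfg.GetConfig(). All failures (config, client, lookup, credential
// construction) are returned wrapped with %w so callers can use
// errors.Is/errors.As on them.
func newClientAssertionCredential(ctx context.Context, serviceAccountName string, serviceAccountNamespace string) (azcore.TokenCredential, error) {
	cfg, err := ctrlcfg.GetConfig()
	if err != nil {
		return nil, fmt.Errorf("loading kubernetes config: %w", err)
	}
	// k8sClient rather than client: keeps the package name unshadowed for the
	// remainder of the function.
	k8sClient, err := client.New(cfg, client.Options{})
	if err != nil {
		return nil, fmt.Errorf("creating kubernetes client: %w", err)
	}

	serviceAccountObj := &corev1.ServiceAccount{}
	key := types.NamespacedName{Namespace: serviceAccountNamespace, Name: serviceAccountName}
	if err := k8sClient.Get(ctx, key, serviceAccountObj); err != nil {
		return nil, fmt.Errorf("getting service account %s/%s: %w", serviceAccountNamespace, serviceAccountName, err)
	}

	// Reading a nil Annotations map is safe in Go, so no nil check is needed.
	annotations := serviceAccountObj.Annotations

	// A present-but-empty client ID is as unusable as a missing one; treat
	// both as "required annotation absent".
	clientID, ok := annotations[AnnotationClientID]
	if !ok || clientID == "" {
		return nil, fmt.Errorf("annotation '%s' of service account %s/%s is required", AnnotationClientID, serviceAccountNamespace, serviceAccountName)
	}

	// Tenant ID: annotation first, then the (upper-cased) environment
	// variable. Presence, not content, is what is checked here; azidentity
	// validates the tenant ID's format when the credential is created.
	tenantID, ok := annotations[AnnotationTenantID]
	if !ok {
		tenantID, ok = os.LookupEnv(strings.ToUpper(AzureTenantId))
	}
	if !ok {
		return nil, fmt.Errorf("annotation '%s' of service account %s/%s is required since using global service account for workload identity is disabled", AnnotationTenantID, serviceAccountNamespace, serviceAccountName)
	}

	getAssertion := newGetAssertionFunc(serviceAccountNamespace, serviceAccountName)
	cred, err := azidentity.NewClientAssertionCredential(tenantID, clientID, getAssertion, nil)
	if err != nil {
		return nil, fmt.Errorf("creating client assertion credential for service account %s/%s: %w", serviceAccountNamespace, serviceAccountName, err)
	}
	return cred, nil
}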