Azure Arc-enabled Kubernetes - Circular dependency problem

[florinciubotariu]

Hi.

I have an on-premise cluster I want to connect to an Azure Key Vault. I want to avoid storing credentials so I have 2 possible ways of handling this: managed identity (not possible because the cluster is on-premise) or using workload identity federation with an user-assigned managed identity with an Azure Arc-enabled Kubernetes cluster.

Long story short:

1. After I connect my k3d cluster to Azure Arc with --enable-oidc-issuer and --enable-workload-identity, I get an OIDC Issuer.
2. This OIDC Issuer must be passed as args to kube-apiserver-args.

The problem I have is that:

• In order to pass the OIDC Issuer data to kube-apiserver, I need to recreate the cluster with k3d. But if I recreate the cluster, I have to connect it to Azure Arc, and the OIDC Issue is regenerated.

https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/workload-identity#retrieve-the-oidc-issuer-url
https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/workload-identity#configure-workload-identity-settings-on-the-kubernetes-cluster

Can I somehow pass those parameters to kube-apiserver without recreating the k3d cluster?
Thanks!