
docs: add instructions to authenticate to Azure Container Registry with workload identity

Open etiennetremel opened this issue 1 year ago • 6 comments

Add instructions to authenticate to Azure Container Registry with workload identity.

Closes #586, #550 and #473

etiennetremel avatar Feb 17 '24 22:02 etiennetremel

Codecov Report

All modified and coverable lines are covered by tests.

Project coverage is 66.27%. Comparing base (7d93c7a) to head (92459cd).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #676   +/-   ##
=======================================
  Coverage   66.27%   66.27%           
=======================================
  Files          22       22           
  Lines        2150     2150           
=======================================
  Hits         1425     1425           
  Misses        591      591           
  Partials      134      134           


codecov-commenter avatar Feb 17 '24 22:02 codecov-commenter

I just tested this, but the credentials are not picked up (argocd-image-updater test <private_image> fails). How can I know the script is actually run? I can see the script present, the registries.conf is OK, the /var/run/secrets/azure/tokens/azure-identity-token is set, what am I missing?

Edit: Three observations:

  • I think it makes sense to document that the ConfigMap should be mounted in such a way that the script becomes executable (e.g. defaultMode: 493).
  • The documentation should be clear that the ACR_NAME is expected to include azurecr.io.
  • Although the script gives a good token when run manually (I can use it with docker login and docker pull), it still does not work when used in argocd-image-updater test. Please see: https://github.com/argoproj-labs/argocd-image-updater/issues/550#issuecomment-2047839433

Pionerd avatar Apr 10 '24 16:04 Pionerd

I was able to test it successfully, but in addition to the 2 things you mentioned above about the defaultMode and the ACR_NAME, I also had to add the shebang #!/bin/sh on top of the auth.sh file in the configmap. Without it the script would run manually but fail when the image updater tries to run it with the error Could not set registry endpoint credentials: error executing /app/auth/auth.sh: fork/exec /app/auth/auth.sh: exec format error.

To test it within the pod, I had to explicitly specify the path to the registries.conf file as it did not pick it up (argocd-image-updater --registries-conf-path /app/config/registries.conf test <private_image>). However, it all works fine when deployed and the workload identity is used to get the available tags from ACR.

vepetkov avatar Apr 12 '24 16:04 vepetkov
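A complete auth.sh of the kind being troubleshot in this thread, as an added example (not the PR's own script): it reads the projected token that the AKS workload identity webhook mounts, exchanges it first at Entra ID and then at the registry's /oauth2/exchange endpoint, and prints username:password the way argocd-image-updater's ext: credential scripts expect, with the shebang, the azurecr.io check and the executable-mount requirement noted above built in. AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE are assumed to be injected by that webhook; curl and sed are assumed to be present in the image.

```shell
#!/bin/sh
# auth.sh: turn the AKS workload identity token into ACR credentials, printed as
# "username:password", which argocd-image-updater expects from a registries.conf
# entry of the form `credentials: ext:/app/auth/auth.sh`. Keep the shebang on
# line 1 (without it fork/exec fails with "exec format error") and mount the
# ConfigMap with defaultMode: 493 (0755) so the file is executable.
set -eu

# Extract string field $2 from one-line JSON body $1 without depending on jq.
json_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":[ ]*\"\([^\"]*\)\".*/\1/p"
}

# ACR_NAME must be the full login server (e.g. myregistry.azurecr.io): it is
# used both as the URL host and as the "service" value in the token exchange.
validate_acr_name() {
  case "$1" in
    *.azurecr.io) return 0 ;;
    *) echo "ACR_NAME must include the azurecr.io suffix, got: $1" >&2; return 1 ;;
  esac
}

# $1 = ACR login server. AZURE_CLIENT_ID, AZURE_TENANT_ID and
# AZURE_FEDERATED_TOKEN_FILE are assumed to be injected by the workload identity webhook.
acr_credentials() {
  validate_acr_name "$1"
  assertion=$(cat "${AZURE_FEDERATED_TOKEN_FILE:-/var/run/secrets/azure/tokens/azure-identity-token}")
  # Step 1: federated credential -> Entra ID access token for the ARM audience.
  aad=$(curl -fsS "https://login.microsoftonline.com/${AZURE_TENANT_ID}/oauth2/v2.0/token" \
    --data-urlencode "client_id=${AZURE_CLIENT_ID}" \
    --data-urlencode "client_assertion=${assertion}" \
    --data-urlencode "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
    --data-urlencode "scope=https://management.azure.com/.default" \
    --data-urlencode "grant_type=client_credentials")
  access_token=$(json_field "$aad" access_token)
  # Step 2: access token -> ACR refresh token via the registry's exchange endpoint.
  exch=$(curl -fsS "https://$1/oauth2/exchange" \
    --data-urlencode "grant_type=access_token" \
    --data-urlencode "service=$1" \
    --data-urlencode "access_token=${access_token}")
  refresh_token=$(json_field "$exch" refresh_token)
  # ACR accepts the refresh token as the password with this fixed placeholder username.
  printf '%s:%s\n' "00000000-0000-0000-0000-000000000000" "$refresh_token"
}

# Run the exchange only when ACR_NAME is set (as it is in the image updater's
# pod environment); loading the file without it just defines the functions.
if [ -n "${ACR_NAME:-}" ]; then
  acr_credentials "$ACR_NAME"
fi
```

Running the script by hand inside the pod with ACR_NAME exported is a quick way to confirm the exchange works before pointing registries.conf at it.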

Thanks for testing it out, @vepetkov and @Pionerd. I was using the official Helm chart, which does include some of these settings by itself.

etiennetremel avatar Apr 25 '24 13:04 etiennetremel

This works if you only have a single ACR; it relies on the ACR name being hard-coded into a single environment variable $ACR_NAME. This is not a viable solution for the project as a whole, as it's pretty common to have more than one Container Registry at an org, usually with the same vendor.

We need true support for Workload Identities in the project or Azure Container Registry push secrets.

avo-sepp avatar Aug 19 '24 04:08 avo-sepp