Support managed identities to pull image bundle from remote private docker repository

[leonard520]

Describe the problem/challenge you have

Currently, kapp needs a image pull secret to pull image bundle from remote private docker repository. However, it is not secure to use a secret to store credentials in k8s cluster.

I think passwordless is a better solution. E.g. in Azure, I would like to use managed identities. In this way, I don't need to handle credentials store and rotation.

Describe the solution you'd like

Actually there is some other project doing similar features. E.g. kpack has integrated with ACR key chain to get docker credential on demand.

Another project is doing similar thing. azure_credentials support GetCredentials through cloud provider interface.

Anything else you would like to add:

N/A

---

Vote on this request

This is an invitation to the community to vote on issues, to help us prioritize our backlog. Use the "smiley face" up to the right of this comment to vote.

👍 "I would like to see this addressed as soon as possible" 👎 "There are other more important things to focus on right now"

We are also happy to receive and review Pull Requests if you want to help working on this issue.

[100mik]

kapp-controller today will pick up credentials from the ACR keychain if the Kubernetes cluster is attached to an ACR registry.

Are your observations saying otherwise? I believe all you need to do is documented here

[leonard520]

@100mik Let me clarify my question. From my understanding, when kapp-controller try to reconcile a packageinstall, it request a secret contains the credential to the repo to pull the image/imagebundle. User can provide the image pull secret in package install or leverage secretgen-controller. https://github.com/carvel-dev/kapp-controller/blob/2a68e24829837e8b2c326f28e75a2f46448dadcb/pkg/packageinstall/packageinstall.go#L494

I am wondering if we can elimiate this credential? I am not able to find the code that leverage ACR keychain in code path.