ACR Login: Use Azure SDK library to get the credential and token

[dbalseiro]

Changes

• Add Azure SDK for Go as a dependency
• Use Azure SDK for GO to get credentials and token to log in to [Azure Container Registry[(https://learn.microsoft.com/en-us/cli/azure/msal-based-azure-cli?view=azure-cli-latest)

/kind bug

Fixes #3288

Release Note

`func` no longer relies on Azure CLI’s deprecated `accessToken.json` file to authenticate with Azure Container Registry. Authentication now uses Azure’s supported credential mechanisms (e.g. Azure CLI, environment credentials, managed identity). No action is required for most users.

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: dbalseiro / name: Diego Balseiro (615673b, 6609dd8, 8ebe95c, 9aa595b)

[knative-prow]

Welcome @dbalseiro! It looks like this is your first PR to knative/func 🎉

[knative-prow]

Hi @dbalseiro. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[lkingland]

/ok-to-test

Thanks for the PR!

[codecov]

Codecov Report

❌ Patch coverage is 0% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 54.54%. Comparing base (94711b0) to head (8ebe95c).
⚠️ Report is 32 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/k8s/keychains.go	0.00%	12 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3398      +/-   ##
==========================================
+ Coverage   54.50%   54.54%   +0.03%     
==========================================
  Files         173      179       +6     
  Lines       19694    20260     +566     
==========================================
+ Hits        10735    11051     +316     
- Misses       7836     8037     +201     
- Partials     1123     1172      +49     

Flag	Coverage Δ
e2e	38.43% <0.00%> (+0.48%)	⬆️
e2e go	32.64% <0.00%> (-0.98%)	⬇️
e2e node	28.55% <0.00%> (-0.75%)	⬇️
e2e python	32.15% <0.00%> (-0.98%)	⬇️
e2e quarkus	28.67% <0.00%> (-0.77%)	⬇️
e2e rust	28.11% <0.00%> (-0.72%)	⬇️
e2e springboot	26.54% <0.00%> (-0.72%)	⬇️
e2e typescript	28.66% <0.00%> (-0.75%)	⬇️
integration	17.53% <0.00%> (+0.96%)	⬆️
unit macos-14	42.25% <0.00%> (-1.05%)	⬇️
unit macos-latest	42.25% <0.00%> (-1.05%)	⬇️
unit ubuntu-24.04-arm	42.56% <0.00%> (-1.06%)	⬇️
unit ubuntu-latest	43.14% <0.00%> (-1.08%)	⬇️
unit windows-latest	42.27% <0.00%> (-1.05%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[lkingland]

Looks good! I have one minor improvement worth at least exploring the feasability of (plumbing through a context object) and one concern worth double-checking (that there's no other code depending on creds.ErrCredentialsNotFound being returned).

/approve
/hold pending possible changes per the above

[lkingland]

We might want to plumb through a context object to GetACRCredentialLoader in case this thing can lock up or need canceling.

[dbalseiro]

giving it a try :)

[lkingland]

I notice that creds.ErrCredentialsNotFound is no longer returned. This sentinel value may be depended upon by other systems to fall-through (despite using error types as flow-control being an antipattern; it's life). It might be a good idea to double-check that there's no other code depending on exactly that error type to ensure we're not breaking any "error fallback" systems if one of the other generic errors is returned instead.

[dbalseiro]

Yes, we are still returning ErrCredentialsNotFound when the registry's domain is not azure.io. And if I'm not mistaken, returning ErrCredentialsNotFound in this line made sense at the time, because it was trying to fetch the token from a JSON file. But now we try to generate the token using the SDK. I think if the SDK fails, we should return a plain error. What do you think?

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dbalseiro, lkingland

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [lkingland]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[knative-prow]

New changes are detected. LGTM label has been removed.

[dbalseiro]

@lkingland Thanks for the review! Sorry it took me so long to do it, but I addressed your comments. Let me know what you think.

[dbalseiro]

Yes, we are still returning ErrCredentialsNotFound when the registry's domain is not azure.io. And if I'm not mistaken, returning ErrCredentialsNotFound in this line made sense at the time, because it was trying to fetch the token from a JSON file. But now we try to generate the token using the SDK. I think if the SDK fails, we should return a plain error. What do you think?

[dbalseiro]

giving it a try :)