ACRAccessToken Generation fails when using System Assigned Managed Identity #4889
Description
Describe the bug
When creating an ACR token using the ACRAccessToken generator on a K3s cluster running on an Azure Virtual Machine, the generator fails unless a User Assigned Managed Identity is used.
We're running a cluster on Azure VMs using K3s (I know we should be using AKS, but at the moment that isn't an option for us). The VMs that are part of the cluster are all configured with System Assigned Managed Identities. The ACRAccessToken generator doesn't support this option, even though it is supported by the Azure Identity SDK.
Information:
- ESO Version: 0.17.0
- K3s Version: v1.32.3+k3s1
- Host OS: Ubuntu 24.04.2 LTS
To Reproduce
Create an ACRAccessToken generator with an empty managedIdentity section:

```yaml
apiVersion: generators.external-secrets.io/v1alpha1
kind: ACRAccessToken
metadata:
  name: acr-generator
spec:
  tenantId: 00000000-0000-0000-0000-000000000000
  registry: my-private-acr.azurecr.io
  auth:
    managedIdentity:
```

Create a Secret referencing the generator:
```yaml
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: acr-token
spec:
  refreshInterval: 1h
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: ACRAccessToken
          name: "acr-generator"
  target:
    name: acr-token
    template:
      type: kubernetes.io/dockerconfigjson
      data:
        .dockerconfigjson: |
          {
            "auths": {
              "my-private-acr.azurecr.io": {
                "username": "00000000-0000-0000-0000-000000000000",
                "password": "{{ .password }}"
              }
            }
          }
```

Expected behavior
If no identity id is provided, the generator should fall back to using the System Assigned Managed Identity. Alternatively, there could be a property useSystemAssignedManagedIdentity: true that allows this behavior.
Screenshots
Error message from the controller:
```json
{"level":"error","ts":1749492524.1120706,"msg":"Reconciler error","controller":"externalsecret","controllerGroup":"external-secrets.io","controllerKind":"ExternalSecret","ExternalSecret":{"name":"acr-token","namespace":"aio"},"namespace":"aio","name":"acr-token","reconcileID":"5455e24b-2d0c-440d-831d-51d8dae1e194","error":"error processing spec.dataFrom[0].sourceRef.generatorRef, err: error using generator: unexpeted configuration","stacktrace":"sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).reconcileHandler\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:347\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).processNextWorkItem\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:294\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller[...]).Start.func2.2\n\t/home/runner/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.20.4/pkg/internal/controller/controller.go:255"}
```

Additional context
By default the Managed Identity Client will use a System Assigned identity. If the passed-in options are not nil, it will switch to a User Assigned identity.
In the ACR Generator code, options are always generated and passed into the NewManagedIdentityCredential function, meaning system assigned managed identities can never be used.
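As an added illustration (not the project's own code), the selection logic the issue asks for, in Go: pass nil options to NewManagedIdentityCredential when no identity id is configured, so the SDK falls back to the VM's system-assigned identity. The azidentity types are replaced by local stand-ins so it runs offline, and the ManagedIdentitySpec field names are assumptions, not the generator's real types.

```go
package main

import "fmt"

// Stand-ins for the azidentity types so the example runs offline; the real ones are
// azidentity.ManagedIdentityCredentialOptions, azidentity.ClientID and azidentity.ResourceID.
type ManagedIDKind interface{ String() string }
type ClientID string
type ResourceID string

func (c ClientID) String() string   { return "client id " + string(c) }
func (r ResourceID) String() string { return "resource id " + string(r) }

type ManagedIdentityCredentialOptions struct{ ID ManagedIDKind }

// ManagedIdentitySpec mirrors the generator's auth.managedIdentity block
// (field names are assumptions, not the project's real types).
type ManagedIdentitySpec struct {
	IdentityID string // optional user-assigned identity client id
	ResourceID string // optional user-assigned identity resource id
}

// optionsAlways reproduces the behaviour the issue describes: options are built
// unconditionally, so an empty block becomes a user-assigned identity with an empty id.
func optionsAlways(spec ManagedIdentitySpec) *ManagedIdentityCredentialOptions {
	return &ManagedIdentityCredentialOptions{ID: ClientID(spec.IdentityID)}
}

// optionsFixed returns nil options when no id is configured, which is what tells
// NewManagedIdentityCredential to use the VM's system-assigned identity.
func optionsFixed(spec ManagedIdentitySpec) *ManagedIdentityCredentialOptions {
	switch {
	case spec.IdentityID != "":
		return &ManagedIdentityCredentialOptions{ID: ClientID(spec.IdentityID)}
	case spec.ResourceID != "":
		return &ManagedIdentityCredentialOptions{ID: ResourceID(spec.ResourceID)}
	default:
		return nil // empty managedIdentity block: fall back to system-assigned
	}
}

// identityKind reports which identity the credential would be built for.
func identityKind(opts *ManagedIdentityCredentialOptions) string {
	if opts == nil || opts.ID == nil {
		return "system-assigned"
	}
	return "user-assigned (" + opts.ID.String() + ")"
}

func main() {
	empty := ManagedIdentitySpec{}
	fmt.Println("buggy:", identityKind(optionsAlways(empty))) // user-assigned (client id )
	fmt.Println("fixed:", identityKind(optionsFixed(empty)))  // system-assigned
}
```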

