Skip to content

feat: add ACR authentication #1014

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
xgugeng merged 15 commits into from
Jan 15, 2026
Merged

feat: add ACR authentication #1014

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
15 commits
Select commit Hold shift + click to select a range
c63356a
feat: add ACR authentication
xgugeng Jan 13, 2026
bd4fc3e
Enable registry scraping for image-pull-n10 scenario (#1013)
jasminetMSFT Jan 13, 2026
ca1ea37
add two pipeline job
xgugeng Jan 13, 2026
023c28b
pipeline test
xgugeng Jan 13, 2026
ccfd379
Merge branch 'main' into gugeng/acr-auth
xgugeng Jan 13, 2026
60edf47
fix typo
xgugeng Jan 13, 2026
1a614f2
fix parsing error
xgugeng Jan 13, 2026
bdf81dc
fix location rissue
xgugeng Jan 13, 2026
12e0b6d
remove location from az acr
xgugeng Jan 13, 2026
1b90e2f
fix missing role
xgugeng Jan 13, 2026
cccc265
fix missing role #2
xgugeng Jan 13, 2026
743749f
Merge branch 'main' into gugeng/acr-auth
xgugeng Jan 14, 2026
6d701e0
reorder cases
xgugeng Jan 14, 2026
bdca669
Merge branch 'main' into gugeng/acr-auth
xgugeng Jan 15, 2026
a997672
Revert new-pipeline-test
xgugeng Jan 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion modules/python/clusterloader2/cri/config/config.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ name: resource-consumer
{{$loadType := DefaultParam .CL2_LOAD_TYPE "memory"}}

{{$provider := DefaultParam .CL2_PROVIDER "aks"}}
{{$registryEndpoint := DefaultParam .CL2_REGISTRY_ENDPOINT "akscritelescope.azure.io" }}
{{$registryEndpoint := DefaultParam .CL2_REGISTRY_ENDPOINT "akscritelescope.azurecr.io" }}
{{$osType := DefaultParam .CL2_OS_TYPE "linux"}}
{{$scrapeKubelets := DefaultParam .CL2_SCRAPE_KUBELETS false}}
{{$scrapeContainerd := DefaultParam .CL2_SCRAPE_CONTAINERD false}}
Expand Down
17 changes: 16 additions & 1 deletion pipelines/perf-eval/ACR Benchmark/image-pull-n10.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ stages:
image: "ghcr.io/azure/clusterloader2:v20250513"
topology: image-pull
matrix:
image-pull-10pods:
image-pull-10pods-authenticated:
node_count: 10
max_pods: 30
repeats: 1
Expand All @@ -38,6 +38,21 @@ stages:
registry_endpoint: acrtelescope.azurecr.io
kubernetes_version: "1.34"
pod_startup_latency_threshold: 20s
anonymous_pull: False
image-pull-10pods-anonymous:
node_count: 10
max_pods: 30
repeats: 1
operation_timeout: 3m
load_type: memory
scrape_containerd: True
scrape_kubelets: True
scrape_registry: True
containerd_scrape_interval: 15s
registry_endpoint: acrtelescope.azurecr.io
kubernetes_version: "1.34"
pod_startup_latency_threshold: 20s
anonymous_pull: True
max_parallel: 1
credential_type: service_connection
ssh_key_enabled: false
Expand Down
68 changes: 68 additions & 0 deletions steps/cloud/azure/authenticate-acr.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
parameters:
- name: region
type: string
- name: role
type: string

steps:
- script: |
set -euo pipefail
set -x

anonymous_pull="${ANONYMOUS_PULL:-True}"
anonymous_pull="${anonymous_pull,,}"

acr_name=""
if [[ -n "$REGISTRY_ENDPOINT" ]]; then
az config unset defaults.location

acr_name=$(az resource list --resource-type Microsoft.ContainerRegistry/registries \
--name "${REGISTRY_ENDPOINT%%.*}" \
--query "[0].name" --output tsv)

az config set defaults.location="$REGION"
fi

[[ -n "$acr_name" ]] || exit 0

acr_info=$(az acr show --name "$acr_name" --output json)
anonymous_pull_enabled=$(echo "$acr_info" | jq -r '.anonymousPullEnabled')
role_assignment_mode=$(echo "$acr_info" | jq -r '.roleAssignmentMode')

if [[ "$anonymous_pull" == "true" ]]; then
if [[ "$anonymous_pull_enabled" == "false" ]]; then
echo "Enabling anonymous pull for ACR $acr_name"
az acr update --name $acr_name --anonymous-pull-enabled
fi
else
if [[ "$anonymous_pull_enabled" == "true" ]]; then
echo "Disabling anonymous pull for ACR $acr_name"
az acr update --name $acr_name --anonymous-pull-enabled false
fi

if [[ "$role_assignment_mode" == "AbacRepositoryPermissions" ]]; then
echo "Updating role assignment mode from rbac-abac to rbac for ACR $acr_name"
az acr update --name $acr_name --role-assignment-mode "rbac"
fi

aks_info=$(az resource list \
--resource-type Microsoft.ContainerService/managedClusters \
--location "$REGION" \
--query "[?tags.run_id=='${RUN_ID}' && tags.role=='${ROLE}']" \
--output json)

aks_name=$(echo "$aks_info" | jq -r '.[0].name')
aks_rg=$(echo "$aks_info" | jq -r '.[0].resourceGroup')

if [ -z "$aks_name" ]; then
echo "##vso[task.logissue type=error;] No AKS instance with role $ROLE and tag $RUN_ID found in region $REGION."
exit 1
fi

az aks update --name $aks_name --resource-group $aks_rg --attach-acr $acr_name
fi
env:
RUN_ID: $(RUN_ID)
REGION: ${{ parameters.region }}
ROLE: ${{ parameters.role }}
displayName: "Authenticate with ACR from AKS"
5 changes: 5 additions & 0 deletions steps/topology/image-pull/validate-resources.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,11 @@ steps:
parameters:
role: client
region: ${{ parameters.regions[0] }}
- ${{ if eq(parameters.cloud, 'azure') }}:
- template: /steps/cloud/azure/authenticate-acr.yml
parameters:
role: client
region: ${{ parameters.regions[0] }}
- template: /steps/engine/clusterloader2/large-cluster/validate.yml
parameters:
desired_nodes: 14