Reputation: 31
We have a Spring Cloud Data Flow server (SCDF) deployed in an Azure Kubernetes Service (AKS). We defined a user managed identity assigned to this AKS. This identity has the AcrPull role on an Azure Container Registry (ACR) that doesn't have an admin user.
In the SCDF documentation, only the authorization type 'basicauth' is described:
- spring.cloud.dataflow.container.registry-configurations[myazurecr].registry-host=tzolovazureregistry.azurecr.io
- spring.cloud.dataflow.container.registry-configurations[myazurecr].authorization-type=basicauth
- spring.cloud.dataflow.container.registry-configurations[myazurecr].user=[your Azure registry username]
- spring.cloud.dataflow.container.registry-configurations[myazurecr].secret=[your Azure registry access password]
But as we use a user-managed identity, we don't have a user/secret.
We tried the authentication type 'anonymous' without success.
How can we configure SCDF so that it is authorized to get the metadata of the container application?
Upvotes: -1
Views: 172
Reputation: 1093
If you are always using the private registry, you can configure a secret directly in AKS and reference it using: spring.cloud.deployer.kubernetes.imagePullSecret or spring.cloud.deployer.kubernetes.imagePullSecrets
Upvotes: 0
Reputation: 31
It works by defining a service principal and using its application ID and secret.
- spring.cloud.dataflow.container.registry-configurations[myazurecr].registry-host=myazureacr.azurecr.io
- spring.cloud.dataflow.container.registry-configurations[myazurecr].authorization-type=basicauth
- spring.cloud.dataflow.container.registry-configurations[myazurecr].user=[service principal application ID]
- spring.cloud.dataflow.container.registry-configurations[myazurecr].secret=[service principal secret]
Upvotes: 0
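An added example, not part of the answers above and not SCDF's own code: a small Python check over the registry-configurations properties that flags the anonymous setup the question reports as failing, and a service principal secret written literally into the properties instead of being injected through a Spring `${...}` placeholder. It assumes every *.azurecr.io host is private, as in the question; the environment variable names and sample values are constructed.

```python
import re
from collections import defaultdict

# Property prefix copied from the posts above.
PREFIX = "spring.cloud.dataflow.container.registry-configurations"
LINE_RE = re.compile(re.escape(PREFIX) + r"\[([^\]]+)\]\.([\w-]+)\s*=\s*(.*)$")
PLACEHOLDER_RE = re.compile(r"^\$\{[^}]+\}$")  # Spring placeholder, e.g. ${ACR_SP_SECRET}


def parse_registry_configs(text):
    """Group registry-configurations[<name>].<key>=<value> lines by <name>."""
    configs = defaultdict(dict)
    for line in text.splitlines():
        match = LINE_RE.search(line)  # search() tolerates a leading "- " bullet
        if match:
            name, key, value = match.groups()
            configs[name][key] = value.strip()
    return dict(configs)


def audit(text):
    """Return sorted (registry name, finding) pairs for a block of properties."""
    findings = []
    for name, cfg in parse_registry_configs(text).items():
        host, auth = cfg.get("registry-host", ""), cfg.get("authorization-type", "")
        if not host:
            findings.append((name, "registry-host missing"))
        # Assumption: any *.azurecr.io host is private, as in the question.
        if auth == "anonymous" and host.endswith(".azurecr.io"):
            findings.append((name, "anonymous against a private ACR"))
        if auth == "basicauth":
            for key in ("user", "secret"):
                if not cfg.get(key):
                    findings.append((name, key + " missing for basicauth"))
            if cfg.get("secret") and not PLACEHOLDER_RE.match(cfg["secret"]):
                findings.append((name, "literal secret in properties"))
    return sorted(findings)


# Constructed sample inputs (host name from the last answer, other values invented).
P = "- " + PREFIX + "[myazurecr]."
HOST = P + "registry-host=myazureacr.azurecr.io\n"
BASIC = HOST + P + "authorization-type=basicauth\n"
ANONYMOUS = HOST + P + "authorization-type=anonymous\n"
LITERAL = BASIC + P + "user=app-id\n" + P + "secret=constructed-value\n"
INJECTED = BASIC + P + "user=${ACR_SP_APP_ID}\n" + P + "secret=${ACR_SP_SECRET}\n"

if __name__ == "__main__":
    for label, text in (("anonymous", ANONYMOUS), ("literal", LITERAL), ("injected", INJECTED)):
        print(label, audit(text))
```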