Update pipeline drone-kaniko-harness (#166)

* fix: [CI-20436] adding fallback in case of del con

* fix: [CI-20436] adding fallback in case of del con testcase

* fix: [CI-20436] adding fallback in case of del con testcase

* fix: [CI-20436] adding fallback in case of del con testcase

* fix: [CI-20436] adding fallback in case of del con testcase

* fix: [CI-20436] adding fallback in case of del con testcase

* fix: [CI-20436] reverting some changes

.harness/harness.yaml

@@ -37,7 +37,7 @@ pipeline:
                       identifier: Build
                       spec:
                         connectorRef: Plugins_Docker_Hub_Connector
-                        image: golang:1.24.11
+                        image: golang:1.25.7
                         shell: Sh
                         command: |-
                           go test ./...
@@ -322,7 +322,7 @@ pipeline:
                       identifier: Build_and_Test
                       spec:
                         connectorRef: Plugins_Docker_Hub_Connector
-                        image: golang:1.24.11
+                        image: golang:1.25.7
                         shell: Sh
                         command: |-
                           go test ./...

cmd/kaniko-acr/main.go

@@ -536,21 +536,21 @@ func setupAuth(tenantId, clientId, oidcIdToken, cert,
 		return "", fmt.Errorf("registry must be specified")
 	}
 
-	// Determine auth path: OIDC or Service Principal (secret/cert)
-	if tenantId == "" || clientId == "" {
-		if noPush {
-			logrus.Warnf("NO_PUSH mode: tenantId or clientId not provided")
-			return "", nil
-		}
-		return "", fmt.Errorf("tenantId and clientId must be provided")
-	}
-
 	var aadAccessToken string
 	var acrToken string
 	var publicUrl string
 	var err error
 
 	if oidcIdToken != "" {
+		// OIDC authentication flow requires tenantId and clientId
+		if tenantId == "" || clientId == "" {
+			if noPush {
+				logrus.Warnf("NO_PUSH mode: tenantId or clientId not provided for OIDC")
+				return "", nil
+			}
+			return "", fmt.Errorf("tenantId and clientId must be provided for OIDC authentication")
+		}
+		logrus.Debug("Using OIDC authentication flow")
 		// Exchange OIDC ID token for AAD access token via client_assertion
 		aadAccessToken, err = azureutil.GetAADAccessTokenViaClientAssertion(context.Background(), tenantId, clientId, oidcIdToken, authorityHost)
 		if err != nil {
@@ -565,16 +565,21 @@ func setupAuth(tenantId, clientId, oidcIdToken, cert,
 		if err != nil {
 			return handleError(noPush, err, "failed to fetch ACR token")
 		}
-	} else if clientSecret != "" || cert != "" {
+	} else {
+		logrus.Debug("Using traditional Azure AD authentication flow")
+		// Validate that if tenantId is provided, clientId must also be provided
+		// (unless using managed identity with no explicit tenantId)
+		if tenantId != "" && clientId == "" && clientSecret == "" && cert == "" {
+			if noPush {
+				logrus.Warnf("NO_PUSH mode: tenantId provided but clientId is missing")
+				return "", nil
+			}
+			return "", fmt.Errorf("tenantId and clientId must be provided")
+		}
 		acrToken, publicUrl, err = getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry)
 		if err != nil {
 			return handleError(noPush, err, "failed to fetch ACR Token")
 		}
-	} else {
-		if noPush {
-			return "", nil
-		}
-		return "", fmt.Errorf("managed authentication is not supported")
 	}
 
 	if err := setDockerAuth(username, acrToken, registry, dockerUsername, dockerPassword, dockerRegistry); err != nil {
@@ -593,10 +598,46 @@ func handleError(noPush bool, err error, msg string) (string, error) {
 }
 
 func getACRToken(subscriptionId, tenantId, clientId, clientSecret, cert, registry string) (string, string, error) {
+	// Handle managed identity (when no clientSecret or cert provided)
+	if clientSecret == "" && cert == "" {
+		if tenantId == "" {
+			tenantId = os.Getenv("AZURE_TENANT_ID")
+			if tenantId == "" {
+				tenantId = os.Getenv("TENANT_ID")
+			}
+		}
+		opts := &azidentity.DefaultAzureCredentialOptions{}
+		if tenantId != "" {
+			opts.TenantID = tenantId
+		}
+		cred, err := azidentity.NewDefaultAzureCredential(opts)
+		if err != nil {
+			return "", "", errors.Wrap(err, "failed to get credentials")
+		}
+		policy := policy.TokenRequestOptions{
+			Scopes: []string{"https://management.azure.com/.default"},
+		}
+		azToken, err := cred.GetToken(context.Background(), policy)
+		if err != nil {
+			return "", "", errors.Wrap(err, "failed to fetch access token")
+		}
+		publicUrl, err := getPublicUrl(azToken.Token, registry, subscriptionId)
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "failed to get public url with error: %s\n", err)
+		}
+		if tenantId == "" {
+			return "", "", fmt.Errorf("tenantId cannot be empty for ACR token exchange")
+		}
+		ACRToken, err := fetchACRToken(tenantId, azToken.Token, registry)
+		if err != nil {
+			return "", "", errors.Wrap(err, "failed to fetch ACR token")
+		}
+		return ACRToken, publicUrl, nil
+	}
+
 	if tenantId == "" {
 		return "", "", fmt.Errorf("tenantId can't be empty for AAD authentication")
 	}
-
 	if clientId == "" {
 		return "", "", fmt.Errorf("clientId can't be empty for AAD authentication")
 	}

cmd/kaniko-acr/main_test.go

@@ -387,3 +387,52 @@ func TestSetupAuth_NoCreds_NoPushTrue(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, "", pub)
 }
+
+// Test cases for managed identity support
+
+func TestSetupAuth_ManagedIdentity_NoPush_Positive(t *testing.T) {
+	// Positive test: Managed identity flow with noPush=true should succeed
+	// This tests the new managed identity support when no credentials are provided
+	pub, err := setupAuth("tenant123", "", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", true)
+	assert.NoError(t, err)
+	assert.Equal(t, "", pub)
+}
+
+func TestSetupAuth_TenantIdButNoClientId_ManagedIdentity(t *testing.T) {
+	// Negative test: When tenantId is provided but clientId is missing for managed identity,
+	// it should fail (unless noPush is true)
+	pub, err := setupAuth("tenant123", "", "", "", "", "sub", "myregistry.azurecr.io", "", "", "", "", false)
+	assert.Error(t, err)
+	assert.Contains(t, err.Error(), "tenantId and clientId must be provided")
+	assert.Equal(t, "", pub)
+}
+
+func TestGetACRToken_ManagedIdentity_NoTenantId(t *testing.T) {
+	// Negative test: Managed identity requires tenantId for ACR token exchange
+	// Clear environment variables to ensure tenantId is not available
+	originalTenantId := os.Getenv("AZURE_TENANT_ID")
+	originalTenantId2 := os.Getenv("TENANT_ID")
+	defer func() {
+		if originalTenantId != "" {
+			os.Setenv("AZURE_TENANT_ID", originalTenantId)
+		} else {
+			os.Unsetenv("AZURE_TENANT_ID")
+		}
+		if originalTenantId2 != "" {
+			os.Setenv("TENANT_ID", originalTenantId2)
+		} else {
+			os.Unsetenv("TENANT_ID")
+		}
+	}()
+	os.Unsetenv("AZURE_TENANT_ID")
+	os.Unsetenv("TENANT_ID")
+
+	// Managed identity path without tenantId should fail
+	// The failure occurs when DefaultAzureCredential tries to acquire a token
+	// since tenantId is required for ACR token exchange but not available
+	_, _, err := getACRToken("sub", "", "", "", "", "myregistry.azurecr.io")
+	assert.Error(t, err)
+	// The error will be from DefaultAzureCredential failing to acquire a token
+	// because tenantId is missing and no credentials are available
+	assert.Contains(t, err.Error(), "failed to fetch access token")
+}

go.mod

@@ -35,7 +35,7 @@ require (
 	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/docker/cli v27.5.0+incompatible // indirect
+	github.com/docker/cli v29.3.0+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.3.0 // indirect
@@ -58,4 +58,4 @@ require (
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
 
-go 1.24.11
+go 1.25.7

go.sum

@@ -49,8 +49,8 @@ github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6N
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/docker/cli v27.5.0+incompatible h1:aMphQkcGtpHixwwhAXJT1rrK/detk2JIvDaFkLctbGM=
-github.com/docker/cli v27.5.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
+github.com/docker/cli v29.3.0+incompatible h1:z3iWveU7h19Pqx7alZES8j+IeFQZ1lhTwb2F+V9SVvk=
+github.com/docker/cli v29.3.0+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8=
 github.com/docker/distribution v2.8.3+incompatible h1:AtKxIZ36LoNK51+Z6RpzLpddBirtxJnzDrHLEKxTAYk=
 github.com/docker/distribution v2.8.3+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w=
 github.com/docker/docker-credential-helpers v0.8.2 h1:bX3YxiGzFP5sOXWc3bTPEXdEaZSeVMrFgOr3T+zrFAo=