There should be an E2E to test if a node has sufficient permissions to pull an image from ACR

[comtalyst]

Tell us about your request

There should be at least a suite of E2E (or equivalent) to check if the feature of ACR integration is valid.

Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?

#197 is a gap in our E2E test coverage. In other words—the feature of ACR integration in general (https://learn.microsoft.com/en-us/azure/aks/cluster-container-registry-integration?tabs=azure-cli#attach-an-acr-to-an-existing-aks-cluster).
The root cause of the issue appears to be incorrect propagation of identities to the provisioning nodes. We could also expand the scope to other areas that depends on this too if there is an opportunity.

The assumption that the identities are propagated properly is also something that could be broken (e.g., refactoring identities propagation), thus check-in test suites would help catching such breaking changes.

Are you currently working around this issue?

No

Additional Context

See #197 and its associated PR.

Attachments

No response

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

[Bryce-Soghigian]

Seems easy enough to upload the pause image we use to the acr created with the cluster and use that image rather than an mcr pause image.

There is more testing we could do around image pull with features like artifact streaming that would require we upload images and enable streaming on them anyway that could make sense to do it there as well.