ARO-24037 feat(azure): add ACR pull identity to worker cloud.conf and VMSS #8472

Draft
twolff-gh wants to merge 6 commits into openshift:main from twolff-gh:ARO-24037-acr-pull-umi-cloud-conf

twolff-gh commented May 9, 2026

What this PR does / why we need it:

Adds an optional acrImagePullManagedIdentityID field to AzurePlatformSpec that configures worker nodes to pull images from Azure Container Registry using a user-assigned managed identity. When set, CPO writes userAssignedIdentityID into the worker cloud.conf and the NodePool controller attaches the MI to the VMSS via CAPZ. This gives kubelet's ACR credential provider the identity it needs to authenticate without image pull secrets.

This is the AKS-equivalent --attach-acr pattern for ARO-HCP. The cloud-provider-azure auth library auto-detects ARM resource IDs vs client IDs in the userAssignedIdentityID field, so a single field serves both CAPZ attachment and cloud.conf configuration.

Which issue(s) this PR fixes:

Fixes ARO-24037

Special notes for your reviewer:

cloud-provider-azure accepts both ARM resource ID and client ID formats in `userAssignedIdentityID` — see auth_func.go#L80. We use the ARM resource ID since CAPZ also needs it for VMSS identity attachment.

Only the worker cloud.conf (ConfigMap) is modified — the CP cloud.conf (Secret) is unchanged.

Checklist:

  • Subject and description added to both, commit and PR.
  • Relevant issues have been referenced.
  • This change includes docs.
  • This change includes unit tests.

Summary by CodeRabbit

  • New Features

    • Added support for Azure managed identities for container image pulls from Azure Container Registry (ACR). Users can now specify a managed identity to be attached to worker VM scale sets, enabling more secure and seamless ACR access.
  • Tests

    • Added comprehensive test coverage for Azure ACR managed identity configuration.

twolff-gh and others added 6 commits May 9, 2026 08:20
Add optional field for specifying a user-assigned managed identity ARM
resource ID on AzurePlatformSpec. When set, the identity is attached to
worker VMSS and written into the worker cloud provider config for ACR
image pull authentication.

Includes CEL validation for ARM resource ID format with case-insensitive
matching, featuregated CRD manifests, and deepcopy generation.

Signed-off-by: Todd Wolff <twolff@redhat.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Todd Wolff <twolff@redhat.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Wire AcrImagePullManagedIdentityID from HostedCluster into the CAPZ
AzureMachineTemplate. When set, the identity is added to the VMSS
UserAssignedIdentities list so worker nodes can authenticate to ACR
via IMDS.

Signed-off-by: Todd Wolff <twolff@redhat.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…cloud.conf

Write the ACR managed identity resource ID into the worker cloud.conf
via adaptConfig. The cloud-provider-azure auth library auto-detects the
ARM resource ID format and resolves it for IMDS token acquisition.

Only the worker ConfigMap is modified — the control plane Secret is
unchanged, verified by test.

Signed-off-by: Todd Wolff <twolff@redhat.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Add envtest cases for AcrImagePullManagedIdentityID CEL validation:
- Valid ARM resource ID format (mixed case) passes
- Lowercase ARM resource ID passes (lowerAscii matching)
- Invalid format rejected with descriptive error
- Wrong provider namespace rejected

Signed-off-by: Todd Wolff <twolff@redhat.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Todd Wolff <twolff@redhat.com>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@openshift-merge-bot

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 9, 2026

openshift-ci Bot commented May 9, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added do-not-merge/needs-area needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels May 9, 2026

openshift-ci Bot commented May 9, 2026

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@openshift-ci openshift-ci Bot added the area/api Indicates the PR includes changes for the API label May 9, 2026

openshift-ci Bot commented May 9, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: twolff-gh
Once this PR has been reviewed and has the lgtm label, please assign sjenning for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


coderabbitai Bot commented May 9, 2026

Walkthrough

These changes add support for specifying an Azure user-assigned managed identity for pulling images from Azure Container Registry (ACR) on worker VMs. A new optional field AcrImagePullManagedIdentityID is introduced to the Azure platform specification with ARM resource ID format validation. The control plane operator reads this field and includes it in the generated cloud controller manager configuration. The node pool controller uses this field to configure user-assigned managed identities on worker VM scale sets through the Azure machine template. Corresponding test coverage is added across all modified components.

🚥 Pre-merge checks | ✅ 11 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 22.22% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (11 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and specifically summarizes the main change: adding an ACR pull identity field to Azure worker cloud.conf and VMSS configuration. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Stable And Deterministic Test Names | ✅ Passed | All test names are stable and deterministic. New tests use static descriptive names with no dynamic content like IDs, timestamps, or generated values. |
| Test Structure And Quality | ✅ Passed | All test quality requirements met: single responsibility, setup/cleanup patterns, no improper timeouts, meaningful assertions, consistent codebase patterns. |
| Microshift Test Compatibility | ✅ Passed | No Ginkgo e2e tests are added in this PR. All new tests are standard Go unit tests (func TestXxx(t *testing.T)), not Ginkgo-style tests (Describe/It/Context/When). The custom check does not apply. |
| Single Node Openshift (Sno) Test Compatibility | ✅ Passed | No Ginkgo e2e tests are added. The PR adds unit tests only (standard Go testing package). These tests don't make SNO-incompatible assumptions. |
| Topology-Aware Scheduling Compatibility | ✅ Passed | No topology-aware scheduling constraints introduced. Changes add optional managed identity config field wired through to Azure machine templates and cloud provider config only. |
| Ote Binary Stdout Contract | ✅ Passed | No OTE stdout contract violations found. Modified files contain only library code and tests with no process-level entry points or stdout writes. All code follows standard patterns. |
| Ipv6 And Disconnected Network Test Compatibility | ✅ Passed | The PR adds standard Go unit tests (func Test*), not Ginkgo e2e tests. The custom check applies only to Ginkgo e2e tests with It(), Describe(), Context(), When() syntax. This check is not applicable. |


@openshift-ci openshift-ci Bot added area/cli Indicates the PR includes changes for CLI area/control-plane-operator Indicates the PR includes changes for the control plane operator - in an OCP release area/documentation Indicates the PR includes changes for documentation area/hypershift-operator Indicates the PR includes changes for the hypershift operator and API - outside an OCP release area/platform/azure PR/issue for Azure (AzurePlatform) platform and removed do-not-merge/needs-area labels May 9, 2026

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


📥 Commits

Reviewing files that changed from the base of the PR and between bded456 and 5491fa7.

⛔ Files ignored due to path filters (40)
  • api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !**/zz_generated*.go, !**/zz_generated*
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/AutoNodeKarpenter.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedclusters.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AAA_ungated.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/AutoNodeKarpenter.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterUpdateAcceptRisks.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ClusterVersionOperatorConfiguration.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDC.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUIDAndExtraClaimMappings.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ExternalOIDCWithUpstreamParity.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/GCPPlatform.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HCPEtcdBackup.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/HyperShiftOnlyDynamicResourceAllocation.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/ImageStreamImportMode.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/KMSEncryptionProvider.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • api/hypershift/v1beta1/zz_generated.featuregated-crd-manifests/hostedcontrolplanes.hypershift.openshift.io/OpenStack.yaml is excluded by !**/zz_generated.featuregated-crd-manifests/**
  • client/applyconfiguration/hypershift/v1beta1/azureplatformspec.go is excluded by !client/**
  • cmd/install/assets/crds/hypershift-operator/tests/hostedclusters.hypershift.openshift.io/stable.hostedclusters.azure.testsuite.yaml is excluded by !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedclusters-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-CustomNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-Default.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • cmd/install/assets/crds/hypershift-operator/zz_generated.crd-manifests/hostedcontrolplanes-Hypershift-TechPreviewNoUpgrade.crd.yaml is excluded by !**/zz_generated.crd-manifests/**, !cmd/install/assets/**/*.yaml
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/testdata/zz_fixture_TestConfigWithAcrMI.yaml is excluded by !**/testdata/**
  • docs/content/reference/aggregated-docs.md is excluded by !docs/content/reference/aggregated-docs.md
  • docs/content/reference/api.md is excluded by !docs/content/reference/api.md
  • vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go is excluded by !vendor/**, !**/vendor/**
  • vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/zz_generated.deepcopy.go is excluded by !vendor/**, !**/vendor/**, !**/zz_generated*.go, !**/zz_generated*
📒 Files selected for processing (5)
  • api/hypershift/v1beta1/azure.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config.go
  • control-plane-operator/controllers/hostedcontrolplane/v2/cloud_controller_manager/azure/config_test.go
  • hypershift-operator/controllers/nodepool/azure.go
  • hypershift-operator/controllers/nodepool/azure_test.go

Comment on lines +248 to +256
if hostedCluster != nil && hostedCluster.Spec.Platform.Azure != nil && hostedCluster.Spec.Platform.Azure.AcrImagePullManagedIdentityID != nil {
azureMachineTemplate.Template.Spec.Identity = capiazure.VMIdentityUserAssigned
azureMachineTemplate.Template.Spec.UserAssignedIdentities = append(
azureMachineTemplate.Template.Spec.UserAssignedIdentities,
capiazure.UserAssignedIdentity{
ProviderID: capzutil.ProviderIDPrefix + *hostedCluster.Spec.Platform.Azure.AcrImagePullManagedIdentityID,
},
)
}
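Review bot: the guard on the first line only checks that AcrImagePullManagedIdentityID is non-nil, so a pointer to an empty string would produce a ProviderID made of the prefix alone; add an empty-string check here instead of relying only on API-level validation. The assignment to `azureMachineTemplate.Template.Spec.Identity` also overwrites whatever identity type was set earlier on the template, and the `append` does not skip an ID that is already present in UserAssignedIdentities; confirm neither case can occur on this path, or guard for both.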

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

For sigs.k8s.io/cluster-api-provider-azure v1.21.0, what exact format is required for AzureMachineSpec.UserAssignedIdentities[].ProviderID: raw ARM resource ID (/subscriptions/...) or provider ID with azure:/// prefix?

💡 Result:

For sigs.k8s.io/cluster-api-provider-azure v1.21.0, AzureMachineSpec.UserAssignedIdentities[].ProviderID must be the raw Azure ARM resource ID string in the form “/subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/...”, i.e., it should NOT include the “azure:///” scheme prefix.[1][2] Why: CAPZ’s identity parsing for user-assigned identities rejects values that start with “azure:///” as invalid resource IDs (it requires the ID to start with “/”), and CAPZ’s own documentation for identity ProviderID examples uses the raw ARM resource ID format.[1][2]

Citations:


Remove the capzutil.ProviderIDPrefix — CAPZ v1.21 expects raw ARM resource IDs.

Line 253 must use the ARM ID directly without the azure:/// prefix. CAPZ's identity parsing explicitly rejects provider IDs starting with the scheme prefix and requires the raw format /subscriptions/.../resourceGroups/.../providers/Microsoft.ManagedIdentity/userAssignedIdentities/....

Update to:

ProviderID: *hostedCluster.Spec.Platform.Azure.AcrImagePullManagedIdentityID,
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hypershift-operator/controllers/nodepool/azure.go` around lines 248 - 256,
The code is prepending capzutil.ProviderIDPrefix to the user-assigned identity
but CAPZ v1.21 requires a raw ARM resource ID; update the block that populates
azureMachineTemplate.Template.Spec.UserAssignedIdentities so the ProviderID is
set directly from
hostedCluster.Spec.Platform.Azure.AcrImagePullManagedIdentityID (remove
capzutil.ProviderIDPrefix) while keeping the same append logic and
VMIdentityUserAssigned assignment on
azureMachineTemplate.Template.Spec.Identity.
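
The format question raised in the review comment above, as an added example (not code from the PR, CAPZ or cloud-provider-azure): a hypothetical `ParseACRPullIdentityID` helper that accepts only a raw user-assigned identity ARM resource ID, matches the fixed path segments with ASCII-only case folding, and rejects `azure://`-prefixed values, bare client IDs and other provider namespaces. The helper name, error values and sample IDs are constructed for illustration; the PR's actual CEL rule is not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// IdentityRef is the parsed form of a user-assigned managed identity ARM resource ID.
type IdentityRef struct{ SubscriptionID, ResourceGroup, Name string }

// Sentinel errors (hypothetical names) so callers can tell the rejection reasons apart.
var (
	ErrSchemePrefix  = errors.New("azure:// provider-ID prefix present; raw ARM resource ID required")
	ErrClientID      = errors.New("bare client ID (GUID); ARM resource ID required for VMSS attachment")
	ErrWrongProvider = errors.New("provider namespace is not Microsoft.ManagedIdentity")
	ErrMalformed     = errors.New("not a userAssignedIdentities ARM resource ID")

	guidRE = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)
)

// asciiLower lower-cases A-Z only. Unicode-aware case folding would also accept
// look-alike characters such as U+017F (long s) in the fixed path segments.
func asciiLower(s string) string {
	b := []byte(s)
	for i, c := range b {
		if c >= 'A' && c <= 'Z' {
			b[i] = c + ('a' - 'A')
		}
	}
	return string(b)
}

// ParseACRPullIdentityID validates a value intended for both the VMSS identity
// list and the worker cloud.conf, and returns its components with case preserved.
func ParseACRPullIdentityID(id string) (IdentityRef, error) {
	switch {
	case strings.HasPrefix(asciiLower(id), "azure://"):
		return IdentityRef{}, ErrSchemePrefix
	case guidRE.MatchString(id):
		return IdentityRef{}, ErrClientID
	case !strings.HasPrefix(id, "/"):
		return IdentityRef{}, ErrMalformed
	}
	seg := strings.Split(id[1:], "/")
	if len(seg) != 8 {
		return IdentityRef{}, ErrMalformed
	}
	// Fixed keywords sit at even positions; position 5 is the provider namespace.
	fixed := map[int]string{0: "subscriptions", 2: "resourcegroups", 4: "providers", 6: "userassignedidentities"}
	for i, want := range fixed {
		if asciiLower(seg[i]) != want {
			return IdentityRef{}, ErrMalformed
		}
	}
	if asciiLower(seg[5]) != "microsoft.managedidentity" {
		return IdentityRef{}, ErrWrongProvider
	}
	if !guidRE.MatchString(seg[1]) || seg[3] == "" || seg[7] == "" {
		return IdentityRef{}, ErrMalformed
	}
	return IdentityRef{SubscriptionID: seg[1], ResourceGroup: seg[3], Name: seg[7]}, nil
}

func main() {
	// Constructed sample values; none of them come from the PR.
	const arm = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo" +
		"/providers/Microsoft.ManagedIdentity/userAssignedIdentities/acr-pull"
	samples := []string{
		arm,                // mixed case, accepted
		asciiLower(arm),    // all lower case, accepted
		"azure://" + arm,   // scheme-prefixed provider ID, rejected
		"11111111-1111-1111-1111-111111111111", // client ID form, rejected
		strings.Replace(arm, "Microsoft.ManagedIdentity", "Microsoft.Compute", 1),
		strings.Replace(arm, "/subscriptions", "/\u017fubscriptions", 1), // long-s look-alike
	}
	for _, s := range samples {
		ref, err := ParseACRPullIdentityID(s)
		fmt.Printf("ok=%-5v %q -> %+v err=%v\n", err == nil, s, ref, err)
	}
}
```
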

@twolff-gh

/retest


hypershift-jira-solve-ci Bot commented May 9, 2026

Test Failure Analysis Complete

Job Information

  • Prow Job: tide (merge automation)
  • Build ID: N/A (tide is not a test job — it is the Prow merge-automation controller)
  • PR: #8472 ARO-24037 feat(azure): add ACR pull identity to worker cloud.conf and VMSS
  • Branch: ARO-24037-acr-pull-umi-cloud-conf → main
  • Status: error — Not mergeable. PR has a merge conflict.

Test Failure Analysis

Error

tide: Not mergeable. PR has a merge conflict.
GitHub merge state: CONFLICTING (mergeable=false, rebaseable=false)

Summary

This is not a test failure — no Prow CI test jobs ran at all. The tide merge controller reports the PR is unmergeable due to git merge conflicts. The PR branch is based on commit 6a333169a218 (merged April 9, PR #8195), which is 334 commits behind current main (bded4561, May 8). Multiple commits on main since April 9 have modified the same auto-generated files that this PR touches — specifically zz_generated.deepcopy.go (changed by 2 commits), zz_generated.featuregated-crd-manifests/*.yaml (changed by 6+ commits), and vendored copies. Because the PR has conflicts, all other Prow presubmit jobs (e2e-aks, e2e-aws, e2e-azure-self-managed, etc.) are blocked with status "Waiting for pipeline condition to trigger this job" and will never run until the conflicts are resolved.

Root Cause

The PR branch was forked from main at commit 6a333169a218 (April 9, 2026 — PR #8195 "fix-catalog-version-5.0"). Since then, 334 commits have landed on main that modify the same auto-generated files this PR touches. The specific conflicting files are:

  1. api/hypershift/v1beta1/zz_generated.deepcopy.go — The PR's base has blob SHA 558be0746f8, but main now has d429305a. This file was modified by:

    • d64c2229 (Apr 30) — "chore(generated): regenerate CRDs, clients, vendor, and docs"
    • 8147c32c (Apr 30) — "feat(metrics): include Karpenter node vCPUs in hypershift_cluster_vcpus billing metric"
  2. zz_generated.featuregated-crd-manifests/*.yaml (26 files) — These CRD YAML manifests were regenerated by at least 6 commits since April 9, including:

    • eb064c33 (Apr 10) — "OCPBUGS-82166: fix etcd snapshot restore"
    • 4402b114 (Apr 10) — "CNTRLPLANE-3173: persist lastSuccessfulEtcdBackupURL"
    • 15b9f136 (Apr 29) — "CNTRLPLANE-3308: deps: bump k8s.io 0.34 → 0.35"
    • d64c2229 (Apr 30) — "chore(generated): regenerate CRDs, clients, vendor, and docs"
    • 8147c32c (Apr 30) — "feat(metrics): include Karpenter node vCPUs"
    • c783b4c6 (May 4) — "chore: clarify pull secret in-place update behavior"
  3. Vendored copies (vendor/github.com/openshift/hypershift/api/hypershift/v1beta1/azure.go and zz_generated.deepcopy.go) — These mirror the API types and are regenerated alongside the main files.

The PR adds a new AcrImagePullManagedIdentityID field to AzurePlatformSpec in azure.go and then regenerates all dependent files. Because the regeneration was performed against a month-old base, the generated output conflicts with the current generated output on main. The deepcopy.go conflict is particularly acute — the PR inserts the new field's deepcopy logic adjacent to AzureAuthenticationConfig.DeepCopyInto, but main has shifted the surrounding context.

Recommendations
  1. Rebase the branch onto current main — This is the required fix. Run:

    git fetch origin main
    git rebase origin/main

    Then resolve any conflicts in azure.go (the source-of-truth file), and regenerate all dependent files:

    make generate      # regenerate deepcopy, CRDs, featuregated manifests
    make vendor        # update vendored copies
  2. Force-push the rebased branch — After regeneration, force-push to update the PR:

    git push --force-with-lease origin ARO-24037-acr-pull-umi-cloud-conf
  3. Verify locally before pushing — Run make verify to ensure all generated files are consistent. This avoids a second round-trip if the regeneration missed something.

  4. Consider rebasing more frequently — The branch was 334 commits (1 month) behind main. For PRs touching API types and auto-generated CRD manifests, frequent rebases (at least weekly) prevent large conflict surfaces.

Evidence
| Evidence | Detail |
| --- | --- |
| GitHub merge state | mergeable: CONFLICTING, mergeStateStatus: DIRTY, rebaseable: false |
| Tide error | Not mergeable. PR has a merge conflict. |
| PR base commit | 6a333169a218 — Merge PR #8195 (April 9, 2026) |
| Current main HEAD | bded4561 — Merge PR #8453 (May 8, 2026) |
| Commits behind main | 334 commits |
| PR files changed | 45 files (9 source, 34 auto-generated, 2 vendored) |
| Conflicting file: deepcopy.go | PR base SHA 558be074 ≠ main SHA d429305a (changed by commits d64c2229, 8147c32c) |
| Conflicting files: CRD manifests | 26 featuregated-crd YAML files modified by 6+ commits since April 9 |
| Blocked presubmit jobs | e2e-aks, e2e-aws, e2e-azure-self-managed, e2e-v2-aws, and 4 others — all "Waiting for pipeline condition" |
