Support Azure Managed Identities for download blob

[zhoufenqin]

Similar to #1503 feature request.

When using Azure storage account file share to store source code, we should use blob url with sas token, Currently, kpack doesn't support fetch blob with keychains, it should be supported.

See the reference about Azure Files identity-based authentication options for SMB access

[chenbh]

Talked to @zhoufenqin on another forum, the main thing asked here is the ability to use workload identity (i.e. service account identity) to access Iaas specific blob stores. What we came up with is an additional field to the source configuration

source:
  blob:
    url: "blah.blob.azure.com/1234"
    auth: "" | "helper" | "secret"

• "" means no auth performed
• secret will do the stuff in Download Blob with Basic Auth Secret #1503
• helper will delegate to IaaS specific SDKs to get an oauth2 token, which it will use as a bearer token for the GET request.
  For now I'll implement a GCP and Azure helper (purely because those are the only 2 environments I have access to test on). But the cred interface should be simple enough for anyone to implement and contribute.

[zhoufenqin]

support managed identity first, workload identity priority is lower than managed identity in our case now

[chenbh]

Would azidentity.DefaultAzureCredentials work instead of azidentity.ManagedIdentityCredential? It looks it's the recommended approach by the SDK and will fall back to Managed Identity if none of the other options work.

[zhoufenqin]

yes, it works

[zhoufenqin]

@chenbh Do you know which kpack version will release this feature, I didn't see the version tag in PR

[chenbh]

@zhoufenqin this feature was released in v0.14.0, but you probably want v0.14.1 which has the fix in #1637