feat: add ServiceAccountImagePullProfile for identity-binding-based image pull

[qweeah]

What type of PR is this?
/kind feature

What this PR does / why we need it:

This PR adds support for service-account-based image pull authentication (aka Identity Binding) from Azure Container Registry (ACR), implementing KEP-4412 projected service account tokens for kubelet image credential providers.

Changes

Data Model

Added ServiceAccountImagePullProfile to SecurityProfile with fields:

• Enabled: Enable/disable service account-based image pull
• DefaultClientID: Default managed identity client ID
• DefaultTenantID: Default managed identity tenant ID
• LocalAuthoritySNI: SNI endpoint for Identity Bindings Local Authority

Added getter methods to SecurityProfile for null-safe access.

Implementation Paths

1. Legacy CSE (Template-based)

• pkg/agent/variables.go: Template variables for CSE scripts (using the naming convention serviceAccountImagePull...)
• parts/linux/cloud-init/artifacts/cse_cmd.sh: Environment variable declarations (e.g., SERVICE_ACCOUNT_IMAGE_PULL_ENABLED, SERVICE_ACCOUNT_IMAGE_PULL_DEFAULT_CLIENT_ID)
• parts/linux/cloud-init/artifacts/cse_config.sh: Credential provider config generation

2. AKSNodeConfig (Proto-based)

• aks-node-controller/proto/aksnodeconfig/v1/security_profile.proto: Proto definitions (ServiceAccountImagePullProfile)
• aks-node-controller/parser/parser.go: Environment variable generation
• aks-node-controller/parser/helper.go: Null-safe helper functions

Both paths converge at cse_config.sh to generate /var/lib/kubelet/credential-provider-config.yaml with identity binding arguments (--ib-default-client-id, --ib-default-tenant-id, --ib-sni-name) and token attributes.

Testing

• Unit Tests: Updated tests across variables_test.go, datamodel/types_test.go, and parser/helper_test.go to reflect the new naming convention.
• E2E Tests: Verified scenarios (enabled, disabled, network isolated).

All tests validate that the credential provider config file contains the correct identity binding configuration.

Cluster Support

• Public cloud (Azure Commercial)
• AKS Custom Cloud
• Network Isolated (NI/airgap) clusters

Which issue(s) this PR fixes:

Fixes #

Requirements:

• uses conventional commit messages
• includes documentation
• adds unit tests
• adds e2e tests
• tested upgrade from previous version
• commits are GPG signed and Github marks them as verified

Special notes for your reviewer:

Dual implementation approach (legacy CSE + modern AKSNodeConfig) for backward compatibility. Both paths are fully tested and generate identical credential provider configuration. The renaming from ImagePullIdentity to ServiceAccountImagePull ensures consistency with the upstream feature name.

Release note:

AgentBaker now supports service-account-based image pull authentication from Azure Container Registry (ACR) via ServiceAccountImagePullProfile in SecurityProfile, using projected service account tokens (KEP-4412) for authentication.

[norshtein]

This PR's logic LGTM. But I don't quiet understand what is step 2 "RP integration and configuration flow". Agentbaker won't rely on anything from AKS RP, I think you could make all changes in the same PR and add E2E for it? Here is an example PR: #7059 .

[github-actions]

The latest Buf updates on your PR. Results from workflow Buf CI / buf (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	✅ passed	✅ passed	✅ passed	Jan 16, 2026, 2:59 AM

[Copilot]

Pull request overview

This pull request adds support for service-account-based image pull authentication (Identity Binding) from Azure Container Registry. The feature implements KEP-4412 projected service account tokens for kubelet image credential providers.

Changes:

• Added ServiceAccountImagePullProfile data structure with fields for enabled status, default client/tenant IDs, and Local Authority SNI
• Extended both legacy CSE (template-based) and modern AKSNodeConfig (proto-based) paths to support the new configuration
• Modified credential provider configuration generation to include identity binding token attributes and CLI arguments when enabled

Reviewed changes

Copilot reviewed 44 out of 131 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
pkg/agent/datamodel/types.go	Added ServiceAccountImagePullProfile struct to Properties
pkg/agent/variables.go	Added getter functions for service account image pull configuration with null-safe access
pkg/agent/variables_test.go	Added unit tests for new variables in Windows CSE and custom data
parts/linux/cloud-init/artifacts/cse_config.sh	Refactored credential provider config generation to support identity binding parameters
spec/parts/linux/cloud-init/artifacts/cse_config_spec.sh	Added comprehensive ShellSpec tests for all credential provider scenarios
pkg/agent/testdata/*/CustomData	Updated snapshot test data with new environment variables
pkg/agent/testdata/*/CSECommand	Updated snapshot test data with new environment variables

[Devinwong]

Pending the e2e tests. Probably rebase/merge with main branch will resolve it

[qweeah]

Pending the e2e tests. Probably rebase/merge with main branch will resolve it

Already rebased to the latest main. Added E2Es are passing.

[Devinwong]

Now that all required check-in tests passed (with retries), feel free to merge.

[cameronmeissner]

seems like this is pretty much ready to go in so I won't block on this, but I did unresolve this: https://github.com/Azure/AgentBaker/pull/7596/files#r2695871875

[qweeah]

seems like this is pretty much ready to go in so I won't block on this, but I did unresolve this: https://github.com/Azure/AgentBaker/pull/7596/files#r2695871875

Thank you, @cameronmeissner, for the suggestion. I didn't understand your point back then.

Eliminated the redundant helper wrapper and accessed protobuf directly within the parser code.