Description
The ACR credential helper seems to block execution when using non-ACR images in some clusters. I've observed this behavior in GKE, but not in local kind clusters.
The blocking call occurs on this line in the ACR credential helper.
This results in pods failing admission due to the webhook timeout elapsing:
error: failed to create deployment: Internal error occurred: failed calling webhook "policy.sigstore.dev": failed to call webhook: Post "https://webhook.cosign-system.svc:443/mutations?timeout=25s": context deadline exceeded
The commit that introduced this bug is f099546, which is between Policy Controller v0.9.0 and v0.10.0 (neither version is yet referenced by the Helm chart, hence why this bug has seen little visibility). It seems the upstream azidentity package made a change that causes the call to DefaultAzureCredential.GetToken to block. I believe this has something to do with timeout modifications that were made in that version of the azidentity library.
I have a fix I will publish shortly that will only attempt to use this helper if the registry is a subdomain of azurecr.io.
Version
v0.10.0
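The gate described in the issue (use the helper only when the registry is a subdomain of azurecr.io), sketched as an added example that is not the Policy Controller's own code. The names isACRRegistry, acrToken and the fetch parameter are hypothetical, and the deadline around the credential call goes beyond the described fix as an extra bound so a blocking call cannot consume the webhook timeout.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

var errNotACR = errors.New("not an ACR registry, helper skipped")

// isACRRegistry matches host or host:port on a label boundary under azurecr.io.
func isACRRegistry(registry string) bool {
	host := registry
	if h, _, err := net.SplitHostPort(registry); err == nil {
		host = h // strip an explicit port such as :443
	}
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	const suffix = ".azurecr.io"
	return len(host) > len(suffix) && strings.HasSuffix(host, suffix)
}

// acrToken runs fetch (stand-in for the credential call) only for ACR hosts, bounded by limit.
func acrToken(ctx context.Context, registry string, limit time.Duration,
	fetch func(context.Context) (string, error)) (string, error) {
	if !isACRRegistry(registry) {
		return "", errNotACR // non-ACR images never reach the Azure credential chain
	}
	ctx, cancel := context.WithTimeout(ctx, limit)
	defer cancel()
	var tok string
	var err error
	done := make(chan struct{})
	go func() { tok, err = fetch(ctx); close(done) }() // close never blocks, so no stuck goroutine
	select {
	case <-done:
		return tok, err
	case <-ctx.Done():
		return "", ctx.Err() // fetch ignored the deadline or is still waiting
	}
}

func main() {
	for _, r := range []string{"gcr.io", "example.azurecr.io", "notazurecr.io"} { // constructed hosts
		fmt.Println(r, isACRRegistry(r))
	}
}
```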