Expected behavior
I'd like to use Azure AD Workload Identity to authenticate my kaniko in-cluster build pod to my Azure container registry, rather than use hard-coded service provider credentials in the skaffold.yaml which will be checked into VCS.
In order for workload identity to work, the kaniko pod needs the below label present per the reference here:
azure.workload.identity/use: "true"
It is odd that MS have opted to use a Label rather than an Annotation for this behaviour.
While we can set annotations via build.cluster:annotations, it would be nice if we could achieve the above with a build.cluster.labels or build.artifacts:kaniko.labels.
Actual behavior
As the environment variables are not injected because the label is absent, the build fails to authenticate with the ACR:
DEBU[0000] Getting source context from dir:///kaniko/buildcontext
DEBU[0000] Build context located at /kaniko/buildcontext
DEBU[0000] Copying file /kaniko/buildcontext/Dockerfile to /kaniko/Dockerfile
error checking push permissions -- make sure you entered the correct tag name, and that you are authenticated correctly, and try again: checking push permission for "acrname.azurecr.io/testimg:latest": POST https://acrname.azurecr.io/v2/testimg/blobs/uploads/: UNAUTHORIZED: authentication required, visit https://aka.ms/acr/authorization for more information.; [map[Action:pull Name:testimg Type:repository] map[Action:push Name:testimg Type:repository]]
build [acrname.azurecr.io/testimg] failed: pod has failed
If I manually insert credentials via build.artifacts.kaniko.env, it authenticates as expected. However, I don't want these credentials sitting in plain text checked into VCS for obvious reasons.
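An added example, written for this page and not code from the issue author or the skaffold project: a small Python audit of a rendered kaniko build Pod spec that flags the two problems the issue describes. It checks for the `azure.workload.identity/use: "true"` label the Azure Workload Identity webhook keys on (and calls out the common mistake of putting it in annotations instead, which skaffold's `build.cluster.annotations` would do), checks that a `serviceAccountName` is set (the webhook also needs a federated ServiceAccount), and reports any registry credential pasted into a container's `env` as a plain-text `value`. The Pod dicts and the list of credential-like env var names are constructed for the example and are assumptions, not values from the page.

```python
"""Audit a kaniko build Pod spec for Azure AD Workload Identity readiness.

Example code, not part of skaffold. It encodes what the issue text says:
the Workload Identity webhook only injects the AZURE_* environment into
pods carrying the label azure.workload.identity/use: "true", and static
registry credentials do not belong in the pod spec at all.
"""

WORKLOAD_IDENTITY_LABEL = "azure.workload.identity/use"

# Env var names that indicate a static credential was written into the spec.
# This list is an assumption for the example; extend it for your registry.
CREDENTIAL_ENV_NAMES = {"AZURE_CLIENT_SECRET", "AZURE_PASSWORD", "DOCKER_PASSWORD"}


def audit_build_pod(pod: dict) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    metadata = pod.get("metadata", {}) or {}
    labels = metadata.get("labels", {}) or {}
    annotations = metadata.get("annotations", {}) or {}
    spec = pod.get("spec", {}) or {}

    # 1. The webhook selects pods by label, so an annotation is not enough.
    if labels.get(WORKLOAD_IDENTITY_LABEL) != "true":
        msg = (f'missing pod label {WORKLOAD_IDENTITY_LABEL}: "true"; '
               "the webhook will not inject AZURE_* env vars")
        if annotations.get(WORKLOAD_IDENTITY_LABEL) == "true":
            msg += " (it is set as an annotation, which the webhook ignores)"
        findings.append(msg)

    # 2. Token exchange is tied to a federated ServiceAccount.
    if not spec.get("serviceAccountName"):
        findings.append("no serviceAccountName set; a federated ServiceAccount is required")

    # 3. A static credential in env is what workload identity should replace.
    for container in spec.get("containers", []) or []:
        for env in container.get("env", []) or []:
            if env.get("name") in CREDENTIAL_ENV_NAMES and "value" in env:
                findings.append(
                    f'container {container.get("name", "?")} sets '
                    f'{env["name"]} as a plain-text value')
    return findings


# Constructed sample: what a correctly labelled kaniko pod should look like.
GOOD_POD = {
    "metadata": {
        "name": "kaniko-build",
        "labels": {WORKLOAD_IDENTITY_LABEL: "true"},
    },
    "spec": {
        "serviceAccountName": "kaniko-builder",  # assumed federated SA name
        "containers": [{"name": "kaniko", "image": "gcr.io/kaniko-project/executor"}],
    },
}

# Constructed sample: label placed in annotations, no SA, secret pasted in env.
MISCONFIGURED_POD = {
    "metadata": {
        "name": "kaniko-build",
        "annotations": {WORKLOAD_IDENTITY_LABEL: "true"},
    },
    "spec": {
        "containers": [{
            "name": "kaniko",
            "image": "gcr.io/kaniko-project/executor",
            "env": [{"name": "AZURE_CLIENT_SECRET", "value": "placeholder-secret"}],
        }],
    },
}


if __name__ == "__main__":
    for name, pod in (("good", GOOD_POD), ("misconfigured", MISCONFIGURED_POD)):
        print(f"{name}:")
        for finding in audit_build_pod(pod) or ["no findings"]:
            print(f"  - {finding}")
```

Run it against the Pod that skaffold actually renders (for example from `kubectl get pod -o json` while a build is in flight) rather than against skaffold.yaml itself, since the point of the issue is that the label cannot currently be expressed in skaffold.yaml at all.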