forked from argoproj/argo-cd
feat: Add support for Azure workload identity for Git and OCI repositories. (argoproj#21118)

Signed-off-by: Jagpreet Singh Tamber <[email protected]>
Co-authored-by: Alexandre Gaudreault <[email protected]>
1 parent c93924b, commit 89c4817. Showing 43 changed files with 2,273 additions and 919 deletions.
@@ -161,6 +161,75 @@ Using the UI: | |
|
||
3. Click `Connect` to test the connection and have the repository added | ||
|
||
|
||
### Azure Container Registry/Azure Repos using Azure Workload Identity | ||
|
||
Before using this feature, you must perform the following steps to enable workload identity configuration in Argo CD: | ||
|
||
- **Label the Pods:** Add the `azure.workload.identity/use: "true"` label to the repo-server pods. | ||
- **Create Federated Identity Credential:** Generate an Azure federated identity credential for the repo-server service account. Refer to the [Federated Identity Credential](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html) documentation for detailed instructions. | ||
- **Add Annotation to Service Account:** Add `azure.workload.identity/client-id: "$CLIENT_ID"` annotation to the repo-server service account, using the `CLIENT_ID` from the workload identity. | ||
- Setup the permissions for Azure Container Registry/Azure Repos for the workload identity. | ||
|
||
Using CLI for Helm OCI with Azure workload identity: | ||
|
||
``` | ||
argocd repo add contoso.azurecr.io/charts --type helm --enable-oci --use-azure-workload-identity | ||
``` | ||
|
||
Using CLI for Azure Repos with Azure workload identity: | ||
|
||
``` | ||
argocd repo add https://[email protected]/my-projectcollection/my-project/_git/my-repo --use-azure-workload-identity | ||
``` | ||
|
||
Using the UI: | ||
|
||
- Navigate to `Settings/Repositories` | ||
|
||
![connect repo overview](../assets/repo-add-overview.png) | ||
- Click on `+ Connect Repo` | ||
- On the connection page: | ||
- Choose Connection Method as `VIA HTTPS` | ||
- Select the type as `git` or `helm` | ||
- Enter the Repository URL | ||
- Enter name, if the repo type is helm | ||
- Select `Enable OCI`, if repo type is helm | ||
- Select `Use Azure Workload Identity` | ||
|
||
![connect repo](../assets/repo-add-azure-workload-identity.png) | ||
- Click `Connect` | ||
|
||
Using secret definition: | ||
|
||
```yaml | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: helm-private-repo | ||
namespace: argocd | ||
labels: | ||
argocd.argoproj.io/secret-type: repository | ||
stringData: | ||
type: helm | ||
url: contoso.azurecr.io/charts | ||
name: contosocharts | ||
enableOCI: "true" | ||
useAzureWorkloadIdentity: "true" | ||
--- | ||
apiVersion: v1 | ||
kind: Secret | ||
metadata: | ||
name: git-private-repo | ||
namespace: argocd | ||
labels: | ||
argocd.argoproj.io/secret-type: repository | ||
stringData: | ||
type: git | ||
url: https://[email protected]/my-projectcollection/my-project/_git/my-repo | ||
useAzureWorkloadIdentity: "true" | ||
``` | ||
## Credential templates | ||
You can also set up credentials to serve as templates for connecting repositories, without having to repeat credential configuration. For example, if you setup credential templates for the URL prefix `https://github.com/argoproj`, these credentials will be used for all repositories with this URL as prefix (e.g. `https://github.com/argoproj/argocd-example-apps`) that do not have their own credentials configured. | ||
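Review bot: the last prerequisite bullet, `- Setup the permissions for Azure Container Registry/Azure Repos for the workload identity.`, is the step a reader most needs and the only one left unspecific; the three bullets before it name the exact label, credential and annotation, so this one should say what to grant: only the pull/read permission the repo-server needs on the registry or repository, not contributor-level access, since the identity is exchanged for a token by every repo-server pod carrying the `azure.workload.identity/use: "true"` label. It would also help to state that the federated identity credential's subject must be bound to the repo-server service account in the Argo CD namespace (the bullet says "for the repo-server service account" but not why that scoping matters), and to say explicitly that with `useAzureWorkloadIdentity: "true"` no password or token is stored in the repository Secret, which the YAML example currently shows only by omission. Minor style: "Setup" should be "Set up", and the bullet should carry the same bold lead-in as its siblings.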