
feat: Add support for Azure workload identity for Git and OCI repositories. (argoproj#21118)



---------

Signed-off-by: Jagpreet Singh Tamber <[email protected]>
Co-authored-by: Alexandre Gaudreault <[email protected]>
jagpreetstamber and agaudreault authored Jan 17, 2025
1 parent c93924b commit 89c4817
Showing 43 changed files with 2,273 additions and 919 deletions.
5 changes: 4 additions & 1 deletion .mockery.yaml
Expand Up @@ -66,11 +66,14 @@ packages:
github.com/argoproj/argo-cd/v3/util/notification/argocd:
interfaces:
Service:
github.com/argoproj/argo-cd/v3/util/workloadidentity:
interfaces:
TokenProvider:
# These mocks are not currently used, but they are part of the public API of this package.
github.com/argoproj/argo-cd/v3/pkg/apiclient/session:
interfaces:
SessionServiceServer:
SessionServiceClient:
github.com/argoproj/argo-cd/v3/pkg/apiclient/cluster:
interfaces:
ClusterServiceServer:
ClusterServiceServer:
20 changes: 20 additions & 0 deletions assets/swagger.json


1 change: 1 addition & 0 deletions cmd/argocd/commands/admin/repo.go
Expand Up @@ -126,6 +126,7 @@ func NewGenRepoSpecCommand() *cobra.Command {
repoOpts.Repo.Insecure = repoOpts.InsecureSkipServerVerification
repoOpts.Repo.EnableLFS = repoOpts.EnableLfs
repoOpts.Repo.EnableOCI = repoOpts.EnableOci
repoOpts.Repo.UseAzureWorkloadIdentity = repoOpts.UseAzureWorkloadIdentity

if repoOpts.Repo.Type == "helm" && repoOpts.Repo.Name == "" {
errors.CheckError(stderrors.New("must specify --name for repos of type 'helm'"))
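Review bot: The new assignment `repoOpts.Repo.UseAzureWorkloadIdentity = repoOpts.UseAzureWorkloadIdentity` forwards the flag without rejecting it alongside explicit credentials, so a generated spec can carry both a GCP service account key (or username/password) and workload identity with nothing telling the user which one the repo-server will honour. A guard next to the existing helm `--name` check would make that explicit, e.g. `if repoOpts.Repo.UseAzureWorkloadIdentity && repoOpts.Repo.GCPServiceAccountKey != "" { errors.CheckError(stderrors.New("--use-azure-workload-identity cannot be combined with --gcp-service-account-key-path")) }`. The first hunk of cmd/argocd/commands/repo.go has the same gap; unless such validation lives in a part of the commit not shown here, it is missing on both paths. NewGenRepoSpecCommand starts before this hunk and continues after it.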
2 changes: 2 additions & 0 deletions cmd/argocd/commands/repo.go
Expand Up @@ -182,6 +182,7 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
repoOpts.Repo.Proxy = repoOpts.Proxy
repoOpts.Repo.NoProxy = repoOpts.NoProxy
repoOpts.Repo.ForceHttpBasicAuth = repoOpts.ForceHttpBasicAuth
repoOpts.Repo.UseAzureWorkloadIdentity = repoOpts.UseAzureWorkloadIdentity

if repoOpts.Repo.Type == "helm" && repoOpts.Repo.Name == "" {
errors.CheckError(stderrors.New("Must specify --name for repos of type 'helm'"))
Expand Down Expand Up @@ -222,6 +223,7 @@ func NewRepoAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Command {
Project: repoOpts.Repo.Project,
GcpServiceAccountKey: repoOpts.Repo.GCPServiceAccountKey,
ForceHttpBasicAuth: repoOpts.Repo.ForceHttpBasicAuth,
UseAzureWorkloadIdentity: repoOpts.Repo.UseAzureWorkloadIdentity,
}
_, err := repoIf.ValidateAccess(ctx, &repoAccessReq)
errors.CheckError(err)
1 change: 1 addition & 0 deletions cmd/argocd/commands/repocreds.go
Expand Up @@ -189,6 +189,7 @@ func NewRepoCredsAddCommand(clientOpts *argocdclient.ClientOptions) *cobra.Comma
command.Flags().StringVar(&repo.Type, "type", common.DefaultRepoType, "type of the repository, \"git\" or \"helm\"")
command.Flags().StringVar(&gcpServiceAccountKeyPath, "gcp-service-account-key-path", "", "service account key for the Google Cloud Platform")
command.Flags().BoolVar(&repo.ForceHttpBasicAuth, "force-http-basic-auth", false, "whether to force basic auth when connecting via HTTP")
command.Flags().BoolVar(&repo.UseAzureWorkloadIdentity, "use-azure-workload-identity", false, "whether to use azure workload identity for authentication")
command.Flags().StringVar(&repo.Proxy, "proxy-url", "", "If provided, this URL will be used to connect via proxy")
return command
}
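Review bot: The help text `whether to use azure workload identity for authentication` on the new BoolVar line is repeated byte-for-byte in cmd/util/repo.go, and both spell the product in lowercase while the neighbouring GCP flag capitalises its platform name. Sharing the flag name and description through one constant would keep the two commands from drifting, and wording such as `"whether to authenticate with the repo-server's Azure Workload Identity instead of stored credentials"` tells the user which identity is involved, since the documentation added in this commit configures the repo-server service account. Confirm that the token is indeed resolved by the repo-server before adopting that wording. NewRepoCredsAddCommand begins before this hunk.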
2 changes: 2 additions & 0 deletions cmd/util/repo.go
Expand Up @@ -25,6 +25,7 @@ type RepoOptions struct {
NoProxy string
GCPServiceAccountKeyPath string
ForceHttpBasicAuth bool
UseAzureWorkloadIdentity bool
}

func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
Expand All @@ -48,4 +49,5 @@ func AddRepoFlags(command *cobra.Command, opts *RepoOptions) {
command.Flags().StringVar(&opts.NoProxy, "no-proxy", "", "don't access these targets via proxy")
command.Flags().StringVar(&opts.GCPServiceAccountKeyPath, "gcp-service-account-key-path", "", "service account key for the Google Cloud Platform")
command.Flags().BoolVar(&opts.ForceHttpBasicAuth, "force-http-basic-auth", false, "whether to force use of basic auth when connecting repository via HTTP")
command.Flags().BoolVar(&opts.UseAzureWorkloadIdentity, "use-azure-workload-identity", false, "whether to use azure workload identity for authentication")
}
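Review bot: The new `UseAzureWorkloadIdentity bool` field in RepoOptions is undocumented, and because the struct otherwise relies on field names alone, its relationship to the other credential fields is left to the reader. A short comment would do: `// UseAzureWorkloadIdentity authenticates with the repo-server's Azure Workload Identity (flag --use-azure-workload-identity) instead of the credentials held in this struct.` — the "instead of" part presumes the two are exclusive, which the hunk does not show, so confirm it against the repo-server side. The help string on the new BoolVar line repeats the one in cmd/argocd/commands/repocreds.go; if both stay, hoisting a shared constant avoids the two drifting apart. RepoOptions and AddRepoFlags are both visible in full here.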
Binary file added docs/assets/repo-add-azure-workload-identity.png
17 changes: 16 additions & 1 deletion docs/operator-manual/argocd-repositories.yaml
Expand Up @@ -68,4 +68,19 @@ metadata:
labels:
argocd.argoproj.io/secret-type: repository
stringData:
url: https://github.com/argoproj/private-repo
url: https://github.com/argoproj/private-repo
---
apiVersion: v1
kind: Secret
metadata:
name: aci-private-repo
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
type: helm
url: contoso.azurecr.io/charts
name: contosocharts
enableOCI: "true"
useAzureWorkloadIdentity: "true"

4 changes: 4 additions & 0 deletions docs/operator-manual/declarative-setup.md
Expand Up @@ -288,6 +288,10 @@ stringData:
!!! tip
The Kubernetes documentation has [instructions for creating a secret containing a private key](https://kubernetes.io/docs/concepts/configuration/secret/#use-case-pod-with-ssh-keys).

Example for Azure Container Registry/ Azure Devops repositories using Azure workload identity:

Refer to [Azure Container Registry/Azure Repos using Azure Workload Identity](../user-guide/private-repositories.md#azure-container-registryazure-repos-using-azure-workload-identity)

### Repository Credentials

If you want to use the same credentials for multiple repositories, you can configure credential templates. Credential templates can carry the same credentials information as repositories.


1 change: 1 addition & 0 deletions docs/user-guide/commands/argocd_repo_add.md


1 change: 1 addition & 0 deletions docs/user-guide/commands/argocd_repocreds_add.md


69 changes: 69 additions & 0 deletions docs/user-guide/private-repositories.md
Expand Up @@ -161,6 +161,75 @@ Using the UI:

3. Click `Connect` to test the connection and have the repository added


### Azure Container Registry/Azure Repos using Azure Workload Identity

Before using this feature, you must perform the following steps to enable workload identity configuration in Argo CD:

- **Label the Pods:** Add the `azure.workload.identity/use: "true"` label to the repo-server pods.
- **Create Federated Identity Credential:** Generate an Azure federated identity credential for the repo-server service account. Refer to the [Federated Identity Credential](https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html) documentation for detailed instructions.
- **Add Annotation to Service Account:** Add `azure.workload.identity/client-id: "$CLIENT_ID"` annotation to the repo-server service account, using the `CLIENT_ID` from the workload identity.
- Setup the permissions for Azure Container Registry/Azure Repos for the workload identity.

Using CLI for Helm OCI with Azure workload identity:

```
argocd repo add contoso.azurecr.io/charts --type helm --enable-oci --use-azure-workload-identity
```

Using CLI for Azure Repos with Azure workload identity:

```
argocd repo add https://[email protected]/my-projectcollection/my-project/_git/my-repo --use-azure-workload-identity
```

Using the UI:

- Navigate to `Settings/Repositories`

![connect repo overview](../assets/repo-add-overview.png)
- Click on `+ Connect Repo`
- On the connection page:
- Choose Connection Method as `VIA HTTPS`
- Select the type as `git` or `helm`
- Enter the Repository URL
- Enter name, if the repo type is helm
- Select `Enable OCI`, if repo type is helm
- Select `Use Azure Workload Identity`

![connect repo](../assets/repo-add-azure-workload-identity.png)
- Click `Connect`

Using secret definition:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: helm-private-repo
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
type: helm
url: contoso.azurecr.io/charts
name: contosocharts
enableOCI: "true"
useAzureWorkloadIdentity: "true"
---
apiVersion: v1
kind: Secret
metadata:
name: git-private-repo
namespace: argocd
labels:
argocd.argoproj.io/secret-type: repository
stringData:
type: git
url: https://[email protected]/my-projectcollection/my-project/_git/my-repo
useAzureWorkloadIdentity: "true"
```
## Credential templates
You can also set up credentials to serve as templates for connecting repositories, without having to repeat credential configuration. For example, if you setup credential templates for the URL prefix `https://github.com/argoproj`, these credentials will be used for all repositories with this URL as prefix (e.g. `https://github.com/argoproj/argocd-example-apps`) that do not have their own credentials configured.
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -5,6 +5,8 @@ go 1.22.0
require (
code.gitea.io/sdk/gitea v0.20.0
dario.cat/mergo v1.0.1
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0
github.com/Azure/kubelogin v0.1.6
github.com/Masterminds/semver/v3 v3.3.1
github.com/Masterminds/sprig/v3 v3.3.0
Expand Down Expand Up @@ -114,8 +116,6 @@ require (

require (
github.com/42wim/httpsig v1.2.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.14.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2 // indirect
github.com/aws/aws-sdk-go-v2 v1.24.1 // indirect
