feat: Workload Identity Authentication against Azure DevOps GIT

[mikebordon]

Summary

Resolves #5812.

The goal of this change is to extend Azure Workload Identity support for Azure DevOps (git) repositories. This eliminates the dependency on long-lived PATs and managed secrets.

Testing

In addition to unit tests, these changes were validated against a real environment with the following (existing) configuration:

• Entra tenant
• Azure DevOps organization
• K8s cluster with Azure Workload Identity configured
• Kargo installation with Azure DevOps PAT stored as kargo.akuity.io/cred-type: git secret

The following changes were made to validate:

• Update the installation to use the development image
• (Promote freight to verify existing behavior, more specifically the ability to git-clone and git-push)
• Register a new service principal in Entra with federated credentials for the Kargo controller service account
• Register the service principal in Azure DevOps with permissions to contribute to repositories
• Add azure.workload.identity/use: "true" label to Kargo controller pod
• Add azure.workload.identity/client-id annotation to Kargo controller service account
• Delete existing PAT secret
• (Restart deployments)
• Promote freight to verify previous functional behavior (sans PAT)

[netlify]

✅ Deploy Preview for docs-kargo-io ready!

Name	Link
🔨 Latest commit	ea44398
🔍 Latest deploy log	https://app.netlify.com/projects/docs-kargo-io/deploys/69ea90744662cf000812ee4e
😎 Deploy Preview	https://deploy-preview-6154.docs.kargo.io
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.