
feat: Workload Identity Authentication against Azure DevOps GIT #6154

Draft
mikebordon wants to merge 4 commits into akuity:main from mikebordon:mikebordon/ado-workload-identity

Conversation


@mikebordon mikebordon commented Apr 23, 2026

Summary

Resolves #5812.

The goal of this change is to extend Azure Workload Identity support for Azure DevOps (git) repositories. This eliminates the dependency on long-lived PATs and managed secrets.

Testing

In addition to unit tests, these changes were validated against a real environment with the following (existing) configuration:

  • Entra tenant
  • Azure DevOps organization
  • K8s cluster with Azure Workload Identity configured
  • Kargo installation with Azure DevOps PAT stored as kargo.akuity.io/cred-type: git secret

The following changes were made to validate:

  • Update the installation to use the development image
  • (Promote freight to verify existing behavior, more specifically the ability to git-clone and git-push)
  • Register a new service principal in Entra with federated credentials for the Kargo controller service account
  • Register the service principal in Azure DevOps with permissions to contribute to repositories
  • Add azure.workload.identity/use: "true" label to Kargo controller pod
  • Add azure.workload.identity/client-id annotation to Kargo controller service account
  • Delete existing PAT secret
  • (Restart deployments)
  • Promote freight to verify previous functional behavior (sans PAT)
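The token exchange the validation steps above depend on, as an added illustration that is not code from this PR or from Kargo: the projected service-account JWT that the workload-identity webhook exposes via AZURE_FEDERATED_TOKEN_FILE is presented to Entra as a client assertion, and the resulting access token is what git over HTTPS sends to Azure DevOps in place of a PAT. The scope constant is the Azure DevOps resource application ID; tenant ID, client ID and the authority URL are parameters (placeholders in the test), and the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// Entra application ID of the Azure DevOps resource; "/.default" requests the
// permissions already granted to the service principal registered in ADO.
const adoScope = "499b84ac-1321-427f-aa17-267ca6975798/.default"

// tokenForm builds the client_credentials body for the federated credential flow:
// the projected service-account JWT (AZURE_FEDERATED_TOKEN_FILE) replaces a client secret.
func tokenForm(clientID, assertion string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"scope":                 {adoScope},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

// exchange posts the assertion to <authority>/<tenant>/oauth2/v2.0/token and returns the
// access token; authority is https://login.microsoftonline.com in production, a stub in tests.
func exchange(hc *http.Client, authority, tenantID, clientID, assertion string) (string, error) {
	endpoint := fmt.Sprintf("%s/%s/oauth2/v2.0/token", strings.TrimRight(authority, "/"), tenantID)
	resp, err := hc.PostForm(endpoint, tokenForm(clientID, assertion))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var out struct {
		AccessToken string `json:"access_token"`
		ErrorDesc   string `json:"error_description"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	if resp.StatusCode != http.StatusOK || out.AccessToken == "" {
		return "", fmt.Errorf("token endpoint returned %d: %s", resp.StatusCode, out.ErrorDesc)
	}
	return out.AccessToken, nil
}

// gitAuthHeader: value for git -c http.extraheader="AUTHORIZATION: ..." against dev.azure.com.
func gitAuthHeader(token string) string { return "Bearer " + token }
```

The token is short-lived and bound to the pod's service account, which is what removes the long-lived PAT from the cluster; rotation is handled by re-running the exchange rather than by re-issuing a secret.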


netlify Bot commented Apr 23, 2026

Deploy Preview for docs-kargo-io ready!

Latest commit: ea44398
Latest deploy log: https://app.netlify.com/projects/docs-kargo-io/deploys/69ea90744662cf000812ee4e
Deploy Preview: https://deploy-preview-6154.docs.kargo.io

@mikebordon mikebordon changed the title feat: Add ADO support to workload identity provider feat: Workload Identity Authentication against Azure DevOps GIT Apr 23, 2026
@mikebordon mikebordon force-pushed the mikebordon/ado-workload-identity branch from adddc58 to 73ebb64 Compare April 23, 2026 17:27
@mikebordon mikebordon marked this pull request as ready for review April 23, 2026 22:09
@mikebordon mikebordon requested review from a team as code owners April 23, 2026 22:09
@krancour krancour added labels Apr 24, 2026: kind/enhancement (An entirely new feature), needs discussion (A maintainer explicitly requests no action be taken without further discussion), kind/proposal (Indicates maintainers have not yet committed to a feature request), area/controller (Affects the (main) controller), needs/priority (Priority has not yet been determined; a good signal that maintainers aren't fully committed)
@krancour krancour marked this pull request as draft April 24, 2026 14:01
@krancour (Member)

I've converted this to a draft since #5812 was still labeled as a proposal requiring further discussion and had no relative degree of priority established. Please be prepared for it to be a while before the team can do its due diligence on this PR.

At a glance, the code looks very solid, so to clarify what "diligence" I believe is called for here, I'm (justifiably, I think) dubious of using just one token for all of ADO. That's really quite different from what's done for ACR. It may turn out to be correct, but it's something I'd like to independently validate before moving forward.

@mikebordon (Author)

Thanks, @krancour. Makes sense.

Full transparency, I'll be leaving my company at the end of the next week, so I won't be able to "properly" own this going forward.

Two options: I can try to hand this off to someone else on my team to pick back up when it's ready, or we can merge the existing change from my fork into some other branch in this repo, that way you or anyone else can pick it up in the future (should you so choose).

Any preference?


Development

Successfully merging this pull request may close these issues.

Workload Identity Authentication against Azure DevOps GIT