Support Workload Identity in git source controller for Azure DevOps Repos

[miqm]

Is there option to use workload identity token as password for git source controller? If not, that would be very helpful. Recently Azure DevOps Repos introduced ability to use Service Principal and Azure Managed Identities to access source code in Azure Repos. However Flux seems not to have ability to work with this, or this is not documented.

Here's doc how to access Repos with Token: https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/service-principal-managed-identity?view=azure-devops#q-can-i-use-a-service-principal-to-do-git-operations-like-clone-a-repo

[souleb]

this is work in progress here fluxcd/pkg#664

[hatfarm]

For those who came here and saw the above message, unfortunately, there has been no more work on this since February, and it looks like it's kind of dead. I may try to put together a PR for this, as it's the biggest blocker for using flux for my team.

[dineshkumar181094]

I have a working solution, you can create a cron job that generates the token, create secret bearerToken out of generated token.
Use this secret as secret in gitRepo object it will work.

[stefanprodan]

Prerequisite:

• [RFC] Passwordless authentication for Git repositories flux2#4806
• Implement new packages auth, azure and git for passwordless authentication scenarios pkg#789
• Add new integration tests for Azure OIDC for git repositories pkg#793

[chrisdot]

I have a working solution, you can create a cron job that generates the token, create secret bearerToken out of generated token. Use this secret as secret in gitRepo object it will work.

Could you give us a bit more details about that? How did you do? Using the az cli in a cronjob?