Unable to add (Azure Repos) repo which authenticates via Azure Workload Identity #23348
Description
Checklist:
- I've searched in the docs and FAQ for my answer: https://bit.ly/argocd-faq.
- I've included steps to reproduce the bug.
- I've pasted the output of
argocd version.
Describe the bug
Per the documentation, it should be possible to add a repo which uses Azure Workload Identity for authentication. However, this does not work as documented.
It appears the UseAzureWorkloadIdentity flag is not propagated from the server to the repo-server when validating access:
argo-cd/server/repository/repository.go
Lines 689 to 708 in 7496ede
To Reproduce
- Configure the environment, per documentation
a. Label pods
b. Create federate identity credential
c. Add annotation to service account
d. Setup permissions in Azure Repos - Add the repo via the argocd CLI with the explicit
--use-azure-workload-identityoption:
argocd repo add https://[email protected]/my-projectcollection/my-project/_git/my-repo --use-azure-workload-identity
Output:
{"level":"fatal","msg":"rpc error: code = Unknown desc = error testing repository connectivity: unable to ls-remote HEAD on repository: failed to list refs: unexpected client error: unexpected requesting \"https://dev.azure.com/REDACTED/REDACTED/_git/REDACTED/info/refs?service=git-upload-pack\" status code: 302","time":"2025-06-10T18:14:45-05:00"}
Expected behavior
Repository 'https://dev.azure.com/REDACTED/REDACTED/_git/REDACTED' added
Version
argocd: v3.0.6+db93798
BuildDate: 2025-06-09T22:57:47Z
GitCommit: db93798d6643a565c056c6fda453e696719dbe12
GitTreeState: clean
GoVersion: go1.24.4
Compiler: gc
Platform: darwin/arm64
argocd-server: v3.0.6+db93798
BuildDate: 2025-06-09T21:33:23Z
GitCommit: db93798d6643a565c056c6fda453e696719dbe12
GitTreeState: clean
GoVersion: go1.24.4
Compiler: gc
Platform: linux/arm64
Kustomize Version: v5.6.0 2025-01-14T15:12:17Z
Helm Version: v3.17.1+g980d8ac
Kubectl Version: v0.32.2
Jsonnet Version: v0.20.0