
Support workload identity for Azure Devops Git repos

Open · Poltergeisen opened this issue 10 months ago · 1 comment

My goal is to have no manually created secrets. Workload identity for git repos is my last step.

I'd like to see Azure Devops repositories set so that I can use a managed identity to pull and update source code.

If this is already supported then I think the documentation should give examples of how to use it when connecting to Azure Devops.

Poltergeisen, Oct 25 '23 14:10

Have a look here.

Using Workload Identity to obtain an access token to Azure Devops, you can interact with the repo via git+https.

Create a Pod that has the federated credential, install az cli, and use the az login command from the last comment in this open issue here.

Use this instruction from Microsoft's guidance in the first link above: az account get-access-token --resource 499b84ac-1321-427f-aa17-267ca6975798 --query accessToken -o tsv

Then clone the repo via git -c http.extraheader="AUTHORIZATION: bearer <your access token>"

So it looks like 2 small changes are required:

  • source-controller or some other sidecar Pod needs to get & refresh an 'access token' for Azure Devops.
  • this access token is used for git operations, I assume using gogit options BearerToken here.

alangilmor, May 02 '24 19:05
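The token-then-git flow described in the comment above, written out as an added example (this is not flux2 code and not the commenter's script). It shows the two pieces the comment lists, getting and refreshing the Azure DevOps access token and passing it to git, with the handling a sidecar would need: the token's exp claim is read so it is re-fetched before it expires, and the Authorization header is handed to git through GIT_CONFIG_* environment variables instead of -c, so the bearer token never appears in the process argument list, in the remote URL, or in .git/config. Assumptions: az is installed and logged in through the Pod's federated workload identity, git 2.31 or newer (for GIT_CONFIG_COUNT), and coreutils base64/sed/cut/date; the resource ID is the one quoted in the thread, and the repo URL and directory in the usage note are placeholders.

```shell
#!/bin/sh
# Added example (not flux2 or the commenter's code): obtain a short-lived Azure
# DevOps access token via workload identity and use it for git over HTTPS
# without persisting it. Assumes az CLI with a federated credential, git >= 2.31.

# Azure DevOps resource ID quoted in the thread (Microsoft's documented value).
ADO_RESOURCE_ID="499b84ac-1321-427f-aa17-267ca6975798"

# jwt_exp TOKEN: print the 'exp' claim (seconds since epoch) of a JWT access
# token, or nothing if it cannot be decoded. No signature check is done here;
# this is only used to schedule refreshes, Azure DevOps validates the token.
jwt_exp() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in        # restore base64 padding JWTs strip
    2) payload="${payload}==" ;;
    3) payload="${payload}=" ;;
  esac
  printf '%s' "$payload" | base64 -d 2>/dev/null \
    | sed -n 's/.*"exp":[ ]*\([0-9][0-9]*\).*/\1/p'
}

# token_needs_refresh TOKEN NOW [SKEW]: succeed if TOKEN is undecodable or
# expires within SKEW seconds (default 300) of NOW, i.e. replace it before use.
token_needs_refresh() {
  exp=$(jwt_exp "$1")
  [ -n "$exp" ] || return 0
  [ $(( exp - $2 )) -le "${3:-300}" ]
}

# fetch_token: get a fresh token through the Pod's workload identity
# (the az command quoted in the comment above).
fetch_token() {
  az account get-access-token --resource "$ADO_RESOURCE_ID" \
    --query accessToken -o tsv
}

# ensure_token: keep ADO_TOKEN usable, re-fetching only when close to expiry.
ensure_token() {
  if [ -z "${ADO_TOKEN:-}" ] || token_needs_refresh "$ADO_TOKEN" "$(date +%s)"; then
    ADO_TOKEN=$(fetch_token) || return 1
  fi
}

# git_with_token ARGS...: run git with a per-process Authorization header passed
# through GIT_CONFIG_* variables rather than `-c`, so the token is not visible
# in the argument list of the git process and is never written to any config.
git_with_token() {
  GIT_CONFIG_COUNT=1 \
  GIT_CONFIG_KEY_0=http.extraheader \
  GIT_CONFIG_VALUE_0="AUTHORIZATION: bearer $ADO_TOKEN" \
  git "$@"
}

# sync_repo URL DIR: clone on the first run, fast-forward pull afterwards,
# refreshing the token first if it is about to expire.
sync_repo() {
  ensure_token || return 1
  if [ -d "$2/.git" ]; then
    git_with_token -C "$2" pull --ff-only
  else
    git_with_token clone "$1" "$2"
  fi
}
```

Invoke it from the sidecar loop as `sync_repo https://dev.azure.com/ORG/PROJECT/_git/REPO /work/repo` (placeholder URL and path). The refresh skew of 300 seconds is an assumption; pick it larger than the longest git operation you expect so a token does not lapse mid-fetch, and treat a token that fails to decode as already expired, which is what token_needs_refresh does.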