I want to use user assigned or managed identity for AKS and ArgoCD to create an application.
I assigned AcrPull on my ACR for AKS identity, and then tried to create a ArgoCD repo with
argocd repo add myACR.azurecr.io --type helm --name helm --enable-oci
"helm" is the root of my repos there. It worked correctly and I can see a green "successful" tick in a connection status in ArgoCD UI.
But when I try to create an app for one of the actual images, it fails with
helm pull oci://myACR.azurecr.io/helm/mychart --version 0.0.1 --destination /tmp/helm706383544
failed exit status 1: Error: failed to authorize: failed to fetch anonymous token: unexpected status: 401 Unauthorized
(on a side note, if I enable admin user and create argocd repo with --username XXX --password XXX options, everything works as expected)
What am I missing? Is it possible to achieve this? Or do I need to enable admin user on ACR (or use tokens?)
CodePudding user response:
When you say AKS identity and mean the user managed identity, then it's wrong in this case.
For accessing the ACR you need to assign the kubelet identity of your AKS the AcrPull
Role as the kubelet is responsible for pulling images:
export KUBE_ID=$(az aks show -g <resource group> -n <aks cluster name> --query identityProfile.kubeletidentity.objectId -o tsv)
export ACR_ID=$(az acr show -g <resource group> -n <acr name> --query id -o tsv)
az role assignment create --assignee $KUBE_ID --role "AcrPull" --scope $ACR_ID
But this is only the part where Kubernetes is pulling the images. I don't think that ArgoCD out-of-the-box leverages the Azure Identities to connect to your repo.
So maybe you need to specify username and password in order that ArgoCD can connect to the helm repo:
argocd repo add myACR.azurecr.io --type helm --name helm --enable-oci --username <username> --password <password>
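As an added example (not from the thread above), the following script answers the "or use tokens?" part of the question: instead of enabling the ACR admin user, it creates a repository-scoped ACR token that can only read the chart repository and registers that token with Argo CD. The registry name myACR, the repository helm and the token name argocd-helm-ro are assumptions; the script previews the commands by default and only executes them with DRY_RUN=0.

```shell
#!/bin/sh
# Added example: least-privilege credentials for Argo CD pulling OCI helm charts from ACR.
# Names are assumptions matching the question; set DRY_RUN=0 to actually run az/argocd.
set -eu

ACR_NAME="${ACR_NAME:-myACR}"            # registry name (myACR.azurecr.io)
REPO="${REPO:-helm}"                     # charts live under myACR.azurecr.io/helm/<chart>
TOKEN_NAME="${TOKEN_NAME:-argocd-helm-ro}"
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print commands only, 0 = execute them

# Run a command, or print it when DRY_RUN=1 so it can be reviewed before use.
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# The only permission granted: content/read on the chart repository.
# That is all `helm pull` needs; no content/write, no admin user.
scope_actions() { printf '%s' "${REPO}:content/read"; }

# Create a scope map with read-only access and a token bound to it.
# Prints the token password (the last line of output) for use as the Argo CD password.
create_ro_token() {
  run az acr scope-map create --registry "$ACR_NAME" --name "${TOKEN_NAME}-map" \
      --repository "$REPO" content/read -o none
  run az acr token create --registry "$ACR_NAME" --name "$TOKEN_NAME" \
      --scope-map "${TOKEN_NAME}-map" \
      --query 'credentials.passwords[0].value' -o tsv
}

# Register the OCI helm repo in Argo CD using the token instead of the admin user.
register_repo() {
  password="$1"
  run argocd repo add "${ACR_NAME}.azurecr.io" --type helm --name helm --enable-oci \
      --username "$TOKEN_NAME" --password "$password"
}

main() {
  pw="$(create_ro_token | tail -n 1)"
  register_repo "$pw"
}

main "$@"
```

Rotate the token with `az acr token credential generate` when needed; the scope map stays unchanged and the Argo CD repo entry only needs its password updated.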