Aligns the Argo CD GitOps integration with the Azure-managed Argo CD k8s extension #2131
Merged
Pull request overview
This PR updates the AKS Tools Argo CD GitOps integration to better align with the Azure-managed Argo CD Kubernetes extension (Microsoft.ArgoCD) by detecting managed installs, surfacing Workload Identity Federation guidance for Azure repo sources, and updating the user docs accordingly.
Changes:
- Added runtime detection of the Azure-managed Argo CD extension via a managed-by pod label and surfaced this in AKS: Check Argo CD Status output.
- Added repo-host classification to show a post-apply action that links to Workload Identity Federation guidance for ACR / Azure DevOps sources.
- Rewrote the Argo CD GitOps integration docs to describe both install tracks and updated post-apply/action guidance.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| src/commands/aksArgoCD/argoCDInstall.ts | Adds managed-extension detection and prints install method in the Argo CD status output. |
| src/commands/aksArgoCD/argoCDApplyApp.ts | Adds Azure host classification and a new post-apply QuickPick item linking to WIF guidance. |
| docs/book/src/features/argocd-gitops-integration.md | Documents installation options, WIF guidance, and production topology notes for managed vs upstream installs. |
Tatsinnit added a commit to Tatsinnit/vscode-aks-tools that referenced this pull request (May 11, 2026)
…n and WIF gating

Addresses Copilot review comments on Azure#2131.

Code
- argoCDInstall: detectManagedArgoCDExtension is now tri-state (ArgoCDInstallMethod = "managed" | "upstream" | "unknown") and treats non-zero kubectl exit codes or non-empty stderr as "unknown" instead of silently classifying the install as upstream. Docblock rewritten to enumerate the helper's two actual callers.
- argoCDInstall: showArgoCDStatus prints three explicit branches, including a "could not determine — RBAC or connection issue?" line so a failing label query is not reported as an upstream install.
- argoCDApplyApp: classifyAzureRepoHost now also recognises Azure DevOps SSH hosts (ssh.dev.azure.com, vs-ssh.visualstudio.com) so the Workload Identity hint shows for git@ssh.dev.azure.com:v3/... style URLs.
- argoCDApplyApp: the "Configure Workload Identity for Azure" action is now gated on positive signal that the cluster can use the linked flow — installMethod === "managed" OR authMode === "sso". Detection is threaded through both the apply-flow path and the standalone palette-invoked path of argoCDPostApplyActions.

Docs
- argocd-gitops-integration.md: rewrote the install-detection paragraph to describe two orthogonal probes — install-method (managed-by label, tri-state) and auth-mode (argocd-cm OIDC config) — instead of conflating them.
- "Configure Workload Identity for Azure" section now lists both conditions required to show the action, and includes the SSH host variants alongside the HTTPS ones.
- "Check Argo CD Status" section notes the tri-state install line, including the "could not determine" case.

No new commands, no change to scaffolded application.yaml output. Feature flag aks.argoCDEnabled continues to gate everything. Type-check clean.

Signed-off-by: Tatsat Mishra <tamishra@microsoft.com>
…rface WIF in post-apply UX

Aligns the Argo CD GitOps integration with the Azure-managed Argo CD k8s extension (Microsoft.ArgoCD, public preview Mar 2026) on AKS and Azure Arc-enabled Kubernetes clusters.

Code
- argoCDInstall: add detectManagedArgoCDExtension() helper that probes the argocd namespace for the `app.kubernetes.io/managed-by=Microsoft.ArgoCD` pod label.
- argoCDInstall: showArgoCDStatus() now logs whether the Azure-managed extension is detected vs. an upstream install, so users can tell at a glance which install path their cluster is on.
- argoCDApplyApp: add classifyAzureRepoHost() that recognises ACR (*.azurecr.io) and Azure DevOps (dev.azure.com / *.visualstudio.com) source URLs.
- argoCDApplyApp: post-apply QuickPick gains a "Configure Workload Identity for ACR / Azure DevOps" action when the applied Application's spec.source.repoURL points at an Azure source. The action opens the Microsoft Learn tutorial so users can federate Argo CD to Azure instead of storing long-lived PATs/SSH keys as Kubernetes Secrets.

Docs (docs/book/src/features/argocd-gitops-integration.md)
- New "Installation options" section comparing the Azure-managed extension vs. upstream Argo CD, with links to the announcement blog and the Microsoft Learn tutorial.
- Updated Prerequisites to reference both install tracks.
- Rewrote post-apply subsections: dropped stale "Get Credentials" and HTTPS+SSH copy that no longer matches the code, added "Configure Workload Identity for Azure", scoped "Connect Private Repository" to GitHub.
- New "Production topologies" section covering HA, hub-and-spoke, and ApplicationSet usage.
- Refreshed Security Notes (WIF preference, Entra SSO replacing the admin-password flow).
- Expanded Troubleshooting with Microsoft.ArgoCD provider registration, missing admin-password secret under SSO, and WIF-vs-PAT guidance.
- Added Further Reading footer with announcement blog, Learn tutorial, and upstream Argo CD docs.

No new commands, no behavior change for upstream Argo CD users, no change to the scaffolded application.yaml output. Feature flag `aks.argoCDEnabled` continues to gate everything.

Refs:
- https://techcommunity.microsoft.com/blog/azurearcblog/announcing-public-preview-of-argo-cd-extension-on-aks-and-azure-arc-enabled-kube/4504497
- https://learn.microsoft.com/en-us/azure/azure-arc/kubernetes/tutorial-use-gitops-argocd

Signed-off-by: Tatsat Mishra <tamishra@microsoft.com>
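The host matching that the commit messages describe for `classifyAzureRepoHost()`, written out as an added example; this is not the vscode-aks-tools project's own code. It covers the HTTPS forms above and the SSH forms the follow-up commit adds (`ssh.dev.azure.com`, `vs-ssh.visualstudio.com`, scp-style `git@host:path` URLs), plus the bare `registry.azurecr.io/path` form Argo CD accepts for OCI Helm repositories. The function names, the `"acr" | "azure-devops" | "other"` result values and the sample URLs are this example's own choices.

```typescript
// Added example, not code from the vscode-aks-tools project: classify an Argo CD
// Application's spec.source.repoURL by Azure host so a post-apply menu can
// decide whether a Workload Identity Federation hint applies.
// Names (AzureRepoHost, extractRepoHost, classifyAzureRepoHost) are this
// example's own choices.

export type AzureRepoHost = "acr" | "azure-devops" | "other";

// Returns the lowercase host of a repo URL, or null if none can be found.
// Handles scheme URLs (https://, ssh://, oci://), scp-style SSH URLs such as
// "git@ssh.dev.azure.com:v3/org/project/repo" (which the WHATWG URL parser
// rejects), and bare "registry.azurecr.io/charts" OCI references.
export function extractRepoHost(repoUrl: string): string | null {
  const trimmed = repoUrl.trim();
  if (trimmed === "") {
    return null;
  }
  if (!trimmed.includes("://")) {
    // scp-style: optional "user@", then the host, then ":" and the path
    const scp = /^(?:[^@\s/]+@)?([A-Za-z0-9.-]+):/.exec(trimmed);
    if (scp) {
      return scp[1].toLowerCase();
    }
    // bare host/path (OCI Helm repository): parse it as an https URL
    return extractRepoHost("https://" + trimmed);
  }
  try {
    return new URL(trimmed).hostname.toLowerCase();
  } catch (_err) {
    return null;
  }
}

// Matching is done on the parsed hostname only, never by substring of the
// whole URL, so "https://x.azurecr.io.evil.example/" and
// "https://evil.example/dev.azure.com" both classify as "other".
export function classifyAzureRepoHost(repoUrl: string): AzureRepoHost {
  const host = extractRepoHost(repoUrl);
  if (host === null) {
    return "other";
  }
  // Public-cloud ACR login servers; sovereign clouds use other suffixes
  // (for example .azurecr.cn) and would need adding here.
  if (host.endsWith(".azurecr.io")) {
    return "acr";
  }
  // Azure DevOps HTTPS and SSH hosts, plus the legacy org.visualstudio.com
  // and vs-ssh.visualstudio.com forms.
  if (host === "dev.azure.com" || host === "ssh.dev.azure.com" || host.endsWith(".visualstudio.com")) {
    return "azure-devops";
  }
  return "other";
}

// Constructed sample URLs with their expected classification (not taken from
// any real repository).
export const SAMPLE_REPO_URLS: ReadonlyArray<[string, AzureRepoHost]> = [
  ["https://myregistry.azurecr.io/helm-charts", "acr"],
  ["myregistry.azurecr.io/helm-charts", "acr"],
  ["https://contoso@dev.azure.com/contoso/platform/_git/apps", "azure-devops"],
  ["git@ssh.dev.azure.com:v3/contoso/platform/apps", "azure-devops"],
  ["ssh://git@ssh.dev.azure.com:22/v3/contoso/platform/apps", "azure-devops"],
  ["contoso@vs-ssh.visualstudio.com:v3/contoso/platform/apps", "azure-devops"],
  ["git@github.com:contoso/apps.git", "other"],
  ["https://myregistry.azurecr.io.evil.example/helm-charts", "other"],
  ["https://evil.example/dev.azure.com", "other"],
];

// Returns the sample URLs whose classification differs from the expected one
// (empty when every sample classifies as expected).
export function checkSamples(): string[] {
  return SAMPLE_REPO_URLS
    .filter(([url, expected]) => classifyAzureRepoHost(url) !== expected)
    .map(([url]) => url);
}
```

The classification only decides whether to show a hint, so a miss is harmless; the hostname-only comparison matters because a substring check on the raw URL would let an attacker-controlled host that merely contains `azurecr.io` or `dev.azure.com` in its path or subdomain pass as an Azure source.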
…ed installs
Replaces the "open Microsoft Learn tutorial" shortcut in the Argo CD
post-apply menu with an in-VS-Code guided flow when the Azure-managed
Argo CD extension is detected on the cluster. Upstream / SSO-only
installs still fall back to the Learn link.
Adds src/commands/aksArgoCD/argoCDWifBootstrap.ts:
- Auto-detects the Argo CD ServiceAccount in the argocd namespace
(tries argocd-repo-server, argocd-image-updater,
argocd-application-controller; falls back to user input).
- Reads any existing `azure.workload.identity/client-id` annotation
on the SA and the cluster OIDC issuer URL via
`kubectl get --raw /.well-known/openid-configuration`.
- QuickPick step menu:
Step 1 Show subject claim + issuer URL with one-click clipboard copy
Step 2 Open Azure Portal on Managed Identities (or App registrations)
Step 3 Print role-assignment + SA annotation + rollout-restart
guidance (branched ACR vs Azure DevOps)
Fallback link to the Microsoft Learn end-to-end tutorial
- Purely informational — no mutations to Azure or the cluster; all
output streams to the shared "Argo CD" output channel.
Wires the helper into argoCDApplyApp.ts: the existing `azure_wif`
post-apply action now routes through runWifBootstrap() when
installMethod === "managed", and keeps the Learn link otherwise.
Updates docs/book/src/features/argocd-gitops-integration.md to describe
the new branched behavior under "Configure Workload Identity for Azure".
PR 3 (in-VS-Code "Install Azure-managed Argo CD Extension" command) is
intentionally not included here; this change focuses on the post-install
and deploy scenarios only.
Signed-off-by: Tatsat Mishra <tamishra@microsoft.com>
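The values the guided flow above displays (subject claim, issuer URL, audience), derived from captured kubectl output, as an added example that is not the vscode-aks-tools project's own code. It picks the ServiceAccount in the order the commit lists, reads any existing `azure.workload.identity/client-id` annotation, takes the issuer from the discovery document verbatim, and renders the ACR branch of the guidance. The function names, the `ManagedIdentity` shape, the sample discovery document and the resource names in the rendered commands are this example's own assumptions; like the helper it illustrates, it only renders commands and mutates nothing.

```typescript
// Added example, not code from the vscode-aks-tools project. Names, sample
// values and the ManagedIdentity shape are this example's own assumptions.

export const WIF_AUDIENCE = "api://AzureADTokenExchange";
export const CLIENT_ID_ANNOTATION = "azure.workload.identity/client-id";
export const ARGOCD_SA_CANDIDATES = ["argocd-repo-server", "argocd-image-updater", "argocd-application-controller"];
const K8S_NAME = /^[a-z0-9]([-a-z0-9.]*[a-z0-9])?$/;

export interface ServiceAccountPick {
  name: string;
  clientId: string | null; // existing client-id annotation, if any
}

// Picks the first candidate present in `kubectl get serviceaccounts -n argocd -o json`
// output, in candidate order; null means the caller must ask the user.
export function pickArgoCDServiceAccount(
  saListJson: string,
  candidates: readonly string[] = ARGOCD_SA_CANDIDATES,
): ServiceAccountPick | null {
  const doc = JSON.parse(saListJson) as { items?: Array<{ metadata?: { name?: string; annotations?: Record<string, string> } }> };
  const items = doc.items ?? [];
  for (const name of candidates) {
    const sa = items.find((item) => item.metadata?.name === name);
    if (sa !== undefined) {
      return { name, clientId: sa.metadata?.annotations?.[CLIENT_ID_ANNOTATION] ?? null };
    }
  }
  return null;
}

export interface FederatedCredential {
  issuer: string;
  subject: string;
  audience: string;
}

// Builds the federated credential from the cluster discovery document
// (`kubectl get --raw /.well-known/openid-configuration`). The `issuer` field
// is used verbatim: Entra requires it to match the token's `iss` claim
// exactly, so trimming a trailing slash would break the token exchange.
export function buildFederatedCredential(discoveryJson: string, namespace: string, serviceAccount: string): FederatedCredential {
  const issuer = (JSON.parse(discoveryJson) as { issuer?: unknown }).issuer;
  if (typeof issuer !== "string" || !issuer.startsWith("https://")) {
    throw new Error("discovery document has no https issuer");
  }
  if (!K8S_NAME.test(namespace) || !K8S_NAME.test(serviceAccount)) {
    throw new Error("invalid namespace or ServiceAccount name");
  }
  return { issuer, subject: `system:serviceaccount:${namespace}:${serviceAccount}`, audience: WIF_AUDIENCE };
}

export interface ManagedIdentity {
  name: string;
  resourceGroup: string;
  clientId: string;
  principalId: string;
}

// ACR branch of the guidance: AcrPull scoped to the one registry, the
// federated credential, the SA annotation, then a restart so pods pick up the
// projected token. In upstream manifests the application controller is a
// StatefulSet, the other candidates are Deployments.
export function renderAcrGuidance(cred: FederatedCredential, sa: string, identity: ManagedIdentity, acrResourceId: string): string[] {
  const kind = sa === "argocd-application-controller" ? "statefulset" : "deployment";
  return [
    `az role assignment create --assignee-object-id ${identity.principalId} --assignee-principal-type ServicePrincipal --role AcrPull --scope ${acrResourceId}`,
    `az identity federated-credential create --name ${sa} --identity-name ${identity.name} --resource-group ${identity.resourceGroup} --issuer ${cred.issuer} --subject ${cred.subject} --audiences ${cred.audience}`,
    `kubectl annotate serviceaccount -n argocd ${sa} ${CLIENT_ID_ANNOTATION}=${identity.clientId} --overwrite`,
    `kubectl rollout restart ${kind} -n argocd ${sa}`,
  ];
}

// Constructed kubectl output (not captured from a real cluster). The issuer
// follows the AKS OIDC issuer URL shape, trailing slash included.
export const SAMPLE_SA_LIST_JSON = JSON.stringify({ items: [
  { metadata: { name: "argocd-application-controller" } },
  { metadata: { name: "argocd-repo-server", annotations: { [CLIENT_ID_ANNOTATION]: "11111111-2222-3333-4444-555555555555" } } },
] });
export const SAMPLE_DISCOVERY_JSON = JSON.stringify({
  issuer: "https://eastus.oic.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/",
});
```

Two checks worth making before following the rendered commands on an upstream install: the federated credential is created on a user-assigned managed identity here (an app registration takes `az ad app federated-credential create` instead), and the AKS workload identity webhook only projects a token into pods labelled `azure.workload.identity/use: "true"`, so a rollout restart of an unlabelled workload changes nothing. The Azure DevOps branch differs in the role-assignment step and is left out of this example.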
977aa8b to b6dab59
Summary
Aligns the Argo CD GitOps integration with the Azure-managed Argo CD k8s extension (`Microsoft.ArgoCD`, public preview) on AKS and Azure Arc-enabled Kubernetes clusters. Adds runtime detection of the managed install, surfaces Workload Identity Federation as the preferred credential path for Azure source repos with a guided in-VS-Code bootstrap helper, and rewrites the docs to explain both install tracks clearly.

No new commands. No behavior change for upstream Argo CD users. No change to scaffolded `application.yaml` output. Feature flag `aks.argoCDEnabled` continues to gate everything.

Refs:
Why
The blog above announces public preview of an Azure-managed Argo CD extension with three pillars: Entra ID SSO + Workload Identity Federation (no long-lived PATs/SSH for ACR / Azure DevOps), Azure Linux–hardened images + opt-in patch channel, and upstream parity (HA, hub-and-spoke, ApplicationSet). Our extension already works against the managed install, but:
Changes
Code
argoCDInstall.ts — install-method detection
- `detectManagedArgoCDExtension()` — probes the `argocd` namespace for the `app.kubernetes.io/managed-by=Microsoft.ArgoCD` pod label. Returns a tri-state (`managed`/`upstream`/`unknown`) so RBAC-forbidden / connection failures don't silently misclassify as upstream.
- `showArgoCDStatus()` now logs install method in three branches; `unknown` explicitly mentions the failing `kubectl get pods` command so RBAC issues are debuggable.

argoCDApplyApp.ts — post-apply menu
- `classifyAzureRepoHost(repoUrl)` — matches `*.azurecr.io`, `(ssh.)?dev.azure.com`, and legacy `(vs-ssh.)?*.visualstudio.com`.
- `installMethod` alongside `authMode`/`repoVisibility` via `Promise.all`.
- `azureHost !== "other" && (installMethod === "managed" || authMode === "sso")` — i.e. only shown when the linked flow actually applies to the user's install path.

argoCDWifBootstrap.ts — new guided WIF helper (~280 LOC, no Azure or cluster mutations)
- `argocd` namespace (tries `argocd-repo-server`, `argocd-image-updater`, `argocd-application-controller`; falls back to user input).
- `azure.workload.identity/client-id` annotation on the SA and fetches the cluster OIDC issuer URL via `kubectl get --raw /.well-known/openid-configuration`.
- `system:serviceaccount:argocd:<sa>`), issuer URL, and audience (`api://AzureADTokenExchange`) with one-click clipboard copy.
- `AcrPull` for ACR, `Reader` for Azure DevOps), the `azure.workload.identity/client-id` annotation command, and the `kubectl rollout restart` to apply it.

Docs
docs/book/src/features/argocd-gitops-integration.md
- `oidc.config` referencing `login.microsoftonline.com`) are independent signals, so a managed install without SSO and an upstream install wired to Entra ID by hand are both valid configurations.

What this PR does not change
- `aks.argoCD*` commands as before.
- `application.yaml` content from `aks.draftArgoCDDeployment`.
- `az` CLI shell-outs. All Azure interactions remain via the existing session provider; cluster interactions remain via `kubectl`.
- upstream, WIF hint is hidden, existing flows (admin-password fetch, Open UI, Connect Private Repository) are unchanged.

Testing
- `npx tsc --noEmit` clean.
- `argocd-cm.data["oidc.config"]` and labelling pods with `app.kubernetes.io/managed-by=Microsoft.ArgoCD` (see docs § "Two orthogonal probes" for the exact probe queries).

Out of scope (planned follow-ups)
- `Microsoft.KubernetesConfiguration` ARM directly, no `az` CLI). Deferred to a separate PR — current PR focuses on post-install + deploy scenarios.
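The two orthogonal probes the description and the commit messages refer to (install method from the managed-by pod label, auth mode from `argocd-cm`'s `oidc.config`) and the gate that combines them, as an added example that is not the vscode-aks-tools project's own code. The probes consume the captured result of a kubectl invocation instead of running kubectl, so the example runs offline on the constructed outputs embedded below; the type names, the `"sso" | "oidc" | "local" | "unknown"` auth-mode values and the `KubectlResult` shape are this example's own.

```typescript
// Added example, not code from the vscode-aks-tools project. Type and
// function names are this example's own choices.

export type ArgoCDInstallMethod = "managed" | "upstream" | "unknown";
// "sso" = Entra ID via login.microsoftonline.com; "oidc" = some other OIDC
// provider; "local" = no oidc.config (admin-password flow); "unknown" = the
// configmap could not be read. Only "sso" is a positive signal for the gate.
export type ArgoCDAuthMode = "sso" | "oidc" | "local" | "unknown";
export type AzureRepoHost = "acr" | "azure-devops" | "other";

export interface KubectlResult {
  exitCode: number;
  stdout: string;
  stderr: string;
}

export const MANAGED_BY_LABEL = "app.kubernetes.io/managed-by";
export const MANAGED_BY_VALUE = "Microsoft.ArgoCD";

// Any failure (non-zero exit, anything on stderr, unparsable JSON) yields
// undefined, which both probes map to "unknown": an RBAC denial must never be
// reported as an upstream or password-only install.
function parseKubectlJson(result: KubectlResult): unknown {
  if (result.exitCode !== 0 || result.stderr.trim() !== "") {
    return undefined;
  }
  try {
    return JSON.parse(result.stdout);
  } catch (_err) {
    return undefined;
  }
}

// Interprets `kubectl get pods -n argocd -o json`, with or without the
// managed-by label selector: the label is re-checked on each pod either way.
export function classifyInstallMethod(pods: KubectlResult): ArgoCDInstallMethod {
  const doc = parseKubectlJson(pods) as { items?: unknown } | undefined;
  if (doc === undefined || !Array.isArray(doc.items)) {
    return "unknown";
  }
  const managed = doc.items.some((pod) => {
    const labels = (pod as { metadata?: { labels?: Record<string, string> } }).metadata?.labels;
    return labels?.[MANAGED_BY_LABEL] === MANAGED_BY_VALUE;
  });
  return managed ? "managed" : "upstream";
}

// Interprets `kubectl get configmap argocd-cm -n argocd -o json`.
export function classifyAuthMode(configMap: KubectlResult): ArgoCDAuthMode {
  const doc = parseKubectlJson(configMap) as { data?: Record<string, unknown> } | undefined;
  if (doc === undefined) {
    return "unknown";
  }
  const oidcConfig = doc.data?.["oidc.config"];
  if (typeof oidcConfig !== "string") {
    return "local";
  }
  // oidc.config is a YAML document; its issuer line is enough for this check.
  const issuer = /^\s*issuer:\s*["']?([^"'\s]+)/m.exec(oidcConfig);
  if (issuer === null) {
    return "oidc";
  }
  try {
    // Public-cloud Entra ID; sovereign clouds use other login hosts.
    return new URL(issuer[1]).hostname === "login.microsoftonline.com" ? "sso" : "oidc";
  } catch (_err) {
    return "oidc";
  }
}

// Offer the action only for an Azure source AND a positive signal that the
// linked flow applies (managed install, or Entra SSO already wired up).
// "unknown" on either probe never enables it.
export function shouldOfferWorkloadIdentityAction(
  azureHost: AzureRepoHost,
  installMethod: ArgoCDInstallMethod,
  authMode: ArgoCDAuthMode,
): boolean {
  return azureHost !== "other" && (installMethod === "managed" || authMode === "sso");
}

// Constructed kubectl results (not captured from a real cluster).
const ok = (doc: unknown): KubectlResult => ({ exitCode: 0, stderr: "", stdout: JSON.stringify(doc) });
export const SAMPLE_MANAGED_PODS = ok({ items: [{ metadata: { name: "argocd-repo-server-7c9d4", labels: { [MANAGED_BY_LABEL]: MANAGED_BY_VALUE } } }] });
export const SAMPLE_UPSTREAM_PODS = ok({ items: [{ metadata: { name: "argocd-repo-server-5f8b2", labels: { "app.kubernetes.io/part-of": "argocd" } } }] });
export const SAMPLE_WARNING_PODS: KubectlResult = { ...SAMPLE_MANAGED_PODS, stderr: "Warning: constructed non-fatal kubectl warning" };
export const SAMPLE_FORBIDDEN: KubectlResult = {
  exitCode: 1,
  stdout: "",
  stderr: 'Error from server (Forbidden): pods is forbidden: User "dev@contoso.example" cannot list resource "pods" in API group "" in the namespace "argocd"',
};
export const SAMPLE_ENTRA_CM = ok({ data: { "oidc.config": "name: Azure\nissuer: https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0\nclientID: 11111111-2222-3333-4444-555555555555\n" } });
export const SAMPLE_LOCAL_CM = ok({ data: { url: "https://argocd.contoso.example" } });
```

Treating any stderr output as "unknown" errs on the safe side: kubectl also writes non-fatal warnings to stderr, so on a cluster that emits them the status line reads "could not determine" rather than misreporting the install, and the gate stays closed until the warning is resolved or the probe is relaxed deliberately.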