chore(backport release-1.9): fix(controller): fix bug that wrongly judges workload identity to be available (#5653)

akuitybot · krancour · web-flow · commit 01c14ef16cd6 · 2026-01-28T13:37:42.000-05:00
Signed-off-by: Kent Rancourt &lt;kent.rancourt@gmail.com&gt;
Co-authored-by: Kent Rancourt &lt;kent.rancourt@gmail.com&gt;
diff --git a/pkg/credentials/acr/workload_identity.go b/pkg/credentials/acr/workload_identity.go
@@ -60,7 +60,7 @@ func NewWorkloadIdentityProvider(ctx context.Context) credentials.Provider {
 	logger := logging.LoggerFromContext(ctx)
 
 	// Try to create a DefaultAzureCredential which supports workload identity
-	credential, err := azidentity.NewDefaultAzureCredential(nil)
+	credential, err := azidentity.NewWorkloadIdentityCredential(nil)
 	if err != nil {
 		logger.Info("Azure workload identity not available", "error", err.Error())
 		return nil
diff --git a/pkg/credentials/acr/workload_identity_test.go b/pkg/credentials/acr/workload_identity_test.go
@@ -3,6 +3,7 @@ package acr
 import (
 	"context"
 	"errors"
+	"os"
 	"testing"
 	"time"
 
@@ -15,6 +16,31 @@ import (
 	"github.com/akuity/kargo/pkg/credentials"
 )
 
+func TestNewWorkloadIdentityProvider(t *testing.T) {
+	const azFederatedTokenFile = "AZURE_FEDERATED_TOKEN_FILE"
+	const azClientID = "AZURE_CLIENT_ID"
+	const azTenantID = "AZURE_TENANT_ID"
+	t.Run("workload identity not available", func(t *testing.T) {
+		// Make it look unavailable by ensuring key env vars are unset
+		t.Setenv(azFederatedTokenFile, "") // Ensures cleanup
+		os.Unsetenv(azFederatedTokenFile)  // Actually unsets
+		t.Setenv(azClientID, "")           // Ensures cleanup
+		os.Unsetenv(azClientID)            // Actually unsets
+		t.Setenv(azTenantID, "")           // Ensures cleanup
+		os.Unsetenv(azTenantID)            // Actually unsets
+		require.Nil(t, NewWorkloadIdentityProvider(t.Context()))
+	})
+	t.Run("workload identity available", func(t *testing.T) {
+		// Make it look available by ensuring key env vars are set, albeit with
+		// nonsense values.
+		const nonsense = "nonsense"
+		t.Setenv(azFederatedTokenFile, nonsense)
+		t.Setenv(azClientID, nonsense)
+		t.Setenv(azTenantID, nonsense)
+		require.NotNil(t, NewWorkloadIdentityProvider(t.Context()))
+	})
+}
+
 func TestWorkloadIdentityProvider_Supports(t *testing.T) {
 	const testOCIRepoURL = "myregistry.azurecr.io/my-repo"
 	const testHTTPSRepoURL = "https://myregistry.azurecr.io/my-repo"
