[X] I've pasted the output of argocd version: 2.11.0
Describe the bug
I'm using https://github.com/argoproj/argo-cd/issues/17279 to authenticate to Google Artifact Registry as a helm registry using workload identity. Unlike https://github.com/argoproj/argo-cd/issues/10218, the other solution does not require installing ESO. This works in general since helm template can get creds via the $HOME/.docker/config.json. However, if you need to use targetRevision: * with your application, this ends up using the oras-go client here which is only configured for static credentials.
To Reproduce
targetRevision: *. This should result in a permission denied.
Expected behavior
oras-go uses the same creds as helm
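
The gap described in this report, as an added example that is not Argo CD or oras-go code: a Docker-style config.json can name a per-host credential helper instead of storing a static `auth` entry, so a client that only looks for static credentials finds nothing for that host. The host names, the `gcloud` helper entry, and the `SampleConfig` and `Resolve` names are assumptions made for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// dockerConfig holds the two credential sources in a Docker config.json.
type dockerConfig struct {
	Auths       map[string]struct{ Auth string `json:"auth"` } `json:"auths"`
	CredHelpers map[string]string `json:"credHelpers"`
}

// SampleConfig is constructed input: one host with a static entry and one
// host served by a credential helper (assumed setup for workload identity).
func SampleConfig() []byte {
	auth := base64.StdEncoding.EncodeToString([]byte("ci-user:placeholder"))
	return []byte(fmt.Sprintf(`{"auths":{"registry.example.com":{"auth":%q}},"credHelpers":{"us-docker.pkg.dev":"gcloud"}}`, auth))
}

// Resolve reports where credentials for host come from: "helper:<binary>",
// "static:<username>", or "none". A per-host helper takes precedence.
func Resolve(raw []byte, host string) (string, error) {
	var c dockerConfig
	if err := json.Unmarshal(raw, &c); err != nil {
		return "", err
	}
	// No secret is stored for this host; a static-only client has nothing to send.
	if h, ok := c.CredHelpers[host]; ok {
		return "helper:docker-credential-" + h, nil
	}
	if a, ok := c.Auths[host]; ok {
		dec, err := base64.StdEncoding.DecodeString(a.Auth)
		user, _, found := strings.Cut(string(dec), ":")
		if err != nil || !found {
			return "", fmt.Errorf("malformed auth entry for %s", host)
		}
		return "static:" + user, nil
	}
	return "none", nil
}

func main() {
	for _, h := range []string{"registry.example.com", "us-docker.pkg.dev"} {
		src, err := Resolve(SampleConfig(), h)
		fmt.Println(h, "->", src, err)
	}
}
```

Running the same check against the repo-server's own config.json shows which registries depend on a helper and would therefore be affected when a code path accepts only a fixed username and password.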