Is your feature request related to a problem? Please describe.
Hello! 👋
A Flux user has just requested support for SPIFFE mTLS client certs to authenticate with Zot: fluxcd/flux2#5679
While I do look forward to entertaining this idea, I also thought about another common secret-less authentication method for this integration, which we already have a lot of support for in CNCF Flux: https://github.com/fluxcd/flux2/tree/main/rfcs/0010-multi-tenant-workload-identity
OIDC can be supported also for workloads, and not just humans going through an OAuth2 authorization flow. This is how cloud providers implement those "workload identity" features. The Kubernetes cluster issues a Kubernetes ServiceAccount Token for the workload and exchanges that for an access token of the cloud provider that allows making API calls to the relevant service.
In Flux 2.7 we introduced support for managing remote Kubernetes clusters through this mechanism, since Kubernetes is also capable of mapping external OIDC identities into Kubernetes RBAC identities (in this case, the external OIDC issuer is the management cluster that Flux is running on: the hub-and-spoke model).
I'd like to request support from Zot to authenticate OIDC tokens for workloads as well.
Describe the solution you'd like
The solution I'd like to see would be similar to Kubernetes' solution: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server
Zot would support a configuration where the claims of an OIDC ID token can be mapped to an identity that has permissions to perform operations in the Zot OCI API. Since Zot already supports OIDC for humans, supporting it also for workloads is definitely not far.
I have a lot of experience with OIDC and volunteer myself to implement this feature 👋
Describe alternatives you've considered
No response
Additional context
No response
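As an added illustration of the claim-to-identity mapping described in the request (example code written for this page, not Zot's or Flux's own), here is the validation and mapping step that would run after the token's signature has been checked against the issuer's JWKS; the ClaimMapping config, the SampleClaims payload and the "oidc:" prefix are assumptions.

```go
package main

import (
	"errors"
	"time"
)

// ClaimMapping is a hypothetical config modelled on kube-apiserver's OIDC flags
// (--oidc-issuer-url, --oidc-client-id, --oidc-username-claim, --oidc-username-prefix).
type ClaimMapping struct {
	Issuer, Audience, UsernameClaim, UsernamePrefix string
}

// SampleClaims is a constructed payload shaped like a Kubernetes ServiceAccount token.
var SampleClaims = map[string]any{
	"iss": "https://hub.example.com", "aud": []any{"zot"},
	"sub": "system:serviceaccount:flux-system:source-controller",
	"exp": float64(1_800_000_000), // JSON numbers decode as float64
}

// MapClaims checks issuer, audience and expiry of claims whose signature was
// already verified against the issuer's JWKS, then derives a registry username.
// The prefix keeps external identities from colliding with local user names.
func MapClaims(cfg ClaimMapping, claims map[string]any, now time.Time) (string, error) {
	if iss, _ := claims["iss"].(string); iss != cfg.Issuer {
		return "", errors.New("issuer mismatch")
	}
	if !hasAudience(claims["aud"], cfg.Audience) {
		return "", errors.New("audience mismatch")
	}
	if exp, ok := claims["exp"].(float64); !ok || now.Unix() >= int64(exp) {
		return "", errors.New("token expired or missing exp")
	}
	name, ok := claims[cfg.UsernameClaim].(string)
	if !ok || name == "" {
		return "", errors.New("missing username claim")
	}
	return cfg.UsernamePrefix + name, nil
}

// hasAudience accepts "aud" as a single string or an array (both valid JWT forms).
func hasAudience(aud any, want string) bool {
	list, _ := aud.([]any)
	if s, ok := aud.(string); ok {
		list = []any{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}
```

The returned username is what an authorization policy would then grant repository permissions to, exactly as Kubernetes RBAC binds roles to the mapped OIDC user.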