
[Feat]: Support OIDC authentication for workloads #3704

@matheuscscp

Description


Is your feature request related to a problem? Please describe.

Hello! 👋

A Flux user has just requested support for SPIFFE mTLS client certs to authenticate with Zot: fluxcd/flux2#5679

While I do look forward to entertaining this idea, I also thought about another common secret-less authentication method for this integration, which we already have a lot of support for in CNCF Flux: https://github.com/fluxcd/flux2/tree/main/rfcs/0010-multi-tenant-workload-identity

OIDC can also be supported for workloads, not just for humans going through an OAuth2 authorization flow. This is how cloud providers implement their "workload identity" features. The Kubernetes cluster issues a Kubernetes ServiceAccount Token for the workload and exchanges it for an access token of the cloud provider that allows making API calls to the relevant service.

In Flux 2.7 we introduced support for managing remote Kubernetes clusters through this mechanism, since Kubernetes is also capable of mapping external OIDC identities into Kubernetes RBAC identities (in this case, the external OIDC issuer is the management cluster where Flux is running: the hub-and-spoke model).

I'd like to request support from Zot to authenticate OIDC tokens for workloads as well.

Describe the solution you'd like

The solution I'd like to see would be similar to Kubernetes' solution: https://kubernetes.io/docs/reference/access-authn-authz/authentication/#configuring-the-api-server

Zot would support a configuration where the claims of an OIDC ID token can be mapped to an identity that has permissions to perform operations in the Zot OCI API. Since Zot already supports OIDC for humans, supporting it for workloads as well is definitely not far off.

I have a lot of experience with OIDC and volunteer myself to implement this feature 👋

Describe alternatives you've considered

No response

Additional context

No response
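The token verification and claim-to-identity mapping the issue asks for, as an added example in Go that is not part of the original issue and is not Zot's or Flux's own code. It mints a Kubernetes-style ES256 service-account token with an in-memory key, then verifies it the way a registry would and maps the configured username claim to a prefixed identity, in the spirit of the Kubernetes API server's OIDC flags (issuer, audience, username claim and prefix). The WorkloadIssuer type and its field names, the issuer URL, the audience "zot", the kid and the service-account name are all constructed for this demo; a real verifier would fetch the issuer's JWKS through OIDC discovery instead of holding keys in a map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// WorkloadIssuer is a hypothetical trust configuration in the spirit of the Kubernetes API
// server's OIDC flags: issuer URL, required audience, the claim that becomes the username
// and a prefix that namespaces it. Keys stands in for the issuer's JWKS (kid -> key).
type WorkloadIssuer struct {
	Issuer, Audience, UsernameClaim, UsernamePrefix string
	Keys                                            map[string]*ecdsa.PublicKey
}

var enc = base64.RawURLEncoding

// decodeJSON parses one base64url-encoded JWS segment into v.
func decodeJSON(seg string, v any) error {
	b, err := enc.DecodeString(seg)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// SignES256 mints a compact JWS (ES256, raw R||S signature). It plays the role of the
// cluster's service-account token issuer; the registry side never needs it.
func SignES256(key *ecdsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "kid": kid})
	body, _ := json.Marshal(claims)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		panic(err) // demo helper: failing to sign is a programming error here
	}
	sig := make([]byte, 64) // JWS ES256 signature is raw R||S, 32 bytes each
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + enc.EncodeToString(sig)
}

// Authenticate verifies a token and maps it to a username. Order matters: pin the
// algorithm and check the signature first, then iss/aud/exp, and only then trust claims.
func (w *WorkloadIssuer) Authenticate(token string, now time.Time) (string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string } // encoding/json matches "alg"/"kid" case-insensitively
	if len(parts) != 3 || decodeJSON(parts[0], &hdr) != nil {
		return "", fmt.Errorf("malformed token")
	}
	key := w.Keys[hdr.Kid]
	if hdr.Alg != "ES256" || key == nil { // never honour "none" or a kid the issuer does not publish
		return "", fmt.Errorf("alg %q / kid %q not accepted", hdr.Alg, hdr.Kid)
	}
	sig, err := enc.DecodeString(parts[2])
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(key, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", fmt.Errorf("signature verification failed")
	}
	var claims map[string]any
	if err := decodeJSON(parts[1], &claims); err != nil {
		return "", err
	}
	if iss, _ := claims["iss"].(string); iss != w.Issuer || !hasAudience(claims["aud"], w.Audience) {
		return "", fmt.Errorf("token not issued by %s for audience %s", w.Issuer, w.Audience)
	}
	if exp, ok := claims["exp"].(float64); !ok || !now.Before(time.Unix(int64(exp), 0)) {
		return "", fmt.Errorf("token expired or missing exp")
	}
	name, _ := claims[w.UsernameClaim].(string)
	if name == "" {
		return "", fmt.Errorf("missing username claim %q", w.UsernameClaim)
	}
	return w.UsernamePrefix + name, nil // e.g. k8s:system:serviceaccount:<ns>:<sa>
}

// hasAudience accepts aud as a single string or an array, both of which RFC 7519 allows.
func hasAudience(aud any, want string) bool {
	list, _ := aud.([]any)
	if s, ok := aud.(string); ok {
		list = []any{s}
	}
	for _, a := range list {
		if a == want {
			return true
		}
	}
	return false
}

// NewDemoIssuer builds an in-memory issuer with a fresh P-256 key. Issuer URL, audience
// and kid are constructed for the demo; the private key stands in for the cluster's
// service-account signing key.
func NewDemoIssuer() (*WorkloadIssuer, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &WorkloadIssuer{Issuer: "https://kubernetes.default.svc.cluster.local", Audience: "zot",
		UsernameClaim: "sub", UsernamePrefix: "k8s:",
		Keys: map[string]*ecdsa.PublicKey{"sa-key-1": &key.PublicKey}}, key, nil
}

func main() {
	w, key, _ := NewDemoIssuer()
	tok := SignES256(key, "sa-key-1", map[string]any{"iss": w.Issuer, "aud": []string{"zot"},
		"sub": "system:serviceaccount:flux-system:source-controller", "exp": time.Now().Add(time.Hour).Unix()})
	fmt.Println(w.Authenticate(tok, time.Now()))
}
```

Two design points worth carrying into a real implementation: the audience check is what stops a token minted for one service (say, the cloud provider's STS) from being replayed against the registry, so it must be a required, per-issuer setting rather than an optional one; and the username prefix keeps a workload identity such as system:serviceaccount:flux-system:source-controller from colliding with a human user of the same name coming from the existing OIDC-for-humans flow.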

Metadata

Assignees: No one assigned
Labels: feature (New feature or request), rm-external (Roadmap item submitted by non-maintainers)
Milestone: No milestone
Development: No branches or pull requests