actions/fluxcd-flux2
3
0
Fork 0
mirror of https://github.com/fluxcd/flux2.git synced 2026-02-19 06:01:47 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Merge pull request #5354 from fluxcd/rfc-0010-feature-gate

Browse source 
[RFC-0010] Update RFC to include opt-in feature gate
This commit is contained in:
Matheus Pimenta 2025-05-15 17:14:59 +01:00 committed by GitHub
commit 656d9d892d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 11 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
rfcs/0010-multi-tenant-workload-identity/README.md
View file

@ -565,7 +565,7 @@ the Flux APIs is to associate the Flux objects with Kubernetes `ServiceAccounts`
We propose building the `ServiceAccount` token creation and exchange logic into We propose building the `ServiceAccount` token creation and exchange logic into
the Flux controllers through a library in the `github.com/fluxcd/pkg` repository. the Flux controllers through a library in the `github.com/fluxcd/pkg` repository.
### API Changes ### API Changes and Feature Gates
For all the Flux APIs interacting with cloud providers (except `Kustomization`, For all the Flux APIs interacting with cloud providers (except `Kustomization`,
see the paragraph below), we propose introducing the field `spec.serviceAccountName` see the paragraph below), we propose introducing the field `spec.serviceAccountName`
@ -597,6 +597,16 @@ the cloud provider in the `Kustomization` API is detected by the SOPS SDK
itself while decrypting the secrets, so we don't need to introduce a new itself while decrypting the secrets, so we don't need to introduce a new
field for this purpose. field for this purpose.
To enable using the new `serviceAccountName` fields, we propose introducing
a feature gate called `ObjectLevelWorkloadIdentity` in the controllers that
would support the feature. In the first release we should make it opt-in so
cluster admins can consciously roll it out. If the feature gate is disabled
and users set the field in Flux APIs that use the field only for this feature,
a terminal error should be returned. If the feature gate is disabled and users
set the field in Flux APIs that use the field for other purposes, like in the
case of the `OCIRepository` and `ImageRepository` APIs, the controller should
just log a warning and ignore the field.
### Workload Identity Library ### Workload Identity Library
We propose using the Go package `github.com/fluxcd/pkg/auth` We propose using the Go package `github.com/fluxcd/pkg/auth`