From 183b9a7ee013a76109fef59b2906298f35a8cf84 Mon Sep 17 00:00:00 2001
From: Stefan Prodan <stefan.prodan@gmail.com>
Date: Fri, 1 Apr 2022 11:12:26 +0300
Subject: [PATCH] Add auto-login feature

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
---
 rfcs/kubernetes-oci/README.md | 38 +++++++++++++++++++++++++++--------
 1 file changed, 30 insertions(+), 8 deletions(-)

diff --git a/rfcs/kubernetes-oci/README.md b/rfcs/kubernetes-oci/README.md
index d528fa1f..12db4e85 100644
--- a/rfcs/kubernetes-oci/README.md
+++ b/rfcs/kubernetes-oci/README.md
@@ -83,7 +83,23 @@ spec:
     semver: "6.0.x"
 ```
 
-For private repositories, the credentials can be supplied with:
+To verify the authenticity of an artifact, the Sigstore cosign public key can be supplied with:
+
+```yaml
+spec:
+  verify:
+    provider: cosign
+    secretRef:
+      name: cosign-key
+```
+
+### Pull artifacts from private repositories
+
+For authentication purposes, Flux users can choose between supplying static credentials with Kubernetes secrets
+and cloud-based OIDC using an IAM role binding to the source-controller Kubernetes service account.
+
+For private repositories hosted on DockerHub, GitHub, Quay, self-hosted Docker Registry and others,
+the credentials can be supplied with:
 
 ```yaml
 spec:
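Review bot: the new paragraph describes the second option as "cloud-based OIDC using an IAM role binding to the source-controller Kubernetes service account", but the mechanism named later in the patch (flags such as `--aws-autologin-for-ecr`) is the cloud provider's workload identity binding (e.g. IRSA on EKS, Workload Identity on GKE), not OIDC in the generic sense, and the sentence gives the reader no hint that it only works when the cluster runs on that provider. Suggest rewording to "static credentials in a Kubernetes secret, or the cloud provider's workload identity bound to the source-controller service account (only when Flux runs on that provider's managed Kubernetes)". Also, since the `verify` block now comes before the credentials section, it would help to state in the same place what the `cosign-key` secret must contain (the public key field name) and that an artifact failing signature verification is not reconciled; as written the reader has to infer both.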
@@ -94,16 +110,22 @@ spec:
 The `secretRef` points to a Kubernetes secret in the same namespace as the `OCIRepository`,
 the secret type must be `kubernetes.io/dockerconfigjson`.
 
-To verify the authenticity of an artifact, the Sigstore cosign public key can be supplied with:
+When Flux runs on EKS or GKE, an IAM role (that grants read-only access to ACR, ECR or GCR)
+can be used to bind the `source-controller` to the IAM role.
 
-```yaml
-spec:
-  verify:
-    provider: cosign
-    secretRef:
-      name: cosign-key
+Similar to image-reflector-controller
+[auto-login feature](https://fluxcd.io/docs/guides/image-update/#imagerepository-cloud-providers-authentication),
+source-controller will expose dedicated flags for each cloud provider:
+
+```sh
+--aws-autologin-for-ecr
+--azure-autologin-for-acr
+--gcp-autologin-for-gcr
 ```
 
+We should extract the flags and the AWS, Azure and GCP auth implementations from image-reflector-controller into 
+`fluxcd/pkg/oci/auth` to reuses the code in source-controller.
+
 ### Reconcile artifacts
 
 The `OCIRepository` can be used as a drop-in replacement for `GitRepository` and `Bucket` sources.
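Review bot: the sentence "When Flux runs on EKS or GKE, an IAM role (that grants read-only access to ACR, ECR or GCR) can be used to bind the `source-controller` to the IAM role" is circular and mixes providers: it lists ACR but names only EKS and GKE, while the flag list right below includes `--azure-autologin-for-acr`, and Azure uses managed identities rather than IAM roles. Suggest one sentence per provider, e.g. "On EKS an IAM role with read-only ECR access bound to the `source-controller` service account (IRSA); on GKE a service account with read-only GCR access via Workload Identity; on AKS a managed identity with `AcrPull`." Two further points: the auto-login flags are controller-wide, so once enabled every `OCIRepository` in the cluster, in any namespace, can pull from any registry the controller's cloud identity can read; the RFC should call this out as a multi-tenancy consideration and recommend granting that identity pull-only permissions. Finally, "to reuses the code" should read "to reuse the code".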
-- 
GitLab