Open zmarouf opened 1 year ago
Hi!
Thanks for opening this discussion!
I'd like to add some context to set the stage and make sure we are on the same page of the problem we want to solve :)
There are 3 touch points where an OCI registry is involved.
# add an material of type container_image
chainloop attestation add ...
This command will use your local docker keychain (.docker/config) to authenticate against the provided image reference OCI registry and retrieve the manifest => digest
# manual upload
chainloop artifact upload ...
# or add a material that requires upload, i.e artifact, SBOM, ...
chainloop attestation add ...
# or pushes the
In this case, it is the control plane the one that routes the attestation to the OCI registry.
The first touch point uses local docker environment (whatever the CI where the attestation is happening is logged in as).
The other 2 cases, are in fact routed through the artifact CAS and indeed requires stable, OCI credentials.
In other words, the clients (CLI or control-plane) do not talk to OCI directly (or will not soon #2), so the Artifact CAS is the one that will push the artifacts on their behalf.
The reasoning behind this decision are
With that out of the way, could you confirm @zmarouf:
If so, as you pointed out, setting up the target OCI registry requires a keypair which then gets stored in a secret backend (AWS secret manager or Hashicorp Vault)
$ chainloop config set-oci-repo \
# i.e ghcr.io/chainloop-dev/chainloop-cas
--repo ghcr.io/[username or org]/[my-repository] \
--username [username] \
--password [personal access token]
Ideally we'd prefer not to store any credentials at all indeed, so leveraging identity based authentication would be much, much better.
If the goal is to allow the artifact CAS to push to OCI but instead of leveraging static/long-lasting credentials short-lived based on OIDC/Identity how would you do it? Could you elaborate a little bit more on your proposed IRSSA
approach?
Thank you!!
The current flow requires an explicit username password pair.
I believe security could be enhanced with JIT credentials with short-expiry times. The easiest would be to leverage existing local .docker configuration or environment variables for OIDC setups like IRSSA and WorkloadIdentity.
Thoughts? :)