polyseam / cndi

Self-Host Cloud-Native Apps with the Ease of PaaS
https://cndi.dev
Apache License 2.0
180 stars, 7 forks

[Enhancement]: OIDC Support (Passwordless Auth) #591

Open johnstonmatt opened 1 year ago

johnstonmatt commented 1 year ago

Version

cndi v1.15.1, kubeseal v0.21.0, terraform v1.5.5

Please provide a summary of the enhancement you are proposing:

With some upfront work in a cloud console it is possible to have GitHub Actions (or another CI/CD provider) assume an identity set up for it. This means that AWS, for example, could know and trust any GitHub Action run from a specific repository, and grant that run the token to do the job just-in-time.

This is more secure than using API keys to write to the cloud; however, the upfront work required (which, as far as I understand, is senseless to automate) does increase the friction of cluster deployment.

So should OIDC be an option for each cloud? Probably - there is work involved.

Please provide the motivation or use case for this enhancement:

Distributing API keys to write to the cloud is risky because they can be stolen, and they are falling out of favour pretty quickly.

How can we best workaround this issue so far?

No response

How would you approach solving this problem within CNDI?

Ask very early on in each template whether OIDC or API Keys should be used, and assist the user in either case. This dynamic Template behaviour is perhaps best suited to v2.

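The "upfront work in a cloud console" the issue describes is, for AWS, two things: registering GitHub's token issuer as an OpenID Connect identity provider, and creating an IAM role whose trust policy only accepts tokens from one repository. Below is that setup as an added Terraform example; it is not cndi's own code and not from the issue author. It assumes the `hashicorp/aws` and `hashicorp/tls` providers, and the variable names `github_org` and `github_repo` and the role name are assumptions.

```hcl
# Added example (not cndi's own code): the one-time AWS-side setup for
# GitHub Actions OIDC. var.github_org, var.github_repo and the role name
# are assumptions; replace them for your repository.

variable "github_org"  { type = string } # e.g. "polyseam"
variable "github_repo" { type = string } # e.g. "cndi"

# Read the issuer's certificate chain so the provider thumbprint is not
# hard-coded (GitHub rotates the certificate). Needs the hashicorp/tls provider.
data "tls_certificate" "github" {
  url = "https://token.actions.githubusercontent.com/.well-known/openid-configuration"
}

# Register GitHub's token issuer as an identity provider in this account.
resource "aws_iam_openid_connect_provider" "github" {
  url             = "https://token.actions.githubusercontent.com"
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.github.certificates[0].sha1_fingerprint]
}

# Trust policy: only a token whose `sub` claim names this exact repository
# and branch may assume the role. Omitting the `sub` condition, or using
# StringLike with "repo:${var.github_org}/*", would let any repository in
# the org (or any branch or PR of this one) obtain the credentials.
data "aws_iam_policy_document" "github_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [aws_iam_openid_connect_provider.github.arn]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:aud"
      values   = ["sts.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "token.actions.githubusercontent.com:sub"
      values   = ["repo:${var.github_org}/${var.github_repo}:ref:refs/heads/main"]
    }
  }
}

# The role the workflow run assumes. Attach only the permissions the deploy
# job actually needs with a separate aws_iam_role_policy_attachment.
resource "aws_iam_role" "github_deploy" {
  name               = "${var.github_repo}-github-deploy" # assumed name
  assume_role_policy = data.aws_iam_policy_document.github_assume_role.json
}

output "github_deploy_role_arn" {
  value = aws_iam_role.github_deploy.arn
}
```

On the workflow side the job needs `permissions: id-token: write` and a step such as `aws-actions/configure-aws-credentials` with `role-to-assume` set to the role ARN above; no long-lived key is stored in the repository. Two caveats worth checking: the `sub` claim format differs by trigger (`repo:ORG/REPO:pull_request` for pull requests, `repo:ORG/REPO:environment:NAME` when a deployment environment is used), so a branch-only condition will reject those runs rather than silently allow them; and the `aud` condition should stay `sts.amazonaws.com`, which is what the AWS credentials action requests by default.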

johnstonmatt commented 10 months ago

https://www.youtube.com/watch?v=Io5UFJlEJKc

johnstonmatt commented 10 months ago

https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect

johnstonmatt commented 6 months ago

We could maybe call this keyless to make an analogy to cars.