Add Workload Identity as an auth mechanism

Author: balkrishna93

GettingStarted.md

@@ -11,6 +11,7 @@ The provider is a gRPC server accessible via the Unix domain socket. It's interf
       * [Authentication & Authorization](#authn-authz)
          * [User Principal](#auth-user-principal)
          * [Instance Princiapl](#auth-instance-principal)
+         * [Workload Identity](#auth-workload-identity)
          * [Access Policies](#access-policies)
    * [Deployment](#deployment)
       * [Helm](#helm-deployment)
@@ -49,9 +50,10 @@ This section describes steps to deploy and test solution.
 
 <a name="authn-authz"></a>
 ### Authentication and Authorization
-Currently, two modes of authentication is supported. Some AuthN modes are applicable only for a particular variant of cluster.
+Currently, three modes of authentication is supported. Some AuthN modes are applicable only for a particular variant of cluster.
 * [User Principal](#auth-user-principal)
 * [Instance Principal](#auth-instance-principal)
+* [Workload Identity](#auth-workload-identity)
 
 <a name="auth-user-principal"></a>
 ### User Principal
@@ -73,6 +75,15 @@ kubectl create secret generic oci-config \
 ### Instance Principal
 Instance principal would work only on OKE cluster.
 Access should be granted using Access Policies(See [Access Policies](#access-polices) section).
+
+<a name="auth-workload-identity"></a>
+### Workload Identity
+Workload Identity works only in OKE Enhanced clusters.
+
+Access should be granted using Access Policies(See [Access Policies for Workloads](#access-policies-workloads) section).
+
+Worklaod Identity uses a Resource Principal auth, which requires settings a couple ENV variables on the pod, including the region where the cluster is deployed. To achieve this, make sure to specify the `provider.oci.auth.types.workloadIdentity.enabled=true` and `provider.oci.auth.types.workloadIdentity.region=<region>` parameters in the `values.yaml` for the Helm chart deployment, or as an inline parameters.
+
 <a name="access-policies"></a>
 ### Access Policies
 Access to the vault and secrets should be explicity granted using Policies in case of Instance principal authencation or other users(non owner of vault) or groups of tenancy in case of user principal authentication.
@@ -103,6 +114,13 @@ It involves two steps
 
    More information on [Policy](https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policysyntax.htm)
 
+<a name="access-policies-workload"></a>
+### Access Policies for Workloads
+
+With Workload Identity authentication, only a policy is required, which defines the kubernetes workload the policy works for:
+
+`allow any-user to use secret-family in compartment <compartment-name> where ALL {request.principal.type='workload', request.principal.namespace ='<namespace>', request.principal.service_account = 'oci-secrets-store-csi-driver-provider-sa', request.principal.cluster_id = 'ocid1.cluster.oc1....'}`
+
 <a name="deployment"></a>
 ### Deployment
 Provider and Driver would be deployed as Daemonset. `kube-system` namespace is preferred, but not restricted.
@@ -132,7 +150,7 @@ Default values are provided in `charts/oci-secrets-store-csi-driver-provider/val
    kubectl apply -f deploy/provider.daemonset.yaml
    kubectl apply -f deploy/provider.serviceaccount.yaml
 
-   # if user authention principal is required
+   # if user authentication principal is required
    kubectl apply -f deploy/provider.roles.yaml
    ```
 <a name="provider-verification"></a>

charts/oci-secrets-store-csi-driver-provider/templates/provider.daemonset.yaml

@@ -42,6 +42,13 @@ spec:
               name: health-port
             - containerPort: {{ .Values.provider.metricsPort }}
               name: metrics-port
+          {{ if .Values.provider.oci.auth.types.workload.enabled }}    
+          env:
+            - name: OCI_RESOURCE_PRINCIPAL_VERSION
+              value: {{ .Values.provider.oci.auth.types.workload.resourcePrincipalVersion | quote }}
+            - name: OCI_RESOURCE_PRINCIPAL_REGION
+              value: {{ .Values.provider.oci.auth.types.workload.resourcePrincipalRegion }}
+          {{ end }}     
           resources:
             {{- toYaml .Values.provider.resources | nindent 12 }}
           # Container should run as root to mount the hostPath volume and create Unix Domain Socket in that volume.

charts/oci-secrets-store-csi-driver-provider/templates/provider.roles.yaml

@@ -27,4 +27,29 @@ subjects:
 - kind: ServiceAccount
   name: {{ .Chart.Name }}-sa
   namespace: {{ .Release.Namespace }}
-{{ end }}  
+{{ end }}  
+
+{{ if .Values.provider.oci.auth.types.workload.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Chart.Name }}-workload-identity-cluster-role
+rules:
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Chart.Name }}-workload-identity-cluster-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Chart.Name }}-workload-identity-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: {{ .Chart.Name }}-sa
+  namespace: {{ .Release.Namespace }}
+{{ end }}

charts/oci-secrets-store-csi-driver-provider/values.schema.json

@@ -104,6 +104,24 @@
                         }
                       }
                     },
+                    "workload": {
+                      "description": "Settings for OCI Workload authentication",
+                      "type": "object",
+                      "properties": {
+                        "enabled": {
+                          "description": "Settings for OCI Workload authentication",
+                          "type": "boolean"
+                        },
+                        "resourcePrincipalVersion": {
+                          "description": "Settings for OCI Workload authentication",
+                          "type": "string"
+                        },
+                        "resourcePrincipalRegion": {
+                          "description": "Settings for OCI Workload authentication",
+                          "type": "string"
+                        }
+                      }
+                    },
                     "additionalProperties": false
                  }
               },

charts/oci-secrets-store-csi-driver-provider/values.yaml

@@ -35,6 +35,11 @@ provider:
           enabled: true
         user:
           enabled: true
+        workload:
+          enabled: true
+          resourcePrincipalVersion: "2.2"
+          resourcePrincipalRegion: "sa-bogota-1"
+
 
   # socket endpoint for connections
   endpoint: "unix:///opt/provider/sockets/oci.sock"

deploy/example/app.deployment.yaml

@@ -23,6 +23,8 @@ spec:
       labels:
         app: nginx
     spec:
+      # serviceAccountName: workload-serviceaccount
+      # automountServiceAccountToken: true
       containers:
         - name: nginx
           image: nginx:1.21.4-alpine

deploy/example/secret-provider-class.yaml

@@ -34,5 +34,5 @@ spec:
         versionNumber: 1
         fileName: src-db-password
     vaultId: ocid1.vault.oc1..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-    authType: instance # possible values are: user, instance
+    authType: instance # possible values are: user, instance, workload
     authSecretName: oci-config # required if authType is user and this value refers secret name contains user credentials for auth against vault    

deploy/provider.daemonset.yaml

@@ -36,6 +36,11 @@ spec:
             - --metrics-port=8198
             - --enable-pprof=true
             - --pprof-port=6060
+          env:
+            - name: OCI_RESOURCE_PRINCIPAL_VERSION
+              value: "2.2"
+            - name: OCI_RESOURCE_PRINCIPAL_REGION
+              value: "us-ashburn-1" 
           resources:
             requests:
               cpu: 50m

deploy/provider.roles.yaml

@@ -13,6 +13,9 @@ rules:
 - apiGroups: [""]
   resources: ["secrets"]
   verbs: ["get"]
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  verbs: ["create"]  
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

go.mod

@@ -3,7 +3,7 @@ module github.com/oracle-samples/oci-secrets-store-csi-driver-provider
 go 1.19
 
 require (
-	github.com/oracle/oci-go-sdk/v65 v65.3.0
+	github.com/oracle/oci-go-sdk/v65 v65.61.1
 	github.com/pkg/errors v0.9.1
 	github.com/rs/zerolog v1.26.1
 	go.opentelemetry.io/otel v0.20.0
@@ -51,7 +51,7 @@ require (
 	go.opentelemetry.io/otel/trace v0.20.0 // indirect
 	golang.org/x/net v0.7.0 // indirect
 	golang.org/x/oauth2 v0.4.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
+	golang.org/x/sys v0.8.0 // indirect
 	golang.org/x/term v0.5.0 // indirect
 	golang.org/x/text v0.7.0 // indirect
 	golang.org/x/time v0.0.0-20220609170525-579cf78fd858 // indirect