
Change Config/CRD to support multi-authproviders

Open akashsinghal opened this issue 1 year ago • 3 comments

What would you like to be added?

Ratify plans to add support for multiple auth providers in the ORAS referrer store. Each auth provider will be selected via a regex/prefix matching scheme. A dictionary of auth providers will need to be provided in the authProvider field instead. Even though functionality will not be added to support this until post v1.0, we should consider changing the config to accept a dictionary of providers now so there won't be a breaking change post v1.0.

Anything else you would like to add?

No response

Are you willing to submit PRs to contribute to this feature?

  • [X] Yes, I am willing to implement it.

akashsinghal avatar Aug 10 '23 20:08 akashsinghal

use #135 for tracking actual implementation work post v1.0

akashsinghal avatar Aug 10 '23 20:08 akashsinghal

Here are my thoughts so far:

To avoid a breaking change post v1.0, we want to look into introducing/updating the existing authProvider field in the config to accept an array of auth provider configs instead of a single config. The authProvider field is used in the ORAS store AND it's used in the verifier/store plugins for OCI plugin source support. Ideally we want to extend the same functionality as the ORAS store auth provider to the OCI plugin auth provider.

  1. Edit the existing field in ORAS store and OCI plugin source: authProvider --> authProviders. This involves editing all the configs for both targets, which is feasible. However, there is an issue with CRD versioning for OCI Plugin source support. How would we update the existing CRD field? Would we need a new CRD version? If we use the existing version, how does the conversion API work?

  2. Add a new field called authProviders that sits alongside authProvider. This would require side-by-side support for both fields. Requires updating our factory create methods of Auth Provider to take multiple configs. We will have to deprecate the old config eventually. Do we need a new CRD version for this anyway?

akashsinghal avatar Aug 14 '23 18:08 akashsinghal

Summarizing community meeting discussion from 8/16/23:

  • multi auth provider support must be backwards compatible with single auth provider configs in the Store and Verifier CRDs
  • add to v1.1 milestone along with full multi-auth provider backend support including (prefix/regex) matching

Brainstorm on implementation for CRD versioning support:

  • Update the unversioned (hub) API to have PluginSource accept a list of AuthProviders
  • Update the v1alpha1 and v1beta1 (spokes) APIs conversion functions for Store and Verifier Spec to unversioned to create an AuthProvider list with a single element.
  • release a new CRD version v1beta2 with auth providers list and bump controllers to use new API version for CRD spec.

akashsinghal avatar Aug 17 '23 17:08 akashsinghal
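
The hub/spoke conversion brainstormed above, sketched in Go as an added example that is not part of the thread or of Ratify's code base. All type and function names are hypothetical, and returning an error when a multi-provider hub object is down-converted is an assumption of this example, not a decision recorded in the discussion.

```go
package main

import (
	"errors"
	"fmt"
)

// AuthProvider is a hypothetical stand-in for an auth provider config.
type AuthProvider struct {
	Name string
}

// SpokePluginSource models the older versions (v1alpha1/v1beta1): one optional provider.
type SpokePluginSource struct {
	Artifact     string
	AuthProvider *AuthProvider
}

// HubPluginSource models the unversioned hub: a list of providers.
type HubPluginSource struct {
	Artifact      string
	AuthProviders []AuthProvider
}

// ErrLossy marks a down-conversion that would have to drop providers.
var ErrLossy = errors.New("multiple auth providers cannot be expressed in the single-provider version")

// ToHub up-converts a spoke object: a single provider becomes a one-element list.
func ToHub(s SpokePluginSource) HubPluginSource {
	h := HubPluginSource{Artifact: s.Artifact}
	if s.AuthProvider != nil {
		h.AuthProviders = []AuthProvider{*s.AuthProvider}
	}
	return h
}

// FromHub down-converts and refuses to silently drop providers (assumed policy).
func FromHub(h HubPluginSource) (SpokePluginSource, error) {
	s := SpokePluginSource{Artifact: h.Artifact}
	switch len(h.AuthProviders) {
	case 0: // no provider configured; leave the pointer nil
	case 1:
		p := h.AuthProviders[0]
		s.AuthProvider = &p
	default:
		return s, ErrLossy
	}
	return s, nil
}

func main() {
	// Constructed sample values.
	hub := ToHub(SpokePluginSource{Artifact: "registry.example/plugin:v1", AuthProvider: &AuthProvider{Name: "provider-a"}})
	back, err := FromHub(hub)
	fmt.Println(len(hub.AuthProviders), back.AuthProvider.Name, err)
}
```

Existing single-provider objects round-trip unchanged through the hub, which is the backward-compatibility requirement from the 8/16/23 summary; only objects that actually use more than one provider fail to down-convert.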