Project Quay / PROJQUAY-7652

Keyless Authentication between Quay and OCP


    • Epic
    • Resolution: Unresolved
    • Critical
    • quay-v3.13.0
    • quay
    • quay-ocp-keyless-auth
    • BU Product Work
    • To Do
    • PROJQUAY-6718 - Keyless authentication between OpenShift and Quay
    • 50% To Do, 0% In Progress, 50% Done

      Epic Goal

      • Add support for federated credentials to an account in Quay

      Why is this important?

      • This is the first step towards integrating keyless authentication between Quay and OpenShift, which will ultimately culminate in OpenShift users being able to leverage Quay for seamless pulling and pushing of images. By using OIDC, Quay and OpenShift will be able to identify a user and leverage short-lived, regularly refreshed tokens to authenticate individual transactions.

      Scenarios

      1. A user is able to programmatically request an OAuth token that can be used by multiple authorized clusters and namespaces to push and pull images from Quay.
      2. A cluster and namespace that is not authorized to push and pull from a target Quay organization is not able to use the OAuth token to push and pull with Quay.

      Acceptance Criteria

      • An OAuth token in Quay can be associated with multiple clusters and namespaces.
      • The token can be programmatically created and destroyed.
      • A security assessment is performed and a review of authentication and authorization is completed.

      Dependencies (internal and external)

      1. ...

      Previous Work (Optional):

      Open questions:

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

            syahmed@redhat.com Syed Ahmed
            doconnor@redhat.com Dave O'Connor
            Eric Rich