Loading...

XML

Word

Printable

Type: Feature Request
Resolution: Won't Do
Priority: Major
Fix Version/s: None
Affects Version/s: quay, quay-3.13, quay-3.14
Component/s: Quay
Labels:
- quay
- quay-3.13
- quay-3.14

Target Version:
None
Activity Type:
Future Sustainability
Status Summary:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Products:
None
Hierarchy Progress Bar:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Review Complete:
None
PX Impact Score:
PX Impact Range:
None
PX Priority Data:
None
PX Technical Impact:
None
PX Technical Impact Notes:
None
PX Scheduling Request:
None

1. Proposed title of this feature request

Keyless authentication in Quay requires setting up Robot Federation for all namespaces using individual namespaces in a cluster instead of *

2. What is the nature and description of the request?

We are using `QuayAccessToken` and an `ExternalSecret` to enable keyless authentication for images to pull from our Quay registry.

3. Why does the customer need this?

To integrate keyless authentication with a Robot account using Robo Federation, we need to set the subject & issuer. When integrating for a single namespace, it works as follows:
```
system:serviceaccount:testframework:pipeline
```
However, we want to avoid setting this for each namespace in the cluster. Instead, we aim to use a wildcard (`*`) to apply it to all namespaces in the Robo Federation subject value:
```
system:serviceaccount:*:pipeline
```
Unfortunately, this approach is not working as expected.

4. List any affected packages or components.

quay

Assignee:: Daniel Messer

Reporter:: Dan S

Need Info From:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2025/05/28 6:03 PM

Updated:: 2025/09/13 3:56 AM

Resolved:: 2025/07/11 10:30 AM

Target start:: None

Target end:: None

Details

Description

Attachments

Easy Agile Planning Poker

Activity

People

Dates