Red Hat Advanced Cluster Security
ROX-29279

Enabling Quay registry keyless authentication via External Secret in RHACS

    • Type: Feature
    • Resolution: Done
    • Priority: Critical
    • Version: 4.8.0
    • Release Note Text:
      In this RHACS release you can use keyless authentication to Quay when delegated scanning is enabled for a Secured cluster. A short-lived Quay access token is produced by the External Secrets Operator QuayAccessToken generator and stored in a Kubernetes secret that the operator manages on the Secured cluster. External Secrets Operator handles rotation of the credential in that secret, and the RHACS image scan and image check APIs use it to authenticate to the Quay image registry when scanning images in a given namespace.

      Goal Summary:

      Red Hat Quay supports keyless authentication, which lets a short-lived, OIDC-federated credential be used in place of a long-lived robot account password. Security-minded customers using the RHACS APIs would like to opt in to keyless authentication to Quay.
      Goals and expected user outcomes:

      External Secrets Operator provides a generator, QuayAccessToken, that exchanges a Kubernetes service account token for a short-lived Quay access token through the OIDC federation configured on a Quay robot account, and keeps the resulting token in a secret on the K8s/OpenShift cluster that is managed (and refreshed) by an ExternalSecret. 


      Expected outcome: for images on Secured clusters, RHACS can use the external secret to authenticate to Quay when scanning and checking images. 


      Scope: Delegated scan with roxctl image scan --namespace (Optional --secret) 


      Out of Scope: RHACS Central OIDC federation with Quay. 


      Acceptance Criteria:

      roxctl image scan works with delegated scanning in a Secured cluster with keyless Quay integration.
      Success Criteria or KPIs measured:
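      The following manifests are an added example of the setup this feature relies on; they are not taken from the issue, from RHACS or from the External Secrets Operator project. The namespace (payments), service account (quay-keyless-sa), robot account (acme+rhacs-scanner), registry host (quay.example.com), the 30m refresh interval and the generator output keys (registry, auth) are assumptions; check them against the External Secrets Operator and Quay documentation for your versions.

```yaml
# Added example (not from ROX-29279). All names below are assumed for illustration:
# namespace "payments", service account "quay-keyless-sa",
# robot account "acme+rhacs-scanner", registry "quay.example.com".
---
# 1. Service account whose projected token is presented to Quay.
#    On the Quay side, robot account "acme+rhacs-scanner" must carry a federation
#    entry for this cluster's OIDC issuer with the subject
#    system:serviceaccount:payments:quay-keyless-sa; no password is stored anywhere.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: quay-keyless-sa
  namespace: payments
---
# 2. Generator: exchanges the service account token for a short-lived Quay access token.
apiVersion: generators.external-secrets.io/v1alpha1
kind: QuayAccessToken
metadata:
  name: quay-keyless-token
  namespace: payments
spec:
  url: quay.example.com                 # registry host (assumed)
  robotAccount: acme+rhacs-scanner      # robot account with OIDC federation (assumed)
  serviceAccountRef:
    name: quay-keyless-sa
    audiences:
      - quay.example.com                # must match the audience Quay expects (assumed)
---
# 3. ExternalSecret: renders the generator output as an image pull secret and
#    refreshes it before the token expires, so Sensor always finds a valid credential.
#    RHACS delegated scanning picks up kubernetes.io/dockerconfigjson secrets in the
#    namespace given to roxctl image scan --namespace.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: quay-keyless-pull-secret
  namespace: payments
spec:
  refreshInterval: 30m                  # assumed; keep it shorter than the token lifetime
  target:
    name: quay-keyless-pull-secret
    creationPolicy: Owner
    template:
      type: kubernetes.io/dockerconfigjson
      data:
        # "registry" and "auth" (base64 of robot:token) are assumed generator output keys
        .dockerconfigjson: '{"auths":{"{{ .registry }}":{"auth":"{{ .auth }}"}}}'
  dataFrom:
    - sourceRef:
        generatorRef:
          apiVersion: generators.external-secrets.io/v1alpha1
          kind: QuayAccessToken
          name: quay-keyless-token
```

      With these applied, and delegated scanning enabled for the cluster and registry in Central, a scan such as roxctl image scan --image quay.example.com/acme/app:1.2.3 --namespace payments (image name assumed) is delegated to Sensor, which authenticates to Quay with the rotated token from quay-keyless-pull-secret. Two things to check before blaming RHACS when a scan fails with an authentication error: that the ExternalSecret reports Ready (the generator rejects a service account token whose audience or subject does not match the federation entry on the robot account), and that refreshInterval is shorter than the lifetime Quay grants the token, otherwise Sensor will read an expired credential between refreshes.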


      <enter success criteria and/or KPIs here>

      Use Cases (Optional):


      For this feature, we will need 

      Out of Scope (Optional):


      <your text here>

              atelang@redhat.com Anjali Telang