[RFC-0010] Implementation

[matheuscscp]

This issue tracks the implementation of RFC-0010 (PR).

RFC patches:

• EKS Pod Identity: [RFC-0010] Remove EKS Pod Identity from the proposal #5309
• Feature gate: [RFC-0010] Update RFC to include opt-in feature gate #5354, [RFC-0010] Update RFC feature gate behavior #5355
• KubeConfig: [RFC-0010] Add workload identity support for remote clusters #5434
• KubeConfig generic provider: [RFC-0010] Add workload identity support for remote generic clusters #5452

RBAC:

• [RFC-0010] Add RBAC for creating service account tokens #5332

Libraries:

• Core library: [RFC-0010] Add core auth library pkg#906
• aws: [RFC-0010] Add aws auth library pkg#907
• azure: [RFC-0010] Add azure auth library pkg#909
• gcp: [RFC-0010] Add gcp auth library pkg#908
• Unit Tests: [RFC-0010] Add tests for auth providers pkg#917
• Integration Tests: [RFC-0010] Add integration tests for object-level workload identity pkg#924
• Delete old code: [RFC-0010] Validate artifact repository for all auth providers pkg#919
• Cross-cloud support: [RFC-0010] Support cross-cloud object-level workload identity pkg#925, [RFC-0010] Add provider audience to cache key and decouple packages pkg#928, [RFC-0010] Add integration test for GCP workload identity federation pkg#932
• Feature gate: [RFC-0010] Introduce feature gate for enabling object-level workload identity pkg#927
• KubeConfig: [RFC-0010] Introduce authentication for clusters pkg#960
• KubeConfig for all Azure clouds: [RFC-0010] auth/azure: Support all Azure clouds for remote clusters at the controller level pkg#988

CLI:

• OCI auth: Upgrade fluxcd/pkg auth, oci, git and git/gogit #5333

Controllers:

• kustomize-controller
  • SOPS Decryption: [RFC-0010] Introduce object-level workload identity for KMS decryption kustomize-controller#1426
  • KubeConfig: [RFC-0010] Introduce workload identity auth for remote clusters kustomize-controller#1476
  • KubeConfig for all Azure clouds: [RFC-0010] Support all Azure clouds for remote clusters at the controller level kustomize-controller#1488
  • Add docs for token cache controller flags: Add token cache flags for kustomize-controller website#2212
  • Feature gate: [RFC-0010] Introduce feature gate kustomize-controller#1449
• helm-controller
  • KubeConfig: [RFC-0010] Introduce workload identity auth for remote clusters helm-controller#1249
  • KubeConfig for all Azure clouds: [RFC-0010] Support all Azure clouds for remote clusters at the controller level helm-controller#1262
  • Add docs for token cache controller flags: [RFC-0010] Introduce workload identity auth for remote clusters website#2285
  • Feature gate: [RFC-0010] Introduce workload identity auth for remote clusters website#2285
• source-controller
  • GitRepository API (controller-level): Upgrade fluxcd/pkg cache, auth, git and gogit source-controller#1789
  • OCIRepository, HelmRepository and HelmChart APIs: [RFC-0010] Introduce object-level workload identity for OCIRepository source-controller#1790
  • GitRepository API (object-level): [RFC-0010] Add multi-tenant workload identity support for Azure GitRepository source-controller#1871
  • Bucket API - AWS: [RFC-0010] Add multi-tenant workload identity support for AWS Bucket source-controller#1868
  • Bucket API - Azure: [RFC-0010] Add multi-tenant workload identity support for Azure Blob Storage source-controller#1875
  • Bucket API - GCP: [RFC-0010] Add multi-tenant workload identity support for GCP Bucket source-controller#1862
  • Add docs for token cache controller flags: Token cache options documentation in controllers website#2181
  • Feature gate: [RFC-0010] Introduce feature gate source-controller#1802
• image-reflector-controller
  • ImageRepository API: [RFC-0010] Introduce object-level workload identity for ImageRepository image-reflector-controller#760
  • Add docs for token cache controller flags: Add token cache flags for image-reflector-controller website#2213
  • Feature gate: [RFC-0010] Introduce feature gate image-reflector-controller#762
• image-automation-controller
  • GitRepository API (controller-level): Update to Kubernetes 1.33.0 and Go 1.24.0 image-automation-controller#898
  • GitRepository API (object-level): [RFC-0010] Add multi-tenant workload identity support for ImageUpdateAutomation with Azure GitRepository image-automation-controller#951
  • Add docs for token cache controller flags: Token cache options documentation in controllers website#2181
  • Feature gate: [RFC-0010] Introduce feature gate image-automation-controller#907
• notification-controller
  • Azure Event Hubs: [RFC-0010] Implement managed identity support for Azure Event Hub provider notification-controller#1106
  • Azure Event Hubs new library: [RFC-0010] Azure OIDC integration updates for Azure DevOps and Azure EventHub notification-controller#1145
  • Azure DevOps: [RFC-0010] Azure OIDC integration updates for Azure DevOps and Azure EventHub notification-controller#1145
  • Google Pub/Sub: [RFC-0010] Add object-level workload identity support to Google Pub/Sub notifier notification-controller#1154
  • Add docs for token cache controller flags: Token cache options documentation in controllers website#2181
  • Feature gate: [RFC-0010] Introduce feature gate notification-controller#1116

Multi-tenancy lockdown PRs (#5465):

• pkg: [RFC-0010] auth: add lockdown support for multi-tenant workload identity pkg#1008
• image-automation-controller: [RFC-0010] Add default-service-account for lockdown image-automation-controller#952
• kustomize-controller: [RFC-0010] Add multi-tenancy lockdown for decryption and kubeconfig kustomize-controller#1495
• helm-controller: [RFC-0010] Add multi-tenancy lockdown for kubeconfig helm-controller#1284
• source-controller: [RFC-0010] Add default-service-account for lockdown source-controller#1872
• notification-controller: [RFC-0010] Add default-service-account for lockdown notification-controller#1161
• image-reflector-controller: [RFC-0010] Add default-service-account for lockdown image-reflector-controller#807
• website: [RFC-0010] Add default service account flags for lockdown website#2323

Website docs:

• [RFC-0010] Add section for integrations website#2225

Update/remove duplicated workload identity/secrets docs from controller repositories for Flux 2.6:

• source-controller: [RFC-0010] Link workload identity docs to complete guide source-controller#1811
• kustomize-controller: [RFC-0010] Link workload identity docs to complete guide kustomize-controller#1456
• notification-controller: [RFC-0010] Link workload identity docs to complete guide notification-controller#1120
• image-reflector-controller: [RFC-0010] Link workload identity docs to complete guide image-reflector-controller#766
• image-automation-controller: [RFC-0010] Link workload identity docs to complete guide image-automation-controller#913

Update website docs for 2.7:

• Remove list of Flux APIs supporting object-level workload identity because now all of them support it: [RFC-0010] Complete implementation website#2338
• Add docs for KubeConfig: [RFC-0010] Introduce workload identity auth for remote clusters website#2285

Update Context-Based Authorization docs:

• For Flux 2.6: [RFC-0010] Add section for integrations website#2225
• For Flux 2.7: [RFC-0010] Complete implementation website#2338