[RFC-0010] Link workload identity docs to complete guide

matheuscscp · matheuscscp · commit c13d098c167a · 2025-05-26T23:26:24.000+01:00
Signed-off-by: Matheus Pimenta &lt;matheuscscp@gmail.com&gt;
diff --git a/docs/spec/v1/buckets.md b/docs/spec/v1/buckets.md
@@ -134,6 +134,9 @@ Supported options are:
 
 If you do not specify `.spec.provider`, it defaults to `generic`.
 
+For a complete guide on how to set up authentication for cloud providers,
+see the integration [docs](/flux/integrations/).
+
 #### Generic
 
 When a Bucket's `spec.provider` is set to `generic`, the controller will
diff --git a/docs/spec/v1/gitrepositories.md b/docs/spec/v1/gitrepositories.md
@@ -251,6 +251,9 @@ Supported options are:
 When provider is not specified, it defaults to `generic` indicating that
 mechanisms using `spec.secretRef` are used for authentication. 
 
+For a complete guide on how to set up authentication for cloud providers,
+see the integration [docs](/flux/integrations/).
+
 #### Azure
 
 The `azure` provider can be used to authenticate to Azure DevOps repositories
diff --git a/docs/spec/v1beta2/ocirepositories.md b/docs/spec/v1beta2/ocirepositories.md
@@ -121,6 +121,9 @@ static credentials are used for authentication, either with
 `spec.secretRef` or `spec.serviceAccountName`.
 If you do not specify `.spec.provider`, it defaults to `generic`.
 
+For a complete guide on how to set up authentication for cloud providers,
+see the integration [docs](/flux/integrations/).
+
 #### AWS
 
 The `aws` provider can be used to authenticate automatically using the EKS
@@ -267,12 +270,22 @@ kubectl create secret docker-registry ...
 
 ### Service Account reference
 
-`.spec.serviceAccountName` is an optional field to specify a name reference to a
-Service Account in the same namespace as the OCIRepository. The controller will
-fetch the image pull secrets attached to the service account and use them for authentication.
+`.spec.serviceAccountName` is an optional field to specify a Service Account
+in the same namespace as OCIRepository with purpose depending on the value of
+the `.spec.provider` field:
+
+- When `.spec.provider` is set to `generic`, the controller will fetch the image
+  pull secrets attached to the Service Account and use them for authentication.
+- When `.spec.provider` is set to `aws`, `azure`, or `gcp`, the Service Account
+  will be used for Workload Identity authentication. In this case, the controller
+  feature gate `ObjectLevelWorkloadIdentity` must be enabled, otherwise the
+  controller will error out.
+
+**Note:** that for a publicly accessible image repository, you don't need to
+provide a `secretRef` nor `serviceAccountName`.
 
-**Note:** that for a publicly accessible image repository, you don't need to provide a `secretRef`
-nor `serviceAccountName`.
+For a complete guide on how to set up authentication for cloud providers,
+see the integration [docs](/flux/integrations/).
 
 ### Cert secret reference
 
