Add Workload Identity as an auth mechanism

Author: balkrishna93

GettingStarted.md

@@ -11,6 +11,7 @@ The provider is a gRPC server accessible via the Unix domain socket. It's interf
       * [Authentication & Authorization](#authn-authz)
          * [User Principal](#auth-user-principal)
          * [Instance Princiapl](#auth-instance-principal)
+         * [Workload Identity](#auth-workload-identity)
          * [Access Policies](#access-policies)
    * [Deployment](#deployment)
       * [Helm](#helm-deployment)
@@ -49,9 +50,10 @@ This section describes steps to deploy and test solution.
 
 <a name="authn-authz"></a>
 ### Authentication and Authorization
-Currently, two modes of authentication is supported. Some AuthN modes are applicable only for a particular variant of cluster.
+Currently, three modes of authentication is supported. Some AuthN modes are applicable only for a particular variant of cluster.
 * [User Principal](#auth-user-principal)
 * [Instance Principal](#auth-instance-principal)
+* [Workload Identity](#auth-workload-identity)
 
 <a name="auth-user-principal"></a>
 ### User Principal
@@ -73,6 +75,15 @@ kubectl create secret generic oci-config \
 ### Instance Principal
 Instance principal would work only on OKE cluster.
 Access should be granted using Access Policies(See [Access Policies](#access-polices) section).
+
+<a name="auth-workload-identity"></a>
+### Workload Identity
+Workload Identity works only in OKE Enhanced clusters.
+
+Access should be granted using Access Policies(See [Access Policies for Workloads](#access-policies-workloads) section).
+
+Workload Identity uses a Resource Principal auth, which requires settings a couple of ENV variables on the provider pod, including the region where the cluster is deployed. To achieve this, make sure to specify the `provider.oci.auth.types.workload.resourcePrincipalVersion=<version>` and `provider.oci.auth.types.workload.resourcePrincipalRegion=<region>` parameters in the `values.yaml` for the Helm chart deployment, or as inline parameters.
+
 <a name="access-policies"></a>
 ### Access Policies
 Access to the vault and secrets should be explicity granted using Policies in case of Instance principal authencation or other users(non owner of vault) or groups of tenancy in case of user principal authentication.
@@ -103,6 +114,13 @@ It involves two steps
 
    More information on [Policy](https://docs.oracle.com/en-us/iaas/Content/Identity/Concepts/policysyntax.htm)
 
+<a name="access-policies-workload"></a>
+### Access Policies for Workloads
+
+With Workload Identity authentication, only a policy is required, which defines the kubernetes workload the policy works for:
+
+`allow any-user to use secret-family in compartment <compartment-name> where ALL {request.principal.type='workload', request.principal.namespace ='<namespace>', request.principal.service_account = 'oci-secrets-store-csi-driver-provider-sa', request.principal.cluster_id = 'ocid1.cluster.oc1....'}`
+
 <a name="deployment"></a>
 ### Deployment
 Provider and Driver would be deployed as Daemonset. `kube-system` namespace is preferred, but not restricted.
@@ -132,7 +150,7 @@ Default values are provided in `charts/oci-secrets-store-csi-driver-provider/val
    kubectl apply -f deploy/provider.daemonset.yaml
    kubectl apply -f deploy/provider.serviceaccount.yaml
 
-   # if user authention principal is required
+   # if user authentication principal is required
    kubectl apply -f deploy/provider.roles.yaml
    ```
 <a name="provider-verification"></a>

charts/oci-secrets-store-csi-driver-provider/templates/provider.daemonset.yaml

@@ -42,6 +42,13 @@ spec:
               name: health-port
             - containerPort: {{ .Values.provider.metricsPort }}
               name: metrics-port
+          {{ if .Values.provider.oci.auth.types.workload.enabled }}    
+          env:
+            - name: OCI_RESOURCE_PRINCIPAL_VERSION
+              value: {{ .Values.provider.oci.auth.types.workload.resourcePrincipalVersion | quote }}
+            - name: OCI_RESOURCE_PRINCIPAL_REGION
+              value: {{ .Values.provider.oci.auth.types.workload.resourcePrincipalRegion }}
+          {{ end }}     
           resources:
             {{- toYaml .Values.provider.resources | nindent 12 }}
           # Container should run as root to mount the hostPath volume and create Unix Domain Socket in that volume.

charts/oci-secrets-store-csi-driver-provider/templates/provider.roles.yaml

@@ -27,4 +27,29 @@ subjects:
 - kind: ServiceAccount
   name: {{ .Chart.Name }}-sa
   namespace: {{ .Release.Namespace }}
-{{ end }}  
+{{ end }}  
+
+{{ if .Values.provider.oci.auth.types.workload.enabled }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ .Chart.Name }}-workload-identity-cluster-role
+rules:
+- apiGroups: [""]
+  resources: ["serviceaccounts/token"]
+  verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .Chart.Name }}-workload-identity-cluster-rolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ .Chart.Name }}-workload-identity-cluster-role
+subjects:
+- kind: ServiceAccount
+  name: {{ .Chart.Name }}-sa
+  namespace: {{ .Release.Namespace }}
+{{ end }}

charts/oci-secrets-store-csi-driver-provider/values.schema.json

@@ -104,6 +104,24 @@
                         }
                       }
                     },
+                    "workload": {
+                      "description": "Settings for OCI Workload authentication",
+                      "type": "object",
+                      "properties": {
+                        "enabled": {
+                          "description": "Settings for OCI Workload authentication",
+                          "type": "boolean"
+                        },
+                        "resourcePrincipalVersion": {
+                          "description": "Settings for OCI Workload authentication",
+                          "type": "string"
+                        },
+                        "resourcePrincipalRegion": {
+                          "description": "Settings for OCI Workload authentication",
+                          "type": "string"
+                        }
+                      }
+                    },
                     "additionalProperties": false
                  }
               },

charts/oci-secrets-store-csi-driver-provider/values.yaml

@@ -35,6 +35,11 @@ provider:
           enabled: true
         user:
           enabled: true
+        workload:
+          enabled: true
+          resourcePrincipalVersion: "2.2"
+          resourcePrincipalRegion: "us-ashburn-1"
+
 
   # socket endpoint for connections
   endpoint: "unix:///opt/provider/sockets/oci.sock"

deploy/example/app.deployment.yaml

@@ -23,6 +23,8 @@ spec:
       labels:
         app: nginx
     spec:
+      # serviceAccountName: workload-serviceaccount
+      # automountServiceAccountToken: true
       containers:
         - name: nginx
           image: nginx:1.21.4-alpine

deploy/example/secret-provider-class.yaml

@@ -34,5 +34,5 @@ spec:
         versionNumber: 1
         fileName: src-db-password
     vaultId: ocid1.vault.oc1..aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
-    authType: instance # possible values are: user, instance
+    authType: instance # possible values are: user, instance, workload
     authSecretName: oci-config # required if authType is user and this value refers secret name contains user credentials for auth against vault    

deploy/example/workload/workload-app.deployment.yaml

@@ -0,0 +1,48 @@
+#
+# OCI Secrets Store CSI Driver Provider
+# 
+# Copyright (c) 2022 Oracle America, Inc. and its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+#
+
+# This Deployment is used as a reference example of how to mount secrets into the pod
+# via Secrets Store CSI Driver and OCI Vault Provider.
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nginx
+  namespace: workload
+  labels:
+    app: nginx
+spec:
+  selector:
+    matchLabels:
+      app: nginx
+  template:
+    metadata:
+      labels:
+        app: nginx
+    spec:
+      serviceAccountName: workload-sa
+      automountServiceAccountToken: true
+      containers:
+        - name: nginx
+          image: nginx:1.21.4-alpine
+          ports:
+            - containerPort: 80
+          resources:
+            limits:
+              memory: 128Mi
+              cpu: 200m
+          volumeMounts:
+            - name: 'some-creds'
+              mountPath: '/mnt/secrets-store'  # here are mounted secrets
+              readOnly: true
+      volumes:
+        - name: some-creds
+          csi:
+            driver: 'secrets-store.csi.k8s.io'
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: 'test-oci-provider-class'  # here we reference particular SecretProviderClass

deploy/example/workload/workload-secret-provider-class.yaml

@@ -0,0 +1,39 @@
+#
+# OCI Secrets Store CSI Driver Provider
+# 
+# Copyright (c) 2022 Oracle America, Inc. and its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+#
+
+# SecretProviderClass is a custom resource to provide driver configurations and
+# provider-specific parameters to the CSI driver.
+#
+# On pod start and restart, the driver will communicate with the provider to retrieve the secret content
+# from the external Secrets Store you have specified in the SecretProviderClass resource.
+#
+# For more information check: https://secrets-store-csi-driver.sigs.k8s.io/getting-started/usage.html
+#
+# This SecretProviderClass is used as a reference example of how to configure the OCI Vault provider.
+# Each SecretProviderClass enumerates secrets to mount into the pod.
+# So, multiple SecretProviderClass resources could exist in a single Kubernetes cluster.
+
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: test-oci-provider-class  # SecretProviderClass name is referenced from pod definition
+  namespace: workload
+spec:
+  provider: oci # `provider` value is used as the provider socket name, must be constant
+  parameters:
+    # Each secret could be identified with `name` and either `stage` or `versionNumber`.
+    # If both `stage` and `versionNumber` are omitted, default stage CURRENT is used.
+    # Secret names could not be duplicated, since `name` field is used as a file name during the mounting.
+    secrets: |
+      - name: Secret-1
+        stage: CURRENT
+      - name: Secret-2
+        versionNumber: 1
+        fileName: src-db-password
+    vaultId: ocid1.vault.oc1.phx.efszzxxbaabz6.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
+    authType: workload # possible values are: user, instance, workload
+    authSecretName: oci-config # required if authType is user and this value refers secret name contains user credentials for auth against vault    

deploy/example/workload/workload.serviceaccount.yaml

@@ -0,0 +1,17 @@
+#
+# OCI Secrets Store CSI Driver Provider
+# 
+# Copyright (c) 2022 Oracle America, Inc. and its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+#
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: workload
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: workload-sa
+  namespace: workload