You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: examples/README-AWS-SECRETS-MANAGER-BEARER-AUTH.md
+7-3Lines changed: 7 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -177,15 +177,19 @@ To rotate keys without downtime:
177
177
178
178
### With OIDC Workload Identity
179
179
180
-
AWS Secrets Manager bearer authentication can coexist with OIDC workload identity. If both are configured, Zot will try OIDC authentication first, then fall back to traditional bearer token authentication using keys from AWS Secrets Manager:
180
+
AWS Secrets Manager bearer authentication can coexist with OIDC workload identity. Direct bearer tokens are still verified using keys from AWS Secrets Manager after OIDC authentication fails. For challenge-based OCI username/password login, configure the optional `upstreamTokenEndpoint` object so Zot's OIDC token exchange endpoint can forward token requests that are not owned by local token backends to the existing traditional bearer token service. `upstreamTokenEndpoint.realm` must use HTTPS by default; plaintext HTTP requires the explicit `upstreamTokenEndpoint.allowInsecureHttp` opt-in and should only be used in controlled test environments:
@@ -49,6 +47,16 @@ Add OIDC workload identity configuration to your bearer authentication settings.
49
47
-**`audiences`** (required): List of acceptable audiences for the OIDC token. At least one must be specified.
50
48
- Example: `["zot", "https://zot.example.com"]`
51
49
50
+
-**`realm`** (required for challenge-based OCI username/password login flows): Absolute URL of the bearer token service advertised in `WWW-Authenticate` challenges. Set this to Zot token exchange endpoint, normally `https://<registry-host>/zot/auth/token`, when OCI clients should exchange an OIDC token password with Zot itself.
51
+
52
+
-**`service`** (recommended): Registry service name advertised in the bearer challenge. Use the registry host and port that clients connect to.
53
+
54
+
-**`upstreamTokenEndpoint.realm`** (optional; configure inside `upstreamTokenEndpoint` with `service`): HTTPS URL for an existing traditional bearer token service. Zot uses this only as a compatibility fallback when `/zot/auth/token` receives credentials that are not owned by any local token backend.
55
+
56
+
-**`upstreamTokenEndpoint.service`** (optional; configure inside `upstreamTokenEndpoint` with `realm`): Service value Zot sends to the upstream traditional bearer token service. Zot preserves the original token request method, headers, query parameters, and body, rewriting only `service` to this value.
57
+
58
+
-**`upstreamTokenEndpoint.allowInsecureHttp`** (optional; default `false`): Allows `upstreamTokenEndpoint.realm` to use plaintext HTTP. This can expose proxied credentials and should only be used in controlled test environments.
59
+
52
60
-**`claimMapping`** (optional): CEL-based configuration for validating and mapping OIDC claims.
53
61
-**`variables`**: List of variables to extract from claims using CEL expressions
54
62
-**`validations`**: List of validation rules with CEL expressions
@@ -87,6 +95,10 @@ In the example below, the username is mapped from both the issuer and subject
87
95
claims to uniquely identify Kubernetes ServiceAccounts across different clusters.
88
96
Note that `claims.iss + '/' + claims.sub` is the default username mapping if none
89
97
is specified (so the whole `claimMapping` section could be omitted in this example).
98
+
The example also advertises Zot token exchange endpoint for OCI username/password
99
+
login flows. If the same bearer configuration also uses traditional bearer
100
+
authentication, add `upstreamTokenEndpoint` as shown in the compatibility
101
+
section so non-OIDC token requests can fall back to the external token service.
90
102
91
103
```json
92
104
{
@@ -99,8 +111,8 @@ is specified (so the whole `claimMapping` section could be omitted in this examp
Zot also supports the OCI token service flow for clients that only know how to send registry credentials as username/password pairs. When `bearer.oidc` is configured, Zot exposes `GET` and `POST` on `/zot/auth/token`. For local OIDC workload login, the submitted credential must be an OIDC JWT trusted by one of the configured `bearer.oidc` providers.
293
+
294
+
To make Docker, containerd, or kubelet discover Zot token exchange endpoint automatically, configure `bearer.realm` as an externally reachable URL for `/zot/auth/token` and set `bearer.service` to the registry host clients use. In mixed deployments with traditional bearer authentication, set `upstreamTokenEndpoint` so Zot can forward token requests that are not owned by local token backends to the existing traditional bearer token service. Browser `openid.providers` logins continue to use `/zot/auth/login`, not this token endpoint.
The response contains the same OIDC token in both `token` and `access_token`, plus `expires_in` and `issued_at` derived from the JWT claims, allowing OCI clients to retry the original registry request with `Authorization: Bearer <token>`.
echo"$TOKEN"| docker login -u zot --password-stdin zot.example.com
313
+
```
314
+
315
+
This requires the registry challenge to advertise `realm: "https://zot.example.com/zot/auth/token"` and a `service` value matching the registry host clients use.
316
+
317
+
### Kubernetes Image Pull Secrets
318
+
319
+
For kubelet image pulls, store a projected ServiceAccount token as the password in a `kubernetes.io/dockerconfigjson` Secret. The username can be any non-empty value.
320
+
321
+
```yaml
322
+
apiVersion: v1
323
+
kind: Secret
324
+
metadata:
325
+
name: zot-oidc-pull-secret
326
+
namespace: workloads
327
+
type: kubernetes.io/dockerconfigjson
328
+
stringData:
329
+
.dockerconfigjson: |
330
+
{
331
+
"auths": {
332
+
"zot.example.com": {
333
+
"username": "zot",
334
+
"password": "<kubernetes-service-account-token>"
335
+
}
336
+
}
337
+
}
338
+
```
339
+
340
+
Attach the Secret to the Pod or ServiceAccount that pulls from Zot:
341
+
342
+
```yaml
343
+
apiVersion: v1
344
+
kind: Pod
345
+
metadata:
346
+
name: zot-pull-test
347
+
namespace: workloads
348
+
spec:
349
+
imagePullSecrets:
350
+
- name: zot-oidc-pull-secret
351
+
containers:
352
+
- name: app
353
+
image: zot.example.com/app:v1
354
+
```
355
+
278
356
### Flux Integration
279
357
280
358
Flux can use Kubernetes ServiceAccount tokens to authenticate to Zot without secrets:
@@ -372,15 +450,21 @@ Use Zot's access control policies to grant permissions based on the OIDC identit
372
450
373
451
### Traditional Bearer Authentication
374
452
375
-
OIDC workload identity can coexist with traditional bearer authentication. If both are configured, Zot will try OIDC authentication first, then fall back to traditional bearer token authentication:
453
+
OIDC workload identity can coexist with traditional bearer authentication. If both are configured, Zot will try OIDC authentication first, then fall back to traditional bearer token authentication.
454
+
455
+
There is still only one `bearer.realm` value in the challenge, so mixed deployments should advertise Zot `/zot/auth/token` and configure the existing traditional bearer token service as a proxy fallback. Zot first checks whether the submitted credential is owned by a local token backend such as `bearer.oidc` or `openid.providers`. Locally owned credentials are never proxied: they either authenticate locally or fail with 401. If no local backend owns the credential, Zot proxies the token request to `upstreamTokenEndpoint.realm`, preserving the request shape and rewriting `service` to `upstreamTokenEndpoint.service`:
Copy file name to clipboardExpand all lines: examples/README.md
+2Lines changed: 2 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -375,6 +375,8 @@ NOTE: The separate file for storing DN and password credentials must be created.
375
375
}
376
376
```
377
377
378
+
When OIDC workload identity/federation uses Zot `/zot/auth/token` but the same deployment still needs this traditional bearer token service, configure the optional `upstreamTokenEndpoint` object. `upstreamTokenEndpoint.realm` points to the existing traditional bearer token service and `upstreamTokenEndpoint.service` is the upstream service value; Zot preserves the token request and rewrites only `service` before proxying requests that are not owned by local token backends. `upstreamTokenEndpoint.realm` must use HTTPS by default; plaintext HTTP requires `upstreamTokenEndpoint.allowInsecureHttp: true` and should only be used in controlled test environments.
0 commit comments