Define how the WFM manages OCI credentials within the Margo device. #129

@ajcraig

Feature description

To enable deployment of applications defined via the WFM, the device needs credentials to access the workload artifacts (OCI Containers / Helm Charts / Compose Tars / other artifacts).

Category

  • Trust
  • App artifact repository

Provide adequate technical acceptance criteria(s) associated with this feature below:

  • Define what standard authorization mechanisms Margo wants to support for the following artifacts:
    • Helm packages
    • container images
    • compose tar files
  • Define how the WFM receives and manages the credentials from the tenant wanting to deploy the applications
  • Define how the WFM prepares these credentials to be pulled via the Edge device
  • Define how the edge device is required to store these credentials

Although not required, it is highly encouraged to provide feature use-cases below:

  • Ensures secure access to application artifact repositories.
  • Enables users to access applications regardless of the device running the applications at the edge.
  • Centrally manages the credentials through the WFM.

Additional information

Notes from minimum scope definition exercise:

  • The specification doesn't specify how the device gets the credentials it needs to be able to pull the Helm chart, container images, or compose tar file if it's in a secure location. Unless the specification indicates how this should be provided, it will prevent interoperability from being achievable because no expectations are set.
  • Indicating only registries with anonymous access are supported for GA1 is a security issue because it means all application vendors will either need to have their artifacts hosted in a public registry that anyone can access, or all customers would need to host their own OCI registry on site.

    Projects

    Status

    PR2 Core Scope Features
