Description
Write an ADR for introducing a type-safe credential and consumer identity system for OCM.
This builds on the exploration in #979 and supersedes the earlier proposal in #704. It also incorporates typed consumer identity types from #800.
Scope
The ADR should cover decisions on:
- Typed credentials -- Resolver returns runtime.Typed instead of map[string]string; each binding owns its credential spec (e.g. OCICredentials/v1, RSACredentials/v1)
- Typed consumer identities -- central ConsumerIdentityTypeScheme registry replacing scattered string constants, with alias normalization
- Credential and identity type registration -- both use runtime.Scheme, registered per binding at init time
- Plugin contract -- plugins declare ProducedCredentialType, validated at startup
- DirectCredentials/v1 -- role as generic fallback during and after migration
Open Questions to Address
- Should DirectCredentials/v1 always be convertible to any typed credential, or require an explicit type?
- How do we handle credential spec versioning (e.g. OCICredentials/v1 -> v2) with old configs?
- Should K8s verification keys go through the credential graph instead of bypassing it?
- What should the error look like when a provider returns the wrong credential type?
- All plugins are currently builtin -- should the external plugin contract use runtime.Typed from the start?
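As an added illustration for the ADR discussion (not code from the OCM project or from #979, #704 or #800), the Go sketch below models the scope items with stand-in types: a minimal Scheme with alias normalization in place of runtime.Scheme, a Typed interface in place of runtime.Typed, per-binding credential specs named after OCICredentials/v1, RSACredentials/v1 and DirectCredentials/v1 (their field layouts are constructed), and a generic ResolveAs that verifies the spec type a provider returns. It also shows one candidate shape for two of the open questions, a structured WrongCredentialTypeError and an explicit binding-supplied converter for DirectCredentials/v1, without deciding them. The consumer identity type ExampleRegistry/v1, its alias and all credential values are constructed for the example.

```go
package main

import "fmt"

// Type names a credential or consumer-identity kind, e.g. "OCICredentials/v1".
type Type string

// Typed is a stand-in for the page's runtime.Typed: a value that reports its own type.
type Typed interface{ GetType() Type }

// Scheme is a stand-in for runtime.Scheme: a registry of known type names with
// alias normalization, filled per binding at init time (hence no locking here).
type Scheme struct{ canon map[Type]Type } // alias or canonical name -> canonical name

func NewScheme() *Scheme { return &Scheme{canon: map[Type]Type{}} }

// Register adds a canonical type name and the aliases that normalize to it.
func (s *Scheme) Register(t Type, aliases ...Type) {
	s.canon[t] = t
	for _, a := range aliases {
		s.canon[a] = t
	}
}

// Normalize maps a name or alias to its canonical type; ok is false for unknown names.
func (s *Scheme) Normalize(t Type) (Type, bool) {
	c, ok := s.canon[t]
	return c, ok
}

// Credential specs, one per binding. Field layouts are constructed for this
// example and are not OCM's actual specs.
type OCICredentials struct{ Username, Password string }
func (OCICredentials) GetType() Type { return "OCICredentials/v1" }

type RSACredentials struct{ PrivateKeyPEM string }
func (RSACredentials) GetType() Type { return "RSACredentials/v1" }

// DirectCredentials is the generic fallback: an untyped bag of properties.
type DirectCredentials struct{ Properties map[string]string }
func (DirectCredentials) GetType() Type { return "DirectCredentials/v1" }

// WrongCredentialTypeError is one candidate shape for the "provider returned the
// wrong credential type" error that the issue lists as an open question.
type WrongCredentialTypeError struct{ Consumer, Want, Got Type }

func (e *WrongCredentialTypeError) Error() string {
	return fmt.Sprintf("credentials for consumer %q: want %s, provider returned %s", e.Consumer, e.Want, e.Got)
}

// Resolver stands in for a resolver that returns a Typed value instead of map[string]string.
type Resolver func(consumer Type) (Typed, error)

// ResolveAs resolves credentials for a consumer identity and checks that they carry
// the spec type T the binding expects. DirectCredentials/v1 is accepted only via an
// explicit converter from the binding (the "explicit type" option of the open
// question above); any other mismatch is reported as a WrongCredentialTypeError.
func ResolveAs[T Typed](r Resolver, ids *Scheme, consumer Type, fromDirect func(DirectCredentials) (T, error)) (T, error) {
	var want T // zero value of a struct spec; its GetType still answers
	canon, ok := ids.Normalize(consumer)
	if !ok {
		return want, fmt.Errorf("unknown consumer identity type %q", consumer)
	}
	cred, err := r(canon)
	if err != nil {
		return want, err
	}
	switch c := cred.(type) {
	case T:
		return c, nil
	case DirectCredentials:
		if fromDirect != nil {
			return fromDirect(c)
		}
	}
	return want, &WrongCredentialTypeError{Consumer: canon, Want: want.GetType(), Got: cred.GetType()}
}

// Constructed demo data: one consumer identity type with an alias, and providers
// that return typed, untyped and mismatched credentials.
func newExampleIdentityScheme() *Scheme {
	s := NewScheme()
	s.Register("ExampleRegistry/v1", "example-registry")
	return s
}
func typedProvider(Type) (Typed, error) { return OCICredentials{Username: "user", Password: "pass"}, nil }
func directProvider(Type) (Typed, error) {
	return DirectCredentials{Properties: map[string]string{"username": "user", "password": "pass"}}, nil
}
func rsaProvider(Type) (Typed, error) { return RSACredentials{PrivateKeyPEM: "<constructed>"}, nil }

// ociFromDirect is the binding's explicit DirectCredentials -> OCICredentials conversion.
func ociFromDirect(d DirectCredentials) (OCICredentials, error) {
	u, p := d.Properties["username"], d.Properties["password"]
	if u == "" || p == "" {
		return OCICredentials{}, fmt.Errorf("DirectCredentials/v1 lacks the username/password that OCICredentials/v1 needs")
	}
	return OCICredentials{Username: u, Password: p}, nil
}

func main() {
	ids := newExampleIdentityScheme()
	for _, p := range []Resolver{typedProvider, directProvider, rsaProvider} {
		c, err := ResolveAs[OCICredentials](p, ids, "example-registry", ociFromDirect)
		fmt.Printf("type=%s err=%v\n", c.GetType(), err) // print the type only, never the secret
	}
}
```

The type switch on the type parameter is what makes the resolver's return value safe to consume: a binding asks for the spec it owns, and a provider that hands back a different spec, or an untyped bag with no converter registered, produces an error that names the consumer, the expected type and the actual type, which is the information a startup validation of ProducedCredentialType would also need.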
Timebox: 2 day(s)
Done Criteria