OIDC with Namespace

See the general OIDC documentation before diving into the Namespace-specific setup.

Namespace-Specific Setup

  • Configure Namespace in your RWX Vault
  • Configure RWX as a Trusted Relationship in Namespace
  • Install and Authenticate with Namespace in an RWX task

Configure Namespace in RWX

RWX Vaults control which RWX runs can access which sensitive values. If you're building container images on feature branches, you can configure Namespace in the default vault. If you're building on a protected branch like main, then you may want to set up Namespace in a locked vault.

See the docs on vaults for more details on how to configure your vaults.

By convention, use namespace as the token name, and set the audience to federation.namespaceapis.com.

Configure RWX in Namespace

At the time of writing, establishing a Trust Relationship on Namespace is not self-service. However, this functionality is under active development. For now, you can reach out to Namespace support.

You'll be asked for your Namespace Workspace ID (found in your settings on Namespace) and the RWX OIDC subject (which is shown in the OIDC tab of your RWX vault).

See the Namespace docs on trust relationships for more details.

Install and Authenticate with Namespace in an RWX task

First, install the Namespace CLI in a task using the namespace/install-cli package:

tasks:
  - key: namespace-cli
    call: namespace/install-cli 1.0.0

You can now define a task that uses the CLI and the namespace/login-hook package to authenticate via OIDC:

tasks:
  - key: namespace-cli
    call: namespace/install-cli 1.0.0

  - key: namespace-login
    call: namespace/login-hook 1.0.0
    with:
      workspace-id: my-namespace-workspace-id

  - key: build-image
    use: [namespace-cli, namespace-login]
    run: nsc build --name foo/bar .
    env:
      NAMESPACE_OIDC_TOKEN:
        value: ${{ vaults.your-vault.oidc.your-token-name-usually-namespace }}
        cache-key: excluded

Setting cache-key: excluded ensures that changes to the Namespace token do not affect whether the build-image task can be a cache hit. For more details, see the docs on environment variables.
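
A pre-flight check for the token configured above, added here as an example and not taken from the RWX or Namespace documentation: it decodes the claims of the OIDC token without verifying the signature (diagnostic only) and reports whether the audience, subject and expiry match what the trust relationship expects. It assumes the token is a standard compact JWT with aud, sub and exp claims; the function names and sample values are constructed.

```python
import base64
import json
import time

EXPECTED_AUDIENCE = "federation.namespaceapis.com"  # audience set in the RWX vault


def decode_claims(token):
    """Decode the JWT payload without verifying the signature (diagnostic only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected three dot-separated parts)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token, expected_sub, now=None):
    """Return a list of problems; an empty list means the claims look right."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if EXPECTED_AUDIENCE not in audiences:
        problems.append(f"aud is {aud!r}, expected {EXPECTED_AUDIENCE!r}")
    if claims.get("sub") != expected_sub:
        problems.append(f"sub is {claims.get('sub')!r}, expected {expected_sub!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token is expired or has no exp claim")
    return problems


def make_sample_token(claims):
    """Build an unsigned, constructed token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed sample; in a task, read os.environ["NAMESPACE_OIDC_TOKEN"] instead
    # and pass the subject shown in the OIDC tab of your RWX vault.
    sample = make_sample_token(
        {"aud": "wrong.example.com", "sub": "constructed-subject", "exp": 4102444800}
    )
    for problem in check_token(sample, "constructed-subject"):
        print("problem:", problem)
```

When running this inside a task, print only the reported problems and the subject, never the token itself.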

Support

That's it! If you have any questions, feel free to reach out to RWX support or Namespace support.