Add Draft of "Machine Identity" Decision Record

[joshmue]

Signed-off-by: Joshua Mühlfort [email protected]

[joshmue]

@JuanPTM @reqa Would you mind to take a look? We could further discuss in the next ops/iam meetings.

[JuanPTM]

Looks good to me.

[joshmue]

@horazont I adjusted this document to #143, please feel free to give feedback.

(I also "fixed" the need to spell out SPIFFE by omitting it)

[mbuechse]

Is this still relevant? I will close this PR if nothing happens by July 31st.

[joshmue]

It's still very relevant to the cloud's user experience and general security as outlined in the document itself.

Whether it's feasible for the SCS project to achieve in the short/medium term, is uncertain.

Two factors that could make it more easy:

1. K8s clusters offer OIDC federation of ServiceAccounts
2. The "Central API" may be configured to accept tokens from a central IdP

[mbuechse]

So the topic is relevant, but what I meant was this PR. Can it be salvaged and merged, or do we expect it to lie dormant for the next months? In the latter case, it should probably be closed. Unfortunately, it doesn't mention any issue.

[joshmue]

The content is not outdated in some way, as it is very high level. So, it is ok to be discussed and merged, IMHO.
I cannot say anything about prioritization/planning across weeks/months/years/project-phases, though.