feat: MachineAccountKey Proxy Backend

cmd/milo/apiserver/config.go

@@ -45,6 +45,7 @@ import (
 
 	"go.miloapis.com/milo/internal/apiserver/admission/initializer"
 	eventsbackend "go.miloapis.com/milo/internal/apiserver/events"
+	machineaccountkeysbackend "go.miloapis.com/milo/internal/apiserver/identity/machineaccountkeys"
 	sessionsbackend "go.miloapis.com/milo/internal/apiserver/identity/sessions"
 	useridentitiesbackend "go.miloapis.com/milo/internal/apiserver/identity/useridentities"
 	identitystorage "go.miloapis.com/milo/internal/apiserver/storage/identity"
@@ -69,9 +70,10 @@ type Config struct {
 }
 
 type ExtraConfig struct {
-	SessionsProvider       SessionsProviderConfig
-	UserIdentitiesProvider UserIdentitiesProviderConfig
-	EventsProvider         EventsProviderConfig
+	SessionsProvider           SessionsProviderConfig
+	UserIdentitiesProvider     UserIdentitiesProviderConfig
+	MachineAccountKeysProvider MachineAccountKeysProviderConfig
+	EventsProvider             EventsProviderConfig
 }
 
 // SessionsProviderConfig groups configuration for the sessions backend provider
@@ -107,6 +109,17 @@ type EventsProviderConfig struct {
 	ForwardExtras  []string
 }
 
+// MachineAccountKeysProviderConfig groups configuration for the machineaccountkeys backend provider
+type MachineAccountKeysProviderConfig struct {
+	URL            string
+	CAFile         string
+	ClientCertFile string
+	ClientKeyFile  string
+	TimeoutSeconds int
+	Retries        int
+	ForwardExtras  []string
+}
+
 type completedConfig struct {
 	Options options.CompletedOptions
 
@@ -149,9 +162,7 @@ func (c *CompletedConfig) GenericStorageProviders(discovery discovery.DiscoveryI
 		discoveryrest.StorageProvider{},
 	}
 
-	if utilfeature.DefaultFeatureGate.Enabled(features.Sessions) || utilfeature.DefaultFeatureGate.Enabled(features.UserIdentities) {
-		providers = append(providers, newIdentityStorageProvider(c))
-	}
+	providers = append(providers, newIdentityStorageProvider(c))
 
 	if utilfeature.DefaultFeatureGate.Enabled(features.EventsProxy) {
 		providers = append(providers, newEventsV1StorageProvider(eventsBackend))
@@ -201,6 +212,25 @@ func newIdentityStorageProvider(c *CompletedConfig) controlplaneapiserver.RESTSt
 		provider.UserIdentities = backend
 	}
 
+	if utilfeature.DefaultFeatureGate.Enabled(features.MachineAccountKeys) {
+		allow := make(map[string]struct{}, len(c.ExtraConfig.MachineAccountKeysProvider.ForwardExtras))
+		for _, k := range c.ExtraConfig.MachineAccountKeysProvider.ForwardExtras {
+			allow[k] = struct{}{}
+		}
+		cfg := machineaccountkeysbackend.Config{
+			BaseConfig:     c.ControlPlane.Generic.LoopbackClientConfig,
+			ProviderURL:    c.ExtraConfig.MachineAccountKeysProvider.URL,
+			CAFile:         c.ExtraConfig.MachineAccountKeysProvider.CAFile,
+			ClientCertFile: c.ExtraConfig.MachineAccountKeysProvider.ClientCertFile,
+			ClientKeyFile:  c.ExtraConfig.MachineAccountKeysProvider.ClientKeyFile,
+			Timeout:        time.Duration(c.ExtraConfig.MachineAccountKeysProvider.TimeoutSeconds) * time.Second,
+			Retries:        c.ExtraConfig.MachineAccountKeysProvider.Retries,
+			ExtrasAllow:    allow,
+		}
+		backend, _ := machineaccountkeysbackend.NewDynamicProvider(cfg)
+		provider.MachineAccountKeys = backend
+	}
+
 	return provider
 }
 

cmd/milo/apiserver/server.go

@@ -56,25 +56,29 @@ func init() {
 }
 
 var (
-	SystemNamespace                  string
-	sessionsProviderURL              string
-	sessionsProviderCAFile           string
-	sessionsProviderClientCert       string
-	sessionsProviderClientKey        string
-	providerTimeoutSeconds           int
-	providerRetries                  int
-	forwardExtras                    []string
-	userIdentitiesProviderURL        string
-	userIdentitiesProviderCAFile     string
-	userIdentitiesProviderClientCert string
-	userIdentitiesProviderClientKey  string
-	eventsProviderURL                string
-	eventsProviderCAFile             string
-	eventsProviderClientCert         string
-	eventsProviderClientKey          string
-	eventsProviderTimeoutSeconds     int
-	eventsProviderRetries            int
-	eventsForwardExtras              []string
+	SystemNamespace                      string
+	sessionsProviderURL                  string
+	sessionsProviderCAFile               string
+	sessionsProviderClientCert           string
+	sessionsProviderClientKey            string
+	providerTimeoutSeconds               int
+	providerRetries                      int
+	forwardExtras                        []string
+	userIdentitiesProviderURL            string
+	userIdentitiesProviderCAFile         string
+	userIdentitiesProviderClientCert     string
+	userIdentitiesProviderClientKey      string
+	machineAccountKeysProviderURL        string
+	machineAccountKeysProviderCAFile     string
+	machineAccountKeysProviderClientCert string
+	machineAccountKeysProviderClientKey  string
+	eventsProviderURL                    string
+	eventsProviderCAFile                 string
+	eventsProviderClientCert             string
+	eventsProviderClientKey              string
+	eventsProviderTimeoutSeconds         int
+	eventsProviderRetries                int
+	eventsForwardExtras                  []string
 )
 
 // NewCommand creates a *cobra.Command object with default parameters
@@ -184,6 +188,10 @@ func NewCommand() *cobra.Command {
 	fs.StringVar(&userIdentitiesProviderCAFile, "useridentities-provider-ca-file", "", "Path to CA file to validate useridentities provider TLS")
 	fs.StringVar(&userIdentitiesProviderClientCert, "useridentities-provider-client-cert", "", "Client certificate for mTLS to useridentities provider")
 	fs.StringVar(&userIdentitiesProviderClientKey, "useridentities-provider-client-key", "", "Client private key for mTLS to useridentities provider")
+	fs.StringVar(&machineAccountKeysProviderURL, "machineaccountkeys-provider-url", "", "Direct provider base URL for machineaccountkeys (e.g., https://zitadel-apiserver:8443)")
+	fs.StringVar(&machineAccountKeysProviderCAFile, "machineaccountkeys-provider-ca-file", "", "Path to CA file to validate machineaccountkeys provider TLS")
+	fs.StringVar(&machineAccountKeysProviderClientCert, "machineaccountkeys-provider-client-cert", "", "Client certificate for mTLS to machineaccountkeys provider")
+	fs.StringVar(&machineAccountKeysProviderClientKey, "machineaccountkeys-provider-client-key", "", "Client private key for mTLS to machineaccountkeys provider")
 	fs.StringVar(&eventsProviderURL, "events-provider-url", "", "Activity API server URL for events storage (e.g., https://activity-apiserver.activity-system.svc:443)")
 	fs.StringVar(&eventsProviderCAFile, "events-provider-ca-file", "", "Path to CA file to validate Activity provider TLS")
 	fs.StringVar(&eventsProviderClientCert, "events-provider-client-cert", "", "Client certificate for mTLS to Activity provider")
@@ -253,6 +261,14 @@ func Run(ctx context.Context, opts options.CompletedOptions) error {
 	config.ExtraConfig.UserIdentitiesProvider.Retries = providerRetries
 	config.ExtraConfig.UserIdentitiesProvider.ForwardExtras = forwardExtras
 
+	config.ExtraConfig.MachineAccountKeysProvider.URL = machineAccountKeysProviderURL
+	config.ExtraConfig.MachineAccountKeysProvider.CAFile = machineAccountKeysProviderCAFile
+	config.ExtraConfig.MachineAccountKeysProvider.ClientCertFile = machineAccountKeysProviderClientCert
+	config.ExtraConfig.MachineAccountKeysProvider.ClientKeyFile = machineAccountKeysProviderClientKey
+	config.ExtraConfig.MachineAccountKeysProvider.TimeoutSeconds = providerTimeoutSeconds
+	config.ExtraConfig.MachineAccountKeysProvider.Retries = providerRetries
+	config.ExtraConfig.MachineAccountKeysProvider.ForwardExtras = forwardExtras
+
 	config.ExtraConfig.EventsProvider.URL = eventsProviderURL
 	config.ExtraConfig.EventsProvider.CAFile = eventsProviderCAFile
 	config.ExtraConfig.EventsProvider.ClientCertFile = eventsProviderClientCert

config/apiserver/deployment.yaml

@@ -70,6 +70,11 @@ spec:
           - --useridentities-provider-ca-file=$(USERIDENTITIES_PROVIDER_CA_FILE)
           - --useridentities-provider-client-cert=$(USERIDENTITIES_PROVIDER_CLIENT_CERT_FILE)
           - --useridentities-provider-client-key=$(USERIDENTITIES_PROVIDER_CLIENT_KEY_FILE)
+          # MachineAccountKeys provider configuration
+          - --machineaccountkeys-provider-url=$(MACHINEACCOUNTKEYS_PROVIDER_URL)
+          - --machineaccountkeys-provider-ca-file=$(MACHINEACCOUNTKEYS_PROVIDER_CA_FILE)
+          - --machineaccountkeys-provider-client-cert=$(MACHINEACCOUNTKEYS_PROVIDER_CLIENT_CERT_FILE)
+          - --machineaccountkeys-provider-client-key=$(MACHINEACCOUNTKEYS_PROVIDER_CLIENT_KEY_FILE)
           # Events proxy provider configuration (requires EventsProxy feature gate)
           - --events-provider-url=$(EVENTS_PROVIDER_URL)
           - --events-provider-ca-file=$(EVENTS_PROVIDER_CA_FILE)
@@ -156,6 +161,14 @@ spec:
             value: ""
           - name: USERIDENTITIES_PROVIDER_CLIENT_KEY_FILE
             value: ""
+          - name: MACHINEACCOUNTKEYS_PROVIDER_URL
+            value: ""
+          - name: MACHINEACCOUNTKEYS_PROVIDER_CA_FILE
+            value: ""
+          - name: MACHINEACCOUNTKEYS_PROVIDER_CLIENT_CERT_FILE
+            value: ""
+          - name: MACHINEACCOUNTKEYS_PROVIDER_CLIENT_KEY_FILE
+            value: ""
           # Events proxy provider configuration (requires --feature-gates=EventsProxy=true)
           - name: EVENTS_PROVIDER_URL
             value: ""

config/components/apiserver-audit-logging/audit-policy-configmap.yaml

@@ -142,6 +142,14 @@ data:
         - group: "" # core API group
           resources: ["secrets", "configmaps"]
 
+      # Log MachineAccountKey at Metadata level to redact private key from audit logs
+      # The privateKey is only returned in the response body on creation, so we omit
+      # the response to prevent credential leakage in audit logs
+      - level: Metadata
+        resources:
+        - group: "identity.miloapis.com"
+          resources: ["machineaccountkeys"]
+
       # Log Milo API resources at RequestResponse level to capture full context
       - level: RequestResponse
         resources:

config/crd/bases/iam/iam.miloapis.com_machineaccounts.yaml

@@ -12,7 +12,7 @@ spec:
     listKind: MachineAccountList
     plural: machineaccounts
     singular: machineaccount
-  scope: Namespaced
+  scope: Cluster
   versions:
   - additionalPrinterColumns:
     - jsonPath: .status.email

config/crd/bases/iam/kustomization.yaml

@@ -5,10 +5,9 @@
 - iam.miloapis.com_machineaccounts.yaml
 - iam.miloapis.com_policybindings.yaml
 - iam.miloapis.com_protectedresources.yaml
 - iam.miloapis.com_users.yaml
 - iam.miloapis.com_userinvitations.yaml
-- iam.miloapis.com_machineaccountkeys.yaml
 - iam.miloapis.com_userpreferences.yaml
 - iam.miloapis.com_userdeactivations.yaml
 - iam.miloapis.com_platforminvitations.yaml
 - iam.miloapis.com_platformaccessapprovals.yaml

config/protected-resources/iam/kustomization.yaml

@@ -14,4 +14,5 @@ resources:
   - platformaccessapproval.yaml
   - platformaccessrejection.yaml
   - platforminvitation.yaml
+  - machineaccount.yaml
 

config/protected-resources/iam/machineaccount.yaml

@@ -0,0 +1,21 @@
+apiVersion: iam.miloapis.com/v1alpha1
+kind: ProtectedResource
+metadata:
+  name: iam.miloapis.com-machineaccount
+spec:
+  serviceRef:
+    name: "iam.miloapis.com"
+  kind: MachineAccount
+  plural: machineaccounts
+  singular: machineaccount
+  permissions:
+    - list
+    - get
+    - create
+    - update
+    - delete
+    - patch
+    - watch
+  parentResources:
+    - apiGroup: resourcemanager.miloapis.com
+      kind: Project

config/protected-resources/identity/kustomization.yaml

@@ -4,3 +4,4 @@ kind: Kustomization
 resources:
   - session.yaml
   - useridentity.yaml
+  - machineaccountkey.yaml