@@ -121,6 +121,9 @@ static credentials are used for authentication, either with
121121` spec.secretRef` or `spec.serviceAccountName`.
122122If you do not specify `.spec.provider`, it defaults to `generic`.
123123
124+ For a complete guide on how to set up authentication for cloud providers,
125+ see the integration [docs](/flux/integrations/).
126+
124127# ### AWS
125128
126129The `aws` provider can be used to authenticate automatically using the EKS
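Review bot: The link text in the added sentence (new lines 124-125) is just "docs", which says nothing about the target, and the same sentence is added verbatim again at new lines 287-288 in the Service Account reference section. Use a descriptive label, for example "see the [cloud provider integrations guide](/flux/integrations/)", and keep a single copy, or have the second occurrence refer back to this one.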
@@ -267,12 +270,22 @@ kubectl create secret docker-registry ...
267270
268271# ## Service Account reference
269272
270- ` .spec.serviceAccountName` is an optional field to specify a name reference to a
271- Service Account in the same namespace as the OCIRepository. The controller will
272- fetch the image pull secrets attached to the service account and use them for authentication.
273+ ` .spec.serviceAccountName` is an optional field to specify a Service Account
274+ in the same namespace as OCIRepository with purpose depending on the value of
275+ the `.spec.provider` field :
276+
277+ - When `.spec.provider` is set to `generic`, the controller will fetch the image
278+ pull secrets attached to the Service Account and use them for authentication.
279+ - When `.spec.provider` is set to `aws`, `azure`, or `gcp`, the Service Account
280+ will be used for Workload Identity authentication. In this case, the controller
281+ feature gate `ObjectLevelWorkloadIdentity` must be enabled, otherwise the
282+ controller will error out.
283+
284+ **Note:** that for a publicly accessible image repository, you don't need to
285+ provide a `secretRef` nor `serviceAccountName`.
273286
274- **Note:** that for a publicly accessible image repository, you don't need to provide a `secretRef`
275- nor `serviceAccountName` .
287+ For a complete guide on how to set up authentication for cloud providers,
288+ see the integration [docs](/flux/integrations/) .
276289
277290# ## Cert secret reference
278291
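Review bot: The `aws`/`azure`/`gcp` bullet (new lines 279-282) says the controller "will error out" when `ObjectLevelWorkloadIdentity` is not enabled, but does not say what fails or where the gate is set. Please state the scope of the failure (for example, whether only the affected OCIRepository fails to reconcile) and mention or link how the feature gate is enabled. The section also does not say which identity is used when `.spec.serviceAccountName` is omitted for a cloud provider, which is what a reader scoping permissions per object needs to know. Minor wording: "in the same namespace as OCIRepository" lost the article "the" that the removed text had, and "**Note:** that for a publicly accessible" reads better as "**Note:** for a publicly accessible".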