release notes: 6.3.0 — add workload identity support #1042

Merged: vvnpn-nv merged 2 commits into main from vivianp/release-notes-6.3.0-workload-identity, May 26, 2026

vvnpn-nv (Contributor) commented May 26, 2026

Description

PR #508 (merged Feb 24, 2026, before the 6.3.0 tag on Apr 27) added cloud-neutral workload-identity support to the service chart but never landed in the 6.3.0 release notes. This PR backfills two entries:

  • Highlights: a one-line bullet calling out workload identity for core services on Azure (AKS WI / Arc) and AWS (EKS IRSA / Pod Identity).
  • Helm Charts: a detailed entry naming the new top-level serviceAccount block (create, name, annotations) and per-component extraPodLabels on agent, api, worker, logger, router, and delayedJobMonitor. Includes the exact annotations/labels each CSP's webhook expects, and an explicit caveat that GCS/Swift/TOS backends still require static credentials (those backends NotImplementedError on DefaultDataCredential in backends.py).

The chart hooks themselves are cloud-neutral — the per-CSP differences (Azure needs both an SA annotation and a pod label; AWS only needs the SA annotation; the storage-backend side needs DefaultAzureCredential for Azure but boto3's default credential chain handles IRSA on S3 without code changes) are documented as concrete examples rather than buried in prose.

Doc-only change — no code or tests touched.

Issue #None

Checklist

  • I am familiar with the Contributing Guidelines.
  • New or existing tests cover these changes.
  • The documentation is up to date with these changes.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • New Features
    • Workload identity support enables services to run with cloud-issued federated identities
    • New service account configuration with annotation support for federated identities
    • Per-component extra pod label options for finer control
    • Guidance for Azure (AKS/Arc) and AWS (IRSA/Pod Identity) setups, including token usage for storage backends

PR #508 (Feb 2026) added a cloud-neutral workload-identity hook to the
service chart — top-level serviceAccount block (create, name, annotations)
plus per-component extraPodLabels on agent, api, worker, logger, router,
and delayedJobMonitor. The Azure storage backend gained DefaultAzureCredential
fallback in the same PR; the S3 backend already supported keyless auth via
boto3's default credential chain.

End-to-end this enables:
- Azure: AKS Workload Identity / Arc clusters via UAMI annotation + WI label
- AWS: EKS IRSA / Pod Identity via role-arn annotation

GCS/Swift/TOS backends still require static credentials — flagged as a
caveat so users don't assume keyless works everywhere.

These were in 6.3.0 code but missing from the release notes — adding a
Highlights bullet and a detailed Helm Charts entry.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@vvnpn-nv vvnpn-nv requested a review from a team as a code owner May 26, 2026 17:19
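
As an added example (not part of the PR or the project's code), a values lint for the wiring the description and commit message above describe: on Azure both the ServiceAccount annotation and the pod label on every listed component, on AWS the role-arn annotation, plus the static-credential backend caveat. The annotation and label keys are the upstream Azure Workload Identity and EKS IRSA webhook names rather than values quoted from this page; the `services` nesting, the lowercase backend names and all sample values are assumptions.

```python
COMPONENTS = ["agent", "api", "worker", "logger", "router", "delayedJobMonitor"]  # from the PR text
STATIC_ONLY_BACKENDS = {"gcs", "swift", "tos"}  # PR caveat; lowercase names are an assumption
# Upstream webhook identifiers (Azure Workload Identity, EKS IRSA), not quoted from the PR.
AZURE_SA_ANNOTATION = "azure.workload.identity/client-id"
AZURE_POD_LABEL = "azure.workload.identity/use"
AWS_SA_ANNOTATION = "eks.amazonaws.com/role-arn"


def lint_workload_identity(values, cloud, backend):
    """Return findings for a Helm values dict; an empty list means the wiring is complete."""
    findings = []
    annotations = (values.get("serviceAccount") or {}).get("annotations") or {}
    if backend.lower() in STATIC_ONLY_BACKENDS:
        findings.append(f"backend {backend}: keyless not supported, static credentials required")
    if cloud == "azure":
        if not annotations.get(AZURE_SA_ANNOTATION):
            findings.append(f"serviceAccount.annotations missing {AZURE_SA_ANNOTATION}")
        services = values.get("services") or {}  # assumed nesting, not confirmed by the PR
        for name in COMPONENTS:
            labels = (services.get(name) or {}).get("extraPodLabels") or {}
            # Kubernetes label values are strings, so compare against "true".
            if labels.get(AZURE_POD_LABEL) != "true":
                findings.append(f'{name}.extraPodLabels missing {AZURE_POD_LABEL}="true"')
    elif cloud == "aws":
        arn = annotations.get(AWS_SA_ANNOTATION) or ""
        if not (arn.startswith("arn:") and ":role/" in arn):
            findings.append(f"serviceAccount.annotations missing a role ARN in {AWS_SA_ANNOTATION}")
    else:
        findings.append(f"unknown cloud {cloud!r}")
    return findings


# Constructed sample values: Azure wiring with the pod label forgotten on one component.
AZURE_VALUES = {
    "serviceAccount": {"create": True, "name": "example-sa",
                       "annotations": {AZURE_SA_ANNOTATION: "00000000-0000-0000-0000-000000000000"}},
    "services": {c: {"extraPodLabels": {AZURE_POD_LABEL: "true"}} for c in COMPONENTS if c != "router"},
}
# Constructed sample values: AWS needs only the ServiceAccount annotation.
AWS_VALUES = {"serviceAccount": {"create": True, "name": "example-sa",
              "annotations": {AWS_SA_ANNOTATION: "arn:aws:iam::111122223333:role/example-role"}}}

if __name__ == "__main__":
    print(lint_workload_identity(AZURE_VALUES, "azure", "azure"))
    print(lint_workload_identity(AWS_VALUES, "aws", "gcs"))
```
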
coderabbitai (Bot, Contributor) commented May 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 2c599b5b-632e-4612-8eba-6c7713079f6d

📥 Commits

Reviewing files that changed from the base of the PR and between 65f9384 and 255d1f7.

📒 Files selected for processing (1)
  • releases/6.3.0.md
💤 Files with no reviewable changes (1)
  • releases/6.3.0.md

📝 Walkthrough

Adds 6.3.0 release notes announcing workload identity support: a cloud-neutral serviceAccount block plus per-component extraPodLabels, with Azure AKS/Arc and AWS IRSA/Pod Identity examples; notes storage backends' credential behavior.

Changes

Workload Identity Release Notes

| Layer / File(s) | Summary |
| --- | --- |
| Workload identity feature documentation (releases/6.3.0.md) | Release notes add a highlights entry and the “Cloud workload identity” Helm chart docs: new top-level serviceAccount block (create, name, annotations) and extraPodLabels for components, plus Azure and AWS annotation/label examples and storage credential notes. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

  • NVIDIA/OSMO#1032: Related release-notes changes discussing identity/token/serviceAccount topics.

Suggested labels

external

Suggested reviewers

  • RyaliNvidia
  • cypres

Poem

🐰 I hopped through notes to spread the word,
New service accounts — not a thing absurd,
Azure and AWS wear matching tags,
Pods get tokens, no more credential drags,
A tiny carrot for cloud-native cheer.

🚥 Pre-merge checks | ✅ 5 passed

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title directly and clearly summarizes the main change: adding workload identity support documentation to the 6.3.0 release notes. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@vvnpn-nv vvnpn-nv enabled auto-merge (squash) May 26, 2026 17:57
@vvnpn-nv vvnpn-nv merged commit 4ea492e into main May 26, 2026
10 checks passed
@vvnpn-nv vvnpn-nv deleted the vivianp/release-notes-6.3.0-workload-identity branch May 26, 2026 20:12