Merged
5 changes: 5 additions & 0 deletions releases/6.3.0.md
Expand Up @@ -8,6 +8,7 @@
- **Dataset CLI and API deprecated** — `osmo dataset` commands and the `/datasets` API endpoints are deprecated and will be removed in 6.4. Migrate to workflow-managed dataset outputs.
- **Rsync download support** — Pull files from running workflow tasks to your local machine with `osmo workflow rsync download`, complementing the existing upload capability.
- **Visual transfer progress** — File sync operations now display a progress bar showing bytes transferred, percentage, rate, and ETA.
- **Workload identity for core services** — Run OSMO services under a cloud-issued federated identity (Azure Workload Identity on AKS/Arc, AWS IRSA / EKS Pod Identity) via new cloud-neutral `serviceAccount` annotations and per-component `extraPodLabels` hooks, removing the need to mount cloud storage keys as Kubernetes Secrets.
- **Privilege escalation fix** — Policies with empty resources lists no longer grant access to resource-scoped endpoints.

## Breaking Changes
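Review bot: the new "Workload identity for core services" highlight says the change removes the need to mount cloud storage keys as Kubernetes Secrets, but it does not say what happens when a static key is still configured alongside the federated identity. The detailed feature entry later in these notes states that the Azure backend only falls back to `DefaultAzureCredential` when no static connection string is supplied, so a leftover Secret keeps the static key in use; state that precedence here as well, since operators reading only the highlights will otherwise assume the Secret can be deleted without effect or, conversely, that the federated identity is already active. Consider also using the exact values names from the detail entry (`serviceAccount` with `annotations`, and `extraPodLabels`) so the highlight and the feature entry match word for word.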
Expand All @@ -24,6 +25,10 @@
- **ConfigMap configuration mode**: Set `services.configs.enabled: true` to manage all service configs via Helm values. CLI/API writes return HTTP 409 when active. The chart ships with default roles, pod templates, resource validations, backend, and pool. (#822)
- **ConfigMap mode for worker, agent, and logger**: The ConfigMapWatcher now runs in the worker, agent, and logger services. Previously only the API service watched the ConfigMap, so workflow pods built by the worker could be constructed from stale config. (#926)
- **TLS termination at the gateway**: Configure a serving cert/key, optional HTTP-to-HTTPS redirect, and SAN list via `gateway.tls`. The gateway template generates the matching Envoy listener config. (#953)
- **Cloud workload identity**: New top-level `serviceAccount` block (`create`, `name`, `annotations`) and per-component `extraPodLabels` on `agent`, `api`, `worker`, `logger`, `router`, and `delayedJobMonitor`. The hooks are cloud-neutral — set the annotations and labels your CSP's identity webhook expects:
- **Azure (AKS / Arc)**: annotate the SA with `azure.workload.identity/client-id: <uami-client-id>` and label pods with `azure.workload.identity/use: "true"`. The Azure storage backend falls back to `DefaultAzureCredential` when no static connection string is supplied.
- **AWS (EKS IRSA / Pod Identity)**: annotate the SA with `eks.amazonaws.com/role-arn: <iam-role-arn>`. The S3 backend picks up the federated token from boto3's default credential chain — no pod labels required.

- **Gateway consolidation**: A unified gateway now handles load balancing for all service types (API, router, UI), simplifying ingress configuration. (#817, #799)
- **Gateway extension hooks**: Inject custom Envoy filters and additive auth-skip paths via `gateway.envoy.extensions` and `gateway.envoy.authSkipPaths`, useful for sidecar integrations and bypassing authz on specific endpoints. (#1009)
- **Default identity headers**: Minimal deployments can now inject default `x-osmo-user`, `x-osmo-roles`, and `x-osmo-allowed-pools` headers for unauthenticated browser requests via `gateway.envoy.defaultIdentity` values. (#902)
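Review bot: the added "Cloud workload identity" entry is the only item in this section without a PR reference (its siblings carry #822, #926, #953, #817/#799, #1009, #902); add the reference so the change can be traced. The Azure sub-bullet documents precedence (static connection string first, `DefaultAzureCredential` only when none is supplied), but the AWS sub-bullet says only that the S3 backend "picks up the federated token from boto3's default credential chain" and does not say whether a configured static key still wins; document the order for both backends, because an operator removing a Secret needs to know which credential the service will actually use. Also note for the Azure case that `DefaultAzureCredential` tries several sources in turn (environment variables, workload identity, managed identity, developer-tool credentials), so a pod missing the `azure.workload.identity/use: "true"` label may authenticate with an unintended identity instead of failing clearly; the entry should say the label is required, not optional, for the fallback to reach the federated token. Finally, the blank line inserted after the nested sub-bullets (before "Gateway consolidation") turns the surrounding list loose in Markdown renderers; either drop it or separate every item consistently.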