thpham · thpham · May 18, 2023
diff --git a/docs/tutorials/oracle.md b/docs/tutorials/oracle.md
@@ -68,6 +68,40 @@ the compartment containing the zone to be managed.
 For more information about OCI IAM instance principals, see the documentation [here][2].
 For more information about OCI IAM policy details for the DNS service, see the documentation [here][3].
 
+### OCI OKE Workloads Identity Principal
+
+A workload running on a Kubernetes cluster is considered a resource in its own right.
+A workload resource is identified by the unique combination of cluster, namespace, and service account.
+This unique combination is referred to as the workload identity.
+You can use the workload identity when defining IAM policies to grant fine-grained access to other OCI resources.
+
+First, you'll also need to add the `--oci-auth-workload-principal` flag to enable
+this type of authentication. Finally, you'll need to set the following environment variables
+in the deployment.
+
+For example, here are the Helm values to override:
+
+```yaml
+provider: oci
+extraArgs:
+- '--oci-auth-workload-principal'
+- '--oci-compartment-ocid=ocid1.compartment.oc1...'
+env:
+- name: OCI_RESOURCE_PRINCIPAL_VERSION
+  value: '2.2'
+- name: OCI_RESOURCE_PRINCIPAL_REGION
+  value: 'eu-zurich-1'
+```
+
+
+The following is an example of policy statement:
+
+```txt
+Allow any-user to manage dns in compartment id <compartment_ocid> where all { request.principal.type = 'workload', request.principal.namespace = 'external-dns', request.principal.service_account = 'external-dns', request.principal.cluster_id = 'ocid1.cluster.oc1...' }
+```
+
+For more information about OCI OKE workload identity principal, see the documentation [here][4].
+
 ## Manifest (for clusters with RBAC enabled)
 
 Apply the following manifest to deploy ExternalDNS.
@@ -192,4 +226,5 @@ $ kubectl apply -f nginx.yaml
 [1]: https://docs.cloud.oracle.com/iaas/Content/DNS/Concepts/dnszonemanagement.htm
 [2]: https://docs.cloud.oracle.com/iaas/Content/Identity/Reference/dnspolicyreference.htm
 [3]: https://docs.cloud.oracle.com/iaas/Content/Identity/Tasks/callingservicesfrominstances.htm
+[4]: https://docs.cloud.oracle.com/iaas/Content/ContEng/Tasks/contenggrantingworkloadaccesstoresources.htm
 
diff --git a/go.mod b/go.mod
@@ -42,7 +42,7 @@ require (
 	github.com/onsi/ginkgo v1.16.5
 	github.com/openshift/api v0.0.0-20210315202829-4b79815405ec
 	github.com/openshift/client-go v0.0.0-20210112165513-ebc401615f47
-	github.com/oracle/oci-go-sdk/v65 v65.35.0
+	github.com/oracle/oci-go-sdk/v65 v65.38.0
 	github.com/ovh/go-ovh v1.1.0
 	github.com/pkg/errors v0.9.1
 	github.com/pluralsh/gqlclient v1.1.6

diff --git a/go.sum b/go.sum
@@ -945,8 +945,8 @@ github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxS
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
 github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
-github.com/oracle/oci-go-sdk/v65 v65.35.0 h1:zvDsEuGs0qf6hPZVbrDnnfPJYQP7CwAgidTr4Pch6E4=
-github.com/oracle/oci-go-sdk/v65 v65.35.0/go.mod h1:MXMLMzHnnd9wlpgadPkdlkZ9YrwQmCOmbX5kjVEJodw=
+github.com/oracle/oci-go-sdk/v65 v65.38.0 h1:2ITYVHRa3A8DhN6SlG16W3FLJF1xTYDQkHFxYuPlIjg=
+github.com/oracle/oci-go-sdk/v65 v65.38.0/go.mod h1:MXMLMzHnnd9wlpgadPkdlkZ9YrwQmCOmbX5kjVEJodw=
 github.com/ovh/go-ovh v1.1.0 h1:bHXZmw8nTgZin4Nv7JuaLs0KG5x54EQR7migYTd1zrk=
 github.com/ovh/go-ovh v1.1.0/go.mod h1:AxitLZ5HBRPyUd+Zl60Ajaag+rNTdVXWIkzfrVuTXWA=
 github.com/oxtoacart/bpool v0.0.0-20150712133111-4e1c5567d7c2 h1:CXwSGu/LYmbjEab5aMCs5usQRVBGThelUKBNnoSOuso=

diff --git a/main.go b/main.go
@@ -325,6 +325,9 @@ func main() {
 				authConfig := oci.OCIAuthConfig{UseInstancePrincipal: true}
 				config = &oci.OCIConfig{Auth: authConfig, CompartmentID: cfg.OCICompartmentOCID}
 			}
+		} else if cfg.OCIAuthWorkloadPrincipal {
+			authConfig := oci.OCIAuthConfig{UseWorkloadPrincipal: true}
+			config = &oci.OCIConfig{Auth: authConfig, CompartmentID: cfg.OCICompartmentOCID}
 		} else {
 			config, err = oci.LoadOCIConfig(cfg.OCIConfigFile)
 		}

diff --git a/pkg/apis/externaldns/types.go b/pkg/apis/externaldns/types.go
@@ -134,6 +134,7 @@ type Config struct {
 	OCIConfigFile                      string
 	OCICompartmentOCID                 string
 	OCIAuthInstancePrincipal           bool
+	OCIAuthWorkloadPrincipal           bool
 	InMemoryZones                      []string
 	OVHEndpoint                        string
 	OVHApiRateLimit                    int
@@ -511,6 +512,7 @@ func (cfg *Config) ParseFlags(args []string) error {
 	app.Flag("oci-config-file", "When using the OCI provider, specify the OCI configuration file (required when --provider=oci").Default(defaultConfig.OCIConfigFile).StringVar(&cfg.OCIConfigFile)
 	app.Flag("oci-compartment-ocid", "When using the OCI provider, specify the OCID of the OCI compartment containing all managed zones and records.  Required when using OCI IAM instance principal authentication.").StringVar(&cfg.OCICompartmentOCID)
 	app.Flag("oci-auth-instance-principal", "When using the OCI provider, specify whether OCI IAM instance principal authentication should be used (instead of key-based auth via the OCI config file).").Default(strconv.FormatBool(defaultConfig.OCIAuthInstancePrincipal)).BoolVar(&cfg.OCIAuthInstancePrincipal)
+	app.Flag("oci-auth-workload-principal", "When using the OCI provider, specify whether OCI IAM workload principal authentication should be used (instead of key-based auth via the OCI config file).").Default(strconv.FormatBool(defaultConfig.OCIAuthWorkloadPrincipal)).BoolVar(&cfg.OCIAuthWorkloadPrincipal)
 	app.Flag("rcodezero-txt-encrypt", "When using the Rcodezero provider with txt registry option, set if TXT rrs are encrypted (default: false)").Default(strconv.FormatBool(defaultConfig.RcodezeroTXTEncrypt)).BoolVar(&cfg.RcodezeroTXTEncrypt)
 	app.Flag("inmemory-zone", "Provide a list of pre-configured zones for the inmemory provider; specify multiple times for multiple zones (optional)").Default("").StringsVar(&cfg.InMemoryZones)
 	app.Flag("ovh-endpoint", "When using the OVH provider, specify the endpoint (default: ovh-eu)").Default(defaultConfig.OVHEndpoint).StringVar(&cfg.OVHEndpoint)

diff --git a/provider/oci/oci.go b/provider/oci/oci.go
@@ -44,6 +44,7 @@ type OCIAuthConfig struct {
 	Fingerprint          string `yaml:"fingerprint"`
 	Passphrase           string `yaml:"passphrase"`
 	UseInstancePrincipal bool   `yaml:"useInstancePrincipal"`
+	UseWorkloadPrincipal bool   `yaml:"useWorkloadPrincipal"`
 }
 
 // OCIConfig holds the configuration for the OCI Provider.
@@ -96,6 +97,11 @@ func NewOCIProvider(cfg OCIConfig, domainFilter endpoint.DomainFilter, zoneIDFil
 		if err != nil {
 			return nil, errors.Wrap(err, "error creating OCI instance principal config provider")
 		}
+	} else if cfg.Auth.UseWorkloadPrincipal {
+		configProvider, err = auth.OkeWorkloadIdentityConfigurationProvider()
+		if err != nil {
+			return nil, errors.Wrap(err, "error creating OCI Workload identity principal config provider")
+		}
 	} else {
 		configProvider = common.NewRawConfigurationProvider(
 			cfg.Auth.TenancyID,