From d3cc664fa2219d5ac6e7a724dbb755f27b08a2e6 Mon Sep 17 00:00:00 2001
From: Milos Gajdos <milosthegajdos@gmail.com>
Date: Sat, 6 Jul 2024 10:13:29 +0100
Subject: [PATCH] Update docs: JWKS credentials and AZ identity

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
---
 docs/content/about/configuration.md   | 21 ++++++++++++---------
 docs/content/storage-drivers/azure.md | 23 +++++++++++++++++++----
 2 files changed, 31 insertions(+), 13 deletions(-)

diff --git a/docs/content/about/configuration.md b/docs/content/about/configuration.md
index 942940f7a..88c4e8589 100644
--- a/docs/content/about/configuration.md
+++ b/docs/content/about/configuration.md
@@ -168,6 +168,7 @@ auth:
     service: token-service
     issuer: registry-token-issuer
     rootcertbundle: /root/certs/bundle
+    jwks: /path/to/jwks
     signingalgorithms:
         - EdDSA
         - HS256
@@ -584,6 +585,7 @@ auth:
     service: token-service
     issuer: registry-token-issuer
     rootcertbundle: /root/certs/bundle
+    jwks: /path/to/jwks
     signingalgorithms:
         - EdDSA
         - HS256
@@ -623,15 +625,16 @@ Token-based authentication allows you to decouple the authentication system from
 the registry. It is an established authentication paradigm with a high degree of
 security.
 
-| Parameter | Required | Description                                           |
-|-----------|----------|-------------------------------------------------------|
-| `realm`   | yes      | The realm in which the registry server authenticates. |
-| `service` | yes      | The service being authenticated.                      |
-| `issuer`  | yes      | The name of the token issuer. The issuer inserts this into the token so it must match the value configured for the issuer. |
-| `rootcertbundle` | yes | The absolute path to the root certificate bundle. This bundle contains the public part of the certificates used to sign authentication tokens. |
-| `autoredirect`   | no      | When set to `true`, `realm` will automatically be set using the Host header of the request as the domain and a path of `/auth/token/`(or specified by `autoredirectpath`), the `realm` URL Scheme will use `X-Forwarded-Proto` header if set, otherwise it will be set to `https`. |
-| `autoredirectpath`   | no      | The path to redirect to if `autoredirect` is set to `true`, default: `/auth/token/`. |
-| `signingalgorithms`  | no      | A list of token signing algorithms to use for verifying token signatures. If left empty the default list of signing algorithms is used. Please see below for allowed values and default. |
+| Parameter            | Required | Description                                           |
+|----------------------|----------|-------------------------------------------------------|
+| `realm`              | yes      | The realm in which the registry server authenticates. |
+| `service`            | yes      | The service being authenticated.                      |
+| `issuer`             | yes      | The name of the token issuer. The issuer inserts this into the token so it must match the value configured for the issuer. |
+| `rootcertbundle`     | yes      | The absolute path to the root certificate bundle. This bundle contains the public part of the certificates used to sign authentication tokens. |
+| `autoredirect`       | no       | When set to `true`, `realm` will be set to the Host header of the request as the domain and a path of `/auth/token/`(or specified by `autoredirectpath`), the `realm` URL Scheme will use `X-Forwarded-Proto` header if set, otherwise it will be set to `https`. |
+| `autoredirectpath`   | no       | The path to redirect to if `autoredirect` is set to `true`, default: `/auth/token/`. |
+| `signingalgorithms`  | no       | A list of token signing algorithms to use for verifying token signatures. If left empty the default list of signing algorithms is used. Please see below for allowed values and default. |
+| `jwks`               | no       | The absolute path to the JSON Web Key Set (JWKS) file. The JWKS file contains the trusted keys used to verify the signature of authentication tokens. |
 
 Available `signingalgorithms`:
 - EdDSA
diff --git a/docs/content/storage-drivers/azure.md b/docs/content/storage-drivers/azure.md
index 50f03a2bb..d2b6c54c1 100644
--- a/docs/content/storage-drivers/azure.md
+++ b/docs/content/storage-drivers/azure.md
@@ -20,7 +20,22 @@ An implementation of the `storagedriver.StorageDriver` interface which uses [Mic
 
 ## Related information
 
-* To get information about
-[azure-blob-storage](https://azure.microsoft.com/en-us/services/storage/), visit
-the Microsoft website.
-* You can use Microsoft's [Blob Service REST API](https://docs.microsoft.com/en-us/rest/api/storageservices/Blob-Service-REST-API) to [create a storage container](https://docs.microsoft.com/en-us/rest/api/storageservices/Create-Container).
+* To get information about Azure blob storage [the offical docs](https://azure.microsoft.com/en-us/services/storage/).
+* You can use Azure [Blob Service REST API](https://docs.microsoft.com/en-us/rest/api/storageservices/Blob-Service-REST-API) to [create a storage container](https://docs.microsoft.com/en-us/rest/api/storageservices/Create-Container).
+
+## Azure identity
+
+In order to use managed identity to access Azure blob storage you can use [Microsoft Bicep](https://learn.microsoft.com/en-us/azure/templates/microsoft.app/managedenvironments/storages?pivots=deployment-language-bicep).
+
+The following will configure credentials that will be used by the Azure storage driver to construct AZ Identity that will be used to access the blob storage:
+```
+properties: {
+  azure: {
+    accountname: accountname
+    container: containername
+    credentials: {
+      type: default
+    }
+  }
+}
+```