feat(blobmanager): add managed CAS backend via S3 Access Points

app/artifact-cas/cmd/wire.go

@@ -25,6 +25,7 @@ import (
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/server"
 	"github.com/chainloop-dev/chainloop/app/artifact-cas/internal/service"
 	"github.com/chainloop-dev/chainloop/pkg/blobmanager/loader"
+	"github.com/chainloop-dev/chainloop/pkg/blobmanager/s3accesspoint"
 	"github.com/chainloop-dev/chainloop/pkg/credentials"
 	"github.com/go-kratos/kratos/v2/log"
 	"github.com/google/wire"
@@ -37,13 +38,35 @@ func wireApp(*conf.Bootstrap, *conf.Server, *conf.Auth, credentials.Reader, log.
 			server.ProviderSet,
 			service.ProviderSet,
 			loader.LoadProviders,
+			newLoaderOptions,
+			wire.FieldsOf(new(*conf.Bootstrap), "ManagedCasBackends"),
 			newApp,
 			serviceOpts,
 			newProtoValidator,
 		),
 	)
 }
 
+// newLoaderOptions builds the loader.Options struct from the deployment
+// Bootstrap. When `managed_cas_backends.s3_access_point` is absent (the
+// common case for on-prem) S3AccessPoint stays nil and the provider is
+// not registered, leaving the binary's behaviour identical to the
+// pre-managed-CAS world.
+func newLoaderOptions(in *conf.ManagedCASBackends, l log.Logger) *loader.Options {
+	opts := &loader.Options{Logger: l}
+	if in == nil || in.GetS3AccessPoint() == nil {
+		return opts
+	}
+	ap := in.GetS3AccessPoint()
+	opts.S3AccessPoint = &s3accesspoint.Config{
+		BaseRoleARN:                  ap.GetBaseRoleArn(),
+		Region:                       ap.GetRegion(),
+		SessionDuration:              ap.GetSessionDuration().AsDuration(),
+		DevModeUseAmbientCredentials: ap.GetDevModeUseAmbientCredentials(),
+	}
+	return opts
+}
+
 func serviceOpts(l log.Logger) []service.NewOpt {
 	return []service.NewOpt{
 		service.WithLogger(l),

app/artifact-cas/configs/config.devel.yaml

@@ -39,3 +39,17 @@ observability:
 
 auth:
   public_key_path: ${PUBLIC_KEY_PATH:../../devel/devkeys/cas.pub}
+
+# Optional managed CAS provider (S3 Access Points). Mirrors the
+# controlplane's managed_cas_backends block — both binaries must agree
+# on the settings since each independently instantiates the provider.
+# Leave commented out for on-prem deployments that don't use managed CAS.
+# managed_cas_backends:
+#   s3_access_point:
+#     base_role_arn: arn:aws:iam::123456789012:role/chainloop-cas-tenant
+#     region: us-east-1
+#     session_duration: 1h
+#     # DEV ONLY: bypass sts:AssumeRole and use whatever AWS identity the
+#     # SDK default credential chain produces (env vars, ~/.aws/credentials,
+#     # IRSA, …). Skips per-tenant isolation; never enable in production.
+#     # dev_mode_use_ambient_credentials: true