Introduce support for OIDC workload identity federation (#3711)

* feat(oidc): introduce support for OIDC workload identity federation Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): add e2e test for bearer OIDC and a kind cluster Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): make OIDC workload identity federation its own feature Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): move errors to the errors package Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): fix race in cel package Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): compile cel expressions Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> --------- Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2026-06-17 12:58:02 +08:00 · 2026-01-25 05:03:53 +00:00
parent ba3436c57e
commit bf619c570e
25 changed files with 5151 additions and 52 deletions
@@ -44,6 +44,9 @@ jobs:
          # skip-build-cache: true
        env:
          GOEXPERIMENT: jsonv2
+      - name: Check go.mod and go.sum are up to date
+        run: |
+          make modcheck
      - name: Run linter from make target
        run: |
          make check
@@ -202,6 +202,32 @@ jobs:
            sudo ./scripts/enable_userns.sh
            ./examples/kind/kind-ci.sh

+  oidc-workload-identity:
+    name: OIDC Workload Identity E2E
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version: 1.25.x
+      - name: Install dependencies
+        run: |
+          cd $GITHUB_WORKSPACE
+          make check-blackbox-prerequisites
+          go mod download
+          sudo apt-get update
+          sudo apt-get install libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev pkg-config rpm uidmap jq
+      - name: Log in to GitHub Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+      - name: Run OIDC workload identity tests
+        run: |
+            sudo ./scripts/enable_userns.sh
+            ./examples/kind/kind-oidc-workload-identity.sh
+
  cloud-scale-out:
    name: s3+dynamodb scale-out
    runs-on: oracle-vm-16cpu-64gb-x86-64