Introduce support for OIDC workload identity federation (#3711)

* feat(oidc): introduce support for OIDC workload identity federation Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): add e2e test for bearer OIDC and a kind cluster Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): make OIDC workload identity federation its own feature Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): move errors to the errors package Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): fix race in cel package Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): compile cel expressions Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> --------- Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2026-06-17 21:17:58 +08:00 · 2026-01-25 05:03:53 +00:00
parent ba3436c57e
commit bf619c570e
25 changed files with 5151 additions and 52 deletions
@@ -178,6 +178,7 @@ var (
 	ErrReceivedUnexpectedAuthHeader     = errors.New("received unexpected www-authenticate header")
 	ErrNoBearerToken                    = errors.New("no bearer token given")
 	ErrInvalidBearerToken               = errors.New("invalid bearer token given")
+	ErrInvalidOrUnreachableOIDCIssuer   = errors.New("invalid or unreachable oidc issuer")
 	ErrInsufficientScope                = errors.New("bearer token does not have sufficient scope")
 	ErrCouldNotLoadPublicKey            = errors.New("failed to load public key")
 	ErrEventTypeEmpty                   = errors.New("event type empty")
@@ -196,4 +197,11 @@ var (
 	ErrNoEmailSANFound                  = errors.New("no Email SAN found")
 	ErrEmailSANIndexOutOfRange          = errors.New("Email SAN index out of range")
 	ErrUnsupportedIdentityAttribute     = errors.New("unsupported identity attribute")
+	ErrOIDCNoAudiences                  = errors.New("at least one audience must be specified")
+	ErrOIDCInvalidAudiences             = errors.New("invalid audiences claim in token")
+	ErrOIDCEmptyAudience                = errors.New("audience is empty")
+	ErrOIDCEmptyVariableName            = errors.New("variable name is empty")
+	ErrOIDCEmptyValidationMsg           = errors.New("validation error message is empty")
+	ErrOIDCValidationFailed             = errors.New("OIDC claim validation failed")
+	ErrOIDCAudienceMismatch             = errors.New("token audience does not match any of the expected audiences")
 )