Introduce support for OIDC workload identity federation (#3711)

* feat(oidc): introduce support for OIDC workload identity federation

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

* feat(oidc): add e2e test for bearer OIDC and a kind cluster

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

* feat(oidc): make OIDC workload identity federation its own feature

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

* feat(oidc): move errors to the errors package

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

* feat(oidc): fix race in cel package

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

* feat(oidc): compile cel expressions

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

---------

Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>

pkg/cli/server/config_reloader_test.go

@@ -90,7 +90,8 @@ func TestConfigReloader(t *testing.T) {
 		So(string(initialData), ShouldContainSubstring, "configuration settings")
 		// verify authentication methods status messages are present in initial startup
 		verifyAuthenticationLogs(initialData, map[string]bool{
-			"bearer authentication":           false,
+			"jwt bearer authentication":       false,
+			"oidc bearer authentication":      false,
 			"basic authentication (htpasswd)": true,
 			"basic authentication (LDAP)":     false,
 			"basic authentication (API key)":  false,
@@ -162,7 +163,8 @@ func TestConfigReloader(t *testing.T) {
 		So(string(data), ShouldContainSubstring, "\"Actions\":[\"read\",\"create\",\"update\",\"delete\"]")
 		// verify authentication methods status messages are present
 		verifyAuthenticationLogs(data, map[string]bool{
-			"bearer authentication":           false,
+			"jwt bearer authentication":       false,
+			"oidc bearer authentication":      false,
 			"basic authentication (htpasswd)": true,
 			"basic authentication (LDAP)":     false,
 			"basic authentication (API key)":  false,
@@ -223,7 +225,8 @@ func TestConfigReloader(t *testing.T) {
 		So(string(initialData), ShouldContainSubstring, "configuration settings")
 		// verify authentication methods status messages are present in initial startup
 		verifyAuthenticationLogs(initialData, map[string]bool{
-			"bearer authentication":           false,
+			"jwt bearer authentication":       false,
+			"oidc bearer authentication":      false,
 			"basic authentication (htpasswd)": false,
 			"basic authentication (LDAP)":     false,
 			"basic authentication (API key)":  false,
@@ -287,7 +290,8 @@ func TestConfigReloader(t *testing.T) {
 		So(string(data), ShouldNotContainSubstring, "\"Dedupe\":false")
 		// verify authentication methods status messages are present
 		verifyAuthenticationLogs(data, map[string]bool{
-			"bearer authentication":           false,
+			"jwt bearer authentication":       false,
+			"oidc bearer authentication":      false,
 			"basic authentication (htpasswd)": false,
 			"basic authentication (LDAP)":     false,
 			"basic authentication (API key)":  false,
@@ -359,7 +363,8 @@ func TestConfigReloader(t *testing.T) {
 		So(string(initialData), ShouldContainSubstring, "configuration settings")
 		// verify authentication methods status messages are present in initial startup
 		verifyAuthenticationLogs(initialData, map[string]bool{
-			"bearer authentication":           false,
+			"jwt bearer authentication":       false,
+			"oidc bearer authentication":      false,
 			"basic authentication (htpasswd)": false,
 			"basic authentication (LDAP)":     false,
 			"basic authentication (API key)":  false,
@@ -435,7 +440,8 @@ func TestConfigReloader(t *testing.T) {
 		So(string(data), ShouldContainSubstring, "\"Semver\":false")
 		// verify authentication methods status messages are present
 		verifyAuthenticationLogs(data, map[string]bool{
-			"bearer authentication":           false,
+			"jwt bearer authentication":       false,
+			"oidc bearer authentication":      false,
 			"basic authentication (htpasswd)": false,
 			"basic authentication (LDAP)":     false,
 			"basic authentication (API key)":  false,
@@ -500,7 +506,8 @@ func TestConfigReloader(t *testing.T) {
 		So(string(initialData), ShouldContainSubstring, "configuration settings")
 		// verify authentication methods status messages are present in initial startup
 		verifyAuthenticationLogs(initialData, map[string]bool{
-			"bearer authentication":           false,
+			"jwt bearer authentication":       false,
+			"oidc bearer authentication":      false,
 			"basic authentication (htpasswd)": false,
 			"basic authentication (LDAP)":     false,
 			"basic authentication (API key)":  false,
@@ -566,7 +573,8 @@ func TestConfigReloader(t *testing.T) {
 		So(string(data), ShouldContainSubstring, "\"DBRepository\":\"another/unreachable/trivy/url2\"")
 		// verify authentication methods status messages are present
 		verifyAuthenticationLogs(data, map[string]bool{
-			"bearer authentication":           false,
+			"jwt bearer authentication":       false,
+			"oidc bearer authentication":      false,
 			"basic authentication (htpasswd)": false,
 			"basic authentication (LDAP)":     false,
 			"basic authentication (API key)":  false,

pkg/cli/server/root.go

@@ -717,7 +717,7 @@ func validateAuthzPolicies(config *config.Config, logger zlog.Logger) error {
 
 	logger.Info().Msg("checking if anonymous authorization is the only type of authorization policy configured")
 
-	if !authConfig.IsBasicAuthnEnabled() && !config.IsMTLSAuthEnabled() &&
+	if !authConfig.IsBasicAuthnEnabled() && !config.IsMTLSAuthEnabled() && !authConfig.IsBearerAuthEnabled() &&
 		!accessControlConfig.ContainsOnlyAnonymousPolicy() {
 		msg := "access control config requires one of htpasswd, ldap, openid or mTLS authentication " +
 			"or using only 'anonymousPolicy' policies"

pkg/cli/server/root_test.go

@@ -48,7 +48,8 @@ func checkAuthLogEntry(logData []byte, message string, expectedEnabled bool) boo
 // expectedAuth maps authentication method names to their expected enabled status (true/false).
 func verifyAuthenticationLogs(data []byte, expectedAuth map[string]bool) {
 	authMethods := []string{
-		"bearer authentication",
+		"jwt bearer authentication",
+		"oidc bearer authentication",
 		"basic authentication (htpasswd)",
 		"basic authentication (LDAP)",
 		"basic authentication (API key)",
@@ -2261,7 +2262,8 @@ func TestServeAPIKey(t *testing.T) {
 		So(string(data), ShouldContainSubstring, "configuration settings")
 		// verify authentication methods status messages are present
 		verifyAuthenticationLogs(data, map[string]bool{
-			"bearer authentication":           false,
+			"jwt bearer authentication":       false,
+			"oidc bearer authentication":      false,
 			"basic authentication (htpasswd)": false,
 			"basic authentication (LDAP)":     false,
 			"basic authentication (API key)":  true,
@@ -2298,7 +2300,8 @@ func TestServeAPIKey(t *testing.T) {
 		So(string(data), ShouldContainSubstring, "configuration settings")
 		// verify authentication methods status messages are present
 		verifyAuthenticationLogs(data, map[string]bool{
-			"bearer authentication":           false,
+			"jwt bearer authentication":       false,
+			"oidc bearer authentication":      false,
 			"basic authentication (htpasswd)": false,
 			"basic authentication (LDAP)":     false,
 			"basic authentication (API key)":  false,