Introduce support for OIDC workload identity federation (#3711)

* feat(oidc): introduce support for OIDC workload identity federation Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): add e2e test for bearer OIDC and a kind cluster Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): make OIDC workload identity federation its own feature Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): move errors to the errors package Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): fix race in cel package Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> * feat(oidc): compile cel expressions Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com> --------- Signed-off-by: Matheus Pimenta <matheuscscp@gmail.com>
2026-06-17 12:58:02 +08:00 · 2026-01-25 05:03:53 +00:00
parent ba3436c57e
commit bf619c570e
25 changed files with 5151 additions and 52 deletions
@@ -717,7 +717,7 @@ func validateAuthzPolicies(config *config.Config, logger zlog.Logger) error {

 	logger.Info().Msg("checking if anonymous authorization is the only type of authorization policy configured")

-	if !authConfig.IsBasicAuthnEnabled() && !config.IsMTLSAuthEnabled() &&
+	if !authConfig.IsBasicAuthnEnabled() && !config.IsMTLSAuthEnabled() && !authConfig.IsBearerAuthEnabled() &&
 		!accessControlConfig.ContainsOnlyAnonymousPolicy() {
 		msg := "access control config requires one of htpasswd, ldap, openid or mTLS authentication " +
 			"or using only 'anonymousPolicy' policies"