Introduce support for OIDC workload identity federation

.github/workflows/golangci-lint.yaml

@@ -44,6 +44,9 @@ jobs:
           # skip-build-cache: true
         env:
           GOEXPERIMENT: jsonv2
+      - name: Check go.mod and go.sum are up to date
+        run: |
+          make modcheck
       - name: Run linter from make target
         run: |
           make check

.github/workflows/nightly.yaml

@@ -202,6 +202,32 @@ jobs:
             sudo ./scripts/enable_userns.sh
             ./examples/kind/kind-ci.sh
 
+  oidc-workload-identity:
+    name: OIDC Workload Identity E2E
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - uses: actions/setup-go@v6
+        with:
+          go-version: 1.25.x
+      - name: Install dependencies
+        run: |
+          cd $GITHUB_WORKSPACE
+          make check-blackbox-prerequisites
+          go mod download
+          sudo apt-get update
+          sudo apt-get install libgpgme-dev libassuan-dev libbtrfs-dev libdevmapper-dev pkg-config rpm uidmap jq
+      - name: Log in to GitHub Docker Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+      - name: Run OIDC workload identity tests
+        run: |
+            sudo ./scripts/enable_userns.sh
+            ./examples/kind/kind-oidc-workload-identity.sh
+
   cloud-scale-out:
     name: s3+dynamodb scale-out
     runs-on: oracle-vm-16cpu-64gb-x86-64

Makefile

@@ -104,7 +104,7 @@ else
 endif
 
 .PHONY: all
-all: modcheck swaggercheck binary binary-minimal binary-debug cli bench exporter-minimal verify-config check check-gh-actions test covhtml
+all: swaggercheck binary binary-minimal binary-debug cli bench exporter-minimal verify-config check check-gh-actions test covhtml
 
 .PHONY: modtidy
 modtidy:
@@ -182,30 +182,30 @@ gen-protobuf: $(PROTOC)
 
 .PHONY: binary-minimal
 binary-minimal: EXTENSIONS=
-binary-minimal: modcheck build-metadata
+binary-minimal: build-metadata
 	env CGO_ENABLED=0 GOEXPERIMENT=jsonv2 GOOS=$(OS) GOARCH=$(ARCH) go build -o bin/zot-$(OS)-$(ARCH)-minimal$(BIN_EXT) $(BUILDMODE_FLAGS) -v -trimpath -ldflags "-X $(CONFIG_RELEASE_TAG)=${RELEASE_TAG} -X $(CONFIG_COMMIT)=${COMMIT} -X $(CONFIG_BINARY_TYPE)=minimal -X $(CONFIG_GO_VERSION)=${GO_VERSION} -s -w" ./cmd/zot
 
 .PHONY: binary
 binary: $(if $(findstring ui,$(BUILD_LABELS)), ui)
-binary: modcheck build-metadata
+binary: build-metadata
 	env CGO_ENABLED=0 GOEXPERIMENT=jsonv2 GOOS=$(OS) GOARCH=$(ARCH) go build -o bin/zot-$(OS)-$(ARCH)$(BIN_EXT) $(BUILDMODE_FLAGS) $(GO_CMD_TAGS) -v -trimpath -ldflags "-X $(CONFIG_RELEASE_TAG)=${RELEASE_TAG} -X $(CONFIG_COMMIT)=${COMMIT} -X $(CONFIG_BINARY_TYPE)=$(extended-name) -X $(CONFIG_GO_VERSION)=${GO_VERSION} -s -w" ./cmd/zot
 
 .PHONY: binary-debug
 binary-debug: $(if $(findstring ui,$(BUILD_LABELS)), ui)
-binary-debug: modcheck swaggercheck build-metadata
+binary-debug: swaggercheck build-metadata
 	env CGO_ENABLED=0 GOEXPERIMENT=jsonv2 GOOS=$(OS) GOARCH=$(ARCH) go build -o bin/zot-$(OS)-$(ARCH)-debug$(BIN_EXT) $(BUILDMODE_FLAGS) -tags $(BUILD_LABELS),debug -v -gcflags all='-N -l' -ldflags "-X $(CONFIG_RELEASE_TAG)=${RELEASE_TAG} -X $(CONFIG_COMMIT)=${COMMIT} -X $(CONFIG_BINARY_TYPE)=$(extended-name) -X $(CONFIG_GO_VERSION)=${GO_VERSION}" ./cmd/zot
 
 .PHONY: cli
-cli: modcheck build-metadata
+cli: build-metadata
 	env CGO_ENABLED=0 GOEXPERIMENT=jsonv2 GOOS=$(OS) GOARCH=$(ARCH) go build -o bin/zli-$(OS)-$(ARCH)$(BIN_EXT) $(BUILDMODE_FLAGS) -tags $(BUILD_LABELS),search -v -trimpath -ldflags "-X $(CONFIG_COMMIT)=${COMMIT} -X $(CONFIG_BINARY_TYPE)=$(extended-name) -X $(CONFIG_GO_VERSION)=${GO_VERSION} -s -w" ./cmd/zli
 
 .PHONY: bench
-bench: modcheck build-metadata
+bench: build-metadata
 	env CGO_ENABLED=0 GOEXPERIMENT=jsonv2 GOOS=$(OS) GOARCH=$(ARCH) go build -o bin/zb-$(OS)-$(ARCH)$(BIN_EXT) $(BUILDMODE_FLAGS) $(GO_CMD_TAGS) -v -trimpath -ldflags "-X $(CONFIG_COMMIT)=${COMMIT} -X $(CONFIG_BINARY_TYPE)=$(extended-name) -X $(CONFIG_GO_VERSION)=${GO_VERSION} -s -w" ./cmd/zb
 
 .PHONY: exporter-minimal
 exporter-minimal: EXTENSIONS=
-exporter-minimal: modcheck build-metadata
+exporter-minimal: build-metadata
 	env CGO_ENABLED=0 GOEXPERIMENT=jsonv2 GOOS=$(OS) GOARCH=$(ARCH) go build -o bin/zxp-$(OS)-$(ARCH)$(BIN_EXT) $(BUILDMODE_FLAGS) -v -trimpath ./cmd/zxp
 
 .PHONY: test-prereq

errors/errors.go

@@ -178,6 +178,7 @@ var (
 	ErrReceivedUnexpectedAuthHeader     = errors.New("received unexpected www-authenticate header")
 	ErrNoBearerToken                    = errors.New("no bearer token given")
 	ErrInvalidBearerToken               = errors.New("invalid bearer token given")
+	ErrInvalidOrUnreachableOIDCIssuer   = errors.New("invalid or unreachable oidc issuer")
 	ErrInsufficientScope                = errors.New("bearer token does not have sufficient scope")
 	ErrCouldNotLoadPublicKey            = errors.New("failed to load public key")
 	ErrEventTypeEmpty                   = errors.New("event type empty")
@@ -196,4 +197,11 @@ var (
 	ErrNoEmailSANFound                  = errors.New("no Email SAN found")
 	ErrEmailSANIndexOutOfRange          = errors.New("Email SAN index out of range")
 	ErrUnsupportedIdentityAttribute     = errors.New("unsupported identity attribute")
+	ErrOIDCNoAudiences                  = errors.New("at least one audience must be specified")
+	ErrOIDCInvalidAudiences             = errors.New("invalid audiences claim in token")
+	ErrOIDCEmptyAudience                = errors.New("audience is empty")
+	ErrOIDCEmptyVariableName            = errors.New("variable name is empty")
+	ErrOIDCEmptyValidationMsg           = errors.New("validation error message is empty")
+	ErrOIDCValidationFailed             = errors.New("OIDC claim validation failed")
+	ErrOIDCAudienceMismatch             = errors.New("token audience does not match any of the expected audiences")
 )