add bearer_token_format and idp_access_token_allowed_audiences (#1103)

* add bearer_token_format and idp_access_token_allowed_audiences

* use main commit

* fix bootstrap failing

apis/ingress/v1/pomerium_types.go

@@ -289,6 +289,17 @@ type PomeriumSpec struct {
 	// +kubebuilder:validation:Optional
 	// +kubebuilder:validation:Enum=auto;http1;http2;http3
 	CodecType *string `json:"codecType,omitempty"`
+
+	// BearerTokenFormat sets the <a href="https://www.pomerium.com/docs/reference/bearer-token-format">Bearer Token Format</a>.
+	//
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Enum=default;idp_access_token;idp_identity_token
+	BearerTokenFormat *string `json:"bearerTokenFormat,omitempty"`
+
+	// IDPAccessTokenAllowedAudiences specifies the
+	// <a href="https://www.pomerium.com/docs/reference/idp-access-token-allowed-audiences">idp access token allowed audiences</a>
+	// list.
+	IDPAccessTokenAllowedAudiences *[]string `json:"idpAccessTokenAllowedAudiences,omitempty"`
 }
 
 // Timeouts allows to configure global timeouts for all routes.

config/crd/bases/ingress.pomerium.io_pomerium.yaml

@@ -83,6 +83,14 @@ spec:
                 items:
                   type: string
                 type: array
+              bearerTokenFormat:
+                description: BearerTokenFormat sets the <a href="https://www.pomerium.com/docs/reference/bearer-token-format">Bearer
+                  Token Format</a>.
+                enum:
+                - default
+                - idp_access_token
+                - idp_identity_token
+                type: string
               caSecrets:
                 description: CASecret should refer to k8s secrets with key <code>ca.crt</code>
                   containing a CA certificate.
@@ -222,6 +230,14 @@ spec:
                 - provider
                 - secret
                 type: object
+              idpAccessTokenAllowedAudiences:
+                description: |-
+                  IDPAccessTokenAllowedAudiences specifies the
+                  <a href="https://www.pomerium.com/docs/reference/idp-access-token-allowed-audiences">idp access token allowed audiences</a>
+                  list.
+                items:
+                  type: string
+                type: array
               jwtClaimHeaders:
                 additionalProperties:
                   type: string

config/gen_secrets/role.yaml

@@ -10,3 +10,4 @@ rules:
       - secrets
     verbs:
       - create
+      - get

deployment.yaml

@@ -225,6 +225,14 @@ spec:
                 items:
                   type: string
                 type: array
+              bearerTokenFormat:
+                description: BearerTokenFormat sets the <a href="https://www.pomerium.com/docs/reference/bearer-token-format">Bearer
+                  Token Format</a>.
+                enum:
+                - default
+                - idp_access_token
+                - idp_identity_token
+                type: string
               caSecrets:
                 description: CASecret should refer to k8s secrets with key <code>ca.crt</code>
                   containing a CA certificate.
@@ -364,6 +372,14 @@ spec:
                 - provider
                 - secret
                 type: object
+              idpAccessTokenAllowedAudiences:
+                description: |-
+                  IDPAccessTokenAllowedAudiences specifies the
+                  <a href="https://www.pomerium.com/docs/reference/idp-access-token-allowed-audiences">idp access token allowed audiences</a>
+                  list.
+                items:
+                  type: string
+                type: array
               jwtClaimHeaders:
                 additionalProperties:
                   type: string
@@ -655,6 +671,7 @@ rules:
   - secrets
   verbs:
   - create
+  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/martinlindhe/base36 v1.1.1
 	github.com/open-policy-agent/opa v1.1.0
 	github.com/pomerium/csrf v1.7.0
-	github.com/pomerium/pomerium v0.28.1-0.20250204182906-81a52db74940
+	github.com/pomerium/pomerium v0.28.1-0.20250218200206-b9fd926618e2
 	github.com/rs/zerolog v1.33.0
 	github.com/sergi/go-diff v1.3.1
 	github.com/spf13/cobra v1.8.1

go.sum

@@ -541,8 +541,8 @@ github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524 h1:3YQY1sb5
 github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524/go.mod h1:7fGbUYJnU8RcxZJvUvhukOIBv1G7LWDAHMfDxAf5+Y0=
 github.com/pomerium/envoy-custom v1.32.4-0.20250114182541-6f6d2147bea6 h1:QLVgpx23jcbgR9qJzIicJ+uXGjQXO0GAy55SCo0Jd9o=
 github.com/pomerium/envoy-custom v1.32.4-0.20250114182541-6f6d2147bea6/go.mod h1:afbaKE6YfshVUOrYc6XWUWfZcXencWmi1jTc00ki0Oo=
-github.com/pomerium/pomerium v0.28.1-0.20250204182906-81a52db74940 h1:Gi6ZFj2KUoI71thjzNKH4y13ip4LPLjABTQN+33P9IY=
-github.com/pomerium/pomerium v0.28.1-0.20250204182906-81a52db74940/go.mod h1:8Uf1ya/wSjJyeUo5X4TqctlrYxbc5iPfFG18x1t0Deo=
+github.com/pomerium/pomerium v0.28.1-0.20250218200206-b9fd926618e2 h1:UtyGKmmFs/DVuvhOUeFowruCv+xObqAbqNmPqhMZ88o=
+github.com/pomerium/pomerium v0.28.1-0.20250218200206-b9fd926618e2/go.mod h1:8Uf1ya/wSjJyeUo5X4TqctlrYxbc5iPfFG18x1t0Deo=
 github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46 h1:NRTg8JOXCxcIA1lAgD74iYud0rbshbWOB3Ou4+Huil8=
 github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46/go.mod h1:QqZmx6ZgPxz18va7kqoT4t/0yJtP7YFIDiT/W2n2fZ4=
 github.com/pomerium/webauthn v0.0.0-20240603205124-0428df511172 h1:TqoPqRgXSHpn+tEJq6H72iCS5pv66j3rPprThUEZg0E=

pomerium/config.go

@@ -132,6 +132,29 @@ func applySetOtherOptions(_ context.Context, p *pb.Config, c *model.Config) erro
 	} else {
 		p.Settings.PassIdentityHeaders = nil
 	}
+	if c.Spec.BearerTokenFormat != nil {
+		switch *c.Spec.BearerTokenFormat {
+		case "":
+			p.Settings.BearerTokenFormat = pb.BearerTokenFormat_BEARER_TOKEN_FORMAT_UNKNOWN.Enum()
+		case "default":
+			p.Settings.BearerTokenFormat = pb.BearerTokenFormat_BEARER_TOKEN_FORMAT_DEFAULT.Enum()
+		case "idp_access_token":
+			p.Settings.BearerTokenFormat = pb.BearerTokenFormat_BEARER_TOKEN_FORMAT_IDP_ACCESS_TOKEN.Enum()
+		case "idp_identity_token":
+			p.Settings.BearerTokenFormat = pb.BearerTokenFormat_BEARER_TOKEN_FORMAT_IDP_IDENTITY_TOKEN.Enum()
+		default:
+			return fmt.Errorf("unknown bearerTokenFormat %s", *c.Spec.BearerTokenFormat)
+		}
+	} else {
+		p.Settings.BearerTokenFormat = nil
+	}
+	if c.Spec.IDPAccessTokenAllowedAudiences != nil {
+		p.Settings.IdpAccessTokenAllowedAudiences = &pb.Settings_StringList{
+			Values: *c.Spec.IDPAccessTokenAllowedAudiences,
+		}
+	} else {
+		p.Settings.IdpAccessTokenAllowedAudiences = nil
+	}
 	return nil
 }
 

pomerium/ingress_annotations.go

@@ -24,13 +24,15 @@ var (
 		"allow_public_unauthenticated_access",
 		"allow_spdy",
 		"allow_websockets",
+		"bearer_token_format",
 		"cors_allow_preflight",
 		"description",
 		"host_path_regex_rewrite_pattern",
 		"host_path_regex_rewrite_substitution",
 		"host_rewrite_header",
 		"host_rewrite",
 		"idle_timeout",
+		"idp_access_token_allowed_audiences",
 		"logo_url",
 		"pass_identity_headers",
 		"prefix_rewrite",

pomerium/ingress_annotations_test.go

@@ -45,6 +45,7 @@ func TestAnnotations(t *testing.T) {
 					"a/allowed_domains":                         `["a"]`,
 					"a/allowed_idp_claims":                      `key: ["val1", "val2"]`,
 					"a/allowed_users":                           `["a"]`,
+					"a/bearer_token_format":                     `idp_access_token`,
 					"a/cors_allow_preflight":                    "true",
 					"a/description":                             "DESCRIPTION",
 					"a/health_checks":                           `[{"timeout": "10s", "interval": "1m", "healthy_threshold": 1, "unhealthy_threshold": 2, "http_health_check": {"path": "/"}}]`,
@@ -53,6 +54,7 @@ func TestAnnotations(t *testing.T) {
 					"a/host_rewrite_header":                     "rewrite-header",
 					"a/host_rewrite":                            "rewrite",
 					"a/idle_timeout":                            `60s`,
+					"a/idp_access_token_allowed_audiences":      `["x","y","z"]`,
 					"a/kubernetes_service_account_token_secret": "k8s_token",
 					"a/lb_policy":                               "LEAST_REQUEST",
 					"a/logo_url":                                "LOGO_URL",
@@ -191,12 +193,15 @@ func TestAnnotations(t *testing.T) {
 			},
 			SourcePpl: proto.String(`{"allow":{"or":[{"domain":{"is":"pomerium.com"}}]}}`),
 		}},
-		TlsSkipVerify: true,
-		TlsServerName: "my.server.name",
-		Description:   "DESCRIPTION",
-		LogoUrl:       "LOGO_URL",
+		TlsSkipVerify:                  true,
+		TlsServerName:                  "my.server.name",
+		Description:                    "DESCRIPTION",
+		LogoUrl:                        "LOGO_URL",
+		BearerTokenFormat:              pb.BearerTokenFormat_BEARER_TOKEN_FORMAT_IDP_ACCESS_TOKEN.Enum(),
+		IdpAccessTokenAllowedAudiences: &pb.Route_StringList{Values: []string{"x", "y", "z"}},
 	}, cmpopts.IgnoreUnexported(
 		pb.Route{},
+		pb.Route_StringList{},
 		pb.RouteRewriteHeader{},
 		pb.Policy{},
 		structpb.ListValue{},

pomerium/proto.go

@@ -43,6 +43,10 @@ func preprocessAnnotationMessage(md protoreflect.MessageDescriptor, data any) an
 		if v, ok := data.(string); ok {
 			return goDurationStringToProtoJSONDurationString(v)
 		}
+	case "pomerium.config.Route.StringList":
+		if v, ok := data.([]any); ok {
+			return map[string]any{"values": v}
+		}
 	default:
 		// preprocess all the fields
 		if v, ok := data.(map[string]any); ok {
@@ -62,6 +66,20 @@ func preprocessAnnotationMessage(md protoreflect.MessageDescriptor, data any) an
 }
 
 func preprocessAnnotationField(fd protoreflect.FieldDescriptor, data any) any {
+	if fd.Enum() != nil && fd.Enum().FullName() == "pomerium.config.BearerTokenFormat" {
+		if v, ok := data.(string); ok {
+			switch v {
+			case "":
+				return "BEARER_TOKEN_FORMAT_UNKNOWN"
+			case "default":
+				return "BEARER_TOKEN_FORMAT_DEFAULT"
+			case "idp_access_token":
+				return "BEARER_TOKEN_FORMAT_IDP_ACCESS_TOKEN"
+			case "idp_identity_token":
+				return "BEARER_TOKEN_FORMAT_IDP_IDENTITY_TOKEN"
+			}
+		}
+	}
 	// if this is a repeated field, handle each of the field values separately
 	if fd.IsList() {
 		vs, ok := data.([]any)