backport 1103 to 0-28-exp

apis/ingress/v1/pomerium_types.go

@@ -283,6 +283,17 @@ type PomeriumSpec struct {
 
 	// UseProxyProtocol enables <a href="https://www.pomerium.com/docs/reference/use-proxy-protocol">Proxy Protocol</a> support.
 	UseProxyProtocol *bool `json:"useProxyProtocol,omitempty"`
+
+	// BearerTokenFormat sets the <a href="https://www.pomerium.com/docs/reference/bearer-token-format">Bearer Token Format</a>.
+	//
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:validation:Enum=default;idp_access_token;idp_identity_token
+	BearerTokenFormat *string `json:"bearerTokenFormat,omitempty"`
+
+	// IDPAccessTokenAllowedAudiences specifies the
+	// <a href="https://www.pomerium.com/docs/reference/idp-access-token-allowed-audiences">idp access token allowed audiences</a>
+	// list.
+	IDPAccessTokenAllowedAudiences *[]string `json:"idpAccessTokenAllowedAudiences,omitempty"`
 }
 
 // Timeouts allows to configure global timeouts for all routes.

config/crd/bases/ingress.pomerium.io_pomerium.yaml

@@ -83,6 +83,14 @@ spec:
                 items:
                   type: string
                 type: array
+              bearerTokenFormat:
+                description: BearerTokenFormat sets the <a href="https://www.pomerium.com/docs/reference/bearer-token-format">Bearer
+                  Token Format</a>.
+                enum:
+                - default
+                - idp_access_token
+                - idp_identity_token
+                type: string
               caSecrets:
                 description: CASecret should refer to k8s secrets with key <code>ca.crt</code>
                   containing a CA certificate.
@@ -213,6 +221,14 @@ spec:
                 - provider
                 - secret
                 type: object
+              idpAccessTokenAllowedAudiences:
+                description: |-
+                  IDPAccessTokenAllowedAudiences specifies the
+                  <a href="https://www.pomerium.com/docs/reference/idp-access-token-allowed-audiences">idp access token allowed audiences</a>
+                  list.
+                items:
+                  type: string
+                type: array
               jwtClaimHeaders:
                 additionalProperties:
                   type: string

config/gen_secrets/role.yaml

@@ -10,3 +10,4 @@ rules:
       - secrets
     verbs:
       - create
+      - get

deployment.yaml

@@ -225,6 +225,14 @@ spec:
                 items:
                   type: string
                 type: array
+              bearerTokenFormat:
+                description: BearerTokenFormat sets the <a href="https://www.pomerium.com/docs/reference/bearer-token-format">Bearer
+                  Token Format</a>.
+                enum:
+                - default
+                - idp_access_token
+                - idp_identity_token
+                type: string
               caSecrets:
                 description: CASecret should refer to k8s secrets with key <code>ca.crt</code>
                   containing a CA certificate.
@@ -355,6 +363,14 @@ spec:
                 - provider
                 - secret
                 type: object
+              idpAccessTokenAllowedAudiences:
+                description: |-
+                  IDPAccessTokenAllowedAudiences specifies the
+                  <a href="https://www.pomerium.com/docs/reference/idp-access-token-allowed-audiences">idp access token allowed audiences</a>
+                  list.
+                items:
+                  type: string
+                type: array
               jwtClaimHeaders:
                 additionalProperties:
                   type: string
@@ -646,6 +662,7 @@ rules:
   - secrets
   verbs:
   - create
+  - get
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding

go.mod

@@ -18,7 +18,7 @@ require (
 	github.com/martinlindhe/base36 v1.1.1
 	github.com/open-policy-agent/opa v0.70.0
 	github.com/pomerium/csrf v1.7.0
-	github.com/pomerium/pomerium v0.28.1-0.20250128224327-5e45fa4b0dfc
+	github.com/pomerium/pomerium v0.28.1-0.20250220152416-ad6cb49ad6d7
 	github.com/rs/zerolog v1.33.0
 	github.com/sergi/go-diff v1.3.1
 	github.com/spf13/cobra v1.8.1

go.sum

@@ -576,10 +576,8 @@ github.com/pomerium/csrf v1.7.0 h1:Qp4t6oyEod3svQtKfJZs589mdUTWKVf7q0PgCKYCshY=
 github.com/pomerium/csrf v1.7.0/go.mod h1:hAPZV47mEj2T9xFs+ysbum4l7SF1IdrryYaY6PdoIqw=
 github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524 h1:3YQY1sb54tEEbr0L73rjHkpLB0IB6qh3zl1+XQbMLis=
 github.com/pomerium/datasource v0.18.2-0.20221108160055-c6134b5ed524/go.mod h1:7fGbUYJnU8RcxZJvUvhukOIBv1G7LWDAHMfDxAf5+Y0=
-github.com/pomerium/pomerium v0.28.1-0.20250122165117-ede82486070b h1:3vozFLtGiyJNazBiEe74jJQhbyXiwF7fVECL1utBrJg=
-github.com/pomerium/pomerium v0.28.1-0.20250122165117-ede82486070b/go.mod h1:uExZfmcP2ah4vXnjVFlDxPB3xDY5m5sO8iAWl39+XbA=
-github.com/pomerium/pomerium v0.28.1-0.20250128224327-5e45fa4b0dfc h1:kz/f0xs+cP4fq2b/V+7ZgH44bxq38Zi5jbq1iKWduNk=
-github.com/pomerium/pomerium v0.28.1-0.20250128224327-5e45fa4b0dfc/go.mod h1:uExZfmcP2ah4vXnjVFlDxPB3xDY5m5sO8iAWl39+XbA=
+github.com/pomerium/pomerium v0.28.1-0.20250220152416-ad6cb49ad6d7 h1:++FmUe7W98J+xjWvFYR+snSN73KRBqYrHusYgLAqwAg=
+github.com/pomerium/pomerium v0.28.1-0.20250220152416-ad6cb49ad6d7/go.mod h1:uExZfmcP2ah4vXnjVFlDxPB3xDY5m5sO8iAWl39+XbA=
 github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46 h1:NRTg8JOXCxcIA1lAgD74iYud0rbshbWOB3Ou4+Huil8=
 github.com/pomerium/protoutil v0.0.0-20240813175624-47b7ac43ff46/go.mod h1:QqZmx6ZgPxz18va7kqoT4t/0yJtP7YFIDiT/W2n2fZ4=
 github.com/pomerium/webauthn v0.0.0-20240603205124-0428df511172 h1:TqoPqRgXSHpn+tEJq6H72iCS5pv66j3rPprThUEZg0E=

pomerium/config.go

@@ -118,6 +118,29 @@ func applySetOtherOptions(_ context.Context, p *pb.Config, c *model.Config) erro
 	} else {
 		p.Settings.PassIdentityHeaders = nil
 	}
+	if c.Spec.BearerTokenFormat != nil {
+		switch *c.Spec.BearerTokenFormat {
+		case "":
+			p.Settings.BearerTokenFormat = pb.BearerTokenFormat_BEARER_TOKEN_FORMAT_UNKNOWN.Enum()
+		case "default":
+			p.Settings.BearerTokenFormat = pb.BearerTokenFormat_BEARER_TOKEN_FORMAT_DEFAULT.Enum()
+		case "idp_access_token":
+			p.Settings.BearerTokenFormat = pb.BearerTokenFormat_BEARER_TOKEN_FORMAT_IDP_ACCESS_TOKEN.Enum()
+		case "idp_identity_token":
+			p.Settings.BearerTokenFormat = pb.BearerTokenFormat_BEARER_TOKEN_FORMAT_IDP_IDENTITY_TOKEN.Enum()
+		default:
+			return fmt.Errorf("unknown bearerTokenFormat %s", *c.Spec.BearerTokenFormat)
+		}
+	} else {
+		p.Settings.BearerTokenFormat = nil
+	}
+	if c.Spec.IDPAccessTokenAllowedAudiences != nil {
+		p.Settings.IdpAccessTokenAllowedAudiences = &pb.Settings_StringList{
+			Values: *c.Spec.IDPAccessTokenAllowedAudiences,
+		}
+	} else {
+		p.Settings.IdpAccessTokenAllowedAudiences = nil
+	}
 	return nil
 }
 

pomerium/ingress_annotations.go

@@ -23,12 +23,14 @@ var (
 		"allow_public_unauthenticated_access",
 		"allow_spdy",
 		"allow_websockets",
+		"bearer_token_format",
 		"cors_allow_preflight",
 		"host_path_regex_rewrite_pattern",
 		"host_path_regex_rewrite_substitution",
 		"host_rewrite_header",
 		"host_rewrite",
 		"idle_timeout",
+		"idp_access_token_allowed_audiences",
 		"pass_identity_headers",
 		"prefix_rewrite",
 		"preserve_host_header",

pomerium/ingress_annotations_test.go

@@ -45,13 +45,15 @@ func TestAnnotations(t *testing.T) {
 					"a/allowed_domains":                         `["a"]`,
 					"a/allowed_idp_claims":                      `key: ["val1", "val2"]`,
 					"a/allowed_users":                           `["a"]`,
+					"a/bearer_token_format":                     `idp_access_token`,
 					"a/cors_allow_preflight":                    "true",
 					"a/health_checks":                           `[{"timeout": "10s", "interval": "1m", "healthy_threshold": 1, "unhealthy_threshold": 2, "http_health_check": {"path": "/"}}]`,
 					"a/host_path_regex_rewrite_pattern":         "rewrite-pattern",
 					"a/host_path_regex_rewrite_substitution":    "rewrite-sub",
 					"a/host_rewrite_header":                     "rewrite-header",
 					"a/host_rewrite":                            "rewrite",
 					"a/idle_timeout":                            `60s`,
+					"a/idp_access_token_allowed_audiences":      `["x","y","z"]`,
 					"a/kubernetes_service_account_token_secret": "k8s_token",
 					"a/lb_policy":                               "LEAST_REQUEST",
 					"a/least_request_lb_config":                 `{"choice_count":3,"active_request_bias":{"default_value":4,"runtime_key":"key"},"slow_start_config":{"slow_start_window":"3s","aggression":{"runtime_key":"key"}}}`,
@@ -188,10 +190,13 @@ func TestAnnotations(t *testing.T) {
 				"key": {Values: []*structpb.Value{structpb.NewStringValue("val1"), structpb.NewStringValue("val2")}},
 			},
 		}},
-		TlsSkipVerify: true,
-		TlsServerName: "my.server.name",
+		TlsSkipVerify:                  true,
+		TlsServerName:                  "my.server.name",
+		BearerTokenFormat:              pb.BearerTokenFormat_BEARER_TOKEN_FORMAT_IDP_ACCESS_TOKEN.Enum(),
+		IdpAccessTokenAllowedAudiences: &pb.Route_StringList{Values: []string{"x", "y", "z"}},
 	}, cmpopts.IgnoreUnexported(
 		pb.Route{},
+		pb.Route_StringList{},
 		pb.RouteRewriteHeader{},
 		pb.Policy{},
 		structpb.ListValue{},

pomerium/proto.go

@@ -43,6 +43,10 @@ func preprocessAnnotationMessage(md protoreflect.MessageDescriptor, data any) an
 		if v, ok := data.(string); ok {
 			return goDurationStringToProtoJSONDurationString(v)
 		}
+	case "pomerium.config.Route.StringList":
+		if v, ok := data.([]any); ok {
+			return map[string]any{"values": v}
+		}
 	default:
 		// preprocess all the fields
 		if v, ok := data.(map[string]any); ok {
@@ -62,6 +66,20 @@ func preprocessAnnotationMessage(md protoreflect.MessageDescriptor, data any) an
 }
 
 func preprocessAnnotationField(fd protoreflect.FieldDescriptor, data any) any {
+	if fd.Enum() != nil && fd.Enum().FullName() == "pomerium.config.BearerTokenFormat" {
+		if v, ok := data.(string); ok {
+			switch v {
+			case "":
+				return "BEARER_TOKEN_FORMAT_UNKNOWN"
+			case "default":
+				return "BEARER_TOKEN_FORMAT_DEFAULT"
+			case "idp_access_token":
+				return "BEARER_TOKEN_FORMAT_IDP_ACCESS_TOKEN"
+			case "idp_identity_token":
+				return "BEARER_TOKEN_FORMAT_IDP_IDENTITY_TOKEN"
+			}
+		}
+	}
 	// if this is a repeated field, handle each of the field values separately
 	if fd.IsList() {
 		vs, ok := data.([]any)