feat(charts): add identity-test for auth

charts/workflows-cluster/Chart.yaml

@@ -3,7 +3,7 @@ name: workflows-cluster
 description: A virtual cluster for Data Analysis workflows
 type: application
 
-version: 0.12.9
+version: 0.12.10
 dependencies:
   - name: common
     version: 2.23.0

charts/workflows-cluster/staging-values.yaml

@@ -155,3 +155,50 @@ authenticationConfiguration:
         message: 'username cannot use reserved system: prefix'
       - expression: "user.groups.all(group, !group.startsWith('system:'))"
         message: 'groups cannot use reserved system: prefix'
+    - issuer:
+        url: https://identity-test.diamond.ac.uk/realms/dls
+        audiences:
+          - workflows-cluster-staging
+          - graph
+        audienceMatchPolicy: MatchAny
+      claimMappings:
+        username:
+          expression: >
+            claims.?fedid.hasValue()
+            ? ('oidc:' + claims.fedid)
+            : ('oidc:' + claims.iss + '/' + claims.client_id)
+        uid:
+          expression: "claims.?fedid.orValue(claims.sub)"
+        groups:
+          claim: groups
+          prefix: "oidc:"
+        extra:
+        - key: 'workflows.diamond.ac.uk/posixuid'
+          valueExpression: "string(claims.?posix_uid.orValue(36055))" # use k8s-workflows uid
+        - key: 'workflows.diamond.ac.uk/is-service-account'
+          valueExpression: "claims.?fedid.hasValue() ? '' : 'true'"
+      claimValidationRules:
+      - expression: >
+          claims.?fedid.hasValue()
+          ||
+          claims.?client_id.hasValue()
+        message: "Invalid access token (no fedid or client_id). See: https://diamondlightsource.github.io/workflows/docs/how-tos/authentication/"
+      - expression: >
+          claims.?fedid.hasValue()
+          ||
+          claims.?preferred_username.orValue('').startsWith('service-account-')
+        message: "Invalid access token (service-account tokens must use service-account-* preferred_username). See: https://diamondlightsource.github.io/workflows/docs/how-tos/authentication/"
+      - expression: >
+          claims.?fedid.hasValue()
+          ||
+          (
+            claims.?client_id.hasValue()
+            &&
+            ['k6Operator'].exists(allowed, allowed == claims.client_id)
+          )
+        message: "Invalid access token (service account not on allowed-list). See: https://diamondlightsource.github.io/workflows/docs/how-tos/authentication/"
+      userValidationRules:
+      - expression: "!user.username.startsWith('system:')"
+        message: 'username cannot use reserved system: prefix'
+      - expression: "user.groups.all(group, !group.startsWith('system:'))"
+        message: 'groups cannot use reserved system: prefix'