Merge branch 'main' into feat/certs

.github/workflows/check-actions.yml

@@ -16,7 +16,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
       - name: Ensure SHA pinned actions
-        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@f32435541e24cd6a4700a7f52bb2ec59e80603b1 # v2.1.4
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@b1b635d24259e8a047a6ce7d6501ea432aa7a830 # v3.0.2
         with:
           # slsa-github-generator requires using a semver tag for reusable workflows. 
           # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators

.github/workflows/docker-publish.yml

@@ -36,7 +36,7 @@ jobs:
           output: 'trivy-results.sarif'
           severity: 'CRITICAL,HIGH'
       - name: Install Cosign
-        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
       - name: Publish Capsule
         id: publish-capsule
         uses: peak-scale/github-actions/make-ko-publish@38322faabccd75abfa581c435e367d446b6d2c3b # v0.1.0

.github/workflows/helm-publish.yml

@@ -43,7 +43,7 @@ jobs:
       chart-digest: ${{ steps.helm_publish.outputs.digest }}
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+      - uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
       - name: "Extract Version"
         id: extract_version
         run: |

.github/workflows/releaser.yml

@@ -26,9 +26,9 @@ jobs:
         timeout-minutes: 5
         continue-on-error: true
       - uses: creekorful/goreportcard-action@1f35ced8cdac2cba28c9a2f2288a16aacfd507f9 # v1.0
-      - uses: anchore/sbom-action/download-syft@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1
+      - uses: anchore/sbom-action/download-syft@5ecf649a417b8ae17dc8383dc32d46c03f2312df
       - name: Install Cosign
-        uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # v3.1.2
+        uses: sigstore/cosign-installer@1fc5bd396d372bee37d608f955b336615edf79c8 # v3.2.0
       - name: Run GoReleaser
         uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0
         with:

internal/request/http.go

@@ -10,6 +10,7 @@ import (
 
 	authenticationv1 "k8s.io/api/authentication/v1"
 	authorizationv1 "k8s.io/api/authorization/v1"
+	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -97,6 +98,15 @@ func (h http) GetUserAndGroups() (username string, groups []string, err error) {
 		defer func() {
 			username = impersonateUser
 			groups = nil
+
+			// If the user is of a service account, replicate the work of the built-in service account token authenticator
+			// by appending the expected service account groups:
+			// - system:serviceaccounts:<namespace>
+			// - system:serviceaccounts
+			if namespace, _, err := serviceaccount.SplitUsername(username); err == nil {
+				groups = append(groups, serviceaccount.AllServiceAccountsGroup)
+				groups = append(groups, fmt.Sprintf("%s%s", serviceaccount.ServiceAccountGroupPrefix, namespace))
+			}
 		}()
 	}
 
@@ -114,6 +124,10 @@ func (h http) processBearerToken() (username string, groups []string, err error)
 		return "", nil, fmt.Errorf("cannot create TokenReview")
 	}
 
+	if !tr.Status.Authenticated {
+		return "", nil, fmt.Errorf("cannot verify the token due to error")
+	}
+
 	if statusErr := tr.Status.Error; len(statusErr) > 0 {
 		return "", nil, fmt.Errorf("cannot verify the token due to error")
 	}