Use Google Identity Server to Generate JWT for Ambient Credentials

CHANGELOG.md

@@ -42,3 +42,9 @@
 
 ## Fixes
 - Bug fix in Helm chart release action
+
+# v2.1.0
+
+## Fixes
+- Updated library golang.org/x/crypto to version v0.33.0 to address authorization bypass vulnerability (https://github.com/advisories/GHSA-v778-237x-gjrc)
+- Bug fix for Google ambient credentials

README.md

@@ -289,6 +289,8 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
     | certificateAuthorityLogicalName | The logical name of the Certificate Authority to use in Command. For example, `Sub-CA`                                                              |
     | certificateAuthorityHostname   | (optional) The hostname of the Certificate Authority specified by `certificateAuthorityLogicalName`. This field is usually only required if the CA in Command is a DCOM (MSCA-like) CA.                                                                     |
     | certificateTemplate     | The Short Name of the Certificate Template to use when this Issuer/ClusterIssuer enrolls CSRs.                                                                        |
+    | scopes     | (Optional) If using ambient credentials, these scopes will be put on the access token generated by the ambient credentials' token provider, if applicable.   |
+     | audience     | (Optional) If using ambient credentials, this audience will be put on the access token generated by the ambient credentials' token provider, if applicable. Google's ambient credential token provider generates an OIDC ID Token. If this value is not provided, it will default to `command`.  |
 
     > If a different combination of hostname/certificate authority/certificate template is required, a new Issuer or ClusterIssuer resource must be created. Each resource instantiation represents a single configuration.
 
@@ -314,6 +316,8 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
           # certificateAuthorityHostname: "$COMMAND_CA_HOSTNAME" # Uncomment if required
           certificateAuthorityLogicalName: "$COMMAND_CA_LOGICAL_NAME"
           certificateTemplate: "$CERTIFICATE_TEMPLATE_SHORT_NAME"
+          # scopes: "openid email https://example.com/.default" # Uncomment if desired
+          # audience: "https://your-command-url.com" # Uncomment if desired
         EOF
 
         kubectl -n default apply -f issuer.yaml
@@ -338,6 +342,8 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
           # certificateAuthorityHostname: "$COMMAND_CA_HOSTNAME" # Uncomment if required
           certificateAuthorityLogicalName: "$COMMAND_CA_LOGICAL_NAME"
           certificateTemplate: "$CERTIFICATE_TEMPLATE_SHORT_NAME"
+          # scopes: "openid email https://example.com/.default" # Uncomment if desired
+          # audience: "https://your-command-url.com" # Uncomment if desired
         EOF
 
         kubectl apply -f clusterissuer.yaml

api/v1alpha1/issuer_types.go

@@ -81,6 +81,14 @@ type IssuerSpec struct {
 	// effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret.
 	// +optional
 	Scopes string `json:"scopes,omitempty"`
+
+	// The audience value used when requesting a Bearer token from an ambient token provider implied
+	// by the environment, rather than by commandSecretName. For example, could be set to
+	// https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+	// the URL of your Command environment.Has no effect on OAuth 2.0 Client Credential configuration - please specify
+	// the audience for this method in an Opaque secret.
+	// +optional
+	Audience string `json:"audience,omitempty"`
 }
 
 func (i *Issuer) GetStatus() *IssuerStatus {

config/crd/bases/command-issuer.keyfactor.com_clusterissuers.yaml

@@ -44,6 +44,14 @@ spec:
                 description: APIPath is the base path of the Command API. KeyfactorAPI
                   by default
                 type: string
+              audience:
+                description: |-
+                  The audience value used when requesting a Bearer token from an ambient token provider implied
+                  by the environment, rather than by commandSecretName. For example, could be set to
+                  https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+                  the URL of your Command environment.Has no effect on OAuth 2.0 Client Credential configuration - please specify
+                  the audience for this method in an Opaque secret.
+                type: string
               caSecretName:
                 description: |-
                   The name of the secret containing the CA bundle to use when verifying

config/crd/bases/command-issuer.keyfactor.com_issuers.yaml

@@ -44,6 +44,14 @@ spec:
                 description: APIPath is the base path of the Command API. KeyfactorAPI
                   by default
                 type: string
+              audience:
+                description: |-
+                  The audience value used when requesting a Bearer token from an ambient token provider implied
+                  by the environment, rather than by commandSecretName. For example, could be set to
+                  https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+                  the URL of your Command environment.Has no effect on OAuth 2.0 Client Credential configuration - please specify
+                  the audience for this method in an Opaque secret.
+                type: string
               caSecretName:
                 description: |-
                   The name of the secret containing the CA bundle to use when verifying

deploy/charts/command-cert-manager-issuer/templates/crds/clusterissuers.yaml

@@ -87,6 +87,14 @@ spec:
                   api://{tenant ID}/.default when requesting an access token for Entra ID (DefaultAzureCredential). Has no
                   effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret.
                 type: string
+              audience:
+                description: |-
+                  The audience value used when requesting a Bearer token from an ambient token provider implied
+                  by the environment, rather than by commandSecretName. For example, could be set to
+                  https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+                  the URL of your Command environment. Has no effect on OAuth 2.0 Client Credential configuration - please specify 
+                  the audience for this method in an Opaque secret.
+                type: string
             type: object
           status:
             description: IssuerStatus defines the observed state of Issuer

deploy/charts/command-cert-manager-issuer/templates/crds/issuers.yaml

@@ -87,6 +87,14 @@ spec:
                   api://{tenant ID}/.default when requesting an access token for Entra ID (DefaultAzureCredential). Has no
                   effect on OAuth 2.0 Client Credential configuration - please specify the scopes for this method in an Opaque secret.
                 type: string
+              audience:
+                description: |-
+                  The audience value used when requesting a Bearer token from an ambient token provider implied
+                  by the environment, rather than by commandSecretName. For example, could be set to
+                  https://example.com when requesting an access token from Google's identity token provider. Ideally, this should be
+                  the URL of your Command environment. Has no effect on OAuth 2.0 Client Credential configuration - please specify 
+                  the audience for this method in an Opaque secret.
+                type: string
             type: object
           status:
             description: IssuerStatus defines the observed state of Issuer

docsource/content.md

@@ -256,6 +256,8 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
     | certificateAuthorityLogicalName | The logical name of the Certificate Authority to use in Command. For example, `Sub-CA`                                                              |
     | certificateAuthorityHostname   | (optional) The hostname of the Certificate Authority specified by `certificateAuthorityLogicalName`. This field is usually only required if the CA in Command is a DCOM (MSCA-like) CA.                                                                     |
     | certificateTemplate     | The Short Name of the Certificate Template to use when this Issuer/ClusterIssuer enrolls CSRs.                                                                        |
+    | scopes     | (Optional) If using ambient credentials, these scopes will be put on the access token generated by the ambient credentials' token provider, if applicable.   |
+     | audience     | (Optional) If using ambient credentials, this audience will be put on the access token generated by the ambient credentials' token provider, if applicable. Google's ambient credential token provider generates an OIDC ID Token. If this value is not provided, it will default to `command`.  |
 
     > If a different combination of hostname/certificate authority/certificate template is required, a new Issuer or ClusterIssuer resource must be created. Each resource instantiation represents a single configuration.
 
@@ -281,6 +283,8 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
           # certificateAuthorityHostname: "$COMMAND_CA_HOSTNAME" # Uncomment if required
           certificateAuthorityLogicalName: "$COMMAND_CA_LOGICAL_NAME"
           certificateTemplate: "$CERTIFICATE_TEMPLATE_SHORT_NAME"
+          # scopes: "openid email https://example.com/.default" # Uncomment if desired
+          # audience: "https://your-command-url.com" # Uncomment if desired
         EOF
 
         kubectl -n default apply -f issuer.yaml
@@ -305,6 +309,8 @@ For example, ClusterIssuer resources can be used to issue certificates for resou
           # certificateAuthorityHostname: "$COMMAND_CA_HOSTNAME" # Uncomment if required
           certificateAuthorityLogicalName: "$COMMAND_CA_LOGICAL_NAME"
           certificateTemplate: "$CERTIFICATE_TEMPLATE_SHORT_NAME"
+          # scopes: "openid email https://example.com/.default" # Uncomment if desired
+          # audience: "https://your-command-url.com" # Uncomment if desired
         EOF
 
         kubectl apply -f clusterissuer.yaml

go.mod

@@ -8,7 +8,7 @@ require (
 	github.com/cert-manager/cert-manager v1.16.2
 	github.com/go-logr/logr v1.4.2
 	github.com/stretchr/testify v1.10.0
-	golang.org/x/oauth2 v0.24.0
+	golang.org/x/oauth2 v0.26.0
 	k8s.io/api v0.31.1
 	k8s.io/apimachinery v0.31.1
 	k8s.io/client-go v0.31.1
@@ -17,7 +17,24 @@ require (
 )
 
 require (
-	cloud.google.com/go/compute/metadata v0.5.1 // indirect
+	cloud.google.com/go/auth v0.15.0 // indirect
+	cloud.google.com/go/auth/oauth2adapt v0.2.7 // indirect
+	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/google/s2a-go v0.1.9 // indirect
+	github.com/googleapis/enterprise-certificate-proxy v0.3.4 // indirect
+	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
+	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.59.0 // indirect
+	go.opentelemetry.io/otel v1.34.0 // indirect
+	go.opentelemetry.io/otel/metric v1.34.0 // indirect
+	go.opentelemetry.io/otel/trace v1.34.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250219182151-9fdb1cabc7b2 // indirect
+	google.golang.org/grpc v1.70.0 // indirect
+)
+
+require (
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
@@ -45,7 +62,7 @@ require (
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
-	github.com/google/go-cmp v0.6.0 // indirect
+	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/hashicorp/go-hclog v1.5.0 // indirect
@@ -76,15 +93,16 @@ require (
 	go.mozilla.org/pkcs7 v0.9.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
 	go.uber.org/zap v1.27.0 // indirect
-	golang.org/x/crypto v0.30.0 // indirect
+	golang.org/x/crypto v0.33.0 // indirect
 	golang.org/x/exp v0.0.0-20240719175910-8a7402abbf56 // indirect
-	golang.org/x/net v0.32.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
-	golang.org/x/term v0.27.0 // indirect
-	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/net v0.35.0 // indirect
+	golang.org/x/sys v0.30.0 // indirect
+	golang.org/x/term v0.29.0 // indirect
+	golang.org/x/text v0.22.0 // indirect
+	golang.org/x/time v0.10.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/protobuf v1.34.2 // indirect
+	google.golang.org/api v0.223.0
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect