Test case:
Having a configuration like this:
OIDCIssuers:
  - ClientID: sigstore
    Issuer: 'https://issuer1...' # simplified
    IssuerURL: 'https://issuer1...' # simplified
    Type: kubernetes
  - ClientID: 'https://kubernetes.default.svc'
    Issuer: 'https://issuer1...' # simplified
    IssuerURL: 'https://issuer1' # simplified
    Type: kubernetes
and setting the identity token to a Kubernetes SA with audience set to "sigstore"
Result
causes Fulcio to fail with
getting Fulcio signer: getting key from Fulcio: retrieving cert: POST https://fulcio-server-trusted-artifact-signer.....p1.openshiftapps.com/api/v1/signingCert returned 400 Bad Request: "{"code":3,"message":"There was an error processing the identity token","details":[]}"
because it tries to match the token with second issuer.
Expected result
Either it shouldn't be allowed to have two issuers with the same URL, or Fulcio should not fail
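The two outcomes listed under "Expected result", sketched as an added Go example (not Fulcio's code and not part of the original report): `DuplicateIssuerURLs` lets a config loader reject entries that share a URL, and `SelectIssuer` disambiguates such entries by matching the token's audience against `ClientID`. The `Issuer` struct, both function names, the `https://issuer1.example` placeholder URL, and the assumption that the token's `iss` claim equals `IssuerURL` are all hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// Issuer holds the fields of one OIDCIssuers entry (hypothetical type).
type Issuer struct{ ClientID, Issuer, IssuerURL, Type string }

// DuplicateIssuerURLs returns every IssuerURL used by more than one entry,
// in first-seen order, so a config loader can reject the file up front.
func DuplicateIssuerURLs(cfg []Issuer) []string {
	count := map[string]int{}
	var dups []string
	for _, e := range cfg {
		count[e.IssuerURL]++
		if count[e.IssuerURL] == 2 {
			dups = append(dups, e.IssuerURL)
		}
	}
	return dups
}

// SelectIssuer picks the entry whose IssuerURL equals the token's iss claim
// and whose ClientID is among the token's aud values.
func SelectIssuer(cfg []Issuer, iss string, aud []string) (Issuer, error) {
	for _, e := range cfg {
		if e.IssuerURL != iss {
			continue
		}
		for _, a := range aud {
			if a == e.ClientID {
				return e, nil
			}
		}
	}
	return Issuer{}, errors.New("no configured issuer matches iss and aud")
}

func main() {
	// Constructed sample mirroring the report; the URL is a placeholder.
	cfg := []Issuer{
		{"sigstore", "https://issuer1.example", "https://issuer1.example", "kubernetes"},
		{"https://kubernetes.default.svc", "https://issuer1.example", "https://issuer1.example", "kubernetes"},
	}
	fmt.Println("duplicate URLs:", DuplicateIssuerURLs(cfg))
	m, err := SelectIssuer(cfg, "https://issuer1.example", []string{"sigstore"})
	fmt.Println("selected ClientID:", m.ClientID, "err:", err)
}
```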