Workload ID: JWT SVID custom claim injection #52500

Open
strideynet opened this issue Feb 26, 2025 · 0 comments
Labels: feature-request (Used for new features in Teleport, improvements to current should be #enhancements), machine-id

Comments


strideynet commented Feb 26, 2025

Today, we support injecting custom RDNs into the Subject of an issued X509 SVID, e.g.:

kind: workload_identity
version: v1
metadata:
  name: my-workload
spec:
  spiffe:
    id: /foo/bar/{{ join.kubernetes.pod.name }}/{{ join.kubernetes.service_account.name }}
    x509:
      subject_template:
        common_name: my-common-name
        organization: my-organization
        organizational_unit: "{{ join.kubernetes.service_account.name }}"  # quoted: an unquoted value starting with "{" parses as a YAML flow mapping

This allows encoding information that is not suitable for the SPIFFE ID into the resulting workload identity credential. This may be used by consumers for authorization or auditing.

We should support a similar ability for JWT-SVIDs, and allow custom claims to be injected into the resulting JWT. JWT-SVIDs offer even more flexible customisation compared to X509 SVIDs.

Consider compatibility with https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_adding-assume-role-idp (Nested or Flattened) for passing information from attestation into AWS.

It'll be worth exploring a few different implementation options in this ticket and asking customers for feedback before proceeding to implementation.

As an example, it may look something like:

kind: workload_identity
version: v1
metadata:
  name: my-workload
spec:
  spiffe:
    id: /foo/bar/{{ join.kubernetes.pod.name }}/{{ join.kubernetes.service_account.name }}
    jwt:
      extra_claims:
        "my-claim": "{{ join.kubernetes.pod.name }}"  # quoted: an unquoted value starting with "{" parses as a YAML flow mapping
        "my-fixed-claim": some-fixed-value

We'll probably want to decide on:

  • Whether or not to support non-string claims. It seems like this would introduce a lot of additional complexity.
  • Whether or not to support "nested" claims. It seems like this would introduce a lot of additional complexity, but, could offer additional flexibility.
@strideynet strideynet added feature-request Used for new features in Teleport, improvements to current should be #enhancements machine-id labels Feb 26, 2025
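As an added sketch of the proposal above (this is not Teleport's code and not the author's; it is a stand-alone example), the following Go program renders a string-only `extra_claims` map against constructed `join.*` attestation attributes, refuses any extra claim whose name collides with an issuer-owned JWT claim, fails closed on a template that references an attribute which was not attested, and then signs the resulting claim set as an ES256 JWT. The attribute names, the `example.teleport.sh` trust domain, the reserved-claim list, the `renderTemplate`/`renderExtraClaims`/`buildClaims`/`signES256` helpers and the regexp-based `{{ ... }}` syntax are all assumptions made for this example; it deliberately takes the "strings only, no nesting" option from the open questions in the issue.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"regexp"
	"time"
)

// Claims owned by the issuer (assumed list); an extra claim is never allowed to override them.
var reservedClaims = map[string]bool{"iss": true, "sub": true, "aud": true, "exp": true, "nbf": true, "iat": true, "jti": true}

// Assumed template syntax: {{ attribute.path }} as used in the issue's examples.
var tmplRe = regexp.MustCompile(`\{\{\s*([A-Za-z0-9_.]+)\s*\}\}`)

// renderTemplate substitutes {{ attr }} references; an unknown attribute is an error,
// so a typo in the spec cannot silently produce an empty claim value.
func renderTemplate(tmpl string, attrs map[string]string) (string, error) {
	var err error
	out := tmplRe.ReplaceAllStringFunc(tmpl, func(m string) string {
		key := tmplRe.FindStringSubmatch(m)[1]
		v, ok := attrs[key]
		if !ok {
			err = fmt.Errorf("unknown attribute %q", key)
		}
		return v
	})
	return out, err
}

// renderExtraClaims renders a string-only extra_claims map, refusing reserved claim names.
func renderExtraClaims(extra, attrs map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(extra))
	for name, tmpl := range extra {
		if reservedClaims[name] {
			return nil, fmt.Errorf("extra claim %q collides with a reserved JWT claim", name)
		}
		v, err := renderTemplate(tmpl, attrs)
		if err != nil {
			return nil, err
		}
		out[name] = v
	}
	return out, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// buildClaims assembles the JWT-SVID claim set: issuer-owned claims first, then the extras.
func buildClaims(sub string, aud []string, ttl time.Duration, extra map[string]string) map[string]any {
	now := time.Now()
	claims := map[string]any{"sub": sub, "aud": aud, "iat": now.Unix(), "exp": now.Add(ttl).Unix()}
	for k, v := range extra {
		claims[k] = v // renderExtraClaims has already refused reserved names
	}
	return claims
}

// signES256 serialises the claims as a compact JWS signed with ES256. JWS uses the raw
// r||s signature encoding, not the ASN.1 form that ecdsa.SignASN1 produces.
func signES256(key *ecdsa.PrivateKey, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, key, digest[:])
	if err != nil {
		return "", err
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64(sig), nil
}

// issueExample runs the issue's example spec end to end against constructed attestation
// attributes and a fresh throwaway key, returning the claim set and the signed token.
func issueExample() (map[string]any, string, error) {
	attrs := map[string]string{"join.kubernetes.pod.name": "api-7d9f", "join.kubernetes.service_account.name": "api-sa"}
	spec := map[string]string{"my-claim": "{{ join.kubernetes.pod.name }}", "my-fixed-claim": "some-fixed-value"}
	extra, err := renderExtraClaims(spec, attrs)
	if err != nil {
		return nil, "", err
	}
	sub := "spiffe://example.teleport.sh/foo/bar/" + attrs["join.kubernetes.pod.name"] // constructed trust domain
	claims := buildClaims(sub, []string{"my-audience"}, 5*time.Minute, extra)
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	tok, err := signES256(key, claims)
	return claims, tok, err
}
```

Two design choices are worth calling out for the questions at the end of the issue: extra claims are written into the claim map only after the issuer-owned claims and only after the reserved-name check, so a spec can never mint a token with an attacker-chosen `sub` or `aud`; and an unattested attribute is a hard error rather than an empty string, which is the failure mode a relying party doing authorization on these claims would otherwise never notice.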
2 participants