Add new oidc subtype for Kubernetes joining

[timothyb89]

This adds a new oidc subtype for the Kubernetes join method. This differs from static_jwks in that it fetches the /.well-known/openid-configuration endpoint at the issuer and subsequently fetches the JWKS keys from the configured URL. This works around a common issue with static_jwks on providers like EKS that rotate keys frequently, since we'll fetch the key set as needed.

Note that caching (#49213) was deferred for now but as it reuses our existing OIDC machinery, it should be trivial to swap in a caching HTTP client in a follow-up PR.

changelog: Add new oidc joining mode for Kubernetes delegated joining to support providers that can be configured to provide public OIDC endpoints, like EKS, AKS, and GKE.

Fixes #39170

---

To use, you'll need a Kubernetes cluster that issues OIDC tokens from an issuer with a public OpenID-compatible endpoint, like Amazon EKS. To check and resolve the right issuer value, run this command:

$ curl $(kubectl get --raw /.well-known/openid-configuration | jq -r '.issuer')/.well-known/openid-configuration | jq -r '.issuer'
https://oidc.eks.us-west-2.amazonaws.com/id/my-cluster

This attempts to resolve the issuer from your local machine; providers like EKS will return an OIDC config pointing to internal URLs when used on an internal network. If your provider's OIDC endpoint isn't available, the curl call will fail, in which case this method won't work.

Once you've determined the issuer, create a join token:

kind: token
metadata:
  name: kubernetes-oidc-example
spec:
  bot_name: kubernetes-oidc-example
  join_method: kubernetes
  kubernetes:
    allow:
    - service_account: default:example
    oidc:
      issuer: https://oidc.eks.us-west-2.amazonaws.com/id/my-cluster
    type: oidc
  roles:
  - Bot
version: v2

You'll need to configure your Kubernetes pod to project a token with the Teleport cluster name as the configured audience, in this case we'll assume example.teleport.sh.

To project an additional token, add this to your pod spec:

spec:
  containers:
  - name: example
    # ...
    volumeMounts:
    - mountPath: /var/run/secrets/teleport-token
      name: teleport-token
  volumes:
  - name: teleport-token
    projected:
      defaultMode: 420
      sources:
      - serviceAccountToken:
          audience: example.teleport.sh
          expirationSeconds: 600
          path: token

When joining a client (Teleport agent, tbot, etc) make sure KUBERNETES_TOKEN_PATH is set to the token in the projected mount path, e.g. /var/run/secrets/teleport-token/token.

[github-actions]

Amplify deployment status

Branch	Commit	Job ID	Status	Preview	Updated (UTC)
timothyb89/kubernetes-jwks-uri	c92abb4	6	✅SUCCEED	timothyb89-kubernetes-jwks-uri	2025-08-06 22:57:23

[backport-bot-workflows]

@timothyb89 See the table below for backport results.

Branch	Result
branch/v17	Failed
branch/v18	Failed