Test UTC

configs/terraform/environments/prod/image-builder.tf

@@ -1,6 +1,6 @@
 # Secure access to signify dev and prod secrets over k8s API.
 # Only external-secrets controller need access to these secrets over k8s API.
-# Prowjobs access these secrets as env vars or mounted files. This is controlled by OPA Gatekeeper.
+# Prowjobs access these secrets as env vars or mounted files. This is contrlled by OPA Gatekeeper.
 
 resource "kubernetes_cluster_role" "access_signify_secrets_trusted_workloads" {
   provider = kubernetes.trusted_workload_k8s_cluster

configs/terraform/environments/prod/provider.tf

@@ -43,6 +43,12 @@ provider "google" {
   region  = var.kyma_project_gcp_region
 }
 
+provider "google" {
+  alias   = "workloads"
+  project = var.workloads_project_id
+  region  = var.gcp_region
+}
+
 provider "google-beta" {
   project = var.gcp_project_id
   region  = var.gcp_region

configs/terraform/environments/prod/variables.tf

@@ -16,6 +16,12 @@ variable "gcp_project_id" {
   description = "Google Cloud project to create resources."
 }
 
+variable "workloads_project_id" {
+  type        = string
+  default     = "sap-kyma-prow-workloads"
+  description = "Additional Google Cloud project ID."
+}
+
 variable "gatekeeper_manifest_path" {
   type        = string
   default     = "../../../../opa/gatekeeper/deployments/gatekeeper.yaml"

pkg/oidc/oidc.go

@@ -7,6 +7,7 @@ package oidc
 import (
 	"errors"
 	"fmt"
+	"time"
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/go-jose/go-jose/v4"
@@ -169,6 +170,10 @@ func NewVerifierConfig(logger LoggerInterface, clientID string, options ...Verif
 	verifierConfig.InsecureSkipSignatureCheck = false
 	verifierConfig.SupportedSigningAlgs = SupportedSigningAlgorithms
 
+	verifierConfig.Now = func() time.Time {
+		return time.Now().UTC()
+	}
+
 	logger.Debugw("Created Verifier config with default values",
 		"clientID", clientID,
 		"SkipClientIDCheck", verifierConfig.SkipClientIDCheck,