Support validate claims with CEL expr for SSO

[mustard-mh]

Description

Related Issue(s)

Relates ENT-561

How to test

Current CEL expression in preview env is 'gitpod-team' in claims.groups_direct || (claims.email_verified && claims.email.endsWith("@gitpod.io"))

• Log into preview env with GitLab.com x SSO, conditions below depends whether you could login successfully:
  • If your validated email is ends with @gitpod.io, you should be able to login
  • If your are a member of group gitpod-team, you should be able to login

Setup Preview envs with Self-hosted / SaaS GitLab

Note

Test should follow https://github.com/gitpod-io/website/pull/4789

• Re trigger GHA if preview env is deleted, (or delete preview env when needed)
• Login with OIDC setup

previewctl admin credentials create
kubectl rollout restart deploy/server

• Setup OIDC with gitlab.com and Self-Hosted gitlab
• Play with CEL expression

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

• 🏷️ Name - hw-oidc-cel
• 🔗 URL - hw-oidc-cel.preview.gitpod-dev.com/workspaces.
• 📚 Documentation - See our internal documentation for information on how to interact with your preview environment.
• 📦 Version - hw-oidc-cel-gha.27820
• 🗒️ Logs - GCP Logs Explorer

Build Options

Build

• /werft with-werft
  Run the build with werft instead of GHA
• leeway-no-cache
• /werft no-test
  Run Leeway with --dont-test

Publish

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer

• analytics=segment
• with-dedicated-emulation
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment / Integration Tests

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• /werft preemptible
  Saves cost. Untick this only if you're really sure you need a non-preemtible machine.
• with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
• with-monitoring

/hold

[geropl]

Going to configure the preview env now 👀

[geropl]

And it works nicely! 🥳

[geropl]

Code LGTM, tested and works! ✔️

There are two nits I have (alignment and a trim() we could sprinkle in) but let's do those separately.

Nice work @mustard-mh !

[geropl]

/unblock

[geropl]

/unhold