fix: lazily create and cache OIDC Issuer for Kubernetes token support

SequeI · SequeI · commit 95c86d068252 · 2026-01-29T18:59:47.000Z
Issuer was created eagerly in __init__, fetching OIDC discovery config.
Kubernetes OIDC providers lack authorization_endpoint/token_endpoint,
causing failures even when identity_token was provided directly.

Now Issuer is lazily created and cached when OAuth flow is needed.

Signed-off-by: SequeI &lt;asiek@redhat.com&gt;
diff --git a/src/model_signing/_signing/sign_sigstore.py b/src/model_signing/_signing/sign_sigstore.py
@@ -126,7 +126,8 @@ def __init__(
         if not oidc_issuer:
             oidc_issuer = trust_config.signing_config.get_oidc_url()
 
-        self._issuer = sigstore_oidc.Issuer(oidc_issuer)
+        self._oidc_issuer = oidc_issuer
+        self._issuer: sigstore_oidc.Issuer | None = None
         self._signing_context = (
             sigstore_signer.SigningContext.from_trust_config(trust_config)
         )
@@ -153,6 +154,9 @@ def _get_identity_token(self) -> sigstore_oidc.IdentityToken:
             if token:
                 return sigstore_oidc.IdentityToken(token, self._client_id)
 
+        if self._issuer is None:
+            self._issuer = sigstore_oidc.Issuer(self._oidc_issuer)
+
         return self._issuer.identity_token(
             force_oob=self._force_oob,
             client_id=self._client_id,
