fix: enable Vault JWT auth without Spire for KMS signing

[infernus01]

Changes

Setting signers.kms.auth.oidc.path and signers.kms.auth.oidc.role in the Chains ConfigMap without Spire does nothing. The OIDC path and role are parsed correctly but never used — the code falls through to VAULT_TOKEN /~/.vault-token and fails:
error configuring kms signer with config {hashivault://supply-chain {http://vault.vault:8200/ {jwt tekton-chains} { }}}: read .vault-token file: open /home/nonroot/.vault-token: no such file or directory

Now with this PR, when OIDC path/role are configured and no Spire or static token is present, read the Kubernetes service account token from /var/run/secrets/kubernetes.io/serviceaccount/token and use it for Vault JWT auth. A new config key signers.kms.auth.oidc.token-path allows overriding the default path.
Priority order: Spire → static token → K8s SA token

fixes: #1479

Submitter Checklist

As the author of this PR, please check off the items in this checklist:

• Has Docs included if any changes are user facing
• Has Tests included if any functionality added or changed
• Follows the commit message standard
• Meets the Tekton contributor standards (including
  functionality, content, code)
• Release notes block below has been updated with any user facing changes (API changes, bug fixes, changes requiring upgrade notices or deprecation warnings)
• Release notes contains the string "action required" if the change requires additional action from users switching to the new release

Release Notes

Fix Vault KMS JWT auth (OIDC) to work without Spire by reading the Kubernetes service account token when signers.kms.auth.oidc.path and signers.kms.auth.oidc.role are configured. Added new optional config key signers.kms.auth.oidc.token-path to override the default token file path.

[infernus01]

/kind bug

[ab-ghosh]

Core fix looks good, the priority chain (Spire → static token → K8s SA JWT) preserves backward compatibility.
Tested the changes and it works and fixes the bug

/lgtm

[jkhelil]

Please add a release note

[tekton-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
To complete the pull request process, please assign jkhelil after the PR has been reviewed.
You can assign the PR to them by writing /assign @jkhelil in a comment when ready.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ab-ghosh]

can we reuse the existing getKMSAuthToken function here instead of calling os.ReadFile directly

[infernus01]

Ah yes that is intentional, since getKMSAuthToken uses TrimSuffix("\n") which only strips a single trailing newline. That's fine for static Vault tokens, but for the OIDC JWT path I used TrimSpace because for example if someone has a token file with just whitespaces like " \n \n", TrimSuffix would leave " \n " (looks non-empty, gets sent to Vault, confusing error), while TrimSpace correctly gives us "" which we then catch with the empty file check.

The empty file check itself is the other difference, since getKMSAuthToken might return "" without error, but here an empty token might cause the code to drop the entire OIDC config and fall back to VAULT_TOKEN, which is the exact bug this PR is fixing.

So same os.ReadFile, but different post-processing needs.

[ab-ghosh]

/lgtm