Provide volume with OIDC token in SinkBinding (#7444)

* Split Sinkbinding controller setup and reconciler * Provide volume with OIDC token in SinkBinding * Fix init container volume mounts * Add unit test * Add expiry annotation in token secret and update only if close to expiry * Update tokenProvider GetJWT to return token expiry too * Add owner reference to secret * Add periodic resync * Use secret lister to reduce API server calls to reconcile token secret * Request a new JWT (without using cache) * Add token expiry buffer as a constant * Revert "Update tokenProvider GetJWT to return token expiry too" This reverts commit 1f87397. * Get expiry from token itself * Use explicit token expiration duration * Update secret generation on update * Renew token if issues with parsing * Simplify token reconcilation a bit * Create token secret name via kmeta.ChildName function * Make sinkbinding_lifecycle independent from feature config * Remove token secret when oidc feature disabled
knative · Nov 20, 2023 · 67f382d · 67f382d
1 parent 3ec99b4
commit 67f382d
Show file tree

Hide file tree

Showing 23 changed files with 1,520 additions and 84 deletions.
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -194,7 +194,7 @@ func NewConfigValidationController(ctx context.Context, _ configmap.Watcher) *co
 
 func NewSinkBindingWebhook(opts ...psbinding.ReconcilerOption) injection.ControllerConstructor {
 	return func(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
-		sbresolver := sinkbinding.WithContextFactory(ctx, func(types.NamespacedName) {})
+		withContext := sinkbinding.WithContextFactory(ctx, func(types.NamespacedName) {})
 
 		return psbinding.NewAdmissionController(ctx,
 
@@ -208,7 +208,7 @@ func NewSinkBindingWebhook(opts ...psbinding.ReconcilerOption) injection.Control
 			sinkbinding.ListAll,
 
 			// How to setup the context prior to invoking Do/Undo.
-			sbresolver,
+			withContext,
 			opts...,
 		)
 	}

diff --git a/config/core/resources/containersource.yaml b/config/core/resources/containersource.yaml
@@ -143,6 +143,9 @@ spec:
                 sinkCACerts:
                   description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink.
                   type: string
+                sinkAudience:
+                  description: Audience is the OIDC audience of the sink.
+                  type: string
       additionalPrinterColumns:
         - name: Sink
           type: string

diff --git a/config/core/resources/sinkbindings.yaml b/config/core/resources/sinkbindings.yaml
@@ -185,6 +185,12 @@ spec:
                 sinkCACerts:
                   description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink.
                   type: string
+                sinkAudience:
+                  description: Audience is the OIDC audience of the sink.
+                  type: string
+                oidcTokenSecretName:
+                  description: Name of the secret with the OIDC token for the sink.
+                  type: string
       additionalPrinterColumns:
         - name: Sink
           type: string

diff --git a/config/core/roles/webhook-clusterrole.yaml b/config/core/roles/webhook-clusterrole.yaml
@@ -109,12 +109,25 @@ rules:
       - "create"
       - "patch"
 
-# For the SinkBinding reconciler adding the OIDC identity service accounts
+  # For the SinkBinding reconciler adding the OIDC identity service accounts
   - apiGroups:
       - ""
     resources:
       - "serviceaccounts"
     verbs: *everything
+  # For the SinkBinding reconciler creating the sinkbinding token secret
+  - apiGroups:
+      - ""
+    resources:
+      - "serviceaccounts/token"
+    verbs:
+      - "create"
+  - apiGroups:
+      - ""
+    resources:
+      - "secrets"
+    verbs: *everything
+
   # Necessary for conversion webhook. These are copied from the serving
   # TODO: Do we really need all these permissions?
   - apiGroups: ["apiextensions.k8s.io"]

diff --git a/docs/eventing-api.md b/docs/eventing-api.md
@@ -5958,6 +5958,18 @@ state.
 Source.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>oidcTokenSecretName</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<p>OIDCTokenSecretName is the name of the secret containing the token for
+this SinkBindings OIDC authentication</p>
+</td>
+</tr>
 </tbody>
 </table>
 <hr/>

diff --git a/go.mod b/go.mod
@@ -9,6 +9,7 @@ require (
 	github.com/cloudevents/sdk-go/sql/v2 v2.13.0
 	github.com/cloudevents/sdk-go/v2 v2.13.0
 	github.com/coreos/go-oidc/v3 v3.6.0
+	github.com/go-jose/go-jose/v3 v3.0.0
 	github.com/golang/protobuf v1.5.3
 	github.com/google/go-cmp v0.6.0
 	github.com/google/gofuzz v1.2.0
@@ -71,7 +72,6 @@ require (
 	github.com/emicklei/go-restful/v3 v3.9.0 // indirect
 	github.com/evanphx/json-patch v4.12.0+incompatible // indirect
 	github.com/evanphx/json-patch/v5 v5.7.0 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.0 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/go-logfmt/logfmt v0.5.1 // indirect
 	github.com/go-logr/logr v1.2.4 // indirect

diff --git a/pkg/apis/sources/v1/sinkbinding_lifecycle.go b/pkg/apis/sources/v1/sinkbinding_lifecycle.go
@@ -33,9 +33,14 @@ import (
 	"knative.dev/pkg/tracker"
 )
 
+const (
+	oidcTokenVolumeName = "oidc-token"
+)
+
 var sbCondSet = apis.NewLivingConditionSet(
 	SinkBindingConditionSinkProvided,
 	SinkBindingConditionOIDCIdentityCreated,
+	SinkBindingConditionOIDCTokenSecretCreated,
 )
 
 // GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
@@ -90,6 +95,7 @@ func (sbs *SinkBindingStatus) MarkSink(addr *duckv1.Addressable) {
 	if addr != nil {
 		sbs.SinkURI = addr.URL
 		sbs.SinkCACerts = addr.CACerts
+		sbs.SinkAudience = addr.Audience
 		sbCondSet.Manage(sbs).MarkTrue(SinkBindingConditionSinkProvided)
 	} else {
 		sbCondSet.Manage(sbs).MarkFalse(SinkBindingConditionSinkProvided, "SinkEmpty", "Sink has resolved to empty.%s", "")
@@ -112,6 +118,22 @@ func (sbs *SinkBindingStatus) MarkOIDCIdentityCreatedUnknown(reason, messageForm
 	sbCondSet.Manage(sbs).MarkUnknown(SinkBindingConditionOIDCIdentityCreated, reason, messageFormat, messageA...)
 }
 
+func (sbs *SinkBindingStatus) MarkOIDCTokenSecretCreatedSuccceeded() {
+	sbCondSet.Manage(sbs).MarkTrue(SinkBindingConditionOIDCTokenSecretCreated)
+}
+
+func (sbs *SinkBindingStatus) MarkOIDCTokenSecretCreatedSuccceededWithReason(reason, messageFormat string, messageA ...interface{}) {
+	sbCondSet.Manage(sbs).MarkTrueWithReason(SinkBindingConditionOIDCTokenSecretCreated, reason, messageFormat, messageA...)
+}
+
+func (sbs *SinkBindingStatus) MarkOIDCTokenSecretCreatedFailed(reason, messageFormat string, messageA ...interface{}) {
+	sbCondSet.Manage(sbs).MarkFalse(SinkBindingConditionOIDCTokenSecretCreated, reason, messageFormat, messageA...)
+}
+
+func (sbs *SinkBindingStatus) MarkOIDCTokenSecretCreatedUnknown(reason, messageFormat string, messageA ...interface{}) {
+	sbCondSet.Manage(sbs).MarkUnknown(SinkBindingConditionOIDCTokenSecretCreated, reason, messageFormat, messageA...)
+}
+
 // Do implements psbinding.Bindable
 func (sb *SinkBinding) Do(ctx context.Context, ps *duckv1.WithPod) {
 	// First undo so that we can just unconditionally append below.
@@ -171,6 +193,38 @@ func (sb *SinkBinding) Do(ctx context.Context, ps *duckv1.WithPod) {
 			Value: ceOverrides,
 		})
 	}
+
+	if sb.Status.OIDCTokenSecretName != nil {
+		ps.Spec.Template.Spec.Volumes = append(ps.Spec.Template.Spec.Volumes, corev1.Volume{
+			Name: oidcTokenVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				Projected: &corev1.ProjectedVolumeSource{
+					Sources: []corev1.VolumeProjection{
+						{
+							Secret: &corev1.SecretProjection{
+								LocalObjectReference: corev1.LocalObjectReference{
+									Name: *sb.Status.OIDCTokenSecretName,
+								},
+							},
+						},
+					},
+				},
+			},
+		})
+
+		for i := range spec.Containers {
+			spec.Containers[i].VolumeMounts = append(spec.Containers[i].VolumeMounts, corev1.VolumeMount{
+				Name:      oidcTokenVolumeName,
+				MountPath: "/oidc",
+			})
+		}
+		for i := range spec.InitContainers {
+			spec.InitContainers[i].VolumeMounts = append(spec.InitContainers[i].VolumeMounts, corev1.VolumeMount{
+				Name:      oidcTokenVolumeName,
+				MountPath: "/oidc",
+			})
+		}
+	}
 }
 
 func (sb *SinkBinding) Undo(ctx context.Context, ps *duckv1.WithPod) {
@@ -189,6 +243,17 @@ func (sb *SinkBinding) Undo(ctx context.Context, ps *duckv1.WithPod) {
 			}
 		}
 		spec.InitContainers[i].Env = env
+
+		if len(spec.InitContainers[i].VolumeMounts) > 0 {
+			volumeMounts := make([]corev1.VolumeMount, 0, len(spec.InitContainers[i].VolumeMounts))
+			for j, vol := range c.VolumeMounts {
+				if vol.Name == oidcTokenVolumeName {
+					continue
+				}
+				volumeMounts = append(volumeMounts, spec.InitContainers[i].VolumeMounts[j])
+			}
+			spec.InitContainers[i].VolumeMounts = volumeMounts
+		}
 	}
 	for i, c := range spec.Containers {
 		if len(c.Env) == 0 {
@@ -204,5 +269,27 @@ func (sb *SinkBinding) Undo(ctx context.Context, ps *duckv1.WithPod) {
 			}
 		}
 		spec.Containers[i].Env = env
+
+		if len(spec.Containers[i].VolumeMounts) > 0 {
+			volumeMounts := make([]corev1.VolumeMount, 0, len(spec.Containers[i].VolumeMounts))
+			for j, vol := range c.VolumeMounts {
+				if vol.Name == oidcTokenVolumeName {
+					continue
+				}
+				volumeMounts = append(volumeMounts, spec.Containers[i].VolumeMounts[j])
+			}
+			spec.Containers[i].VolumeMounts = volumeMounts
+		}
+	}
+
+	if len(spec.Volumes) > 0 {
+		volumes := make([]corev1.Volume, 0, len(spec.Volumes))
+		for i, vol := range spec.Volumes {
+			if vol.Name == oidcTokenVolumeName {
+				continue
+			}
+			volumes = append(volumes, spec.Volumes[i])
+		}
+		ps.Spec.Template.Spec.Volumes = volumes
 	}
 }