Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide volume with OIDC token in SinkBinding #7444

Merged
merged 20 commits into from
Nov 20, 2023
Merged

Provide volume with OIDC token in SinkBinding #7444

merged 20 commits into from
Nov 20, 2023

Conversation

creydr
Copy link
Member

@creydr creydr commented Nov 13, 2023
edited
Loading

Fixes #7323

Proposed Changes

  • 🎁 Provide OIDC token in SinkBinding as mountpoint under /oidc/token

Pre-review Checklist

  • At least 80% unit test coverage
  • E2E tests for any new behavior
  • Docs PR for any user-facing impact
  • Spec PR for any new API feature
  • Conformance test for any change to the spec

How to verify change

  • Install a broker: kn broker create my-broker --class MTChannelBasedBroker
  • Install a container source (will add a sinkbinding under the hood and makes it easy to verify the binding through its deployment): kn source container create my-container-source --image gcr.io/knative-nightly/knative.dev/eventing/cmd/heartbeats:latest --env POD_NAME=pod-name --env POD_NAMESPACE=default --sink broker:my-broker
  • Verify the container source deplyment has the volume with the token: kubectl get deploy my-container-source-deployment -o yaml
  • Additionally you can check if the mounted secret contains a JWT: kubectl get secret oidc-token-my-container-source-sinkbinding -ojsonpath='{.data.token}' | base64 -d

Release Note

Provide OIDC token in SinkBinding under /oidc/token path.

@knative-prow knative-prow bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 13, 2023
@knative-prow knative-prow bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 13, 2023
@creydr creydr force-pushed the provide-oidc-token-in-sinkbinding branch from 828cde6 to e038171 Compare November 14, 2023 07:38
@knative-prow knative-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. and removed size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Nov 14, 2023
@codecov Codecov
Copy link

codecov bot commented Nov 14, 2023
edited
Loading

Codecov Report

Attention: 17 lines in your changes are missing coverage. Please review.

Comparison is base (9431ce9) 76.76% compared to head (1a9cc48) 76.79%.
Report is 15 commits behind head on main.

Files Patch % Lines
pkg/auth/utils.go 53.84% 4 Missing and 2 partials ⚠️
pkg/auth/token_provider.go 0.00% 5 Missing ⚠️
pkg/apis/sources/v1/sinkbinding_lifecycle.go 93.54% 4 Missing ⚠️
cmd/webhook/main.go 0.00% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #7444      +/-   ##
==========================================
+ Coverage   76.76%   76.79%   +0.02%     
==========================================
  Files         253      253              
  Lines       13916    14098     +182     
==========================================
+ Hits        10683    10826     +143     
- Misses       2700     2732      +32     
- Partials      533      540       +7

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@creydr creydr changed the title [WIP] Provide volume with OIDC token in SinkBinding Provide volume with OIDC token in SinkBinding Nov 16, 2023
@knative-prow knative-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 16, 2023
@creydr creydr requested a review from pierDipi November 16, 2023 09:16
pierDipi
pierDipi reviewed Nov 17, 2023
View reviewed changes
pkg/reconciler/sinkbinding/controller.go Outdated Show resolved Hide resolved
pkg/reconciler/sinkbinding/sinkbinding.go Outdated Show resolved Hide resolved
pkg/reconciler/sinkbinding/sinkbinding.go Outdated Show resolved Hide resolved
@knative-prow knative-prow bot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Nov 17, 2023
@creydr creydr requested a review from pierDipi November 17, 2023 13:33
@creydr creydr force-pushed the provide-oidc-token-in-sinkbinding branch from 0c149ac to fb1a053 Compare November 17, 2023 14:29
@creydr creydr requested a review from pierDipi November 17, 2023 14:38
@creydr
Copy link
Member Author

creydr commented Nov 17, 2023

/retest

@creydr
Copy link
Member Author

creydr commented Nov 20, 2023

@pierDipi could you recheck?

pierDipi
pierDipi reviewed Nov 20, 2023
View reviewed changes
pkg/reconciler/sinkbinding/sinkbinding.go Outdated

func (s *SinkBindingSubResourcesReconciler) reconcileOIDCTokenSecret(ctx context.Context, sb *v1.SinkBinding) error {
logger := logging.FromContext(ctx)
secretName := fmt.Sprintf("oidc-token-%s", sb.Name)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is potentially longer than the max characters count, can we just use the SB name?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 updated to use kmeta.ChildName()

pkg/reconciler/sinkbinding/sinkbinding.go Outdated Show resolved Hide resolved
pkg/reconciler/sinkbinding/sinkbinding.go Outdated Show resolved Hide resolved
@creydr creydr requested a review from pierDipi November 20, 2023 12:09
@creydr creydr requested a review from pierDipi November 20, 2023 17:30
pierDipi
pierDipi approved these changes Nov 20, 2023
View reviewed changes
Copy link
Member

@pierDipi pierDipi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm
/approve

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Nov 20, 2023
@knative-prow Knative Prow
Copy link

knative-prow bot commented Nov 20, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr, pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@creydr
Copy link
Member Author

creydr commented Nov 20, 2023

/retest

@knative-prow knative-prow bot merged commit 67f382d into knative:main Nov 20, 2023
39 of 41 checks passed
@creydr creydr linked an issue Nov 21, 2023 that may be closed by this pull request
Provide the OIDC token of the ContainerSource as a volume #7322
Closed
@creydr creydr mentioned this pull request Nov 21, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pierDipi pierDipi pierDipi approved these changes

@lionelvillard lionelvillard Awaiting requested review from lionelvillard

@odacremolbap odacremolbap Awaiting requested review from odacremolbap

Assignees

@pierDipi pierDipi

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
2 participants
@creydr @pierDipi