Authenticate Requests from ApiServerSources #7452

Merged
Changes from 5 commits
73 commits
e2092b0
Add the task planning thoughts to the PR
Leo6Leo Nov 15, 2023
2369d50
Merge branch 'main' into authenticate-request-from-apiserversource
Leo6Leo Nov 15, 2023
48c349f
add the auth header to all the send and request to the adapter
Leo6Leo Nov 15, 2023
0e83dbc
Merge branch 'main' into authenticate-request-from-apiserversource
Leo6Leo Nov 17, 2023
e7b38a8
Adding the env var for K_AUDIENCE
Leo6Leo Nov 20, 2023
8efcee8
Adding the rekt test
Leo6Leo Nov 20, 2023
aea806a
Merge the upstream main branch
Leo6Leo Nov 23, 2023
e11c5e9
Adding the rolebinding for create_oidc
Leo6Leo Nov 24, 2023
8b4463c
Adding the rolebinding for create_oidc
Leo6Leo Nov 24, 2023
ef855c8
Update the env variable
Leo6Leo Nov 24, 2023
5c134b3
Revert the automated change to the file
Leo6Leo Nov 24, 2023
4d3caec
Update pkg/adapter/apiserver/delegate.go
Leo6Leo Nov 24, 2023
0cab4e5
Apply suggestions from code review
Leo6Leo Nov 24, 2023
c6a9d54
Merge the upstream main branch
Leo6Leo Nov 29, 2023
7190e7e
Save the working progress - 2
Leo6Leo Dec 4, 2023
8863654
Save the work progress, as everything is working right now. Next, wil…
Leo6Leo Dec 4, 2023
5b9fbc2
Fix the format issue (wrong indentation) the yaml file
Leo6Leo Dec 5, 2023
f49c7fc
Refactored and test passed
Leo6Leo Dec 5, 2023
012dece
Refactored and test passed
Leo6Leo Dec 5, 2023
fb01dde
Remove all the logs
Leo6Leo Dec 5, 2023
08780d4
Go imports
Leo6Leo Dec 5, 2023
31756fd
Merge branch 'main' into authenticate-request-from-apiserversource
Leo6Leo Dec 5, 2023
72735a3
revert the wrong format change during the merging
Leo6Leo Dec 5, 2023
8bfb205
Self sanity check before requesting review
Leo6Leo Dec 5, 2023
d125209
Fix the failed unit test
Leo6Leo Dec 5, 2023
34f0f2c
Merge branch 'main' into authenticate-request-from-apiserversource
Leo6Leo Dec 5, 2023
55e5c30
Fix the review comments
Leo6Leo Dec 5, 2023
a3c9ca8
Update test/auth/features/oidc/apiserversource.go
Leo6Leo Dec 5, 2023
a924341
Apply suggestions from code review
Leo6Leo Dec 5, 2023
751deaa
Fix the nit error
Leo6Leo Dec 5, 2023
37e41a8
Move the MakeOIDCRoleBinding() and MakeOIDCRole() to a separate file
Leo6Leo Dec 5, 2023
6861c83
Handle the role and rolebinding update
Leo6Leo Dec 6, 2023
610ba92
Merge branch 'main' into authenticate-request-from-apiserversource
Leo6Leo Dec 6, 2023
af5e3c0
Fix the typo
Leo6Leo Dec 6, 2023
dcc0dd0
Update pkg/adapter/v2/cloudevents.go
Leo6Leo Dec 6, 2023
8474dbe
Update pkg/adapter/v2/cloudevents.go
Leo6Leo Dec 6, 2023
be9f52d
Update pkg/adapter/v2/config.go
Leo6Leo Dec 6, 2023
12cbf55
Update pkg/reconciler/apiserversource/resources/oidc_rolebinding.go
Leo6Leo Dec 6, 2023
43dbcfb
Update pkg/reconciler/apiserversource/resources/receive_adapter.go
Leo6Leo Dec 6, 2023
2e3191c
Update pkg/adapter/v2/config.go
Leo6Leo Dec 6, 2023
d8a8b53
Update pkg/adapter/v2/config.go
Leo6Leo Dec 6, 2023
a746850
Update pkg/reconciler/apiserversource/resources/oidc_rolebinding.go
Leo6Leo Dec 6, 2023
0630d3a
Fix the majority of the review comments except for the role lister.
Leo6Leo Dec 6, 2023
8961e96
Fix the majority of the review comments except for the role lister.
Leo6Leo Dec 7, 2023
6821cd0
Gofmt and goimports
Leo6Leo Dec 7, 2023
7b87e70
Update the injection dependency
Leo6Leo Dec 7, 2023
4a68425
Use roleLister and roleBindingLister
Leo6Leo Dec 7, 2023
13cc267
Apply suggestions from code review
Leo6Leo Dec 11, 2023
36e70be
Update the nit function name change
Leo6Leo Dec 11, 2023
277af48
Fix the failed unit test by adding the OIDC component, and add the ne…
Leo6Leo Dec 11, 2023
c1248ea
Pass in the fake kubeclient to apiserversource
Leo6Leo Dec 11, 2023
da14390
Apply suggestions from code review
Leo6Leo Dec 11, 2023
3f0265d
nit fix
Leo6Leo Dec 11, 2023
d599e64
nit fix
Leo6Leo Dec 11, 2023
d0b400e
Fix the failed unit test: no audience is passed in
Leo6Leo Dec 11, 2023
f67e906
nit: boilerplate format
Leo6Leo Dec 11, 2023
a9ec39e
Merge branch 'main' into authenticate-request-from-apiserversource
Leo6Leo Dec 11, 2023
bf4c727
Change the comment and re-order the code according to the review comment
Leo6Leo Dec 12, 2023
81b54c4
Merge the main branch and resolve the merge conflict
Leo6Leo Dec 12, 2023
479aa7f
Change to use the filtered informer, and add the informer eventhandle…
Leo6Leo Dec 13, 2023
35c43b6
Change to use the filtered informer, and add the informer eventhandle…
Leo6Leo Dec 13, 2023
757880e
Merge branch 'main' into authenticate-request-from-apiserversource
Leo6Leo Dec 14, 2023
c8254e5
Inject the oidcSelector in the main.go
Leo6Leo Dec 14, 2023
30b7d22
Add the owner reference to the role and rolebinding
Leo6Leo Dec 14, 2023
72b37ed
Update the tests
Leo6Leo Dec 14, 2023
55c1724
Update the tests
Leo6Leo Dec 15, 2023
0d053b3
nit fix
Leo6Leo Dec 15, 2023
c082ede
register the selectors
Leo6Leo Dec 15, 2023
62fe570
nit: fix the go imports
Leo6Leo Dec 15, 2023
a8de8b8
Merge branch 'main' into authenticate-request-from-apiserversource
Leo6Leo Dec 18, 2023
f8b4795
nit: renaming the variables and only filter on the labelKey (e.g. by …
Leo6Leo Dec 18, 2023
a73a26b
nit: renaming the variables and only filter on the labelKey (e.g. by …
Leo6Leo Dec 18, 2023
8890c5d
nit: fix the naming and add - to the create-oidc-token
Leo6Leo Dec 18, 2023
4 changes: 4 additions & 0 deletions cmd/controller/main.go
Expand Up @@ -26,6 +26,7 @@ import (
"os"
"time"

filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
"knative.dev/pkg/injection/sharedmain"
"knative.dev/pkg/signals"

Expand Down Expand Up @@ -73,6 +74,9 @@ func main() {
}
}()

oidcSelector := "role=oidc-token-creator"
ctx = filteredFactory.WithSelectors(ctx, oidcSelector)

sharedmain.MainWithContext(ctx, "controller",
// Messaging
channel.NewController,
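Review bot: The selector assigned to oidcSelector in main() is a bare string literal that also appears in NewController (oidcSelectorString) and in the Labels maps of MakeOIDCRole and MakeOIDCRoleBinding, so the informer filter and the labels the reconciler writes can drift apart without a compile error. Define the label key and value once as exported constants next to MakeOIDCRole and build the selector from them here. The key "role" is also unprefixed, so any Role or RoleBinding that happens to carry role=oidc-token-creator ends up in this controller's informer cache; a key under the project's own domain would avoid that collision.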
44 changes: 44 additions & 0 deletions pkg/reconciler/apiserversource/apiserversource_test.go
Expand Up @@ -21,6 +21,8 @@ import (
"fmt"
"testing"

"knative.dev/pkg/kmeta"

rbacv1 "k8s.io/api/rbac/v1"

"github.com/stretchr/testify/require"
Expand Down Expand Up @@ -1337,13 +1339,34 @@ func makeSubjectAccessReview(resource, verb, sa string) *authorizationv1.Subject
}

func makeOIDCRole() *rbacv1.Role {
src := rttestingv1.NewApiServerSource(sourceName, testNS,
rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
Resources: []sourcesv1.APIVersionKindSelector{{
APIVersion: "v1",
Kind: "Namespace",
}},
EventMode: sourcesv1.ResourceMode,
SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
}),
rttestingv1.WithApiServerSourceUID(sourceUID),
// Status Update:
rttestingv1.WithInitApiServerSourceConditions,
rttestingv1.WithApiServerSourceDeployed,
rttestingv1.WithApiServerSourceSink(sinkURI),
)
return &rbacv1.Role{
ObjectMeta: metav1.ObjectMeta{
Name: resources.GetOIDCTokenRoleName(sourceName),
Namespace: testNS,
Annotations: map[string]string{
"description": fmt.Sprintf("Role for OIDC Authentication for ApiServerSource %q", sourceName),
},
Labels: map[string]string{
"role": "oidc-token-creator",
},
OwnerReferences: []metav1.OwnerReference{
*kmeta.NewControllerRef(src),
},
},
Rules: []rbacv1.PolicyRule{
{
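Review bot: In makeOIDCRole the src fixture is only ever passed to kmeta.NewControllerRef(src), yet it is built with a full spec and the status options (WithInitApiServerSourceConditions, WithApiServerSourceDeployed, WithApiServerSourceSink). An owner reference is derived from the owner's kind, name and UID, so a fixture with just sourceName, testNS and WithApiServerSourceUID(sourceUID) should be enough and makes it clearer what the expected Role actually depends on.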
Expand All @@ -1358,13 +1381,34 @@ func makeOIDCRole() *rbacv1.Role {
}

func makeOIDCRoleBinding() *rbacv1.RoleBinding {
src := rttestingv1.NewApiServerSource(sourceName, testNS,
rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
Resources: []sourcesv1.APIVersionKindSelector{{
APIVersion: "v1",
Kind: "Namespace",
}},
EventMode: sourcesv1.ResourceMode,
SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
}),
rttestingv1.WithApiServerSourceUID(sourceUID),
// Status Update:
rttestingv1.WithInitApiServerSourceConditions,
rttestingv1.WithApiServerSourceDeployed,
rttestingv1.WithApiServerSourceSink(sinkURI),
)
return &rbacv1.RoleBinding{
ObjectMeta: metav1.ObjectMeta{
Name: resources.GetOIDCTokenRoleBindingName(sourceName),
Namespace: testNS,
Annotations: map[string]string{
"description": fmt.Sprintf("Role Binding for OIDC Authentication for ApiServerSource %q", sourceName),
},
Labels: map[string]string{
"role": "oidc-token-creator",
},
OwnerReferences: []metav1.OwnerReference{
*kmeta.NewControllerRef(src),
},
},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
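Review bot: makeOIDCRoleBinding repeats the src fixture from makeOIDCRole line for line. Move the fixture, or just the expected OwnerReferences slice, into one helper used by both functions so the expected Role and RoleBinding cannot end up pointing at different owners after a later edit to one copy.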
9 changes: 3 additions & 6 deletions pkg/reconciler/apiserversource/controller.go
Expand Up @@ -19,8 +19,6 @@ package apiserversource
import (
"context"

filtered "knative.dev/eventing/pkg/client/injection/informers/factory/filtered"

"knative.dev/eventing/pkg/apis/feature"

"github.com/kelseyhightower/envconfig"
Expand Down Expand Up @@ -64,10 +62,9 @@ func NewController(
serviceaccountInformer := serviceaccountinformer.Get(ctx)

// Create a selector string
selectorString := "role=oidc-token-creator"
ctx = filtered.WithSelectors(ctx, selectorString)
roleInformer := roleinformer.Get(ctx, selectorString)
rolebindingInformer := rolebindinginformer.Get(ctx, selectorString)
oidcSelectorString := "role=oidc-token-creator"
roleInformer := roleinformer.Get(ctx, oidcSelectorString)
rolebindingInformer := rolebindinginformer.Get(ctx, oidcSelectorString)

var globalResync func(obj interface{})

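Review bot: With the filtered.WithSelectors call removed from NewController, roleinformer.Get(ctx, oidcSelectorString) and rolebindinginformer.Get(ctx, oidcSelectorString) now depend on the caller having registered the same selector on ctx, which main() and TestNew both do, but that precondition is not documented here. The leftover comment "// Create a selector string" no longer describes anything useful; replace it with a comment stating the requirement, and take the selector from a shared constant rather than a second copy of the literal.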
7 changes: 7 additions & 0 deletions pkg/reconciler/apiserversource/controller_test.go
Expand Up @@ -20,6 +20,8 @@ import (
"os"
"testing"

filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"

"knative.dev/eventing/pkg/apis/feature"

corev1 "k8s.io/api/core/v1"
Expand All @@ -42,8 +44,13 @@ import (

func TestNew(t *testing.T) {
ctx, _ := SetupFakeContext(t)

oidcSelector := "role=oidc-token-creator"
ctx = filteredFactory.WithSelectors(ctx, oidcSelector)

ctx = withCfgHost(ctx, &rest.Config{Host: "unit_test"})
ctx = addressable.WithDuck(ctx)

os.Setenv("METRICS_DOMAIN", "knative.dev/eventing")
os.Setenv("APISERVER_RA_IMAGE", "knative.dev/example")
c := NewController(ctx, configmap.NewStaticWatcher(&corev1.ConfigMap{
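Review bot: In TestNew the selector is attached with filteredFactory.WithSelectors only after SetupFakeContext(t) has returned, so anything that reads selectors while the fake context is being set up will not see it. If that ordering is intentional, a short comment saying so would help; otherwise supply the selector as part of context setup. The literal "role=oidc-token-creator" should also come from the same constant the controller uses rather than being typed out again in the test.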
6 changes: 6 additions & 0 deletions pkg/reconciler/apiserversource/resources/oidc_rolebinding.go
Expand Up @@ -54,6 +54,9 @@ func MakeOIDCRole(source *v1.ApiServerSource) (*rbacv1.Role, error) {
Labels: map[string]string{
"role": "oidc-token-creator",
},
OwnerReferences: []metav1.OwnerReference{
*kmeta.NewControllerRef(source),
},
},
Rules: []rbacv1.PolicyRule{
rbacv1.PolicyRule{
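Review bot: The OwnerReferences entry added to the Role's ObjectMeta in MakeOIDCRole only helps for objects created from this template; nothing in this hunk shows how a Role that already exists without an owner reference gets one. Check that the reconciler's update path compares labels and owner references as well as Rules, otherwise such a Role, and the token-creation permission it grants, stays behind after its ApiServerSource is deleted. A one-line comment stating that the controller reference is there so the Role is garbage-collected with its source would also help.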
Expand Down Expand Up @@ -89,6 +92,9 @@ func MakeOIDCRoleBinding(source *v1.ApiServerSource) (*rbacv1.RoleBinding, error
Labels: map[string]string{
"role": "oidc-token-creator",
},
OwnerReferences: []metav1.OwnerReference{
*kmeta.NewControllerRef(source),
},
},
RoleRef: rbacv1.RoleRef{
APIGroup: "rbac.authorization.k8s.io",
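Review bot: The Labels and OwnerReferences block added to MakeOIDCRoleBinding is a copy of the one in MakeOIDCRole. Build these shared ObjectMeta fields in one small helper that takes the source, so a change to the label or the ownership rule is made once and applies to both the Role and the RoleBinding.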