Trust-manager integration

[pierDipi]

Add support for trust-manager.

This will allow administrators to add trusted CA bundles to Eventing components by creating ConfigMaps labeled networking.knative.dev/trust-bundle=true in the knative-eventing namespace.

For now, the rotation is not yet implemented, for that we would need to re-create clients when trusted bundles change

TODO:

• bundle certs rotation in in-use clients

Fixes #

Proposed Changes

• Trust-manager integration
• Allow administrators to add CA trust bundle to all Eventing components

Pre-review Checklist

• At least 80% unit test coverage
• E2E tests for any new behavior
• Docs PR for any user-facing impact
• Spec PR for any new API feature
• Conformance test for any change to the spec

Release Note

Add trust-manager integration, Knative Eventing components will add to the trusted Certificate Authorities (CAs) any PEM-encoded CA certificates in any `ConfigMap` in the `knative-eventing` namespace labeled with `networking.knative.dev/trust-bundle=true`

Docs

• Issue Documenent Eventing trust-manager integration docs#5815

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pierDipi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [pierDipi]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

Attention: 236 lines in your changes are missing coverage. Please review.

Comparison is base (36b3115) 75.57% compared to head (b1bc237) 74.54%.
Report is 2 commits behind head on main.

Files	Patch %	Lines
pkg/eventingtls/trust_bundle.go	1.87%	156 Missing and 1 partial ⚠️
pkg/adapter/v2/main.go	19.35%	24 Missing and 1 partial ⚠️
pkg/eventingtls/eventingtls.go	29.62%	18 Missing and 1 partial ⚠️
pkg/apis/sources/v1/sinkbinding_lifecycle.go	87.50%	5 Missing and 3 partials ⚠️
cmd/webhook/main.go	0.00%	6 Missing ⚠️
pkg/reconciler/apiserversource/apiserversource.go	62.50%	4 Missing and 2 partials ⚠️
pkg/reconciler/containersource/containersource.go	57.14%	2 Missing and 1 partial ⚠️
pkg/broker/filter/filter_handler.go	75.00%	2 Missing ⚠️
pkg/broker/ingress/ingress_handler.go	75.00%	2 Missing ⚠️
pkg/kncloudevents/http_client.go	81.81%	2 Missing ⚠️
... and 3 more

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7532      +/-   ##
==========================================
- Coverage   75.57%   74.54%   -1.03%     
==========================================
  Files         261      262       +1     
  Lines       14668    14954     +286     
==========================================
+ Hits        11085    11148      +63     
- Misses       3004     3218     +214     
- Partials      579      588       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pierDipi]

/test conformance-tests

[pierDipi]

@creydr can you please take a look again?

[creydr]

Looking good. Only one nit. Thanks for addressing this!
/lgtm

/hold
Holding in case you want more reviews or want to address the nit. Feel free to unhold otherwise.

[pierDipi]

@creydr I will address the nit in the follow up PR when implementing "bundle certs rotation in in-use clients"

/unhold

[Leo6Leo]

helm with version earlier than v3.13 has some bugs, as it cannot detect the right kubernetes version.

Error: chart requires kubeVersion: >= 1.22.0-0 which is incompatible with Kubernetes v1.20.0

@pierDipi

[creydr]

@Leo6Leo where did you see it? In CI we don't have this problem (as we use always the latest helm 3 version): https://github.com/knative-extensions/knobots/actions/runs/7719799980/job/21043681810
When it's locally, can up update?

[pierDipi]

helm template doesn't run against a cluster, it's just rendering the template

[Leo6Leo]

@creydr It has the problem locally. Added the requirement to the development guide in this #7643