eventpolicy webhook validation for oidc feature will be called for cr…

…eate or spec updates
knative · Jul 13, 2024 · 5cb354f · 5cb354f
1 parent 7c4c759
commit 5cb354f
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 3 deletions.
diff --git a/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go b/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go
@@ -25,13 +25,17 @@ import (
 )
 
 func (ep *EventPolicy) Validate(ctx context.Context) *apis.FieldError {
+	// To not allow creation or spec updates of EventPolicy CRs
+	// if the oidc-authentication feature is not enabled
+	if apis.IsInCreate(ctx) || apis.IsInSpec(ctx) {
+		if !feature.FromContext(ctx).IsOIDCAuthentication() {
+			return apis.ErrGeneric("oidc-authentication feature not enabled")
+		}
+	}
 	return ep.Spec.Validate(ctx).ViaField("spec")
 }
 
 func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
-	if !feature.FromContext(ctx).IsOIDCAuthentication() {
-		return apis.ErrGeneric("oidc-authentication feature not enabled")
-	}
 	var err *apis.FieldError
 	for i, f := range ets.From {
 		if f.Ref == nil && (f.Sub == nil || *f.Sub == "") {

diff --git a/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go b/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go
@@ -62,13 +62,15 @@ func TestEventPolicySpecValidationWithOIDCAuthenticationFeatureFlagDisabled(t *t
 			ctx := feature.ToContext(context.TODO(), feature.Flags{
 				feature.OIDCAuthentication: feature.Disabled,
 			})
+			ctx = apis.WithinCreate(ctx)
 			got := test.ep.Validate(ctx)
 			if diff := cmp.Diff(test.want.Error(), got.Error()); diff != "" {
 				t.Errorf("%s: Validate EventPolicySpec (-want, +got) = %v", test.name, diff)
 			}
 		})
 	}
 }
+
 func TestEventPolicySpecValidationWithOIDCAuthenticationFeatureFlagEnabled(t *testing.T) {
 	tests := []struct {
 		name string

diff --git a/pkg/reconciler/channel/channel_test.go b/pkg/reconciler/channel/channel_test.go
@@ -20,6 +20,7 @@ import (
 	"testing"
 
 	eventingv1alpha1 "knative.dev/eventing/pkg/apis/eventing/v1alpha1"
+	"knative.dev/eventing/pkg/apis/feature"
 
 	v1 "knative.dev/eventing/pkg/apis/messaging/v1"
 
@@ -576,6 +577,9 @@ func TestReconcile(t *testing.T) {
 	table.Test(t, MakeFactory(func(ctx context.Context, listers *Listers, cmw configmap.Watcher) controller.Reconciler {
 		ctx = channelable.WithDuck(ctx)
 		ctx = v1addr.WithDuck(ctx)
+		ctx = feature.ToContext(ctx, feature.Flags{
+			feature.OIDCAuthentication: feature.Enabled,
+		})
 		r := &Reconciler{
 			dynamicClientSet:   fakedynamicclient.Get(ctx),
 			channelLister:      listers.GetMessagingChannelLister(),