Added EventPolicy Webhook

Signed-off-by: Dharmjit Singh <dharmjit.bti@gmail.com>
knative · Jul 10, 2024 · 7c4c759 · 7c4c759
1 parent 57b52ea
commit 7c4c759
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 2 deletions.
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -26,6 +26,7 @@ import (
 	kubeclient "knative.dev/pkg/client/injection/kube/client"
 	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
 
+	eventingv1alpha1 "knative.dev/eventing/pkg/apis/eventing/v1alpha1"
 	eventingv1beta3 "knative.dev/eventing/pkg/apis/eventing/v1beta3"
 	"knative.dev/eventing/pkg/apis/feature"
 	"knative.dev/eventing/pkg/apis/sinks"
@@ -75,6 +76,8 @@ func init() {
 
 var ourTypes = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
 	// For group eventing.knative.dev.
+	// v1alpha1
+	eventingv1alpha1.SchemeGroupVersion.WithKind("EventPolicy"): &eventingv1alpha1.EventPolicy{},
 	// v1beta1
 	eventingv1beta1.SchemeGroupVersion.WithKind("EventType"): &eventingv1beta1.EventType{},
 	// v1beta2

diff --git a/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go b/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"strings"
 
+	"knative.dev/eventing/pkg/apis/feature"
 	"knative.dev/pkg/apis"
 )
 
@@ -28,6 +29,9 @@ func (ep *EventPolicy) Validate(ctx context.Context) *apis.FieldError {
 }
 
 func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
+	if !feature.FromContext(ctx).IsOIDCAuthentication() {
+		return apis.ErrGeneric("oidc-authentication feature not enabled")
+	}
 	var err *apis.FieldError
 	for i, f := range ets.From {
 		if f.Ref == nil && (f.Sub == nil || *f.Sub == "") {

diff --git a/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go b/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go
@@ -21,11 +21,55 @@ import (
 	"testing"
 
 	"github.com/google/go-cmp/cmp"
+	"knative.dev/eventing/pkg/apis/feature"
 	"knative.dev/pkg/apis"
 	"knative.dev/pkg/ptr"
 )
 
-func TestEventPolicySpecValidation(t *testing.T) {
+func TestEventPolicySpecValidationWithOIDCAuthenticationFeatureFlagDisabled(t *testing.T) {
+	tests := []struct {
+		name string
+		ep   *EventPolicy
+		want *apis.FieldError
+	}{
+		{
+			name: "valid, from.sub exactly '*'",
+			ep: &EventPolicy{
+				Spec: EventPolicySpec{
+					From: []EventPolicySpecFrom{{
+						Sub: ptr.String("*"),
+					}},
+				},
+			},
+			want: func() *apis.FieldError {
+				return apis.ErrGeneric("oidc-authentication feature not enabled")
+			}(),
+		},
+		{
+			name: "invalid, missing from.ref and from.sub",
+			ep: &EventPolicy{
+				Spec: EventPolicySpec{
+					From: []EventPolicySpecFrom{{}},
+				},
+			},
+			want: func() *apis.FieldError {
+				return apis.ErrGeneric("oidc-authentication feature not enabled")
+			}(),
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			ctx := feature.ToContext(context.TODO(), feature.Flags{
+				feature.OIDCAuthentication: feature.Disabled,
+			})
+			got := test.ep.Validate(ctx)
+			if diff := cmp.Diff(test.want.Error(), got.Error()); diff != "" {
+				t.Errorf("%s: Validate EventPolicySpec (-want, +got) = %v", test.name, diff)
+			}
+		})
+	}
+}
+func TestEventPolicySpecValidationWithOIDCAuthenticationFeatureFlagEnabled(t *testing.T) {
 	tests := []struct {
 		name string
 		ep   *EventPolicy
@@ -252,7 +296,10 @@ func TestEventPolicySpecValidation(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			got := test.ep.Validate(context.TODO())
+			ctx := feature.ToContext(context.TODO(), feature.Flags{
+				feature.OIDCAuthentication: feature.Enabled,
+			})
+			got := test.ep.Validate(ctx)
 			if diff := cmp.Diff(test.want.Error(), got.Error()); diff != "" {
 				t.Errorf("%s: Validate EventPolicySpec (-want, +got) = %v", test.name, diff)
 			}