diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
index 902e4e4bb22..e21ec0e9956 100644
--- a/cmd/webhook/main.go
+++ b/cmd/webhook/main.go
@@ -26,6 +26,7 @@ import (
 kubeclient "knative.dev/pkg/client/injection/kube/client"
 configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
+ eventingv1alpha1 "knative.dev/eventing/pkg/apis/eventing/v1alpha1"
 eventingv1beta3 "knative.dev/eventing/pkg/apis/eventing/v1beta3"
 "knative.dev/eventing/pkg/apis/feature"
 "knative.dev/eventing/pkg/apis/sinks"
@@ -75,6 +76,8 @@ func init() {
 var ourTypes = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
 // For group eventing.knative.dev.
+ // v1alpha1
+ eventingv1alpha1.SchemeGroupVersion.WithKind("EventPolicy"): &eventingv1alpha1.EventPolicy{},
 // v1beta1
 eventingv1beta1.SchemeGroupVersion.WithKind("EventType"): &eventingv1beta1.EventType{},
 // v1beta2
diff --git a/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go b/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go
index 0c267b31968..756d5b50c0e 100644
--- a/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go
+++ b/pkg/apis/eventing/v1alpha1/eventpolicy_validation.go
@@ -20,6 +20,7 @@ import (
 "context"
 "strings"
+ "knative.dev/eventing/pkg/apis/feature"
 "knative.dev/pkg/apis"
 )
@@ -28,6 +29,9 @@ func (ep *EventPolicy) Validate(ctx context.Context) *apis.FieldError {
 }
 func (ets *EventPolicySpec) Validate(ctx context.Context) *apis.FieldError {
+ if !feature.FromContext(ctx).IsOIDCAuthentication() {
+ return apis.ErrGeneric("oidc-authentication feature not enabled")
+ }
 var err *apis.FieldError
 for i, f := range ets.From {
 if f.Ref == nil && (f.Sub == nil || *f.Sub == "") {
diff --git a/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go b/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go
index da103fd069f..708592736a7 100644
--- a/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go
+++ b/pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go
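Review bot: The new guard at the top of `EventPolicySpec.Validate` in `eventpolicy_validation.go` has no comment saying why an EventPolicy is refused while `oidc-authentication` is off, and it applies to every validation call rather than only to creates. If the intent is that a policy must never be admitted while it cannot be enforced (my reading, not stated in the hunk), say so above the check, e.g. `// Reject EventPolicy while oidc-authentication is off, so a policy is never admitted that would not be enforced.` Because the check runs before any field validation, updates to policies admitted while the flag was on would presumably also be refused once it is turned off, so it is worth confirming that whatever updates these objects tolerates that. The function body continues past the end of the hunk.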
@@ -21,11 +21,55 @@ import (
 "testing"
 "github.com/google/go-cmp/cmp"
+ "knative.dev/eventing/pkg/apis/feature"
 "knative.dev/pkg/apis"
 "knative.dev/pkg/ptr"
 )
-func TestEventPolicySpecValidation(t *testing.T) {
+func TestEventPolicySpecValidationWithOIDCAuthenticationFeatureFlagDisabled(t *testing.T) {
+ tests := []struct {
+ name string
+ ep *EventPolicy
+ want *apis.FieldError
+ }{
+ {
+ name: "valid, from.sub exactly '*'",
+ ep: &EventPolicy{
+ Spec: EventPolicySpec{
+ From: []EventPolicySpecFrom{{
+ Sub: ptr.String("*"),
+ }},
+ },
+ },
+ want: func() *apis.FieldError {
+ return apis.ErrGeneric("oidc-authentication feature not enabled")
+ }(),
+ },
+ {
+ name: "invalid, missing from.ref and from.sub",
+ ep: &EventPolicy{
+ Spec: EventPolicySpec{
+ From: []EventPolicySpecFrom{{}},
+ },
+ },
+ want: func() *apis.FieldError {
+ return apis.ErrGeneric("oidc-authentication feature not enabled")
+ }(),
+ },
+ }
+ for _, test := range tests {
+ t.Run(test.name, func(t *testing.T) {
+ ctx := feature.ToContext(context.TODO(), feature.Flags{
+ feature.OIDCAuthentication: feature.Disabled,
+ })
+ got := test.ep.Validate(ctx)
+ if diff := cmp.Diff(test.want.Error(), got.Error()); diff != "" {
+ t.Errorf("%s: Validate EventPolicySpec (-want, +got) = %v", test.name, diff)
+ }
+ })
+ }
+}
+func TestEventPolicySpecValidationWithOIDCAuthenticationFeatureFlagEnabled(t *testing.T) {
 tests := []struct {
 name string
 ep *EventPolicy
@@ -252,7 +296,10 @@ func TestEventPolicySpecValidation(t *testing.T) {
 for _, test := range tests {
 t.Run(test.name, func(t *testing.T) {
- got := test.ep.Validate(context.TODO())
+ ctx := feature.ToContext(context.TODO(), feature.Flags{
+ feature.OIDCAuthentication: feature.Disabled,
+ })
+ got := test.ep.Validate(ctx)
 if diff := cmp.Diff(test.want.Error(), got.Error()); diff != "" {
 t.Errorf("%s: Validate EventPolicySpec (-want, +got) = %v", test.name, diff)
 }
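Review bot: The new `...FeatureFlagDisabled` test only builds a context with `feature.OIDCAuthentication: feature.Disabled`; it never calls `Validate` with a context that carries no feature flags at all, which is the other way the new guard can be reached. What `feature.FromContext` returns in that case is not visible in this diff, so a case passing plain `context.TODO()` and expecting the same error would pin the fail-closed behaviour against later changes to how missing flags are read. The `want` fields can also drop the immediately-invoked closure and read `want: apis.ErrGeneric("oidc-authentication feature not enabled"),`.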