List applying policies in Channels status

config/core/roles/controller-clusterroles.yaml

@@ -97,6 +97,8 @@ rules:
       - "triggers/status"
       - "eventtypes"
       - "eventtypes/status"
+      - "eventpolicies"
+      - "eventpolicies/status"
     verbs:
       - "get"
       - "list"

pkg/apis/messaging/v1/channel_lifecycle.go

@@ -29,6 +29,7 @@ var chCondSet = apis.NewLivingConditionSet(
 	ChannelConditionBackingChannelReady,
 	ChannelConditionAddressable,
 	ChannelConditionDeadLetterSinkResolved,
+	ChannelConditionEventPoliciesReady,
 )
 
 const (
@@ -45,6 +46,10 @@ const (
 	// ChannelConditionDeadLetterSinkResolved has status True when there is a Dead Letter Sink ref or URI
 	// defined in the Spec.Delivery, is a valid destination and its correctly resolved into a valid URI
 	ChannelConditionDeadLetterSinkResolved apis.ConditionType = "DeadLetterSinkResolved"
+
+	// ChannelConditionEventPoliciesReady has status True when all the EventPolicies which reference this
+	// Channel are Ready too.
+	ChannelConditionEventPoliciesReady apis.ConditionType = "EventPoliciesReady"
 )
 
 // GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
@@ -146,3 +151,19 @@ func (cs *ChannelStatus) MarkDeadLetterSinkResolvedFailed(reason, messageFormat
 	cs.DeliveryStatus = eventingduck.DeliveryStatus{}
 	chCondSet.Manage(cs).MarkFalse(ChannelConditionDeadLetterSinkResolved, reason, messageFormat, messageA...)
 }
+
+func (cs *ChannelStatus) MarkEventPoliciesFailed(reason, messageFormat string, messageA ...interface{}) {
+	chCondSet.Manage(cs).MarkFalse(ChannelConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
+
+func (cs *ChannelStatus) MarkEventPoliciesUnknown(reason, messageFormat string, messageA ...interface{}) {
+	chCondSet.Manage(cs).MarkUnknown(ChannelConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
+
+func (cs *ChannelStatus) MarkEventPoliciesTrue() {
+	chCondSet.Manage(cs).MarkTrue(ChannelConditionEventPoliciesReady)
+}
+
+func (cs *ChannelStatus) MarkEventPoliciesTrueWithReason(reason, messageFormat string, messageA ...interface{}) {
+	chCondSet.Manage(cs).MarkTrueWithReason(ChannelConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}

pkg/apis/messaging/v1/channel_lifecycle_test.go

@@ -108,6 +108,9 @@ func TestChannelInitializeConditions(t *testing.T) {
 					}, {
 						Type:   ChannelConditionDeadLetterSinkResolved,
 						Status: corev1.ConditionUnknown,
+					}, {
+						Type:   ChannelConditionEventPoliciesReady,
+						Status: corev1.ConditionUnknown,
 					}, {
 						Type:   ChannelConditionReady,
 						Status: corev1.ConditionUnknown,
@@ -139,6 +142,9 @@ func TestChannelInitializeConditions(t *testing.T) {
 					}, {
 						Type:   ChannelConditionDeadLetterSinkResolved,
 						Status: corev1.ConditionUnknown,
+					}, {
+						Type:   ChannelConditionEventPoliciesReady,
+						Status: corev1.ConditionUnknown,
 					}, {
 						Type:   ChannelConditionReady,
 						Status: corev1.ConditionUnknown,
@@ -170,6 +176,9 @@ func TestChannelInitializeConditions(t *testing.T) {
 					}, {
 						Type:   ChannelConditionDeadLetterSinkResolved,
 						Status: corev1.ConditionUnknown,
+					}, {
+						Type:   ChannelConditionEventPoliciesReady,
+						Status: corev1.ConditionUnknown,
 					}, {
 						Type:   ChannelConditionReady,
 						Status: corev1.ConditionUnknown,
@@ -198,33 +207,45 @@ func TestChannelConditionStatus(t *testing.T) {
 		address              *duckv1.Addressable
 		backingChannelStatus corev1.ConditionStatus
 		DLSResolved          corev1.ConditionStatus
+		eventPolicyStatus    corev1.ConditionStatus
 		wantConditionStatus  corev1.ConditionStatus
 	}{{
 		name:                 "all happy",
 		address:              validAddress,
 		backingChannelStatus: corev1.ConditionTrue,
 		DLSResolved:          corev1.ConditionTrue,
+		eventPolicyStatus:    corev1.ConditionTrue,
 		wantConditionStatus:  corev1.ConditionTrue,
 	}, {
 		name:                 "address not set",
 		address:              &duckv1.Addressable{},
 		backingChannelStatus: corev1.ConditionTrue,
+		eventPolicyStatus:    corev1.ConditionTrue,
 		wantConditionStatus:  corev1.ConditionFalse,
 	},
 		{
 			name:                 "nil address",
 			address:              nil,
 			backingChannelStatus: corev1.ConditionTrue,
+			eventPolicyStatus:    corev1.ConditionTrue,
 			wantConditionStatus:  corev1.ConditionFalse,
 		}, {
 			name:                 "backing channel with unknown status",
 			address:              validAddress,
 			backingChannelStatus: corev1.ConditionUnknown,
+			eventPolicyStatus:    corev1.ConditionTrue,
 			wantConditionStatus:  corev1.ConditionUnknown,
 		}, {
 			name:                 "backing channel with false status",
 			address:              validAddress,
 			backingChannelStatus: corev1.ConditionFalse,
+			eventPolicyStatus:    corev1.ConditionTrue,
+			wantConditionStatus:  corev1.ConditionFalse,
+		}, {
+			name:                 "EventPolicies not Ready",
+			address:              validAddress,
+			backingChannelStatus: corev1.ConditionTrue,
+			eventPolicyStatus:    corev1.ConditionFalse,
 			wantConditionStatus:  corev1.ConditionFalse,
 		}}
 	for _, test := range tests {
@@ -240,6 +261,14 @@ func TestChannelConditionStatus(t *testing.T) {
 				cs.MarkBackingChannelUnknown("ChannelUnknown", "testing")
 			}
 
+			if test.eventPolicyStatus == corev1.ConditionTrue {
+				cs.MarkEventPoliciesTrue()
+			} else if test.eventPolicyStatus == corev1.ConditionFalse {
+				cs.MarkEventPoliciesFailed("EventPolicyFailure", "testing")
+			} else {
+				cs.MarkEventPoliciesUnknown("EventPolicyFailure", "testing")
+			}
+
 			if test.DLSResolved == corev1.ConditionTrue {
 				cs.MarkDeadLetterSinkResolvedSucceeded(v1.DeliveryStatus{})
 			}
@@ -421,6 +450,7 @@ func TestChannelPropagateStatuses(t *testing.T) {
 			cs := &ChannelStatus{}
 			cs.PropagateStatuses(tc.channelableStatus)
 			cs.MarkDeadLetterSinkNotConfigured()
+			cs.MarkEventPoliciesTrue()
 			got := cs.GetTopLevelCondition().Status
 			if tc.wantConditionStatus != got {
 				t.Errorf("unexpected readiness: want %v, got %v", tc.wantConditionStatus, got)

pkg/reconciler/channel/channel.go

@@ -25,6 +25,8 @@ import (
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/client-go/dynamic"
+	"knative.dev/eventing/pkg/apis/feature"
+	"knative.dev/eventing/pkg/auth"
 	"knative.dev/pkg/kmeta"
 
 	duckapis "knative.dev/pkg/apis/duck"
@@ -35,6 +37,7 @@ import (
 	eventingduckv1 "knative.dev/eventing/pkg/apis/duck/v1"
 	v1 "knative.dev/eventing/pkg/apis/messaging/v1"
 	channelreconciler "knative.dev/eventing/pkg/client/injection/reconciler/messaging/v1/channel"
+	eventingv1alpha1listers "knative.dev/eventing/pkg/client/listers/eventing/v1alpha1"
 	listers "knative.dev/eventing/pkg/client/listers/messaging/v1"
 	ducklib "knative.dev/eventing/pkg/duck"
 	eventingduck "knative.dev/eventing/pkg/duck"
@@ -47,13 +50,17 @@ type Reconciler struct {
 
 	// dynamicClientSet allows us to configure pluggable Build objects
 	dynamicClientSet dynamic.Interface
+
+	eventPolicyLister eventingv1alpha1listers.EventPolicyLister
 }
 
 // Check that our Reconciler implements Interface
 var _ channelreconciler.Interface = (*Reconciler)(nil)
 
 // ReconcileKind implements Interface.ReconcileKind.
 func (r *Reconciler) ReconcileKind(ctx context.Context, c *v1.Channel) pkgreconciler.Event {
+	featureFlags := feature.FromContext(ctx)
+
 	// 1. Create the backing Channel CRD, if it doesn't exist.
 	// 2. Propagate the backing Channel CRD Status, Address, and SubscribableStatus into this Channel.
 
@@ -96,6 +103,11 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, c *v1.Channel) pkgreconc
 		c.Status.MarkDeadLetterSinkNotConfigured()
 	}
 
+	err = auth.UpdateStatusWithEventPolicies(featureFlags, &c.Status.AppliedEventPoliciesStatus, &c.Status, r.eventPolicyLister, v1.SchemeGroupVersion.WithKind("Channel"), c.ObjectMeta)
+	if err != nil {
+		return fmt.Errorf("could not update channel status with EventPolicies: %v", err)
+	}
+
 	return nil
 }
 

pkg/reconciler/channel/channel_test.go

@@ -319,6 +319,7 @@ func TestReconcile(t *testing.T) {
 			dynamicClientSet:   fakedynamicclient.Get(ctx),
 			channelLister:      listers.GetMessagingChannelLister(),
 			channelableTracker: &fakeListableTracker{duck.NewListableTrackerFromTracker(ctx, channelable.Get, tracker.New(func(types.NamespacedName) {}, 0))},
+			eventPolicyLister:  listers.GetEventPolicyLister(),
 		}
 		return channelreconciler.NewReconciler(ctx, logger,
 			fakeeventingclient.Get(ctx), listers.GetMessagingChannelLister(),

pkg/reconciler/channel/controller.go

@@ -19,11 +19,18 @@ package channel
 import (
 	"context"
 
+	messagingv1 "knative.dev/eventing/pkg/apis/messaging/v1"
+	"knative.dev/eventing/pkg/auth"
+
+	"knative.dev/eventing/pkg/apis/feature"
+	"knative.dev/pkg/logging"
+
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection/clients/dynamicclient"
 
 	"knative.dev/eventing/pkg/client/injection/ducks/duck/v1/channelable"
+	"knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy"
 	channelinformer "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/channel"
 	channelreconciler "knative.dev/eventing/pkg/client/injection/reconciler/messaging/v1/channel"
 	"knative.dev/eventing/pkg/duck"
@@ -36,12 +43,14 @@ func NewController(
 	cmw configmap.Watcher,
 ) *controller.Impl {
 	channelInformer := channelinformer.Get(ctx)
+	eventPolicyInformer := eventpolicy.Get(ctx)
 
 	r := &Reconciler{
-		dynamicClientSet: dynamicclient.Get(ctx),
-		channelLister:    channelInformer.Lister(),
+		dynamicClientSet:  dynamicclient.Get(ctx),
+		channelLister:     channelInformer.Lister(),
+		eventPolicyLister: eventPolicyInformer.Lister(),
 	}
-	impl := channelreconciler.NewImpl(ctx, r)
+
 	var globalResync func()
 	featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
 		if globalResync != nil {
@@ -64,5 +73,11 @@ func NewController(
 
 	channelInformer.Informer().AddEventHandler(controller.HandleAll(impl.Enqueue))
 
+	channelGK := messagingv1.SchemeGroupVersion.WithKind("Channel").GroupKind()
+
+	// Enqueue the Channel, if we have an EventPolicy which was referencing
+	// or got updated and now is referencing the Channel
+	eventPolicyInformer.Informer().AddEventHandler(auth.EventPolicyEventHandler(channelInformer.Informer().GetIndexer(), channelGK, impl.EnqueueKey))
+
 	return impl
 }

pkg/reconciler/channel/controller_test.go

@@ -25,6 +25,7 @@ import (
 
 	// Fake injection informers
 	_ "knative.dev/eventing/pkg/client/injection/ducks/duck/v1/channelable/fake"
+	_ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/fake"
 	_ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/channel/fake"
 	_ "knative.dev/pkg/client/injection/kube/client/fake"
 	_ "knative.dev/pkg/injection/clients/dynamicclient/fake"

pkg/reconciler/subscription/subscription_test.go

@@ -1487,6 +1487,7 @@ func TestAllCases(t *testing.T) {
 					WithBackingChannelReady,
 					WithChannelAddress(sink),
 					WithChannelDLSUnknown(),
+					WithChannelEventPoliciesReady(),
 				),
 				NewInMemoryChannel(channelName, testNS,
 					WithInitInMemoryChannelConditions,

pkg/reconciler/testing/v1/channel.go

@@ -159,6 +159,12 @@ func WithChannelDLSUnknown() ChannelOption {
 	}
 }
 
+func WithChannelEventPoliciesReady() ChannelOption {
+	return func(c *eventingv1.Channel) {
+		c.Status.MarkEventPoliciesTrue()
+	}
+}
+
 func WithChannelDLSResolvedFailed() ChannelOption {
 	return func(c *eventingv1.Channel) {
 		c.Status.MarkDeadLetterSinkResolvedFailed(