Authenticate Requests from PingSources #7320
Assignees
Labels
help wanted
Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
Comments
creydr
added
the
help wanted
|
/assign |
|
As the required issues are done, this is ready to be worked on |
|
Hey @rahulii are you still planning on working on this? |
|
@rahulii As we didn't hear anything on this since some time, I would unassign you from this to give other contributors a chance to work on this. |
|
/assign |
|
/assign |
|
Hello @Zazzscoot and @skyenam, |
|
Hey @creydr, |
Awesome. Thanks for the update! |
|
Hey @Zazzscoot and @skyenam, |
|
And feel free to ping me here or on CNCF slack if you guys need any help :) @Zazzscoot @skyenam |
|
Hey @Zazzscoot and @skyenam, |
|
Hey @creydr |
Zazzscoot
added a commit
to Zazzscoot/eventing
that referenced
this issue
Dec 24, 2023
5 tasks
This was referenced Jan 5, 2024
knative-prow bot
pushed a commit
that referenced
this issue
Jan 18, 2024
* #7320 WIP * added missing address attributes to unit tests * added serviceaccoutns/token to pingsource role * added rule for service accounts (token) * wrote e2e tests for pingsource OIDC * removed dynamic role adding * removed unnecessary packages * defined tokenprovider, set audience/OIDCServiceAcc * added check for source.Status.Auth * testing for pr * reran runner.go * added oidc * removed testing * added oidc in pingsource test * added audience nil check and specified destination in auth test * added duckv1 to imports for test file * ran goimports * removed dupe ceode from mtping/runner.go * ran goimportrs on test/auth/oidc_test.go * fixing boilerplate for test/auth/features/oidc/pingsource.go * removed format.sh * removed unnecessary comments --------- Co-authored-by: Yijie Wang <yijiewang0806@gmail.com>
knative-prow bot
pushed a commit
that referenced
this issue
Jan 30, 2024
* controller.go changed * #7320 WIP * WIP: Testing filtered informer (#7341) * unit test passed * Revert "Merge remote-tracking branch 'otherfork/main' into main" This reverts commit 94cd51b, reversing changes made to 0bf2982. * Removed comments * Changed to filtered informer for Subscription identity service account * Changed to filtered informer for Sequence service accounts * Changed to filtered informer for Parallel identity service accounts * Changed to filtered informer for APIServerSource identity service account * fixed unit tests * added label selector for mtchannel_broker * added filtered informer for sinkbinding identity service accounts * added OIDC label selector in webhook * added filtered informer for containersource service accounts * added filtered informer for pingsource service accounts * added OIDC label selector in apiserver ctx * added OIDC label selector in broker/filter * added OIDC label selector in broker/ingress * added OIDC label selector in in_memory/channel_dispatcher * added OIDC label selector in mtping * fixed unit test issues for pingsource * fixed unit test for container source * formatted files * updated service account informer in apiserversource * updated service account informers in other places * small typo fix * added actual value for OIDC label * added a valid value for OIDClabelkey * changed references of OIDCLabelKey * fixed import path problem * changed OIDCLabelSelector in all main.go files * changed instances of OIDCLabelSelector in controller and controller test files * deleted OIDC related labels from register.go * fixed formatting issues * Added value for OIDCLabelKey --------- Co-authored-by: Scott <scottprotoss@gmail.com>
creydr
pushed a commit
to creydr/knative-eventing
that referenced
this issue
Apr 24, 2024
* controller.go changed * knative#7320 WIP * WIP: Testing filtered informer (knative#7341) * unit test passed * Revert "Merge remote-tracking branch 'otherfork/main' into main" This reverts commit 94cd51b, reversing changes made to 0bf2982. * Removed comments * Changed to filtered informer for Subscription identity service account * Changed to filtered informer for Sequence service accounts * Changed to filtered informer for Parallel identity service accounts * Changed to filtered informer for APIServerSource identity service account * fixed unit tests * added label selector for mtchannel_broker * added filtered informer for sinkbinding identity service accounts * added OIDC label selector in webhook * added filtered informer for containersource service accounts * added filtered informer for pingsource service accounts * added OIDC label selector in apiserver ctx * added OIDC label selector in broker/filter * added OIDC label selector in broker/ingress * added OIDC label selector in in_memory/channel_dispatcher * added OIDC label selector in mtping * fixed unit test issues for pingsource * fixed unit test for container source * formatted files * updated service account informer in apiserversource * updated service account informers in other places * small typo fix * added actual value for OIDC label * added a valid value for OIDClabelkey * changed references of OIDCLabelKey * fixed import path problem * changed OIDCLabelSelector in all main.go files * changed instances of OIDCLabelSelector in controller and controller test files * deleted OIDC related labels from register.go * fixed formatting issues * Added value for OIDCLabelKey --------- Co-authored-by: Scott <scottprotoss@gmail.com>
openshift-merge-bot bot
pushed a commit
to openshift-knative/eventing
that referenced
this issue
Apr 24, 2024
…y, if SA references a trigger for correct broker class (#592) * Use filtered informer to watch OIDC service accounts (knative#7527) * controller.go changed * knative#7320 WIP * WIP: Testing filtered informer (knative#7341) * unit test passed * Revert "Merge remote-tracking branch 'otherfork/main' into main" This reverts commit 94cd51b, reversing changes made to 0bf2982. * Removed comments * Changed to filtered informer for Subscription identity service account * Changed to filtered informer for Sequence service accounts * Changed to filtered informer for Parallel identity service accounts * Changed to filtered informer for APIServerSource identity service account * fixed unit tests * added label selector for mtchannel_broker * added filtered informer for sinkbinding identity service accounts * added OIDC label selector in webhook * added filtered informer for containersource service accounts * added filtered informer for pingsource service accounts * added OIDC label selector in apiserver ctx * added OIDC label selector in broker/filter * added OIDC label selector in broker/ingress * added OIDC label selector in in_memory/channel_dispatcher * added OIDC label selector in mtping * fixed unit test issues for pingsource * fixed unit test for container source * formatted files * updated service account informer in apiserversource * updated service account informers in other places * small typo fix * added actual value for OIDC label * added a valid value for OIDClabelkey * changed references of OIDCLabelKey * fixed import path problem * changed OIDCLabelSelector in all main.go files * changed instances of OIDCLabelSelector in controller and controller test files * deleted OIDC related labels from register.go * fixed formatting issues * Added value for OIDCLabelKey --------- Co-authored-by: Scott <scottprotoss@gmail.com> * Reconcile trigger on OIDC service account changes only, if SA references a trigger for correct broker class (knative#7849) * Reconcile trigger on OIDC service account changes only, if SA references a trigger for correct broker class * Run goimports and gofmt * Remove deprecated use of pointer.Bool(v) and switch to prt.Bool(v) --------- Co-authored-by: Yijie Wang <147119743+yijie-04@users.noreply.github.com> Co-authored-by: Scott <scottprotoss@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As the Eventing OIDC feature track describes, sources must authenticate their requests. Therefor the PingSource must request a JWT and add it as a Bearer Token to its
Authenticationheader.When having #7175, we need to update the PingSource to add the Authentication header with a JWT to all outgoing requests.
In particular this means for the PingSource adapter:
Additional Information:
AuthStatus#7227.status.SinkAudience(required AddSinkAudiencetoSourceStatuspkg#2844).The text was updated successfully, but these errors were encountered: