Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide the OIDC token for the SinkBinding as a volume #7323

Closed
creydr opened this issue Sep 29, 2023 · 3 comments · Fixed by #7444
Closed

Provide the OIDC token for the SinkBinding as a volume #7323

creydr opened this issue Sep 29, 2023 · 3 comments · Fixed by #7444
Assignees
@creydr
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.

Comments

@creydr
Copy link
Member

creydr commented Sep 29, 2023
edited
Loading

Problem

As the Eventing OIDC feature track describes, the SinkBinding controller will add a volume to its managing container, which contains the token for authentication.
This will be a token for the SinkBindings identity (from .status.auth.serviceAccountName) and issued for the sinks audience (.status.sinkAudience).
The token will not be injected as a env var for security reasons and as it would not be refreshable without a pod restart.
The SinkBinding controller will take care of the token handling & refreshing.

For the SinkBinding controller, this means:

  • when the sink has no audience defined:
    • no change in behavior
  • when the the sink has an audience defined:
    • create a secret containing a JWT for the sinkbinding
    • mount this secret as a volume into the referencing resource as a volume to /oidc/token
    • take care about token renewals and updates of the secret

Additonal Information
@creydr creydr added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label Sep 29, 2023
@rahulii
Copy link
Contributor

rahulii commented Sep 30, 2023

/assign

@creydr creydr mentioned this issue Oct 2, 2023
Closed
@Cali0707
Copy link
Member

Hey @rahulii are you still working on this? If you are and need help, feel free to reach out here or on slack.

If you don't want to work on this anymore, please let me know. Thanks!

@creydr
Copy link
Member Author

creydr commented Nov 10, 2023

@rahulii As we didn't hear anything on this since some time, I would unassign you from this to give other contributors a chance to work on this.
Feel free to assign it to you again, when you're ready to work on it.

@creydr creydr assigned creydr and rahulii and unassigned rahulii Nov 10, 2023
@creydr creydr mentioned this issue Nov 13, 2023
Merged
5 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@creydr creydr

Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines.
Projects
Eventing Sender Identity
Status: ✅ Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Provide volume with OIDC token in SinkBinding creydr/knative-eventing
3 participants
@creydr @rahulii @Cali0707