support auto generation of SinkBindings identity service account #7327
Conversation
|
Welcome @rahulii! It looks like this is your first PR to knative/eventing 🎉 |
knative-prow
bot
added
needs-ok-to-test
|
Hi @rahulii. Thanks for your PR. I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@creydr please review. |
|
/ok-to-test |
knative-prow
bot
added
ok-to-test
here is the o/p - @creydr |
|
@rahulii Thanks for the update. Can you fix the unit tests? eventing/pkg/reconciler/broker/trigger/trigger_test.go Lines 1489 to 1558 in 402f6ac |
@creydr there are no tests implemented currently for SB reconciler, should I go ahead and create it (a new _test.go file) ? |
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## main #7327 +/- ##
==========================================
+ Coverage 76.90% 76.92% +0.02%
==========================================
Files 252 252
Lines 13693 13701 +8
==========================================
+ Hits 10530 10539 +9
Misses 2637 2637
+ Partials 526 525 -1
☔ View full report in Codecov by Sentry. |
| sb.Status.MarkOIDCIdentityCreatedSucceeded() | ||
| } else { | ||
| sb.Status.Auth = nil | ||
| sb.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") |
There was a problem hiding this comment.
Do we have a constant string we can use across the board for this reason? /cc @creydr
There was a problem hiding this comment.
Not yet. But makes sense to introduce one, as we have this at multiple places 👍
There was a problem hiding this comment.
I think that can be a part of seperate PR!
| // Reconcile SinkBinding when the OIDC service account changes | ||
| serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ | ||
| FilterFunc: controller.FilterController(&v1.SinkBinding{}), | ||
| Handler: controller.HandleAll(impl.EnqueueControllerOf), | ||
| }) | ||
|
|
There was a problem hiding this comment.
@creydr it's a general common not specific to this PR, but we should evaluate if it makes sense to label all of our service accounts and use a "filtered informer" so that we're not watching all service accounts into a cluster which could be quite large but only "ours"
There was a problem hiding this comment.
I think it makes sense to label the service account 👍🏼
There was a problem hiding this comment.
That's a good point @pierDipi. I think we can do this in a separate PR
| // reconcile sinkindings on changes on the features configmap | ||
| configmapInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ | ||
| FilterFunc: controller.FilterWithNameAndNamespace(system.Namespace(), feature.FlagsConfigName), | ||
| Handler: controller.HandleAll(func(i interface{}) { | ||
| impl.GlobalResync(sbInformer.Informer()) | ||
| }), | ||
| }) |
There was a problem hiding this comment.
Instead of using a cluster-wide configmap informer, we can configure a callback function when calling NewStore, that saves quite a bit of memory since that watcher is watching only configmaps in the system namespace as opposed to watching every configmap in the cluster /cc @creydr
There was a problem hiding this comment.
see example in pkg/reconciler/broker/controller.go
There was a problem hiding this comment.
like featureStore.WatchConfigs(cmw) , right ?
There was a problem hiding this comment.
yes. featureStore.WatchConfigs(cmw) takes additional callback functions which get called on configmap updates. E.g.:
var globalResync func(obj interface{})
featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
if globalResync != nil {
globalResync(nil)
}
})
with globalResync being something like:
globalResync = func(obj interface{}) {
impl.GlobalResync(sbInformer.Informer())
}
rahulii
force-pushed
the
support-oidc-sinkbinding
branch
from
f214983
to
9800d17
Compare
|
/ok-to-test |
|
@rahulii maybe #7285 (comment) helps you too on your e2e test 🤷 |
hmm @creydr do you want to do e2e as part of this PR or create a bug and track it ? wdyt? |
I see. Works for me. |
thanks @creydr , LMK if you need any more changes on this PR! Thanks! |
|
@rahulii the verify job failed. Probably because some relevant changes got merged into main in the meantime. Can you rerun |
Signed-off-by: rahulii <r.sawra@gmail.com>
Signed-off-by: rahulii <r.sawra@gmail.com>
Signed-off-by: rahulii <r.sawra@gmail.com>
Signed-off-by: rahulii <r.sawra@gmail.com>
Signed-off-by: rahulii <r.sawra@gmail.com>
Signed-off-by: rahulii <r.sawra@gmail.com>
Signed-off-by: rahulii <r.sawra@gmail.com>
Signed-off-by: rahulii <r.sawra@gmail.com>
Signed-off-by: rahulii <r.sawra@gmail.com>
rahulii
force-pushed
the
support-oidc-sinkbinding
branch
from
cf83f7d
to
fdda99e
Compare
|
@creydr is the e2e test failure because of this PR changes ? 🤔 |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: creydr, rahulii The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow
bot
added
the
approved
Fixes #7324
Proposed Changes
Pre-review Checklist
Release Note