From 0bf29828a296f478e47d2d3c9a992372050f15cf Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Sat, 23 Dec 2023 14:36:20 -0500 Subject: [PATCH 01/36] controller.go changed --- pkg/auth/serviceaccount.go | 5 +++++ pkg/reconciler/broker/trigger/controller.go | 10 +++++++--- pkg/reconciler/broker/trigger/controller_test.go | 12 +++++++++++- 3 files changed, 23 insertions(+), 4 deletions(-) diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index 3f80bb41cd9..6c0a02c6ee1 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go @@ -26,6 +26,8 @@ import ( "knative.dev/pkg/kmeta" pkgreconciler "knative.dev/pkg/reconciler" + "knative.dev/eventing/pkg/apis/sources" + "go.uber.org/zap" v1 "k8s.io/api/core/v1" apierrs "k8s.io/apimachinery/pkg/api/errors" @@ -66,6 +68,9 @@ func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta me Annotations: map[string]string{ "description": fmt.Sprintf("Service Account for OIDC Authentication for %s %q", gvk.GroupKind().Kind, objectMeta.Name), }, + Labels: map[string]string{ + sources.OIDCLabelKey: "", + }, }, } } diff --git a/pkg/reconciler/broker/trigger/controller.go b/pkg/reconciler/broker/trigger/controller.go index afc7a2a7ffb..34795929bbd 100644 --- a/pkg/reconciler/broker/trigger/controller.go +++ b/pkg/reconciler/broker/trigger/controller.go @@ -19,12 +19,14 @@ package mttrigger import ( "context" + "knative.dev/eventing/pkg/apis/sources" + "go.uber.org/zap" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" "knative.dev/pkg/client/injection/ducks/duck/v1/source" configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + //serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" "knative.dev/pkg/configmap" "knative.dev/pkg/controller" "knative.dev/pkg/injection/clients/dynamicclient" 
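Review bot: Service accounts created before this change will not carry the `sources.OIDCLabelKey` label that the `Labels` map in GetOIDCServiceAccountForResource now adds, and the trigger controller in this same patch switches to an informer filtered on that label. The hunk only changes the object built for new accounts; the code that reconciles an existing account is outside it, so whether labels get patched onto existing accounts cannot be seen here. If they are not, a lister lookup for an existing account presumably returns NotFound and the following create fails with AlreadyExists. The ensure path should compare and update labels as well, and the map deserves a comment such as `// label is required: controllers watch OIDC service accounts through a label-filtered informer`.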
@@ -45,6 +47,8 @@ import ( eventinglisters "knative.dev/eventing/pkg/client/listers/eventing/v1" "knative.dev/eventing/pkg/duck" kubeclient "knative.dev/pkg/client/injection/kube/client" + + serviceaccountinformer "client/injection/kube/informers/core/v1/serviceaccount/filtered" ) // NewController initializes the controller and is called by the generated code @@ -59,7 +63,7 @@ func NewController( subscriptionInformer := subscriptioninformer.Get(ctx) configmapInformer := configmapinformer.Get(ctx) secretInformer := secretinformer.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store")) featureStore.WatchConfigs(cmw) @@ -113,7 +117,7 @@ func NewController( // Reconciler Trigger when the OIDC service account changes serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ - FilterFunc: controller.FilterController(&eventing.Trigger{}), + FilterFunc: controller.FilterController(&eventing.Trigger{}), // replace with filtered informer Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/broker/trigger/controller_test.go b/pkg/reconciler/broker/trigger/controller_test.go index 86bf267d939..e29e3d5da30 100644 --- a/pkg/reconciler/broker/trigger/controller_test.go +++ b/pkg/reconciler/broker/trigger/controller_test.go @@ -17,9 +17,13 @@ limitations under the License. package mttrigger import ( + "context" "fmt" "testing" + "knative.dev/eventing/pkg/apis/sources" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
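Review bot: `serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector)` in NewController only works when that selector was placed in the context before informers were set up. The generated filtered package added later in this series panics in both `withInformer` and `Get` otherwise. This patch adds the selector only for the test, via `SetUpInformerSelector`, and the diffstat shows no change to a binary entry point, so the controller process would presumably panic at start-up. The entry point needs `ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector)` before the controllers are constructed. Separately, the import path `"client/injection/kube/informers/core/v1/serviceaccount/filtered"` lacks the `knative.dev/pkg/` prefix (corrected in PATCH 03), and the commented-out import and the `// replace with filtered informer` remark should be removed rather than committed; NewController continues outside these hunks.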
@@ -45,10 +49,11 @@ import ( _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" ) func TestNew(t *testing.T) { - ctx, _ := SetupFakeContext(t) + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) c := NewController(ctx, configmap.NewStaticWatcher(&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "config-features"}})) @@ -57,6 +62,11 @@ func TestNew(t *testing.T) { } } +func SetUpInformerSelector(ctx context.Context) context.Context { + ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) + return ctx +} + func TestFilterTriggers(t *testing.T) { ctx, _ := SetupFakeContext(t) From 17c775a1df07bd363461db1d435f912b8a10e6af Mon Sep 17 00:00:00 2001 From: Scott Date: Sat, 23 Dec 2023 20:33:12 -0500 Subject: [PATCH 02/36] #7320 WIP --- docs/eventing-api.md | 10 ++ pkg/apis/sources/v1/ping_types.go | 2 + pkg/apis/sources/v1/zz_generated.deepcopy.go | 5 + pkg/reconciler/pingsource/pingsource.go | 102 +++++++++++++++- pkg/reconciler/pingsource/pingsource_test.go | 14 +++ .../pingsource/resources/oidc_rolebinding.go | 115 ++++++++++++++++++ 6 files changed, 246 insertions(+), 2 deletions(-) create mode 100644 pkg/reconciler/pingsource/resources/oidc_rolebinding.go diff --git a/docs/eventing-api.md b/docs/eventing-api.md index b48faf9b2c3..be83e05f830 100644 --- a/docs/eventing-api.md +++ b/docs/eventing-api.md @@ -6232,6 +6232,16 @@ state. Source.

+ + +namespaces
+ +[]string + + + + +

SinkBindingSpec diff --git a/pkg/apis/sources/v1/ping_types.go b/pkg/apis/sources/v1/ping_types.go index 5390fc288ff..b752da20442 100644 --- a/pkg/apis/sources/v1/ping_types.go +++ b/pkg/apis/sources/v1/ping_types.go @@ -93,6 +93,8 @@ type PingSourceStatus struct { // * SinkURI - the current active sink URI that has been configured for the // Source. duckv1.SourceStatus `json:",inline"` + + Namespaces []string `json:"namespaces"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/pkg/apis/sources/v1/zz_generated.deepcopy.go b/pkg/apis/sources/v1/zz_generated.deepcopy.go index 6d175e3c960..3bed1735e4a 100644 --- a/pkg/apis/sources/v1/zz_generated.deepcopy.go +++ b/pkg/apis/sources/v1/zz_generated.deepcopy.go @@ -358,6 +358,11 @@ func (in *PingSourceSpec) DeepCopy() *PingSourceSpec { func (in *PingSourceStatus) DeepCopyInto(out *PingSourceStatus) { *out = *in in.SourceStatus.DeepCopyInto(&out.SourceStatus) + if in.Namespaces != nil { + in, out := &in.Namespaces, &out.Namespaces + *out = make([]string, len(*in)) + copy(*out, *in) + } return } diff --git a/pkg/reconciler/pingsource/pingsource.go b/pkg/reconciler/pingsource/pingsource.go index cd88c938646..2297ff4ad5e 100644 --- a/pkg/reconciler/pingsource/pingsource.go +++ b/pkg/reconciler/pingsource/pingsource.go @@ -21,7 +21,7 @@ import ( "encoding/json" "fmt" - v1 "k8s.io/client-go/listers/core/v1" + clientv1 "k8s.io/client-go/listers/core/v1" "go.uber.org/zap" @@ -41,6 +41,7 @@ import ( "knative.dev/pkg/system" "knative.dev/pkg/tracker" + rbacv1listers "k8s.io/client-go/listers/rbac/v1" "knative.dev/eventing/pkg/adapter/mtping" "knative.dev/eventing/pkg/adapter/v2" "knative.dev/eventing/pkg/apis/feature" 
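Review bot: The new `Namespaces` field on PingSourceStatus has no doc comment and no `+optional` marker, and its tag is `json:"namespaces"` without `omitempty`, so every status will serialize `"namespaces": null` once the type is regenerated into the CRD and API docs. None of the hunks in this patch write or read the field, and it does not appear related to the OIDC role work. Either drop it from this change or declare it as `Namespaces []string` with the tag `json:"namespaces,omitempty"` and a comment stating what the list holds and who populates it.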
@@ -79,7 +80,10 @@ type Reconciler struct { // Leader election configuration for the mt receive adapter leConfig string - serviceAccountLister v1.ServiceAccountLister + serviceAccountLister clientv1.ServiceAccountLister + roleLister rbacv1listers.RoleLister + roleBindingLister rbacv1listers.RoleBindingLister + namespaceLister clientv1.NamespaceLister } // Check that our Reconciler implements ReconcileKind @@ -113,6 +117,23 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *sourcesv1.PingSo return err } + if featureFlags.IsOIDCAuthentication() { + // Create the role + err := r.createOIDCRole(ctx, source) + + if err != nil { + logging.FromContext(ctx).Errorw("Failed when creating the OIDC Role for PingSource", zap.Error(err)) + return err + } + + // Create the rolebinding + err = r.createOIDCRoleBinding(ctx, source) + if err != nil { + logging.FromContext(ctx).Errorw("Failed when creating the OIDC RoleBinding for PingSource", zap.Error(err)) + return err + } + } + sinkAddr, err := r.sinkResolver.AddressableFromDestinationV1(ctx, *dest, source) if err != nil { source.Status.MarkNoSink("NotFound", "") 
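Review bot: `roleLister`, `roleBindingLister` and `namespaceLister` are added to Reconciler, but the diffstat for this patch lists no change to the pingsource controller constructor, so the fields appear never to be assigned. With the OIDC feature enabled, the block added to ReconcileKind calls `createOIDCRole`, which reaches `r.roleLister.Roles(...)` on a nil interface and panics the reconciler. The listers should be wired where the Reconciler is built, for example `roleLister: roleInformer.Lister(),` from the RBAC role and rolebinding informers. `namespaceLister` should be dropped, since no code in this patch reads it. ReconcileKind begins and ends outside the hunk.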
@@ -214,3 +235,80 @@ func findContainer(podSpec *corev1.PodSpec, name string) *corev1.Container { func zero(i *int32) bool { return i != nil && *i == 0 } + +func (r *Reconciler) createOIDCRole(ctx context.Context, source *sourcesv1.PingSource) error { + roleName := resources.GetOIDCTokenRoleName(source.Name) + + expected, err := resources.MakeOIDCRole(source) + + if err != nil { + return fmt.Errorf("Cannot create OIDC role for PingSource %s/%s: %w", source.GetName(), source.GetNamespace(), err) + } + // By querying roleLister to see whether the role exist or not + role, err := r.roleLister.Roles(source.GetNamespace()).Get(roleName) + + if apierrors.IsNotFound(err) { + // If the role does not exist, we will call kubeclient to create it + role = expected + _, err = r.kubeClientSet.RbacV1().Roles(source.GetNamespace()).Create(ctx, role, metav1.CreateOptions{}) + if err != nil { + return fmt.Errorf("could not create OIDC service account role %s/%s for %s: %w", source.GetName(), source.GetNamespace(), "ApiServerSource", err) + } + } else { + // If the role does exist, we will check whether an update is needed + // By comparing the role's rule + if !equality.Semantic.DeepEqual(role.Rules, expected.Rules) { + // If the role's rules are not equal, we will update the role + role.Rules = expected.Rules + _, err = r.kubeClientSet.RbacV1().Roles(source.GetNamespace()).Update(ctx, role, metav1.UpdateOptions{}) + if err != nil { + return fmt.Errorf("could not update OIDC service account role %s/%s for %s: %w", source.GetName(), source.GetNamespace(), "ApiServerSource", err) + } + } else { + // If the role does exist and no update is needed, we will just return + return nil + } + } + + return nil + +} + +// createOIDCRoleBinding: this function will call resources package to get the rolebinding object +// and then pass to kubeclient to make the actual OIDC rolebinding +func (r *Reconciler) createOIDCRoleBinding(ctx context.Context, source *sourcesv1.PingSource) error { + 
roleBindingName := resources.GetOIDCTokenRoleBindingName(source.Name) + + expected, err := resources.MakeOIDCRoleBinding(source) + if err != nil { + return fmt.Errorf("Cannot create OIDC roleBinding for PingSource %s/%s: %w", source.GetName(), source.GetNamespace(), err) + } + + // By querying roleBindingLister to see whether the roleBinding exist or not + roleBinding, err := r.roleBindingLister.RoleBindings(source.GetNamespace()).Get(roleBindingName) + if apierrors.IsNotFound(err) { + // If the role does not exist, we will call kubeclient to create it + roleBinding = expected + _, err = r.kubeClientSet.RbacV1().RoleBindings(source.GetNamespace()).Create(ctx, roleBinding, metav1.CreateOptions{}) + if err != nil { + return fmt.Errorf("could not create OIDC service account rolebinding %s/%s for %s: %w", source.GetName(), source.GetNamespace(), "apiserversource", err) + } + } else { + // If the role does exist, we will check whether an update is needed + // By comparing the role's rule + if !equality.Semantic.DeepEqual(roleBinding.RoleRef, expected.RoleRef) || !equality.Semantic.DeepEqual(roleBinding.Subjects, expected.Subjects) { + // If the role's rules are not equal, we will update the role + roleBinding.RoleRef = expected.RoleRef + roleBinding.Subjects = expected.Subjects + _, err = r.kubeClientSet.RbacV1().RoleBindings(source.GetNamespace()).Update(ctx, roleBinding, metav1.UpdateOptions{}) + if err != nil { + return fmt.Errorf("could not update OIDC service account rolebinding %s/%s for %s: %w", source.GetName(), source.GetNamespace(), "apiserversource", err) + } + } else { + // If the role does exist and no update is needed, we will just return + return nil + } + } + + return nil +} diff --git a/pkg/reconciler/pingsource/pingsource_test.go b/pkg/reconciler/pingsource/pingsource_test.go index 4e84a050926..036082c9c4a 100644 --- a/pkg/reconciler/pingsource/pingsource_test.go +++ b/pkg/reconciler/pingsource/pingsource_test.go 
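Review bot: In both `createOIDCRole` and `createOIDCRoleBinding`, any lister error other than NotFound falls into the `else` branch and dereferences the nil object (`role.Rules`, `roleBinding.RoleRef`), so a transient cache error becomes a panic. The update path also overwrites the rules of any Role that happens to have the derived name, without checking that this PingSource controls it, and it mutates the object returned by the lister, which is shared with the informer cache. The update of `RoleRef` on an existing binding will be rejected by the API server because that field is immutable, so a mismatch there needs delete and recreate. The error strings still name "ApiServerSource"/"apiserversource" and print name and namespace in swapped order for a `%s/%s` pair. The sketch below shows the guard order for the Role; the RoleBinding function needs the same shape.

```go
role, err := r.roleLister.Roles(source.GetNamespace()).Get(roleName)
if apierrors.IsNotFound(err) {
	// … unchanged: create the expected Role, wrap the create error …
	return nil
}
if err != nil {
	return fmt.Errorf("could not get OIDC role %s/%s: %w", source.GetNamespace(), roleName, err)
}
if !metav1.IsControlledBy(role, source) {
	return fmt.Errorf("role %s/%s is not owned by PingSource %q", source.GetNamespace(), roleName, source.GetName())
}
if equality.Semantic.DeepEqual(role.Rules, expected.Rules) {
	return nil
}
role = role.DeepCopy() // do not mutate the object held by the informer cache
role.Rules = expected.Rules
// … unchanged: Update call and its error wrap …
```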
@@ -87,6 +87,20 @@ var ( Name: &sinkURL.Scheme, URL: sinkURL, } + sinkAudience = "sink-oidc-audience" + sinkOIDCAddressable = &duckv1.Addressable{ + Name: &sinkURL.Scheme, + URL: sinkURL, + Audience: &sinkAudience, + } + sinkOIDCDest = duckv1.Destination{ + Ref: &duckv1.KReference{ + Name: sinkName, + Kind: "Channel", + APIVersion: "messaging.knative.dev/v1", + }, + Audience: &sinkAudience, + } ) const ( diff --git a/pkg/reconciler/pingsource/resources/oidc_rolebinding.go b/pkg/reconciler/pingsource/resources/oidc_rolebinding.go new file mode 100644 index 00000000000..91e51600515 --- /dev/null +++ b/pkg/reconciler/pingsource/resources/oidc_rolebinding.go 
@@ -0,0 +1,115 @@ +/* +Copyright 2020 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// taken from #7452, with modifications for pingsource + +package resources + +import ( + "fmt" + + "knative.dev/eventing/pkg/apis/sources" + + "knative.dev/pkg/kmeta" + + rbacv1 "k8s.io/api/rbac/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + v1 "knative.dev/eventing/pkg/apis/sources/v1" +) + +// GetOIDCTokenRoleName will return the name of the role for creating the JWT token +func GetOIDCTokenRoleName(sourceName string) string { + return kmeta.ChildName(sourceName, "-create-oidc-token") +} + +// GetOIDCTokenRoleBindingName will return the name of the rolebinding for creating the JWT token +func GetOIDCTokenRoleBindingName(sourceName string) string { + return kmeta.ChildName(sourceName, "-create-oidc-token") +} + +func MakeOIDCRole(source *v1.PingSource) (*rbacv1.Role, error) { + roleName := GetOIDCTokenRoleName(source.Name) + + if source.Status.Auth == nil || source.Status.Auth.ServiceAccountName == nil { + return nil, fmt.Errorf("Error when making OIDC Role for pingsource, as the OIDC service account does not exist") + } + + return &rbacv1.Role{ + ObjectMeta: metav1.ObjectMeta{ + Name: roleName, + Namespace: source.GetNamespace(), + Annotations: map[string]string{ + "description": fmt.Sprintf("Role for OIDC Authentication for PingSource %q", source.GetName()), + }, + Labels: map[string]string{ + sources.OIDCLabelKey: "", + }, + OwnerReferences: []metav1.OwnerReference{ 
+ *kmeta.NewControllerRef(source), + }, + }, + Rules: []rbacv1.PolicyRule{ + rbacv1.PolicyRule{ + APIGroups: []string{""}, + // apiServerSource OIDC service account name, it is in the source.Status, NOT in source.Spec + ResourceNames: []string{*source.Status.Auth.ServiceAccountName}, + Resources: []string{"serviceaccounts/token"}, + Verbs: []string{"create"}, + }, + }, + }, nil + +} + +// MakeOIDCRoleBinding will return the rolebinding object for generating the JWT token +func MakeOIDCRoleBinding(source *v1.PingSource) (*rbacv1.RoleBinding, error) { + roleName := GetOIDCTokenRoleName(source.Name) + roleBindingName := GetOIDCTokenRoleBindingName(source.Name) + + if *source.Status.Auth.ServiceAccountName == "" { + return nil, fmt.Errorf("Error when making OIDC RoleBinding for pingserversource, as the Spec service account does not exist") + } + + return &rbacv1.RoleBinding{ + ObjectMeta: metav1.ObjectMeta{ + Name: roleBindingName, + Namespace: source.GetNamespace(), + Annotations: map[string]string{ + "description": fmt.Sprintf("Role Binding for OIDC Authentication for PingServerSource %q", source.GetName()), + }, + Labels: map[string]string{ + sources.OIDCLabelKey: "", + }, + OwnerReferences: []metav1.OwnerReference{ + *kmeta.NewControllerRef(source), + }, + }, + RoleRef: rbacv1.RoleRef{ + APIGroup: "rbac.authorization.k8s.io", + Kind: "Role", + Name: roleName, + }, + Subjects: []rbacv1.Subject{ + { + Kind: "ServiceAccount", + Namespace: source.GetNamespace(), + //Note: apiServerSource service account name, it is in the source.Spec, NOT in source.Status.Auth + Name: *source.Status.Auth.ServiceAccountName, + }, + }, + }, nil + +} From a82c2aa28eb5c555e6a684ff4990a986ad88ddf6 Mon Sep 17 00:00:00 2001 
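Review bot: `MakeOIDCRoleBinding` dereferences `*source.Status.Auth.ServiceAccountName` without the nil checks that `MakeOIDCRole` performs, so a source whose `Status.Auth` is not yet populated panics instead of returning an error. The guard should read `if source.Status.Auth == nil || source.Status.Auth.ServiceAccountName == nil || *source.Status.Auth.ServiceAccountName == "" {`. The binding's subject is the same OIDC service account that the Role names in `ResourceNames`, while the inline comment says the name comes from `source.Spec`. As written, the binding lets that account create tokens for itself and grants nothing to the identity the adapter runs as, which looks unintended for code adapted from the ApiServerSource version. The subject should be confirmed and the comment made to match. `MakeOIDCRole` also lacks a doc comment, and the messages still say "pingserversource"/"PingServerSource".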
From: Yijie Wang Date: Sun, 24 Dec 2023 00:06:23 -0500 Subject: [PATCH 03/36] WIP: Testing filtered informer (knative#7341) --- pkg/reconciler/broker/trigger/controller.go | 2 +- .../broker/trigger/controller_test.go | 2 +- .../serviceaccount/filtered/serviceaccount.go | 65 +++++++++++++++++++ 3 files changed, 67 insertions(+), 2 deletions(-) create mode 100644 vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/serviceaccount.go diff --git a/pkg/reconciler/broker/trigger/controller.go b/pkg/reconciler/broker/trigger/controller.go index 34795929bbd..a9e4eaa3cd5 100644 --- a/pkg/reconciler/broker/trigger/controller.go +++ b/pkg/reconciler/broker/trigger/controller.go @@ -48,7 +48,7 @@ import ( "knative.dev/eventing/pkg/duck" kubeclient "knative.dev/pkg/client/injection/kube/client" - serviceaccountinformer "client/injection/kube/informers/core/v1/serviceaccount/filtered" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" ) // NewController initializes the controller and is called by the generated code diff --git a/pkg/reconciler/broker/trigger/controller_test.go b/pkg/reconciler/broker/trigger/controller_test.go index e29e3d5da30..3b73498c4f7 100644 --- a/pkg/reconciler/broker/trigger/controller_test.go +++ b/pkg/reconciler/broker/trigger/controller_test.go 
@@ -45,11 +45,11 @@ import ( _ "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret/fake" // Fake injection informers + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker/fake" _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" - _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" ) func TestNew(t *testing.T) { diff --git a/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/serviceaccount.go b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/serviceaccount.go new file mode 100644 index 00000000000..58cb4fc80bb --- /dev/null +++ b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/serviceaccount.go 
@@ -0,0 +1,65 @@ +/* +Copyright 2022 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by injection-gen. DO NOT EDIT. + +package filtered + +import ( + context "context" + + v1 "k8s.io/client-go/informers/core/v1" + filtered "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + controller "knative.dev/pkg/controller" + injection "knative.dev/pkg/injection" + logging "knative.dev/pkg/logging" +) + +func init() { + injection.Default.RegisterFilteredInformers(withInformer) +} + +// Key is used for associating the Informer inside the context.Context. +type Key struct { + Selector string +} + +func withInformer(ctx context.Context) (context.Context, []controller.Informer) { + untyped := ctx.Value(filtered.LabelKey{}) + if untyped == nil { + logging.FromContext(ctx).Panic( + "Unable to fetch labelkey from context.") + } + labelSelectors := untyped.([]string) + infs := []controller.Informer{} + for _, selector := range labelSelectors { + f := filtered.Get(ctx, selector) + inf := f.Core().V1().ServiceAccounts() + ctx = context.WithValue(ctx, Key{Selector: selector}, inf) + infs = append(infs, inf.Informer()) + } + return ctx, infs +} + +// Get extracts the typed informer from the context. 
+func Get(ctx context.Context, selector string) v1.ServiceAccountInformer { + untyped := ctx.Value(Key{Selector: selector}) + if untyped == nil { + logging.FromContext(ctx).Panicf( + "Unable to fetch k8s.io/client-go/informers/core/v1.ServiceAccountInformer with selector %s from context.", selector) + } + return untyped.(v1.ServiceAccountInformer) +} From d4bfe4ec78ade89a424c1b8fe1462aa7e070dd00 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Tue, 2 Jan 2024 15:33:58 -0500 Subject: [PATCH 04/36] unit test passed --- .../broker/trigger/controller_test.go | 2 +- .../v1/serviceaccount/filtered/fake/fake.go | 52 +++++++++++++++++++ vendor/modules.txt | 2 + 3 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake/fake.go diff --git a/pkg/reconciler/broker/trigger/controller_test.go b/pkg/reconciler/broker/trigger/controller_test.go index 3b73498c4f7..f44e4124d61 100644 --- a/pkg/reconciler/broker/trigger/controller_test.go +++ b/pkg/reconciler/broker/trigger/controller_test.go @@ -49,7 +49,7 @@ import ( _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker/fake" _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" ) func TestNew(t *testing.T) { diff --git a/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake/fake.go b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake/fake.go new file mode 100644 index 00000000000..4a89f8b5d30 --- /dev/null +++ b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake/fake.go 
@@ -0,0 +1,52 @@ +/* +Copyright 2022 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by injection-gen. DO NOT EDIT. + +package fake + +import ( + context "context" + + filtered "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" + factoryfiltered "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + controller "knative.dev/pkg/controller" + injection "knative.dev/pkg/injection" + logging "knative.dev/pkg/logging" +) + +var Get = filtered.Get + +func init() { + injection.Fake.RegisterFilteredInformers(withInformer) +} + +func withInformer(ctx context.Context) (context.Context, []controller.Informer) { + untyped := ctx.Value(factoryfiltered.LabelKey{}) + if untyped == nil { + logging.FromContext(ctx).Panic( + "Unable to fetch labelkey from context.") + } + labelSelectors := untyped.([]string) + infs := []controller.Informer{} + for _, selector := range labelSelectors { + f := factoryfiltered.Get(ctx, selector) + inf := f.Core().V1().ServiceAccounts() + ctx = context.WithValue(ctx, filtered.Key{Selector: selector}, inf) + infs = append(infs, inf.Informer()) + } + return ctx, infs +} diff --git a/vendor/modules.txt b/vendor/modules.txt index f5a58419cf9..2f6bcf51b51 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt 
@@ -1286,6 +1286,8 @@ knative.dev/pkg/client/injection/kube/informers/core/v1/service knative.dev/pkg/client/injection/kube/informers/core/v1/service/fake knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake +knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered +knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake knative.dev/pkg/client/injection/kube/informers/factory knative.dev/pkg/client/injection/kube/informers/factory/fake knative.dev/pkg/client/injection/kube/informers/factory/filtered From 979911d541029be214723eea57e2dc9d241953e3 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Tue, 2 Jan 2024 16:05:13 -0500 Subject: [PATCH 05/36] Revert "Merge remote-tracking branch 'otherfork/main' into main" This reverts commit 94cd51bdbdbb026b1c3ec2b004e0e4dfd564ea19, reversing changes made to 0bf29828a296f478e47d2d3c9a992372050f15cf. --- docs/eventing-api.md | 10 -- pkg/apis/sources/v1/ping_types.go | 2 - pkg/apis/sources/v1/zz_generated.deepcopy.go | 5 - pkg/reconciler/pingsource/pingsource.go | 102 +--------------- pkg/reconciler/pingsource/pingsource_test.go | 14 --- .../pingsource/resources/oidc_rolebinding.go | 115 ------------------ 6 files changed, 2 insertions(+), 246 deletions(-) delete mode 100644 pkg/reconciler/pingsource/resources/oidc_rolebinding.go diff --git a/docs/eventing-api.md b/docs/eventing-api.md index be83e05f830..b48faf9b2c3 100644 --- a/docs/eventing-api.md +++ b/docs/eventing-api.md @@ -6232,16 +6232,6 @@ state. Source.

- - -namespaces
- -[]string - - - - -

SinkBindingSpec diff --git a/pkg/apis/sources/v1/ping_types.go b/pkg/apis/sources/v1/ping_types.go index b752da20442..5390fc288ff 100644 --- a/pkg/apis/sources/v1/ping_types.go +++ b/pkg/apis/sources/v1/ping_types.go @@ -93,8 +93,6 @@ type PingSourceStatus struct { // * SinkURI - the current active sink URI that has been configured for the // Source. duckv1.SourceStatus `json:",inline"` - - Namespaces []string `json:"namespaces"` } // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object diff --git a/pkg/apis/sources/v1/zz_generated.deepcopy.go b/pkg/apis/sources/v1/zz_generated.deepcopy.go index 3bed1735e4a..6d175e3c960 100644 --- a/pkg/apis/sources/v1/zz_generated.deepcopy.go +++ b/pkg/apis/sources/v1/zz_generated.deepcopy.go @@ -358,11 +358,6 @@ func (in *PingSourceSpec) DeepCopy() *PingSourceSpec { func (in *PingSourceStatus) DeepCopyInto(out *PingSourceStatus) { *out = *in in.SourceStatus.DeepCopyInto(&out.SourceStatus) - if in.Namespaces != nil { - in, out := &in.Namespaces, &out.Namespaces - *out = make([]string, len(*in)) - copy(*out, *in) - } return } diff --git a/pkg/reconciler/pingsource/pingsource.go b/pkg/reconciler/pingsource/pingsource.go index 2297ff4ad5e..cd88c938646 100644 --- a/pkg/reconciler/pingsource/pingsource.go +++ b/pkg/reconciler/pingsource/pingsource.go @@ -21,7 +21,7 @@ import ( "encoding/json" "fmt" - clientv1 "k8s.io/client-go/listers/core/v1" + v1 "k8s.io/client-go/listers/core/v1" "go.uber.org/zap" @@ -41,7 +41,6 @@ import ( "knative.dev/pkg/system" "knative.dev/pkg/tracker" - rbacv1listers "k8s.io/client-go/listers/rbac/v1" "knative.dev/eventing/pkg/adapter/mtping" "knative.dev/eventing/pkg/adapter/v2" "knative.dev/eventing/pkg/apis/feature" 
@@ -80,10 +79,7 @@ type Reconciler struct { // Leader election configuration for the mt receive adapter leConfig string - serviceAccountLister clientv1.ServiceAccountLister - roleLister rbacv1listers.RoleLister - roleBindingLister rbacv1listers.RoleBindingLister - namespaceLister clientv1.NamespaceLister + serviceAccountLister v1.ServiceAccountLister } // Check that our Reconciler implements ReconcileKind @@ -117,23 +113,6 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *sourcesv1.PingSo return err } - if featureFlags.IsOIDCAuthentication() { - // Create the role - err := r.createOIDCRole(ctx, source) - - if err != nil { - logging.FromContext(ctx).Errorw("Failed when creating the OIDC Role for PingSource", zap.Error(err)) - return err - } - - // Create the rolebinding - err = r.createOIDCRoleBinding(ctx, source) - if err != nil { - logging.FromContext(ctx).Errorw("Failed when creating the OIDC RoleBinding for PingSource", zap.Error(err)) - return err - } - } - sinkAddr, err := r.sinkResolver.AddressableFromDestinationV1(ctx, *dest, source) if err != nil { source.Status.MarkNoSink("NotFound", "") 
@@ -235,80 +214,3 @@ func findContainer(podSpec *corev1.PodSpec, name string) *corev1.Container { func zero(i *int32) bool { return i != nil && *i == 0 } - -func (r *Reconciler) createOIDCRole(ctx context.Context, source *sourcesv1.PingSource) error { - roleName := resources.GetOIDCTokenRoleName(source.Name) - - expected, err := resources.MakeOIDCRole(source) - - if err != nil { - return fmt.Errorf("Cannot create OIDC role for PingSource %s/%s: %w", source.GetName(), source.GetNamespace(), err) - } - // By querying roleLister to see whether the role exist or not - role, err := r.roleLister.Roles(source.GetNamespace()).Get(roleName) - - if apierrors.IsNotFound(err) { - // If the role does not exist, we will call kubeclient to create it - role = expected - _, err = r.kubeClientSet.RbacV1().Roles(source.GetNamespace()).Create(ctx, role, metav1.CreateOptions{}) - if err != nil { - return fmt.Errorf("could not create OIDC service account role %s/%s for %s: %w", source.GetName(), source.GetNamespace(), "ApiServerSource", err) - } - } else { - // If the role does exist, we will check whether an update is needed - // By comparing the role's rule - if !equality.Semantic.DeepEqual(role.Rules, expected.Rules) { - // If the role's rules are not equal, we will update the role - role.Rules = expected.Rules - _, err = r.kubeClientSet.RbacV1().Roles(source.GetNamespace()).Update(ctx, role, metav1.UpdateOptions{}) - if err != nil { - return fmt.Errorf("could not update OIDC service account role %s/%s for %s: %w", source.GetName(), source.GetNamespace(), "ApiServerSource", err) - } - } else { - // If the role does exist and no update is needed, we will just return - return nil - } - } - - return nil - -} - -// createOIDCRoleBinding: this function will call resources package to get the rolebinding object -// and then pass to kubeclient to make the actual OIDC rolebinding -func (r *Reconciler) createOIDCRoleBinding(ctx context.Context, source *sourcesv1.PingSource) error { - 
roleBindingName := resources.GetOIDCTokenRoleBindingName(source.Name) - - expected, err := resources.MakeOIDCRoleBinding(source) - if err != nil { - return fmt.Errorf("Cannot create OIDC roleBinding for PingSource %s/%s: %w", source.GetName(), source.GetNamespace(), err) - } - - // By querying roleBindingLister to see whether the roleBinding exist or not - roleBinding, err := r.roleBindingLister.RoleBindings(source.GetNamespace()).Get(roleBindingName) - if apierrors.IsNotFound(err) { - // If the role does not exist, we will call kubeclient to create it - roleBinding = expected - _, err = r.kubeClientSet.RbacV1().RoleBindings(source.GetNamespace()).Create(ctx, roleBinding, metav1.CreateOptions{}) - if err != nil { - return fmt.Errorf("could not create OIDC service account rolebinding %s/%s for %s: %w", source.GetName(), source.GetNamespace(), "apiserversource", err) - } - } else { - // If the role does exist, we will check whether an update is needed - // By comparing the role's rule - if !equality.Semantic.DeepEqual(roleBinding.RoleRef, expected.RoleRef) || !equality.Semantic.DeepEqual(roleBinding.Subjects, expected.Subjects) { - // If the role's rules are not equal, we will update the role - roleBinding.RoleRef = expected.RoleRef - roleBinding.Subjects = expected.Subjects - _, err = r.kubeClientSet.RbacV1().RoleBindings(source.GetNamespace()).Update(ctx, roleBinding, metav1.UpdateOptions{}) - if err != nil { - return fmt.Errorf("could not update OIDC service account rolebinding %s/%s for %s: %w", source.GetName(), source.GetNamespace(), "apiserversource", err) - } - } else { - // If the role does exist and no update is needed, we will just return - return nil - } - } - - return nil -} diff --git a/pkg/reconciler/pingsource/pingsource_test.go b/pkg/reconciler/pingsource/pingsource_test.go index 036082c9c4a..4e84a050926 100644 --- a/pkg/reconciler/pingsource/pingsource_test.go +++ b/pkg/reconciler/pingsource/pingsource_test.go 
@@ -87,20 +87,6 @@ var ( Name: &sinkURL.Scheme, URL: sinkURL, } - sinkAudience = "sink-oidc-audience" - sinkOIDCAddressable = &duckv1.Addressable{ - Name: &sinkURL.Scheme, - URL: sinkURL, - Audience: &sinkAudience, - } - sinkOIDCDest = duckv1.Destination{ - Ref: &duckv1.KReference{ - Name: sinkName, - Kind: "Channel", - APIVersion: "messaging.knative.dev/v1", - }, - Audience: &sinkAudience, - } ) const ( diff --git a/pkg/reconciler/pingsource/resources/oidc_rolebinding.go b/pkg/reconciler/pingsource/resources/oidc_rolebinding.go deleted file mode 100644 index 91e51600515..00000000000 --- a/pkg/reconciler/pingsource/resources/oidc_rolebinding.go +++ /dev/null 
@@ -1,115 +0,0 @@ -/* -Copyright 2020 The Knative Authors - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -// taken from #7452, with modifications for pingsource - -package resources - -import ( - "fmt" - - "knative.dev/eventing/pkg/apis/sources" - - "knative.dev/pkg/kmeta" - - rbacv1 "k8s.io/api/rbac/v1" - metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - v1 "knative.dev/eventing/pkg/apis/sources/v1" -) - -// GetOIDCTokenRoleName will return the name of the role for creating the JWT token -func GetOIDCTokenRoleName(sourceName string) string { - return kmeta.ChildName(sourceName, "-create-oidc-token") -} - -// GetOIDCTokenRoleBindingName will return the name of the rolebinding for creating the JWT token -func GetOIDCTokenRoleBindingName(sourceName string) string { - return kmeta.ChildName(sourceName, "-create-oidc-token") -} - -func MakeOIDCRole(source *v1.PingSource) (*rbacv1.Role, error) { - roleName := GetOIDCTokenRoleName(source.Name) - - if source.Status.Auth == nil || source.Status.Auth.ServiceAccountName == nil { - return nil, fmt.Errorf("Error when making OIDC Role for pingsource, as the OIDC service account does not exist") - } - - return &rbacv1.Role{ - ObjectMeta: metav1.ObjectMeta{ - Name: roleName, - Namespace: source.GetNamespace(), - Annotations: map[string]string{ - "description": fmt.Sprintf("Role for OIDC Authentication for PingSource %q", source.GetName()), - }, - Labels: map[string]string{ - sources.OIDCLabelKey: "", - }, - OwnerReferences: []metav1.OwnerReference{ 
- *kmeta.NewControllerRef(source), - }, - }, - Rules: []rbacv1.PolicyRule{ - rbacv1.PolicyRule{ - APIGroups: []string{""}, - // apiServerSource OIDC service account name, it is in the source.Status, NOT in source.Spec - ResourceNames: []string{*source.Status.Auth.ServiceAccountName}, - Resources: []string{"serviceaccounts/token"}, - Verbs: []string{"create"}, - }, - }, - }, nil - -} - -// MakeOIDCRoleBinding will return the rolebinding object for generating the JWT token -func MakeOIDCRoleBinding(source *v1.PingSource) (*rbacv1.RoleBinding, error) { - roleName := GetOIDCTokenRoleName(source.Name) - roleBindingName := GetOIDCTokenRoleBindingName(source.Name) - - if *source.Status.Auth.ServiceAccountName == "" { - return nil, fmt.Errorf("Error when making OIDC RoleBinding for pingserversource, as the Spec service account does not exist") - } - - return &rbacv1.RoleBinding{ - ObjectMeta: metav1.ObjectMeta{ - Name: roleBindingName, - Namespace: source.GetNamespace(), - Annotations: map[string]string{ - "description": fmt.Sprintf("Role Binding for OIDC Authentication for PingServerSource %q", source.GetName()), - }, - Labels: map[string]string{ - sources.OIDCLabelKey: "", - }, - OwnerReferences: []metav1.OwnerReference{ - *kmeta.NewControllerRef(source), - }, - }, - RoleRef: rbacv1.RoleRef{ - APIGroup: "rbac.authorization.k8s.io", - Kind: "Role", - Name: roleName, - }, - Subjects: []rbacv1.Subject{ - { - Kind: "ServiceAccount", - Namespace: source.GetNamespace(), - //Note: apiServerSource service account name, it is in the source.Spec, NOT in source.Status.Auth - Name: *source.Status.Auth.ServiceAccountName, - }, - }, - }, nil - -} From bbefcc28f5b1033c940e3454337672a90ad4973c Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Fri, 5 Jan 2024 22:58:22 -0500 Subject: [PATCH 06/36] Removed comments --- pkg/reconciler/broker/trigger/controller.go | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/pkg/reconciler/broker/trigger/controller.go b/pkg/reconciler/broker/trigger/controller.go index a9e4eaa3cd5..12a6bc126b8 100644 --- a/pkg/reconciler/broker/trigger/controller.go +++ b/pkg/reconciler/broker/trigger/controller.go @@ -26,7 +26,6 @@ import ( "k8s.io/client-go/tools/cache" "knative.dev/pkg/client/injection/ducks/duck/v1/source" configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap" - //serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" "knative.dev/pkg/configmap" "knative.dev/pkg/controller" "knative.dev/pkg/injection/clients/dynamicclient" @@ -117,7 +116,7 @@ func NewController( // Reconciler Trigger when the OIDC service account changes serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ - FilterFunc: controller.FilterController(&eventing.Trigger{}), // replace with filtered informer + FilterFunc: controller.FilterController(&eventing.Trigger{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) From de30fc5686d5c9f01d4eadd553eee99b23ff75f6 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Sat, 6 Jan 2024 13:38:01 -0500 Subject: [PATCH 07/36] Changed to filtered informer for Subscription identity service account --- pkg/reconciler/subscription/controller.go | 6 ++++-- pkg/reconciler/subscription/controller_test.go | 14 ++++++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/pkg/reconciler/subscription/controller.go b/pkg/reconciler/subscription/controller.go index f4f4a0da9bd..44fd2a495f3 100644 --- a/pkg/reconciler/subscription/controller.go +++ b/pkg/reconciler/subscription/controller.go @@ -19,6 +19,8 @@ package subscription import ( "context" + "knative.dev/eventing/pkg/apis/sources" + "k8s.io/client-go/tools/cache" "knative.dev/eventing/pkg/apis/feature" "knative.dev/pkg/client/injection/apiextensions/informers/apiextensions/v1/customresourcedefinition" 
@@ -35,7 +37,7 @@ import ( subscriptionreconciler "knative.dev/eventing/pkg/client/injection/reconciler/messaging/v1/subscription" "knative.dev/eventing/pkg/duck" kubeclient "knative.dev/pkg/client/injection/kube/client" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "knative.dev/pkg/injection/clients/dynamicclient" ) @@ -48,7 +50,7 @@ func NewController( subscriptionInformer := subscription.Get(ctx) channelInformer := channel.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) var globalResync func(obj interface{}) diff --git a/pkg/reconciler/subscription/controller_test.go b/pkg/reconciler/subscription/controller_test.go index dcddd2611bb..b859261341a 100644 --- a/pkg/reconciler/subscription/controller_test.go +++ b/pkg/reconciler/subscription/controller_test.go @@ -17,8 +17,12 @@ limitations under the License. package subscription import ( + "context" "testing" + "knative.dev/eventing/pkg/apis/sources" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/pkg/configmap" 
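Review bot: Switching to `serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector)` in subscription/controller.go means the lister behind `serviceaccountInformer` presumably caches only service accounts that carry the OIDC label, and the new line leaves that unstated. Service accounts created before the label was added, or whose label was later removed, would then look absent to the reconciler although they still exist in the cluster. How the reconciler reacts is outside this hunk, so the upgrade path needs checking: a lookup miss followed by a Create would end in AlreadyExists. I would add a comment on the new line, e.g. `// Filtered: only service accounts labelled for OIDC are cached; unlabelled ones are invisible to this lister.` The same applies to the identical change in the sequence, parallel, apiserversource, sinkbinding, containersource and pingsource controllers; NewController starts and ends outside the hunk.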
@@ -27,16 +31,17 @@ import ( "knative.dev/eventing/pkg/apis/feature" // Fake injection informers + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/eventing/pkg/client/injection/ducks/duck/v1/channelable/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/channel/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" _ "knative.dev/pkg/client/injection/apiextensions/informers/apiextensions/v1/customresourcedefinition/fake" _ "knative.dev/pkg/client/injection/ducks/duck/v1/addressable/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" ) func TestNew(t *testing.T) { - ctx, _ := SetupFakeContext(t) + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) c := NewController(ctx, configmap.NewStaticWatcher( &corev1.ConfigMap{ @@ -50,3 +55,8 @@ func TestNew(t *testing.T) { t.Fatal("Expected NewController to return a non-nil value") } } + +func SetUpInformerSelector(ctx context.Context) context.Context { + ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) + return ctx +} \ No newline at end of file From ce5a7788701d5adcfb83bc9cb70333d37b1f3682 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Sat, 6 Jan 2024 13:44:09 -0500 Subject: [PATCH 08/36] Changed to filtered informer for Sequence service accounts --- pkg/reconciler/sequence/controller.go | 6 ++++-- pkg/reconciler/sequence/controller_test.go | 14 ++++++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/pkg/reconciler/sequence/controller.go b/pkg/reconciler/sequence/controller.go index 6d8a8fe71f6..d8cb8e83d89 100644 --- a/pkg/reconciler/sequence/controller.go +++ b/pkg/reconciler/sequence/controller.go 
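Review bot: No test here shows that a service account without the OIDC label is excluded from the informer: `SetUpInformerSelector` in the last hunk of subscription/controller_test.go only registers the selector, and `TestNew` still checks nothing beyond a non-nil controller. The helper can be a single statement, `return filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector)`, and the file now ends without a trailing newline. The same helper is copied verbatim into the sequence, parallel and pingsource test packages, so a shared test helper would keep the selector list in one place.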
@@ -19,6 +19,8 @@ package sequence import ( "context" + "knative.dev/eventing/pkg/apis/sources" + "k8s.io/client-go/tools/cache" "knative.dev/eventing/pkg/apis/feature" v1 "knative.dev/eventing/pkg/apis/flows/v1" @@ -33,7 +35,7 @@ import ( "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription" sequencereconciler "knative.dev/eventing/pkg/client/injection/reconciler/flows/v1/sequence" kubeclient "knative.dev/pkg/client/injection/kube/client" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "knative.dev/pkg/injection/clients/dynamicclient" ) @@ -46,7 +48,7 @@ func NewController( sequenceInformer := sequence.Get(ctx) subscriptionInformer := subscription.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) var globalResync func(obj interface{}) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) { diff --git a/pkg/reconciler/sequence/controller_test.go b/pkg/reconciler/sequence/controller_test.go index 2e93479d5ba..f8ff4144bb3 100644 --- a/pkg/reconciler/sequence/controller_test.go +++ b/pkg/reconciler/sequence/controller_test.go @@ -17,8 +17,12 @@ limitations under the License. package sequence import ( + "context" "testing" + "knative.dev/eventing/pkg/apis/sources" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/pkg/configmap" 
@@ -26,14 +30,15 @@ import ( // Fake injection informers "knative.dev/eventing/pkg/apis/feature" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/eventing/pkg/client/injection/ducks/duck/v1/channelable/fake" _ "knative.dev/eventing/pkg/client/injection/informers/flows/v1/sequence/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" ) func TestNew(t *testing.T) { - ctx, _ := SetupFakeContext(t) + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) c := NewController(ctx, configmap.NewStaticWatcher( &corev1.ConfigMap{ @@ -46,3 +51,8 @@ func TestNew(t *testing.T) { t.Fatal("Expected NewController to return a non-nil value") } } + +func SetUpInformerSelector(ctx context.Context) context.Context { + ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) + return ctx +} \ No newline at end of file From 2ae10902289435a415e98b0086a83f6f4f1d8ebb Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Sat, 6 Jan 2024 13:48:28 -0500 Subject: [PATCH 09/36] Changed to filtered informer for Parallel identity service accounts --- pkg/reconciler/parallel/controller.go | 6 ++++-- pkg/reconciler/parallel/controller_test.go | 14 ++++++++++++-- 2 files changed, 16 insertions(+), 4 deletions(-) diff --git a/pkg/reconciler/parallel/controller.go b/pkg/reconciler/parallel/controller.go index 86522c21244..1b4a2853619 100644 --- a/pkg/reconciler/parallel/controller.go +++ b/pkg/reconciler/parallel/controller.go 
@@ -19,12 +19,14 @@ package parallel import ( "context" + "knative.dev/eventing/pkg/apis/sources" + "k8s.io/client-go/tools/cache" "knative.dev/eventing/pkg/apis/feature" v1 "knative.dev/eventing/pkg/apis/flows/v1" "knative.dev/eventing/pkg/duck" kubeclient "knative.dev/pkg/client/injection/kube/client" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "knative.dev/pkg/configmap" "knative.dev/pkg/controller" "knative.dev/pkg/injection/clients/dynamicclient" @@ -46,7 +48,7 @@ func NewController( parallelInformer := parallel.Get(ctx) subscriptionInformer := subscription.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) var globalResync func(obj interface{}) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) { diff --git a/pkg/reconciler/parallel/controller_test.go b/pkg/reconciler/parallel/controller_test.go index 57f214a68ae..bfbd202f735 100644 --- a/pkg/reconciler/parallel/controller_test.go +++ b/pkg/reconciler/parallel/controller_test.go @@ -17,8 +17,12 @@ limitations under the License. package parallel import ( + "context" "testing" + "knative.dev/eventing/pkg/apis/sources" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/pkg/configmap" 
@@ -26,14 +30,15 @@ import ( // Fake injection informers "knative.dev/eventing/pkg/apis/feature" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/eventing/pkg/client/injection/ducks/duck/v1/channelable/fake" _ "knative.dev/eventing/pkg/client/injection/informers/flows/v1/parallel/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" ) func TestNew(t *testing.T) { - ctx, _ := SetupFakeContext(t) + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) c := NewController(ctx, configmap.NewStaticWatcher( &corev1.ConfigMap{ @@ -47,3 +52,8 @@ func TestNew(t *testing.T) { t.Fatal("Expected NewController to return a non-nil value") } } + +func SetUpInformerSelector(ctx context.Context) context.Context { + ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) + return ctx +} \ No newline at end of file From 695e58cca21871dbc06919885f98e80edec83868 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Sat, 6 Jan 2024 13:51:52 -0500 Subject: [PATCH 10/36] Changed to filtered informer for APIServerSource identity service account --- pkg/reconciler/apiserversource/controller.go | 4 ++-- pkg/reconciler/apiserversource/controller_test.go | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/reconciler/apiserversource/controller.go b/pkg/reconciler/apiserversource/controller.go index ae0e38bd191..11a9355a6a8 100644 --- a/pkg/reconciler/apiserversource/controller.go +++ b/pkg/reconciler/apiserversource/controller.go 
@@ -39,7 +39,7 @@ import ( apiserversourceinformer "knative.dev/eventing/pkg/client/injection/informers/sources/v1/apiserversource" apiserversourcereconciler "knative.dev/eventing/pkg/client/injection/reconciler/sources/v1/apiserversource" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" roleinformer "knative.dev/pkg/client/injection/kube/informers/rbac/v1/role/filtered" rolebindinginformer "knative.dev/pkg/client/injection/kube/informers/rbac/v1/rolebinding/filtered" ) @@ -61,7 +61,7 @@ func NewController( deploymentInformer := deploymentinformer.Get(ctx) apiServerSourceInformer := apiserversourceinformer.Get(ctx) namespaceInformer := namespace.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) // Create a selector string roleInformer := roleinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) diff --git a/pkg/reconciler/apiserversource/controller_test.go b/pkg/reconciler/apiserversource/controller_test.go index 16d9a5df23c..f4ec08b5a35 100644 --- a/pkg/reconciler/apiserversource/controller_test.go +++ b/pkg/reconciler/apiserversource/controller_test.go 
@@ -40,7 +40,7 @@ import ( _ "knative.dev/eventing/pkg/client/injection/informers/sources/v1/apiserversource/fake" _ "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment/fake" _ "knative.dev/pkg/client/injection/kube/informers/core/v1/namespace/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/rbac/v1/role/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/rbac/v1/rolebinding/filtered/fake" From efc1cc3d2fcca40c28a196f399c9a3d0809509e6 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Tue, 9 Jan 2024 23:07:26 -0500 Subject: [PATCH 11/36] fixed unit tests --- pkg/auth/serviceaccount_test.go | 5 +++++ pkg/reconciler/broker/trigger/controller_test.go | 4 ++-- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/pkg/auth/serviceaccount_test.go b/pkg/auth/serviceaccount_test.go index 39146f9af37..8c9e2c4cd9e 100644 --- a/pkg/auth/serviceaccount_test.go +++ b/pkg/auth/serviceaccount_test.go @@ -23,6 +23,8 @@ import ( duckv1 "knative.dev/pkg/apis/duck/v1" kubeclient "knative.dev/pkg/client/injection/kube/client/fake" + "knative.dev/eventing/pkg/apis/sources" + "github.com/google/go-cmp/cmp" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -108,6 +110,9 @@ func TestGetOIDCServiceAccountForResource(t *testing.T) { Annotations: map[string]string{ "description": "Service Account for OIDC Authentication for Broker \"my-broker\"", }, + Labels: map[string]string{ + sources.OIDCLabelKey: "", + }, }, } diff --git a/pkg/reconciler/broker/trigger/controller_test.go b/pkg/reconciler/broker/trigger/controller_test.go index f44e4124d61..eda6d613c8a 100644 --- a/pkg/reconciler/broker/trigger/controller_test.go +++ b/pkg/reconciler/broker/trigger/controller_test.go 
@@ -68,8 +68,8 @@ func SetUpInformerSelector(ctx context.Context) context.Context { } func TestFilterTriggers(t *testing.T) { - ctx, _ := SetupFakeContext(t) - + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) + tt := []struct { name string trigger interface{} From a414f3eb64a6f17d202e87965f24adc77e670a83 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Wed, 10 Jan 2024 16:48:24 -0500 Subject: [PATCH 12/36] added label selector for mtchannel_broker --- cmd/mtchannel_broker/main.go | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/cmd/mtchannel_broker/main.go b/cmd/mtchannel_broker/main.go index 7126df0bcd0..7d26ba8a436 100644 --- a/cmd/mtchannel_broker/main.go +++ b/cmd/mtchannel_broker/main.go @@ -23,7 +23,11 @@ import ( "context" "knative.dev/pkg/injection/sharedmain" + "knative.dev/eventing/pkg/apis/sources" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + "knative.dev/pkg/signals" + "knative.dev/eventing/pkg/reconciler/broker" mttrigger "knative.dev/eventing/pkg/reconciler/broker/trigger" ) @@ -33,7 +37,12 @@ const ( ) func main() { - sharedmain.Main( + ctx := signals.NewContext() + + ctx = filteredFactory.WithSelectors(ctx, + sources.OIDCTokenRoleLabelSelector) + + sharedmain.MainWithContext(ctx, component, broker.NewController, From de787c69799434986c664d327d75020cb4da02ed Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Thu, 11 Jan 2024 17:32:51 -0500 Subject: [PATCH 13/36] added filtered informer for sinkbinding identity service accounts --- pkg/reconciler/sinkbinding/controller.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go index b8da07abcad..9028e3c7b91 100644 --- a/pkg/reconciler/sinkbinding/controller.go +++ b/pkg/reconciler/sinkbinding/controller.go 
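Review bot: The new `filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector)` call in cmd/mtchannel_broker/main.go has no comment tying it to the controllers this binary loads. The trigger controller's `serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector)` depends on this selector being registered before `sharedmain.MainWithContext` builds the informers. As far as I know, a selector missing here only surfaces at startup, not at compile time. I would add `// Selectors registered here must cover every selector passed to a filtered informer's Get in the controllers below.` above the call. The body of `main` continues past the end of the hunk.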
@@ -20,6 +20,8 @@ import ( "context" "time" + "knative.dev/eventing/pkg/apis/sources" + corev1listers "k8s.io/client-go/listers/core/v1" "knative.dev/pkg/system" @@ -44,7 +46,7 @@ import ( kubeclient "knative.dev/pkg/client/injection/kube/client" configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered" secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "knative.dev/pkg/configmap" "knative.dev/pkg/controller" "knative.dev/pkg/injection/clients/dynamicclient" @@ -80,7 +82,7 @@ func NewController( dc := dynamicclient.Get(ctx) psInformerFactory := podspecable.Get(ctx) namespaceInformer := namespace.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) secretInformer := secretinformer.Get(ctx) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector) trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister() From c365d4a994f41ca9a218a8ba0d6a14ac2684d134 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Thu, 11 Jan 2024 20:24:56 -0500 Subject: [PATCH 14/36] added OIDC label selector in webhook --- cmd/webhook/main.go | 1 + 1 file changed, 1 insertion(+) diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go index f0b6dbed176..0f989bd4486 100644 --- a/cmd/webhook/main.go +++ b/cmd/webhook/main.go @@ -287,6 +287,7 @@ func main() { }) ctx = filteredFactory.WithSelectors(ctx, + sources.OIDCTokenRoleLabelSelector, eventingtls.TrustBundleLabelSelector, ) From 7d7336099f38404836d882c26c2e941a7c68b377 Mon Sep 17 00:00:00 2001 
From: Yijie Wang Date: Thu, 11 Jan 2024 21:08:43 -0500 Subject: [PATCH 15/36] added filtered informer for containersource service accounts --- pkg/reconciler/containersource/controller.go | 5 +++-- pkg/reconciler/containersource/controller_test.go | 3 ++- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/pkg/reconciler/containersource/controller.go b/pkg/reconciler/containersource/controller.go index 4b09697aec1..9710f14b85b 100644 --- a/pkg/reconciler/containersource/controller.go +++ b/pkg/reconciler/containersource/controller.go @@ -24,6 +24,7 @@ import ( "knative.dev/pkg/system" "knative.dev/eventing/pkg/apis/feature" + "knative.dev/eventing/pkg/apis/sources" v1 "knative.dev/eventing/pkg/apis/sources/v1" eventingclient "knative.dev/eventing/pkg/client/injection/client" containersourceinformer "knative.dev/eventing/pkg/client/injection/informers/sources/v1/containersource" @@ -34,7 +35,7 @@ import ( kubeclient "knative.dev/pkg/client/injection/kube/client" deploymentinformer "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "knative.dev/pkg/configmap" "knative.dev/pkg/controller" "knative.dev/pkg/logging" @@ -51,7 +52,7 @@ func NewController( containersourceInformer := containersourceinformer.Get(ctx) sinkbindingInformer := sinkbindinginformer.Get(ctx) deploymentInformer := deploymentinformer.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector) var globalResync func(obj interface{}) 
diff --git a/pkg/reconciler/containersource/controller_test.go b/pkg/reconciler/containersource/controller_test.go index 834c9818694..88de589896a 100644 --- a/pkg/reconciler/containersource/controller_test.go +++ b/pkg/reconciler/containersource/controller_test.go @@ -25,6 +25,7 @@ import ( filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/configmap" . "knative.dev/pkg/reconciler/testing" + "knative.dev/eventing/pkg/apis/sources" // Fake injection informers _ "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment/fake" @@ -56,6 +57,6 @@ func TestNew(t *testing.T) { } func SetUpInformerSelector(ctx context.Context) context.Context { - ctx = filteredFactory.WithSelectors(ctx, eventingtls.TrustBundleLabelSelector) + ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector, eventingtls.TrustBundleLabelSelector) return ctx } From c04861029973bd0ca2008d98d2ef3c386dc53a98 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Thu, 11 Jan 2024 21:09:05 -0500 Subject: [PATCH 16/36] added filtered informer for pingsource service accounts --- pkg/reconciler/pingsource/controller.go | 5 +++-- pkg/reconciler/pingsource/controller_test.go | 10 +++++++++- 2 files changed, 12 insertions(+), 3 deletions(-) diff --git a/pkg/reconciler/pingsource/controller.go b/pkg/reconciler/pingsource/controller.go index 724908e6a67..a00bd2eecb9 100644 --- a/pkg/reconciler/pingsource/controller.go +++ b/pkg/reconciler/pingsource/controller.go @@ -19,9 +19,10 @@ package pingsource import ( "context" + "knative.dev/eventing/pkg/apis/sources" sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "go.uber.org/zap" 
@@ -77,7 +78,7 @@ func NewController( deploymentInformer := deploymentinformer.Get(ctx) pingSourceInformer := pingsourceinformer.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) r := &Reconciler{ kubeClientSet: kubeclient.Get(ctx), diff --git a/pkg/reconciler/pingsource/controller_test.go b/pkg/reconciler/pingsource/controller_test.go index 33b740443e0..f3516e03c14 100644 --- a/pkg/reconciler/pingsource/controller_test.go +++ b/pkg/reconciler/pingsource/controller_test.go @@ -17,12 +17,15 @@ limitations under the License. package pingsource import ( + "context" "testing" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/eventing/pkg/apis/feature" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + "knative.dev/eventing/pkg/apis/sources" "knative.dev/pkg/configmap" "knative.dev/pkg/logging" "knative.dev/pkg/metrics" @@ -39,7 +42,7 @@ import ( ) func TestNew(t *testing.T) { - ctx, _ := SetupFakeContext(t) + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) c := NewController(ctx, configmap.NewStaticWatcher( &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ @@ -90,3 +93,8 @@ func TestNew(t *testing.T) { t.Fatal("Expected NewController to return a non-nil value") } } + +func SetUpInformerSelector(ctx context.Context) context.Context { + ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) + return ctx +} \ No newline at end of file From 3d3bd2c86b3626663e1e21723f2749af83a303b5 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Thu, 11 Jan 2024 21:11:37 -0500 Subject: [PATCH 17/36] added OIDC label selector in apiserver ctx --- cmd/apiserver_receive_adapter/main.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cmd/apiserver_receive_adapter/main.go b/cmd/apiserver_receive_adapter/main.go index 2506789d203..75eb9c489fd 100644 
--- a/cmd/apiserver_receive_adapter/main.go +++ b/cmd/apiserver_receive_adapter/main.go @@ -22,6 +22,7 @@ import ( "knative.dev/eventing/pkg/adapter/apiserver" "knative.dev/eventing/pkg/adapter/v2" + "knative.dev/eventing/pkg/apis/sources" "knative.dev/eventing/pkg/eventingtls" ) @@ -34,6 +35,7 @@ func main() { ctx = adapter.WithInjectorEnabled(ctx) ctx = filteredFactory.WithSelectors(ctx, + sources.OIDCTokenRoleLabelSelector, eventingtls.TrustBundleLabelSelector, ) From f5d583f454b8df8b081cc6b67c835edd7d2e6521 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Thu, 11 Jan 2024 21:12:03 -0500 Subject: [PATCH 18/36] added OIDC label selector in broker/filter --- cmd/broker/filter/main.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cmd/broker/filter/main.go b/cmd/broker/filter/main.go index 562c6d2c06f..f3c125cd382 100644 --- a/cmd/broker/filter/main.go +++ b/cmd/broker/filter/main.go @@ -40,6 +40,7 @@ import ( "knative.dev/eventing/cmd/broker" "knative.dev/eventing/pkg/apis/feature" + "knative.dev/eventing/pkg/apis/sources" "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/broker/filter" brokerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker" @@ -81,6 +82,7 @@ func main() { log.Printf("Registering %d informers", len(injection.Default.GetInformers())) ctx = filteredFactory.WithSelectors(ctx, + sources.OIDCTokenRoleLabelSelector, eventingtls.TrustBundleLabelSelector, ) From d934231cdfde1c154e9eec9304ca44583308090d Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Thu, 11 Jan 2024 21:12:19 -0500 Subject: [PATCH 19/36] added OIDC label selector in broker/ingress --- cmd/broker/ingress/main.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cmd/broker/ingress/main.go b/cmd/broker/ingress/main.go index e722b56d7d0..ef3197d8b44 100644 --- a/cmd/broker/ingress/main.go +++ b/cmd/broker/ingress/main.go 
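Review bot: Adding `sources.OIDCTokenRoleLabelSelector` to `filteredFactory.WithSelectors` in cmd/apiserver_receive_adapter/main.go may widen what this data-plane binary watches, and nothing in the hunk shows a consumer for the selector. As I understand knative.dev/pkg's generated filtered informers, each one linked into the binary is instantiated once per registered selector, so this can add list/watch calls and require matching RBAC for the adapter's service account; that is worth confirming. If the selector is needed, a comment such as `// OIDC selector: required by <consumer>` would record why; if it is not, leaving it out keeps the adapter's permissions minimal. The same line is added in cmd/broker/filter, cmd/broker/ingress, cmd/in_memory/channel_dispatcher and cmd/mtping. In each case `main` continues outside the hunk.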
@@ -44,6 +44,7 @@ import ( cmdbroker "knative.dev/eventing/cmd/broker" "knative.dev/eventing/pkg/apis/feature" + "knative.dev/eventing/pkg/apis/sources" "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/broker" "knative.dev/eventing/pkg/broker/ingress" @@ -103,6 +104,7 @@ func main() { log.Printf("Registering %d informers", len(injection.Default.GetInformers())) ctx = filteredFactory.WithSelectors(ctx, + sources.OIDCTokenRoleLabelSelector, eventingtls.TrustBundleLabelSelector, ) From 08dbe1ee745d105f1cc29387c1c2a52f712e0716 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Thu, 11 Jan 2024 21:12:49 -0500 Subject: [PATCH 20/36] added OIDC label selector in in_memory/channel_dispatcher --- cmd/in_memory/channel_dispatcher/main.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cmd/in_memory/channel_dispatcher/main.go b/cmd/in_memory/channel_dispatcher/main.go index 52d7ebfe448..883d21471bb 100644 --- a/cmd/in_memory/channel_dispatcher/main.go +++ b/cmd/in_memory/channel_dispatcher/main.go @@ -27,6 +27,7 @@ import ( "knative.dev/pkg/injection/sharedmain" "knative.dev/pkg/signals" + "knative.dev/eventing/pkg/apis/sources" "knative.dev/eventing/pkg/eventingtls" inmemorychannel "knative.dev/eventing/pkg/reconciler/inmemorychannel/dispatcher" ) @@ -39,6 +40,7 @@ func main() { } ctx = filteredFactory.WithSelectors(ctx, + sources.OIDCTokenRoleLabelSelector, eventingtls.TrustBundleLabelSelector, ) From d3205ab720e8ee74c73084873d6f6bc4766761a2 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Thu, 11 Jan 2024 21:13:09 -0500 Subject: [PATCH 21/36] added OIDC label selector in mtping --- cmd/mtping/main.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/cmd/mtping/main.go b/cmd/mtping/main.go index eb30bbc74ca..f8af75aa430 100644 --- a/cmd/mtping/main.go +++ b/cmd/mtping/main.go 
@@ -20,6 +20,7 @@ import ( filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/signals" + "knative.dev/eventing/pkg/apis/sources" "knative.dev/eventing/pkg/adapter/mtping" "knative.dev/eventing/pkg/adapter/v2" "knative.dev/eventing/pkg/eventingtls" @@ -57,6 +58,7 @@ func main() { }) ctx = filteredFactory.WithSelectors(ctx, + sources.OIDCTokenRoleLabelSelector, eventingtls.TrustBundleLabelSelector, ) From a31fc39905a0c6b8eb9f59c585b8f2a27781ae54 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Thu, 11 Jan 2024 21:19:03 -0500 Subject: [PATCH 22/36] fixed unit test issues for pingsource --- pkg/reconciler/pingsource/controller_test.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pkg/reconciler/pingsource/controller_test.go b/pkg/reconciler/pingsource/controller_test.go index f3516e03c14..04598c578cb 100644 --- a/pkg/reconciler/pingsource/controller_test.go +++ b/pkg/reconciler/pingsource/controller_test.go @@ -32,11 +32,12 @@ import ( "knative.dev/pkg/tracing/config" // Fake injection informers + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1beta2/eventtype/fake" _ "knative.dev/eventing/pkg/client/injection/informers/sources/v1/pingsource/fake" _ "knative.dev/pkg/client/injection/ducks/duck/v1/addressable/fake" _ "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/rbac/v1/rolebinding/fake" . "knative.dev/pkg/reconciler/testing" ) From b69cc29c1d1fa262588f4f1bb2e133d8b38694f6 Mon Sep 17 00:00:00 2001 
From: Yijie Wang Date: Thu, 11 Jan 2024 22:23:38 -0500 Subject: [PATCH 23/36] fixed unit test for container source --- pkg/reconciler/containersource/controller_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/reconciler/containersource/controller_test.go b/pkg/reconciler/containersource/controller_test.go index 88de589896a..c60bd0db216 100644 --- a/pkg/reconciler/containersource/controller_test.go +++ b/pkg/reconciler/containersource/controller_test.go @@ -30,7 +30,7 @@ import ( // Fake injection informers _ "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment/fake" _ "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/pkg/injection/clients/dynamicclient/fake" From e95329e5e32427d52b2ab82b57d6ff64436f87f0 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Fri, 19 Jan 2024 11:08:54 -0500 Subject: [PATCH 24/36] formatted files --- cmd/mtchannel_broker/main.go | 4 ++-- cmd/mtping/main.go | 2 +- pkg/reconciler/broker/trigger/controller.go | 2 +- pkg/reconciler/broker/trigger/controller_test.go | 4 ++-- pkg/reconciler/containersource/controller_test.go | 2 +- pkg/reconciler/parallel/controller_test.go | 4 ++-- pkg/reconciler/pingsource/controller_test.go | 6 +++--- pkg/reconciler/sequence/controller_test.go | 4 ++-- pkg/reconciler/subscription/controller_test.go | 4 ++-- 9 files changed, 16 insertions(+), 16 deletions(-) diff --git a/cmd/mtchannel_broker/main.go b/cmd/mtchannel_broker/main.go index 7d26ba8a436..985fdf28fe7 100644 --- a/cmd/mtchannel_broker/main.go +++ b/cmd/mtchannel_broker/main.go 
@@ -22,12 +22,12 @@ import ( "context" - "knative.dev/pkg/injection/sharedmain" "knative.dev/eventing/pkg/apis/sources" + "knative.dev/pkg/injection/sharedmain" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/signals" - + "knative.dev/eventing/pkg/reconciler/broker" mttrigger "knative.dev/eventing/pkg/reconciler/broker/trigger" ) diff --git a/cmd/mtping/main.go b/cmd/mtping/main.go index f8af75aa430..39ca91c2ec1 100644 --- a/cmd/mtping/main.go +++ b/cmd/mtping/main.go @@ -20,9 +20,9 @@ import ( filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/signals" - "knative.dev/eventing/pkg/apis/sources" "knative.dev/eventing/pkg/adapter/mtping" "knative.dev/eventing/pkg/adapter/v2" + "knative.dev/eventing/pkg/apis/sources" "knative.dev/eventing/pkg/eventingtls" ) diff --git a/pkg/reconciler/broker/trigger/controller.go b/pkg/reconciler/broker/trigger/controller.go index 12a6bc126b8..fba74b28b37 100644 --- a/pkg/reconciler/broker/trigger/controller.go +++ b/pkg/reconciler/broker/trigger/controller.go @@ -116,7 +116,7 @@ func NewController( // Reconciler Trigger when the OIDC service account changes serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ - FilterFunc: controller.FilterController(&eventing.Trigger{}), + FilterFunc: controller.FilterController(&eventing.Trigger{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/broker/trigger/controller_test.go b/pkg/reconciler/broker/trigger/controller_test.go index eda6d613c8a..3c88bfdf410 100644 --- a/pkg/reconciler/broker/trigger/controller_test.go +++ b/pkg/reconciler/broker/trigger/controller_test.go 
@@ -45,11 +45,11 @@ import ( _ "knative.dev/pkg/injection/clients/namespacedkube/informers/core/v1/secret/fake" // Fake injection informers - _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker/fake" _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" ) func TestNew(t *testing.T) { @@ -69,7 +69,7 @@ func SetUpInformerSelector(ctx context.Context) context.Context { func TestFilterTriggers(t *testing.T) { ctx, _ := SetupFakeContext(t, SetUpInformerSelector) - + tt := []struct { name string trigger interface{} diff --git a/pkg/reconciler/containersource/controller_test.go b/pkg/reconciler/containersource/controller_test.go index c60bd0db216..868942fc5bb 100644 --- a/pkg/reconciler/containersource/controller_test.go +++ b/pkg/reconciler/containersource/controller_test.go @@ -22,10 +22,10 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "knative.dev/eventing/pkg/apis/sources" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/configmap" . "knative.dev/pkg/reconciler/testing" - "knative.dev/eventing/pkg/apis/sources" // Fake injection informers _ "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment/fake" diff --git a/pkg/reconciler/parallel/controller_test.go b/pkg/reconciler/parallel/controller_test.go index bfbd202f735..dd013907e77 100644 --- a/pkg/reconciler/parallel/controller_test.go +++ b/pkg/reconciler/parallel/controller_test.go 
@@ -30,11 +30,11 @@ import ( // Fake injection informers "knative.dev/eventing/pkg/apis/feature" - _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/eventing/pkg/client/injection/ducks/duck/v1/channelable/fake" _ "knative.dev/eventing/pkg/client/injection/informers/flows/v1/parallel/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" ) func TestNew(t *testing.T) { @@ -56,4 +56,4 @@ func TestNew(t *testing.T) { func SetUpInformerSelector(ctx context.Context) context.Context { ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) return ctx -} \ No newline at end of file +} diff --git a/pkg/reconciler/pingsource/controller_test.go b/pkg/reconciler/pingsource/controller_test.go index 04598c578cb..2c4bb776a30 100644 --- a/pkg/reconciler/pingsource/controller_test.go +++ b/pkg/reconciler/pingsource/controller_test.go 
@@ -24,20 +24,20 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/eventing/pkg/apis/feature" - filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/eventing/pkg/apis/sources" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/configmap" "knative.dev/pkg/logging" "knative.dev/pkg/metrics" "knative.dev/pkg/tracing/config" // Fake injection informers - _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1beta2/eventtype/fake" _ "knative.dev/eventing/pkg/client/injection/informers/sources/v1/pingsource/fake" _ "knative.dev/pkg/client/injection/ducks/duck/v1/addressable/fake" _ "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment/fake" _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/rbac/v1/rolebinding/fake" . "knative.dev/pkg/reconciler/testing" ) @@ -98,4 +98,4 @@ func TestNew(t *testing.T) { func SetUpInformerSelector(ctx context.Context) context.Context { ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) return ctx -} \ No newline at end of file +} diff --git a/pkg/reconciler/sequence/controller_test.go b/pkg/reconciler/sequence/controller_test.go index f8ff4144bb3..410707fa5cb 100644 --- a/pkg/reconciler/sequence/controller_test.go +++ b/pkg/reconciler/sequence/controller_test.go 
@@ -30,11 +30,11 @@ import ( // Fake injection informers "knative.dev/eventing/pkg/apis/feature" - _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/eventing/pkg/client/injection/ducks/duck/v1/channelable/fake" _ "knative.dev/eventing/pkg/client/injection/informers/flows/v1/sequence/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" ) func TestNew(t *testing.T) { @@ -55,4 +55,4 @@ func TestNew(t *testing.T) { func SetUpInformerSelector(ctx context.Context) context.Context { ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) return ctx -} \ No newline at end of file +} diff --git a/pkg/reconciler/subscription/controller_test.go b/pkg/reconciler/subscription/controller_test.go index b859261341a..fd23cd4fe35 100644 --- a/pkg/reconciler/subscription/controller_test.go +++ b/pkg/reconciler/subscription/controller_test.go @@ -31,13 +31,13 @@ import ( "knative.dev/eventing/pkg/apis/feature" // Fake injection informers - _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/eventing/pkg/client/injection/ducks/duck/v1/channelable/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/channel/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" _ "knative.dev/pkg/client/injection/apiextensions/informers/apiextensions/v1/customresourcedefinition/fake" _ "knative.dev/pkg/client/injection/ducks/duck/v1/addressable/fake" _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" ) func TestNew(t *testing.T) { 
@@ -59,4 +59,4 @@ func TestNew(t *testing.T) { func SetUpInformerSelector(ctx context.Context) context.Context { ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) return ctx -} \ No newline at end of file +} From 8e112d8852a2e318f1baa3e185c7c49187da44ee Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Mon, 22 Jan 2024 10:41:21 -0500 Subject: [PATCH 25/36] updated service account informer in apiserversource --- pkg/reconciler/apiserversource/controller.go | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pkg/reconciler/apiserversource/controller.go b/pkg/reconciler/apiserversource/controller.go index bb548d3a2be..ca989698ad0 100644 --- a/pkg/reconciler/apiserversource/controller.go +++ b/pkg/reconciler/apiserversource/controller.go @@ -68,7 +68,7 @@ func NewController( deploymentInformer := deploymentinformer.Get(ctx) apiServerSourceInformer := apiserversourceinformer.Get(ctx) namespaceInformer := namespace.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) // Create a selector string roleInformer := roleinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) @@ -90,7 +90,7 @@ func NewController( ceSource: GetCfgHost(ctx), configs: reconcilersource.WatchConfigurations(ctx, component, cmw), namespaceLister: namespaceInformer.Lister(), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), roleLister: roleInformer.Lister(), roleBindingLister: rolebindingInformer.Lister(), trustBundleConfigMapLister: trustBundleConfigMapInformer.Lister(), 
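Review bot: In pkg/reconciler/apiserversource/controller.go (hunk `@@ -90,7 +90,7 @@`) the reconciler field is still called `serviceAccountLister`, although it is now backed by `oidcServiceaccountInformer`, which only caches objects matching `sources.OIDCTokenRoleLabelSelector`. A lookup through this lister reports not-found for a service account that exists but lacks the label, which presumably includes accounts created before the label was introduced. The label is only a cache filter; the `FilterController` handlers remain the ownership check. I would add `// Filtered by the OIDC label selector; unlabelled service accounts are not visible here.` on the field assignment, and the same on the trigger, containersource, parallel, pingsource, sequence, sinkbinding and subscription controllers changed in PATCH 26. `NewController` starts and ends outside the hunk.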
@@ -143,7 +143,7 @@ func NewController( }) // Reconciler ApiServerSource when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&v1.ApiServerSource{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) From c04375a84e57cd6b6ac2c961b3950844cb34cba7 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Mon, 22 Jan 2024 11:56:05 -0500 Subject: [PATCH 26/36] updated service account informers in other places --- pkg/reconciler/broker/trigger/controller.go | 6 +++--- pkg/reconciler/containersource/controller.go | 4 ++-- pkg/reconciler/parallel/controller.go | 6 +++--- pkg/reconciler/pingsource/controller.go | 6 +++--- pkg/reconciler/sequence/controller.go | 6 +++--- pkg/reconciler/sinkbinding/controller.go | 6 +++--- pkg/reconciler/subscription/controller.go | 6 +++--- 7 files changed, 20 insertions(+), 20 deletions(-) diff --git a/pkg/reconciler/broker/trigger/controller.go b/pkg/reconciler/broker/trigger/controller.go index fba74b28b37..953dfc0b616 100644 --- a/pkg/reconciler/broker/trigger/controller.go +++ b/pkg/reconciler/broker/trigger/controller.go @@ -62,7 +62,7 @@ func NewController( subscriptionInformer := subscriptioninformer.Get(ctx) configmapInformer := configmapinformer.Get(ctx) secretInformer := secretinformer.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store")) featureStore.WatchConfigs(cmw) 
@@ -77,7 +77,7 @@ func NewController( triggerLister: triggerLister, configmapLister: configmapInformer.Lister(), secretLister: secretInformer.Lister(), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), } impl := triggerreconciler.NewImpl(ctx, r, func(impl *controller.Impl) controller.Options { return controller.Options{ @@ -115,7 +115,7 @@ func NewController( }) // Reconciler Trigger when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&eventing.Trigger{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/containersource/controller.go b/pkg/reconciler/containersource/controller.go index 9710f14b85b..de31e7d5140 100644 --- a/pkg/reconciler/containersource/controller.go +++ b/pkg/reconciler/containersource/controller.go @@ -52,7 +52,7 @@ func NewController( containersourceInformer := containersourceinformer.Get(ctx) sinkbindingInformer := sinkbindinginformer.Get(ctx) deploymentInformer := deploymentinformer.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector) var globalResync func(obj interface{}) 
@@ -70,7 +70,7 @@ func NewController( containerSourceLister: containersourceInformer.Lister(), deploymentLister: deploymentInformer.Lister(), sinkBindingLister: sinkbindingInformer.Lister(), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), trustBundleConfigMapLister: trustBundleConfigMapInformer.Lister(), } impl := v1containersource.NewImpl(ctx, r, func(impl *controller.Impl) controller.Options { diff --git a/pkg/reconciler/parallel/controller.go b/pkg/reconciler/parallel/controller.go index 1b4a2853619..4e13326532e 100644 --- a/pkg/reconciler/parallel/controller.go +++ b/pkg/reconciler/parallel/controller.go @@ -48,7 +48,7 @@ func NewController( parallelInformer := parallel.Get(ctx) subscriptionInformer := subscription.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) var globalResync func(obj interface{}) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) { @@ -61,7 +61,7 @@ func NewController( r := &Reconciler{ parallelLister: parallelInformer.Lister(), subscriptionLister: subscriptionInformer.Lister(), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), kubeclient: kubeclient.Get(ctx), dynamicClientSet: dynamicclient.Get(ctx), eventingClientSet: eventingclient.Get(ctx), 
@@ -86,7 +86,7 @@ func NewController( Handler: controller.HandleAll(impl.EnqueueControllerOf), }) // Reconcile Parallel when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&v1.Parallel{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/pingsource/controller.go b/pkg/reconciler/pingsource/controller.go index a00bd2eecb9..26f07baa387 100644 --- a/pkg/reconciler/pingsource/controller.go +++ b/pkg/reconciler/pingsource/controller.go @@ -78,13 +78,13 @@ func NewController( deploymentInformer := deploymentinformer.Get(ctx) pingSourceInformer := pingsourceinformer.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) r := &Reconciler{ kubeClientSet: kubeclient.Get(ctx), leConfig: leConfig, configAcc: reconcilersource.WatchConfigurations(ctx, component, cmw), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), } impl := pingsourcereconciler.NewImpl(ctx, r, func(impl *controller.Impl) controller.Options { @@ -114,7 +114,7 @@ func NewController( )), }) - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&sourcesv1.PingSource{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/sequence/controller.go b/pkg/reconciler/sequence/controller.go index d8cb8e83d89..acbeefe7e9a 100644 --- a/pkg/reconciler/sequence/controller.go +++ b/pkg/reconciler/sequence/controller.go 
@@ -48,7 +48,7 @@ func NewController( sequenceInformer := sequence.Get(ctx) subscriptionInformer := subscription.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) var globalResync func(obj interface{}) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) { @@ -63,7 +63,7 @@ func NewController( subscriptionLister: subscriptionInformer.Lister(), dynamicClientSet: dynamicclient.Get(ctx), eventingClientSet: eventingclient.Get(ctx), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), kubeclient: kubeclient.Get(ctx), } @@ -88,7 +88,7 @@ func NewController( }) // Reconcile Sequence when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&v1.Sequence{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go index 9028e3c7b91..3f733a4329a 100644 --- a/pkg/reconciler/sinkbinding/controller.go +++ b/pkg/reconciler/sinkbinding/controller.go 
@@ -82,7 +82,7 @@ func NewController( dc := dynamicclient.Get(ctx) psInformerFactory := podspecable.Get(ctx) namespaceInformer := namespace.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := Serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) secretInformer := secretinformer.Get(ctx) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector) trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister() @@ -138,7 +138,7 @@ func NewController( res: sbResolver, tracker: impl.Tracker, kubeclient: kubeclient.Get(ctx), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), secretLister: secretInformer.Lister(), featureStore: featureStore, tokenProvider: auth.NewOIDCTokenProvider(ctx), @@ -157,7 +157,7 @@ func NewController( } // Reconcile SinkBinding when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&v1.SinkBinding{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/subscription/controller.go b/pkg/reconciler/subscription/controller.go index 44fd2a495f3..97f2005f329 100644 --- a/pkg/reconciler/subscription/controller.go +++ b/pkg/reconciler/subscription/controller.go @@ -50,7 +50,7 @@ func NewController( subscriptionInformer := subscription.Get(ctx) channelInformer := channel.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) var globalResync func(obj interface{}) 
@@ -67,7 +67,7 @@ func NewController( kreferenceResolver: kref.NewKReferenceResolver(customresourcedefinition.Get(ctx).Lister()), subscriptionLister: subscriptionInformer.Lister(), channelLister: channelInformer.Lister(), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), } impl := subscriptionreconciler.NewImpl(ctx, r, func(impl *controller.Impl) controller.Options { return controller.Options{ @@ -99,7 +99,7 @@ func NewController( )) // Reconciler Subscription when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&messagingv1.Subscription{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) From d7f6e43202d4940e00f2bc1ef4506aca261c3113 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Mon, 22 Jan 2024 13:13:40 -0500 Subject: [PATCH 27/36] small typo fix --- pkg/reconciler/sinkbinding/controller.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go index 3f733a4329a..b1ed0218ed5 100644 --- a/pkg/reconciler/sinkbinding/controller.go +++ b/pkg/reconciler/sinkbinding/controller.go @@ -82,7 +82,7 @@ func NewController( dc := dynamicclient.Get(ctx) psInformerFactory := podspecable.Get(ctx) namespaceInformer := namespace.Get(ctx) - oidcServiceaccountInformer := Serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) secretInformer := secretinformer.Get(ctx) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector) trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister() 
From f2fe55301bb9d4c1794f35885a1e4069e4d3ac24 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Wed, 24 Jan 2024 14:21:16 -0500 Subject: [PATCH 28/36] added actual value for OIDC label --- pkg/auth/serviceaccount.go | 2 +- pkg/auth/serviceaccount_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index 6c0a02c6ee1..a7695ff846d 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go @@ -69,7 +69,7 @@ func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta me "description": fmt.Sprintf("Service Account for OIDC Authentication for %s %q", gvk.GroupKind().Kind, objectMeta.Name), }, Labels: map[string]string{ - sources.OIDCLabelKey: "", + sources.OIDCLabelKey: "OIDC label", }, }, } diff --git a/pkg/auth/serviceaccount_test.go b/pkg/auth/serviceaccount_test.go index 8c9e2c4cd9e..6ee5903933b 100644 --- a/pkg/auth/serviceaccount_test.go +++ b/pkg/auth/serviceaccount_test.go @@ -111,7 +111,7 @@ func TestGetOIDCServiceAccountForResource(t *testing.T) { "description": "Service Account for OIDC Authentication for Broker \"my-broker\"", }, Labels: map[string]string{ - sources.OIDCLabelKey: "", + sources.OIDCLabelKey: "OIDC label", }, }, } From b2941ac83544f1938213e29583b054fc135ab49c Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Fri, 26 Jan 2024 13:46:42 -0500 Subject: [PATCH 29/36] added a valid value for OIDClabelkey --- pkg/auth/serviceaccount.go | 2 +- pkg/auth/serviceaccount_test.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index a7695ff846d..8b373bfda18 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go 
@@ -69,7 +69,7 @@ func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta me "description": fmt.Sprintf("Service Account for OIDC Authentication for %s %q", gvk.GroupKind().Kind, objectMeta.Name), }, Labels: map[string]string{ - sources.OIDCLabelKey: "OIDC label", + sources.OIDCLabelKey: "enabled", }, }, } diff --git a/pkg/auth/serviceaccount_test.go b/pkg/auth/serviceaccount_test.go index 6ee5903933b..2b1adf4670f 100644 --- a/pkg/auth/serviceaccount_test.go +++ b/pkg/auth/serviceaccount_test.go @@ -111,7 +111,7 @@ func TestGetOIDCServiceAccountForResource(t *testing.T) { "description": "Service Account for OIDC Authentication for Broker \"my-broker\"", }, Labels: map[string]string{ - sources.OIDCLabelKey: "OIDC label", + sources.OIDCLabelKey: "enabled", }, }, } From 2c94ec7ce039dca6010f9362f16435b9fb28c5fa Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Fri, 26 Jan 2024 15:19:40 -0500 Subject: [PATCH 30/36] changed references of OIDCLabelKey --- pkg/auth/serviceaccount.go | 12 ++++++++++-- pkg/auth/serviceaccount_test.go | 4 ++-- .../apiserversource/apiserversource_test.go | 6 ++---- .../apiserversource/resources/oidc_rolebinding.go | 6 +++--- 4 files changed, 17 insertions(+), 11 deletions(-) diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index ec593ef9bf4..4e30b3480ef 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go @@ -26,7 +26,7 @@ import ( "knative.dev/pkg/kmeta" pkgreconciler "knative.dev/pkg/reconciler" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "go.uber.org/zap" v1 "k8s.io/api/core/v1" 
@@ -39,6 +39,14 @@ import ( "knative.dev/pkg/ptr" ) +const ( + //OIDCLabelKey is used to filter out all the informers that related to OIDC work + OIDCLabelKey = "oidc" + + // OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers + OIDCLabelSelector = OIDCLabelKey +) + // GetOIDCServiceAccountNameForResource returns the service account name to use // for OIDC authentication for the given resource. func GetOIDCServiceAccountNameForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string { @@ -69,7 +77,7 @@ func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta me "description": fmt.Sprintf("Service Account for OIDC Authentication for %s %q", gvk.GroupKind().Kind, objectMeta.Name), }, Labels: map[string]string{ - sources.OIDCLabelKey: "enabled", + auth.OIDCLabelKey: "enabled", }, }, } diff --git a/pkg/auth/serviceaccount_test.go b/pkg/auth/serviceaccount_test.go index 3d64ea0c9f4..600ec770513 100644 --- a/pkg/auth/serviceaccount_test.go +++ b/pkg/auth/serviceaccount_test.go @@ -23,7 +23,7 @@ import ( duckv1 "knative.dev/pkg/apis/duck/v1" kubeclient "knative.dev/pkg/client/injection/kube/client/fake" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "github.com/google/go-cmp/cmp" v1 "k8s.io/api/core/v1" @@ -111,7 +111,7 @@ func TestGetOIDCServiceAccountForResource(t *testing.T) { "description": "Service Account for OIDC Authentication for Broker \"my-broker\"", }, Labels: map[string]string{ - sources.OIDCLabelKey: "enabled", + auth.OIDCLabelKey: "enabled", }, }, } diff --git a/pkg/reconciler/apiserversource/apiserversource_test.go b/pkg/reconciler/apiserversource/apiserversource_test.go index d53dd96ea1e..aeec9356f1f 100644 --- a/pkg/reconciler/apiserversource/apiserversource_test.go +++ b/pkg/reconciler/apiserversource/apiserversource_test.go 
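Review bot: The doc comment on the second new constant in pkg/auth/serviceaccount.go (hunk `@@ -39,6 +39,14 @@`) names `OIDCTokenRoleLabelSelector`, but the constant declared is `OIDCLabelSelector`; it should read `// OIDCLabelSelector is the label selector for informers that watch OIDC resources`. Nothing on this page references `OIDCLabelSelector`: the informers and `WithSelectors` calls still pass `sources.OIDCTokenRoleLabelSelector`, while objects are now labelled with `auth.OIDCLabelKey`. If the two keys ever differ, the filtered informers will silently stop seeing these objects (the value of the `sources` constant is not visible here). The bare key `"oidc"` is also unprefixed, which Kubernetes convention leaves to end users, so a domain-prefixed key would avoid collisions with labels users set themselves.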
@@ -21,8 +21,6 @@ import ( "fmt" "testing" - "knative.dev/eventing/pkg/apis/sources" - "knative.dev/pkg/kmeta" rbacv1 "k8s.io/api/rbac/v1" @@ -1425,7 +1423,7 @@ func makeOIDCRole() *rbacv1.Role { "description": fmt.Sprintf("Role for OIDC Authentication for ApiServerSource %q", sourceName), }, Labels: map[string]string{ - sources.OIDCLabelKey: "", + auth.OIDCLabelKey: "", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(src), @@ -1455,7 +1453,7 @@ func makeOIDCRoleBinding() *rbacv1.RoleBinding { "description": fmt.Sprintf("Role Binding for OIDC Authentication for ApiServerSource %q", sourceName), }, Labels: map[string]string{ - sources.OIDCLabelKey: "", + auth.OIDCLabelKey: "", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(src), diff --git a/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go b/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go index 0b486cb1526..ac9a8d13fd1 100644 --- a/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go +++ b/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go @@ -19,7 +19,7 @@ package resources import ( "fmt" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "knative.dev/pkg/kmeta" @@ -54,7 +54,7 @@ func MakeOIDCRole(source *v1.ApiServerSource) (*rbacv1.Role, error) { "description": fmt.Sprintf("Role for OIDC Authentication for ApiServerSource %q", source.GetName()), }, Labels: map[string]string{ - sources.OIDCLabelKey: "", + auth.OIDCLabelKey: "", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(source), @@ -92,7 +92,7 @@ func MakeOIDCRoleBinding(source *v1.ApiServerSource) (*rbacv1.RoleBinding, error "description": fmt.Sprintf("Role Binding for OIDC Authentication for ApiServerSource %q", source.GetName()), }, Labels: map[string]string{ - sources.OIDCLabelKey: "", + auth.OIDCLabelKey: "", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(source), 
From 3d0d399d7da1bb78b5c57e9f71b2219b694c5b23 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Fri, 26 Jan 2024 15:21:58 -0500 Subject: [PATCH 31/36] fixed import path problem --- pkg/auth/serviceaccount.go | 4 +--- pkg/auth/serviceaccount_test.go | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index 4e30b3480ef..dbe1fb97b99 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go @@ -26,8 +26,6 @@ import ( "knative.dev/pkg/kmeta" pkgreconciler "knative.dev/pkg/reconciler" - "knative.dev/eventing/pkg/auth" - "go.uber.org/zap" v1 "k8s.io/api/core/v1" apierrs "k8s.io/apimachinery/pkg/api/errors" @@ -77,7 +75,7 @@ func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta me "description": fmt.Sprintf("Service Account for OIDC Authentication for %s %q", gvk.GroupKind().Kind, objectMeta.Name), }, Labels: map[string]string{ - auth.OIDCLabelKey: "enabled", + OIDCLabelKey: "enabled", }, }, } diff --git a/pkg/auth/serviceaccount_test.go b/pkg/auth/serviceaccount_test.go index 600ec770513..8c9564b9d92 100644 --- a/pkg/auth/serviceaccount_test.go +++ b/pkg/auth/serviceaccount_test.go @@ -23,8 +23,6 @@ import ( duckv1 "knative.dev/pkg/apis/duck/v1" kubeclient "knative.dev/pkg/client/injection/kube/client/fake" - "knative.dev/eventing/pkg/auth" - "github.com/google/go-cmp/cmp" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -111,7 +109,7 @@ func TestGetOIDCServiceAccountForResource(t *testing.T) { "description": "Service Account for OIDC Authentication for Broker \"my-broker\"", }, Labels: map[string]string{ - auth.OIDCLabelKey: "enabled", + OIDCLabelKey: "enabled", }, }, } From 8c3042691bf5e06018cb56213df83ac7f84dc4c4 Mon Sep 17 00:00:00 2001 
From: Yijie Wang Date: Fri, 26 Jan 2024 15:26:44 -0500 Subject: [PATCH 32/36] changed OIDCLabelSelector in all main.go files --- cmd/apiserver_receive_adapter/main.go | 4 ++-- cmd/broker/filter/main.go | 3 +-- cmd/broker/ingress/main.go | 3 +-- cmd/controller/main.go | 4 ++-- cmd/in_memory/channel_dispatcher/main.go | 4 ++-- cmd/mtchannel_broker/main.go | 4 ++-- cmd/mtping/main.go | 4 ++-- cmd/webhook/main.go | 3 ++- 8 files changed, 14 insertions(+), 15 deletions(-) diff --git a/cmd/apiserver_receive_adapter/main.go b/cmd/apiserver_receive_adapter/main.go index 75eb9c489fd..a701fa21d04 100644 --- a/cmd/apiserver_receive_adapter/main.go +++ b/cmd/apiserver_receive_adapter/main.go @@ -20,9 +20,9 @@ import ( filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/signals" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/adapter/apiserver" "knative.dev/eventing/pkg/adapter/v2" - "knative.dev/eventing/pkg/apis/sources" "knative.dev/eventing/pkg/eventingtls" ) @@ -35,7 +35,7 @@ func main() { ctx = adapter.WithInjectorEnabled(ctx) ctx = filteredFactory.WithSelectors(ctx, - sources.OIDCTokenRoleLabelSelector, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) diff --git a/cmd/broker/filter/main.go b/cmd/broker/filter/main.go index f3c125cd382..8a699b72e22 100644 --- a/cmd/broker/filter/main.go +++ b/cmd/broker/filter/main.go @@ -40,7 +40,6 @@ import ( "knative.dev/eventing/cmd/broker" "knative.dev/eventing/pkg/apis/feature" - "knative.dev/eventing/pkg/apis/sources" "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/broker/filter" brokerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker" @@ -82,7 +81,7 @@ func main() { log.Printf("Registering %d informers", len(injection.Default.GetInformers())) ctx = filteredFactory.WithSelectors(ctx, - sources.OIDCTokenRoleLabelSelector, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) 
diff --git a/cmd/broker/ingress/main.go b/cmd/broker/ingress/main.go index ef3197d8b44..7647805d6e9 100644 --- a/cmd/broker/ingress/main.go +++ b/cmd/broker/ingress/main.go @@ -44,7 +44,6 @@ import ( cmdbroker "knative.dev/eventing/cmd/broker" "knative.dev/eventing/pkg/apis/feature" - "knative.dev/eventing/pkg/apis/sources" "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/broker" "knative.dev/eventing/pkg/broker/ingress" @@ -104,7 +103,7 @@ func main() { log.Printf("Registering %d informers", len(injection.Default.GetInformers())) ctx = filteredFactory.WithSelectors(ctx, - sources.OIDCTokenRoleLabelSelector, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) diff --git a/cmd/controller/main.go b/cmd/controller/main.go index d7249444633..f86ae9126ab 100644 --- a/cmd/controller/main.go +++ b/cmd/controller/main.go @@ -28,7 +28,7 @@ import ( "knative.dev/pkg/injection/sharedmain" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" @@ -79,7 +79,7 @@ func main() { }() ctx = filteredFactory.WithSelectors(ctx, - sources.OIDCTokenRoleLabelSelector, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) diff --git a/cmd/in_memory/channel_dispatcher/main.go b/cmd/in_memory/channel_dispatcher/main.go index 883d21471bb..116bf66f00f 100644 --- a/cmd/in_memory/channel_dispatcher/main.go +++ b/cmd/in_memory/channel_dispatcher/main.go @@ -27,7 +27,7 @@ import ( "knative.dev/pkg/injection/sharedmain" "knative.dev/pkg/signals" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" inmemorychannel "knative.dev/eventing/pkg/reconciler/inmemorychannel/dispatcher" ) @@ -40,7 +40,7 @@ func main() { } ctx = filteredFactory.WithSelectors(ctx, - sources.OIDCTokenRoleLabelSelector, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) 
diff --git a/cmd/mtchannel_broker/main.go b/cmd/mtchannel_broker/main.go index 985fdf28fe7..1728adaf39d 100644 --- a/cmd/mtchannel_broker/main.go +++ b/cmd/mtchannel_broker/main.go @@ -22,7 +22,7 @@ import ( "context" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "knative.dev/pkg/injection/sharedmain" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" @@ -40,7 +40,7 @@ func main() { ctx := signals.NewContext() ctx = filteredFactory.WithSelectors(ctx, - sources.OIDCTokenRoleLabelSelector) + auth.OIDCLabelSelector) sharedmain.MainWithContext(ctx, component, diff --git a/cmd/mtping/main.go b/cmd/mtping/main.go index 39ca91c2ec1..9a35d892cb1 100644 --- a/cmd/mtping/main.go +++ b/cmd/mtping/main.go @@ -22,7 +22,7 @@ import ( "knative.dev/eventing/pkg/adapter/mtping" "knative.dev/eventing/pkg/adapter/v2" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" ) @@ -58,7 +58,7 @@ func main() { }) ctx = filteredFactory.WithSelectors(ctx, - sources.OIDCTokenRoleLabelSelector, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go index 0f989bd4486..70ce5a8f37d 100644 --- a/cmd/webhook/main.go +++ b/cmd/webhook/main.go @@ -25,6 +25,7 @@ import ( "k8s.io/client-go/kubernetes/scheme" configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/apis/feature" "knative.dev/eventing/pkg/eventingtls" @@ -287,7 +288,7 @@ func main() { }) ctx = filteredFactory.WithSelectors(ctx, - sources.OIDCTokenRoleLabelSelector, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) From bee47f47bc97bfd398bd3f6946973d19bdab85fa Mon Sep 17 00:00:00 2001 
From: Yijie Wang Date: Fri, 26 Jan 2024 15:36:07 -0500 Subject: [PATCH 33/36] changed instances of OIDCLabelSelector in controller and controller test files --- pkg/reconciler/apiserversource/controller.go | 8 ++++---- pkg/reconciler/apiserversource/controller_test.go | 4 ++-- pkg/reconciler/broker/trigger/controller.go | 4 ++-- pkg/reconciler/broker/trigger/controller_test.go | 4 ++-- pkg/reconciler/containersource/controller.go | 4 ++-- pkg/reconciler/containersource/controller_test.go | 4 ++-- pkg/reconciler/parallel/controller.go | 4 ++-- pkg/reconciler/parallel/controller_test.go | 4 ++-- pkg/reconciler/pingsource/controller.go | 4 ++-- pkg/reconciler/pingsource/controller_test.go | 4 ++-- pkg/reconciler/sequence/controller.go | 4 ++-- pkg/reconciler/sequence/controller_test.go | 4 ++-- pkg/reconciler/sinkbinding/controller.go | 4 +--- pkg/reconciler/subscription/controller.go | 4 ++-- pkg/reconciler/subscription/controller_test.go | 4 ++-- 15 files changed, 31 insertions(+), 33 deletions(-) diff --git a/pkg/reconciler/apiserversource/controller.go b/pkg/reconciler/apiserversource/controller.go index ca989698ad0..cfddfc7be6b 100644 --- a/pkg/reconciler/apiserversource/controller.go +++ b/pkg/reconciler/apiserversource/controller.go @@ -22,7 +22,7 @@ import ( configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered" "knative.dev/pkg/system" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" eventingreconciler "knative.dev/eventing/pkg/reconciler" 
@@ -68,11 +68,11 @@ func NewController( deploymentInformer := deploymentinformer.Get(ctx) apiServerSourceInformer := apiserversourceinformer.Get(ctx) namespaceInformer := namespace.Get(ctx) - oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) // Create a selector string - roleInformer := roleinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) - rolebindingInformer := rolebindinginformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + roleInformer := roleinformer.Get(ctx, auth.OIDCLabelSelector) + rolebindingInformer := rolebindinginformer.Get(ctx, auth.OIDCLabelSelector) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector) diff --git a/pkg/reconciler/apiserversource/controller_test.go b/pkg/reconciler/apiserversource/controller_test.go index eb97300f8f0..497d150f619 100644 --- a/pkg/reconciler/apiserversource/controller_test.go +++ b/pkg/reconciler/apiserversource/controller_test.go @@ -23,7 +23,7 @@ import ( filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" "knative.dev/eventing/pkg/apis/feature" @@ -98,6 +98,6 @@ func TestNew(t *testing.T) { } func SetUpInformerSelector(ctx context.Context) context.Context { - ctx = filteredFactory.WithSelectors(ctx, eventingtls.TrustBundleLabelSelector, sources.OIDCTokenRoleLabelSelector) + ctx = filteredFactory.WithSelectors(ctx, eventingtls.TrustBundleLabelSelector, auth.OIDCLabelSelector) return ctx } diff --git a/pkg/reconciler/broker/trigger/controller.go b/pkg/reconciler/broker/trigger/controller.go index 953dfc0b616..a575df9fc82 100644 --- a/pkg/reconciler/broker/trigger/controller.go +++ b/pkg/reconciler/broker/trigger/controller.go 
@@ -19,7 +19,7 @@ package mttrigger import ( "context" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "go.uber.org/zap" "k8s.io/apimachinery/pkg/labels" @@ -62,7 +62,7 @@ func NewController( subscriptionInformer := subscriptioninformer.Get(ctx) configmapInformer := configmapinformer.Get(ctx) secretInformer := secretinformer.Get(ctx) - oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store")) featureStore.WatchConfigs(cmw) diff --git a/pkg/reconciler/broker/trigger/controller_test.go b/pkg/reconciler/broker/trigger/controller_test.go index 3c88bfdf410..772dec3bd9c 100644 --- a/pkg/reconciler/broker/trigger/controller_test.go +++ b/pkg/reconciler/broker/trigger/controller_test.go @@ -21,7 +21,7 @@ import ( "fmt" "testing" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "github.com/stretchr/testify/assert" @@ -63,7 +63,7 @@ func TestNew(t *testing.T) { } func SetUpInformerSelector(ctx context.Context) context.Context { - ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector) return ctx } diff --git a/pkg/reconciler/containersource/controller.go b/pkg/reconciler/containersource/controller.go index de31e7d5140..eb336db9365 100644 --- a/pkg/reconciler/containersource/controller.go +++ b/pkg/reconciler/containersource/controller.go 
@@ -24,7 +24,7 @@ import ( "knative.dev/pkg/system" "knative.dev/eventing/pkg/apis/feature" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" v1 "knative.dev/eventing/pkg/apis/sources/v1" eventingclient "knative.dev/eventing/pkg/client/injection/client" containersourceinformer "knative.dev/eventing/pkg/client/injection/informers/sources/v1/containersource" @@ -52,7 +52,7 @@ func NewController( containersourceInformer := containersourceinformer.Get(ctx) sinkbindingInformer := sinkbindinginformer.Get(ctx) deploymentInformer := deploymentinformer.Get(ctx) - oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector) var globalResync func(obj interface{}) diff --git a/pkg/reconciler/containersource/controller_test.go b/pkg/reconciler/containersource/controller_test.go index 868942fc5bb..21d4d9b7149 100644 --- a/pkg/reconciler/containersource/controller_test.go +++ b/pkg/reconciler/containersource/controller_test.go @@ -22,7 +22,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/configmap" . "knative.dev/pkg/reconciler/testing" @@ -57,6 +57,6 @@ func TestNew(t *testing.T) { } func SetUpInformerSelector(ctx context.Context) context.Context { - ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector, eventingtls.TrustBundleLabelSelector) + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector) return ctx } diff --git a/pkg/reconciler/parallel/controller.go b/pkg/reconciler/parallel/controller.go index 4e13326532e..524b968836d 100644 
--- a/pkg/reconciler/parallel/controller.go +++ b/pkg/reconciler/parallel/controller.go @@ -19,7 +19,7 @@ package parallel import ( "context" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "k8s.io/client-go/tools/cache" "knative.dev/eventing/pkg/apis/feature" @@ -48,7 +48,7 @@ func NewController( parallelInformer := parallel.Get(ctx) subscriptionInformer := subscription.Get(ctx) - oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) var globalResync func(obj interface{}) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) { diff --git a/pkg/reconciler/parallel/controller_test.go b/pkg/reconciler/parallel/controller_test.go index dd013907e77..3af5abc8a1c 100644 --- a/pkg/reconciler/parallel/controller_test.go +++ b/pkg/reconciler/parallel/controller_test.go @@ -20,7 +20,7 @@ import ( "context" "testing" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" corev1 "k8s.io/api/core/v1" @@ -54,6 +54,6 @@ func TestNew(t *testing.T) { } func SetUpInformerSelector(ctx context.Context) context.Context { - ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector) return ctx } diff --git a/pkg/reconciler/pingsource/controller.go b/pkg/reconciler/pingsource/controller.go index 26f07baa387..8603301be5e 100644 --- a/pkg/reconciler/pingsource/controller.go +++ b/pkg/reconciler/pingsource/controller.go 
@@ -19,7 +19,7 @@ package pingsource import ( "context" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1" serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" @@ -78,7 +78,7 @@ func NewController( deploymentInformer := deploymentinformer.Get(ctx) pingSourceInformer := pingsourceinformer.Get(ctx) - oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) r := &Reconciler{ kubeClientSet: kubeclient.Get(ctx), diff --git a/pkg/reconciler/pingsource/controller_test.go b/pkg/reconciler/pingsource/controller_test.go index 2c4bb776a30..2c9a373328d 100644 --- a/pkg/reconciler/pingsource/controller_test.go +++ b/pkg/reconciler/pingsource/controller_test.go @@ -24,7 +24,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/eventing/pkg/apis/feature" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/configmap" "knative.dev/pkg/logging" @@ -96,6 +96,6 @@ func TestNew(t *testing.T) { } func SetUpInformerSelector(ctx context.Context) context.Context { - ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector) return ctx } diff --git a/pkg/reconciler/sequence/controller.go b/pkg/reconciler/sequence/controller.go index acbeefe7e9a..2ba64da960c 100644 --- a/pkg/reconciler/sequence/controller.go +++ b/pkg/reconciler/sequence/controller.go @@ -19,7 +19,7 @@ package sequence import ( "context" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "k8s.io/client-go/tools/cache" "knative.dev/eventing/pkg/apis/feature" 
@@ -48,7 +48,7 @@ func NewController( sequenceInformer := sequence.Get(ctx) subscriptionInformer := subscription.Get(ctx) - oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) var globalResync func(obj interface{}) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) { diff --git a/pkg/reconciler/sequence/controller_test.go b/pkg/reconciler/sequence/controller_test.go index 410707fa5cb..ee62360a68d 100644 --- a/pkg/reconciler/sequence/controller_test.go +++ b/pkg/reconciler/sequence/controller_test.go @@ -20,7 +20,7 @@ import ( "context" "testing" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" corev1 "k8s.io/api/core/v1" @@ -53,6 +53,6 @@ func TestNew(t *testing.T) { } func SetUpInformerSelector(ctx context.Context) context.Context { - ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector) return ctx } diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go index b1ed0218ed5..946c25bdf72 100644 --- a/pkg/reconciler/sinkbinding/controller.go +++ b/pkg/reconciler/sinkbinding/controller.go @@ -20,8 +20,6 @@ import ( "context" "time" - "knative.dev/eventing/pkg/apis/sources" - corev1listers "k8s.io/client-go/listers/core/v1" "knative.dev/pkg/system" 
@@ -82,7 +80,7 @@ func NewController( dc := dynamicclient.Get(ctx) psInformerFactory := podspecable.Get(ctx) namespaceInformer := namespace.Get(ctx) - oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) secretInformer := secretinformer.Get(ctx) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector) trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister() diff --git a/pkg/reconciler/subscription/controller.go b/pkg/reconciler/subscription/controller.go index 97f2005f329..6f5d96b3849 100644 --- a/pkg/reconciler/subscription/controller.go +++ b/pkg/reconciler/subscription/controller.go @@ -19,7 +19,7 @@ package subscription import ( "context" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "k8s.io/client-go/tools/cache" "knative.dev/eventing/pkg/apis/feature" @@ -50,7 +50,7 @@ func NewController( subscriptionInformer := subscription.Get(ctx) channelInformer := channel.Get(ctx) - oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) var globalResync func(obj interface{}) diff --git a/pkg/reconciler/subscription/controller_test.go b/pkg/reconciler/subscription/controller_test.go index fd23cd4fe35..19416e1ef32 100644 --- a/pkg/reconciler/subscription/controller_test.go +++ b/pkg/reconciler/subscription/controller_test.go @@ -20,7 +20,7 @@ import ( "context" "testing" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" corev1 "k8s.io/api/core/v1" 
@@ -57,6 +57,6 @@ func TestNew(t *testing.T) { } func SetUpInformerSelector(ctx context.Context) context.Context { - ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector) + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector) return ctx } From 5c254494c6e0187bfddddf23f46d4f0188167166 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Fri, 26 Jan 2024 15:36:39 -0500 Subject: [PATCH 34/36] deleted OIDC related labels from register.go --- pkg/apis/sources/register.go | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/pkg/apis/sources/register.go b/pkg/apis/sources/register.go index 3cd87d78e75..be8709c3590 100644 --- a/pkg/apis/sources/register.go +++ b/pkg/apis/sources/register.go @@ -31,13 +31,7 @@ const ( // SourceDuckLabelValue is the label value to indicate // the CRD is a Source duck type. - SourceDuckLabelValue = "true" - - //OIDCLabelKey is used to filter out all the informers that related to OIDC work - OIDCLabelKey = "oidc" - - // OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers - OIDCTokenRoleLabelSelector = OIDCLabelKey + SourceDuckLabelValue = "true" ) var ( From 63346a6199f472fca00c365e38c1e9bfe01d1a86 Mon Sep 17 00:00:00 2001 From: Yijie Wang Date: Fri, 26 Jan 2024 20:27:24 -0500 Subject: [PATCH 35/36] fixed formatting issues --- cmd/apiserver_receive_adapter/main.go | 2 +- cmd/controller/main.go | 2 +- cmd/webhook/main.go | 2 +- pkg/apis/sources/register.go | 2 +- pkg/auth/serviceaccount.go | 8 ++++---- pkg/reconciler/containersource/controller.go | 2 +- pkg/reconciler/pingsource/controller.go | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/cmd/apiserver_receive_adapter/main.go b/cmd/apiserver_receive_adapter/main.go index a701fa21d04..736af22bc9e 100644 --- a/cmd/apiserver_receive_adapter/main.go +++ b/cmd/apiserver_receive_adapter/main.go 
@@ -20,9 +20,9 @@ import ( filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/signals" - "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/adapter/apiserver" "knative.dev/eventing/pkg/adapter/v2" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" ) diff --git a/cmd/controller/main.go b/cmd/controller/main.go index f86ae9126ab..e6e5d61cfdb 100644 --- a/cmd/controller/main.go +++ b/cmd/controller/main.go @@ -28,7 +28,7 @@ import ( "knative.dev/pkg/injection/sharedmain" - "knative.dev/eventing/pkg/auth" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go index 70ce5a8f37d..1dfac21d38a 100644 --- a/cmd/webhook/main.go +++ b/cmd/webhook/main.go @@ -25,8 +25,8 @@ import ( "k8s.io/client-go/kubernetes/scheme" configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered" - "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/apis/feature" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" diff --git a/pkg/apis/sources/register.go b/pkg/apis/sources/register.go index be8709c3590..55b4a748b17 100644 --- a/pkg/apis/sources/register.go +++ b/pkg/apis/sources/register.go @@ -31,7 +31,7 @@ const ( // SourceDuckLabelValue is the label value to indicate // the CRD is a Source duck type. - SourceDuckLabelValue = "true" + SourceDuckLabelValue = "true" ) var ( diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index dbe1fb97b99..b67666ef6af 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go 
@@ -38,11 +38,11 @@ import ( ) const ( - //OIDCLabelKey is used to filter out all the informers that related to OIDC work - OIDCLabelKey = "oidc" + //OIDCLabelKey is used to filter out all the informers that related to OIDC work + OIDCLabelKey = "oidc" - // OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers - OIDCLabelSelector = OIDCLabelKey + // OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers + OIDCLabelSelector = OIDCLabelKey ) // GetOIDCServiceAccountNameForResource returns the service account name to use diff --git a/pkg/reconciler/containersource/controller.go b/pkg/reconciler/containersource/controller.go index eb336db9365..49ff5a6e5c1 100644 --- a/pkg/reconciler/containersource/controller.go +++ b/pkg/reconciler/containersource/controller.go @@ -24,8 +24,8 @@ import ( "knative.dev/pkg/system" "knative.dev/eventing/pkg/apis/feature" - "knative.dev/eventing/pkg/auth" v1 "knative.dev/eventing/pkg/apis/sources/v1" + "knative.dev/eventing/pkg/auth" eventingclient "knative.dev/eventing/pkg/client/injection/client" containersourceinformer "knative.dev/eventing/pkg/client/injection/informers/sources/v1/containersource" sinkbindinginformer "knative.dev/eventing/pkg/client/injection/informers/sources/v1/sinkbinding" diff --git a/pkg/reconciler/pingsource/controller.go b/pkg/reconciler/pingsource/controller.go index 8603301be5e..be0d30f2a90 100644 --- a/pkg/reconciler/pingsource/controller.go +++ b/pkg/reconciler/pingsource/controller.go @@ -19,8 +19,8 @@ package pingsource import ( "context" - "knative.dev/eventing/pkg/auth" sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1" + "knative.dev/eventing/pkg/auth" serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" From 9a44a7382693ef2f04863ac039993c530fe39ba8 Mon Sep 17 00:00:00 2001 
From: Yijie Wang Date: Mon, 29 Jan 2024 16:19:34 -0500 Subject: [PATCH 36/36] Added value for OIDCLabelKey --- pkg/reconciler/apiserversource/apiserversource_test.go | 4 ++-- pkg/reconciler/apiserversource/resources/oidc_rolebinding.go | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/pkg/reconciler/apiserversource/apiserversource_test.go b/pkg/reconciler/apiserversource/apiserversource_test.go index aeec9356f1f..4743af0d253 100644 --- a/pkg/reconciler/apiserversource/apiserversource_test.go +++ b/pkg/reconciler/apiserversource/apiserversource_test.go @@ -1423,7 +1423,7 @@ func makeOIDCRole() *rbacv1.Role { "description": fmt.Sprintf("Role for OIDC Authentication for ApiServerSource %q", sourceName), }, Labels: map[string]string{ - auth.OIDCLabelKey: "", + auth.OIDCLabelKey: "enabled", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(src), @@ -1453,7 +1453,7 @@ func makeOIDCRoleBinding() *rbacv1.RoleBinding { "description": fmt.Sprintf("Role Binding for OIDC Authentication for ApiServerSource %q", sourceName), }, Labels: map[string]string{ - auth.OIDCLabelKey: "", + auth.OIDCLabelKey: "enabled", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(src), diff --git a/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go b/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go index ac9a8d13fd1..1c38c5ef4c1 100644 --- a/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go +++ b/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go @@ -54,7 +54,7 @@ func MakeOIDCRole(source *v1.ApiServerSource) (*rbacv1.Role, error) { "description": fmt.Sprintf("Role for OIDC Authentication for ApiServerSource %q", source.GetName()), }, Labels: map[string]string{ - auth.OIDCLabelKey: "", + auth.OIDCLabelKey: "enabled", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(source), 
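Review bot: The label value `"enabled"` is a bare string literal in MakeOIDCRole here, again in MakeOIDCRoleBinding in the following hunk, and in GetOIDCServiceAccountForResource in pkg/auth, so the three can drift apart as they did before this commit (`""` versus `"enabled"`). A constant declared next to `OIDCLabelKey`, for example `OIDCLabelValue = "enabled"`, would keep them in step. Note also that `OIDCLabelSelector` is the bare key, so the filtered informers select on presence of the label and never check the value; if `"enabled"` is meant to carry meaning, that needs either a comment saying the value is informational or a `key=value` selector. Both function bodies extend beyond the hunks shown.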
@@ -92,7 +92,7 @@ func MakeOIDCRoleBinding(source *v1.ApiServerSource) (*rbacv1.RoleBinding, error "description": fmt.Sprintf("Role Binding for OIDC Authentication for ApiServerSource %q", source.GetName()), }, Labels: map[string]string{ - auth.OIDCLabelKey: "", + auth.OIDCLabelKey: "enabled", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(source),