From 023a7cef0f441f9cd805deee70dff0223d2e5855 Mon Sep 17 00:00:00 2001 From: Pierangelo Di Pilato Date: Tue, 27 Feb 2024 11:32:47 +0100 Subject: [PATCH 01/11] Add CA rotation tests Signed-off-by: Pierangelo Di Pilato --- test/rekt/apiserversource_test.go | 1 + test/rekt/channel_test.go | 1 + .../features/apiserversource/data_plane.go | 57 ++++++++++++ .../features/channel/eventing_tls_feature.go | 87 +++++++++++++++++++ test/rekt/features/pingsource/features.go | 44 ++++++++++ test/rekt/features/trigger/feature.go | 77 ++++++++++++++++ test/rekt/pingsource_test.go | 1 + .../resources/configmap/config-features.yaml | 15 +++- test/rekt/resources/configmap/configmap.go | 13 +++ .../resources/configmap/configmap_test.go | 55 ++++++++++++ test/rekt/trigger_test.go | 1 + 11 files changed, 351 insertions(+), 1 deletion(-) create mode 100644 test/rekt/resources/configmap/configmap_test.go diff --git a/test/rekt/apiserversource_test.go b/test/rekt/apiserversource_test.go index e2641fc3ba8..55abd203796 100644 --- a/test/rekt/apiserversource_test.go +++ b/test/rekt/apiserversource_test.go @@ -111,6 +111,7 @@ func TestApiServerSourceDataPlaneTLS(t *testing.T) { env.ParallelTest(ctx, t, apiserversourcefeatures.SendsEventsWithTLS()) env.ParallelTest(ctx, t, apiserversourcefeatures.SendsEventsWithTLSTrustBundle()) + env.ParallelTest(ctx, t, apiserversourcefeatures.SendsEventsWithTLSWithAdditionalTrustBundle()) } func TestApiServerSourceDataPlane_EventModes(t *testing.T) { diff --git a/test/rekt/channel_test.go b/test/rekt/channel_test.go index 6cca352dd22..478326e727b 100644 --- a/test/rekt/channel_test.go +++ b/test/rekt/channel_test.go @@ -358,6 +358,7 @@ func TestInMemoryChannelTLS(t *testing.T) { env.ParallelTest(ctx, t, channel.SubscriptionTLS()) env.ParallelTest(ctx, t, channel.SubscriptionTLSTrustBundle()) + env.ParallelTest(ctx, t, channel.SubscriptionTLSWithAdditionalTrustBundle()) } func TestChannelImplDispatcherAuthenticatesWithOIDC(t *testing.T) { 
diff --git a/test/rekt/features/apiserversource/data_plane.go b/test/rekt/features/apiserversource/data_plane.go index f88a2c9055d..a90b9f767a1 100644 --- a/test/rekt/features/apiserversource/data_plane.go +++ b/test/rekt/features/apiserversource/data_plane.go @@ -25,6 +25,7 @@ import ( duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/pkg/network" "knative.dev/reconciler-test/pkg/environment" + "knative.dev/reconciler-test/pkg/knative" "knative.dev/eventing/pkg/eventingtls/eventingtlstesting" "knative.dev/eventing/test/rekt/resources/addressable" 
@@ -271,6 +272,62 @@ func SendsEventsWithTLSTrustBundle() *feature.Feature { return f } +func SendsEventsWithTLSWithAdditionalTrustBundle() *feature.Feature { + src := feature.MakeRandomK8sName("apiserversource") + sink := feature.MakeRandomK8sName("sink") + trustBundle := feature.MakeRandomK8sName("trust-bundle") + + f := feature.NewFeatureNamed("Send events to TLS sink - additional trust bundle") + + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + + f.Setup("install sink", eventshub.Install(sink, eventshub.StartReceiverTLS)) + + f.Setup("Add trust bundle to system namespace", func(ctx context.Context, t feature.T) { + + configmap.Install(trustBundle, knative.KnativeNamespaceFromContext(ctx), + configmap.WithLabels(map[string]string{"networking.knative.dev/trust-bundle": "true"}), + configmap.WithData("ca.crt", *eventshub.GetCaCerts(ctx)), + )(ctx, t) + }) + + sacmName := feature.MakeRandomK8sName("apiserversource") + f.Requirement("Create Service Account for ApiServerSource with RBAC for v1.Event resources", + setupAccountAndRoleForPods(sacmName)) + + cfg := []manifest.CfgFn{ + apiserversource.WithServiceAccountName(sacmName), + apiserversource.WithEventMode(v1.ResourceMode), + apiserversource.WithResources(v1.APIVersionKindSelector{ + APIVersion: "v1", + Kind: "Event", + }), + } + + f.Requirement("install ApiServerSource", func(ctx context.Context, t feature.T) { + cfg = append(cfg, apiserversource.WithSink(&duckv1.Destination{ + URI: &apis.URL{ + Scheme: "https", // Force using https + Host: network.GetServiceHostname(sink, environment.FromContext(ctx).Namespace()), + }, + CACerts: nil, // CA certs are in the new trust-bundle + })) + apiserversource.Install(src, cfg...)(ctx, t) + }) + f.Requirement("ApiServerSource goes ready", apiserversource.IsReady(src)) + + f.Stable("ApiServerSource as event source"). + Must("delivers events on sink with ref", + eventassert.OnStore(sink). 
+ Match(eventassert.MatchKind(eventshub.EventReceived)). + MatchEvent(test.HasType("dev.knative.apiserver.resource.update")). + AtLeast(1), + ). + Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(apiserversource.Gvr(), src)) + + return f +} + // SendsEventsWithEventTypes tests apiserversource to a ready broker. func SendsEventsWithEventTypes() *feature.Feature { source := feature.MakeRandomK8sName("source") diff --git a/test/rekt/features/channel/eventing_tls_feature.go b/test/rekt/features/channel/eventing_tls_feature.go index 3bb633afef8..45b48b7e065 100644 --- a/test/rekt/features/channel/eventing_tls_feature.go +++ b/test/rekt/features/channel/eventing_tls_feature.go @@ -31,6 +31,7 @@ import ( "knative.dev/reconciler-test/pkg/eventshub" "knative.dev/reconciler-test/pkg/eventshub/assert" "knative.dev/reconciler-test/pkg/feature" + "knative.dev/reconciler-test/pkg/knative" "knative.dev/reconciler-test/pkg/resources/service" "knative.dev/reconciler-test/resources/certificate" @@ -38,6 +39,7 @@ import ( "knative.dev/eventing/test/rekt/features/featureflags" "knative.dev/eventing/test/rekt/resources/addressable" "knative.dev/eventing/test/rekt/resources/channel_impl" + "knative.dev/eventing/test/rekt/resources/configmap" "knative.dev/eventing/test/rekt/resources/subscription" ) 
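Review bot: The "Add trust bundle to system namespace" step dereferences `*eventshub.GetCaCerts(ctx)` without a nil check, so a missing CA would surface as a panic inside the step rather than a readable test failure; a guard such as `ca := eventshub.GetCaCerts(ctx); if ca == nil { t.Fatal("eventshub CA certs not available") }` before `configmap.WithData("ca.crt", *ca)` would fix that. The step also writes a ConfigMap labelled `networking.knative.dev/trust-bundle: "true"` into the Knative system namespace, which is shared by every feature started through `env.ParallelTest`. If the sibling trust-bundle features use the same eventshub CA, this feature could pass because of a bundle another feature installed. Whether the ConfigMap is deleted at teardown is not visible here, so it is worth confirming that the test CA does not stay trusted after the run. The same points apply to the identical step in SubscriptionTLSWithAdditionalTrustBundle, SendsEventsTLSWithAdditionalTrustBundle and TriggerWithTLSSubscriberWithAdditionalCATrustBundles, and to the repeated hunks in PATCH 02/11. The new exported function also lacks a doc comment, unlike SendsEventsWithEventTypes just below it; for example `// SendsEventsWithTLSWithAdditionalTrustBundle tests that an ApiServerSource delivers to a TLS sink whose CA is only provided through an additional trust-bundle ConfigMap.`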
@@ -243,3 +245,88 @@ func SubscriptionTLSTrustBundle() *feature.Feature { return f } + +func SubscriptionTLSWithAdditionalTrustBundle() *feature.Feature { + + channelName := feature.MakeRandomK8sName("channel") + subscriptionName := feature.MakeRandomK8sName("sub") + sink := feature.MakeRandomK8sName("sink") + source := feature.MakeRandomK8sName("source") + dlsName := feature.MakeRandomK8sName("dls") + dlsSubscriptionName := feature.MakeRandomK8sName("dls-sub") + trustBundle := feature.MakeRandomK8sName("trust-bundle") + + f := feature.NewFeature() + + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + + f.Setup("Add trust bundle to system namespace", func(ctx context.Context, t feature.T) { + + configmap.Install(trustBundle, knative.KnativeNamespaceFromContext(ctx), + configmap.WithLabels(map[string]string{"networking.knative.dev/trust-bundle": "true"}), + configmap.WithData("ca.crt", *eventshub.GetCaCerts(ctx)), + )(ctx, t) + }) + + f.Setup("install sink", eventshub.Install(sink, eventshub.StartReceiverTLS)) + f.Setup("install sink", eventshub.Install(dlsName, eventshub.StartReceiverTLS)) + f.Setup("install channel", channel_impl.Install(channelName)) + f.Setup("channel is ready", channel_impl.IsReady(channelName)) + + f.Setup("install subscription", func(ctx context.Context, t feature.T) { + d := &duckv1.Destination{ + URI: &apis.URL{ + Scheme: "https", // Force using https + Host: network.GetServiceHostname(sink, environment.FromContext(ctx).Namespace()), + }, + CACerts: nil, // CA certs are in the new trust-bundle + } + subscription.Install(subscriptionName, + subscription.WithChannel(channel_impl.AsRef(channelName)), + subscription.WithSubscriberFromDestination(d))(ctx, t) + }) + f.Setup("subscription is ready", subscription.IsReady(subscriptionName)) + f.Setup("install dead letter subscription", func(ctx context.Context, t 
feature.T) { + d := &duckv1.Destination{ + URI: &apis.URL{ + Scheme: "https", // Force using https + Host: network.GetServiceHostname(dlsName, environment.FromContext(ctx).Namespace()), + }, + CACerts: nil, // CA certs are in the trust-bundle + } + + subscription.Install(dlsSubscriptionName, + subscription.WithChannel(channel_impl.AsRef(channelName)), + subscription.WithDeadLetterSinkFromDestination(d), + subscription.WithSubscriber(nil, "http://127.0.0.1:2468", ""))(ctx, t) + }) + f.Setup("subscription dead letter is ready", subscription.IsReady(dlsSubscriptionName)) + f.Setup("Channel has HTTPS address", channel_impl.ValidateAddress(channelName, addressable.AssertHTTPSAddress)) + + event := cetest.FullEvent() + event.SetID(uuid.New().String()) + + f.Requirement("install source", eventshub.Install(source, + eventshub.StartSenderToResourceTLS(channel_impl.GVR(), channelName, nil), + eventshub.InputEvent(event), + // Send multiple events so that we take into account that the certificate rotation might + // be detected by the server after some time. + eventshub.SendMultipleEvents(100, 3*time.Second), + )) + + f.Assert("Event sent", assert.OnStore(source). + MatchSentEvent(cetest.HasId(event.ID())). + AtLeast(1), + ) + f.Assert("Event received in sink", assert.OnStore(sink). + MatchReceivedEvent(cetest.HasId(event.ID())). + AtLeast(1), + ) + f.Assert("Event received in dead letter sink", assert.OnStore(dlsName). + MatchReceivedEvent(cetest.HasId(event.ID())). + AtLeast(1), + ) + + return f +} diff --git a/test/rekt/features/pingsource/features.go b/test/rekt/features/pingsource/features.go index acce020dd0e..c421ce5ad2d 100644 --- a/test/rekt/features/pingsource/features.go +++ b/test/rekt/features/pingsource/features.go 
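Review bot: Two Setup steps in SubscriptionTLSWithAdditionalTrustBundle are both named "install sink" (one installs `sink`, the other `dlsName`), so a failure in either is reported under the same step name; renaming the second to `f.Setup("install dead letter sink", eventshub.Install(dlsName, eventshub.StartReceiverTLS))` makes them distinguishable. The comment above `eventshub.SendMultipleEvents(100, 3*time.Second)` refers to certificate rotation, but nothing visible in this feature rotates a certificate; it only adds a trust bundle. The comment would be clearer if it named the delay actually being tolerated, presumably the time the dispatcher needs to pick up the newly added bundle.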
@@ -27,6 +27,7 @@ import ( "knative.dev/reconciler-test/pkg/environment" "knative.dev/reconciler-test/pkg/eventshub" "knative.dev/reconciler-test/pkg/feature" + "knative.dev/reconciler-test/pkg/knative" "knative.dev/reconciler-test/pkg/manifest" "knative.dev/reconciler-test/pkg/resources/service" @@ -34,6 +35,7 @@ import ( "knative.dev/eventing/pkg/eventingtls/eventingtlstesting" "knative.dev/eventing/test/rekt/resources/addressable" "knative.dev/eventing/test/rekt/resources/broker" + "knative.dev/eventing/test/rekt/resources/configmap" "knative.dev/eventing/test/rekt/resources/eventtype" "knative.dev/eventing/test/rekt/resources/trigger" 
@@ -132,6 +134,48 @@ func SendsEventsTLSTrustBundle() *feature.Feature { return f } +func SendsEventsTLSWithAdditionalTrustBundle() *feature.Feature { + src := feature.MakeRandomK8sName("pingsource") + sink := feature.MakeRandomK8sName("sink") + trustBundle := feature.MakeRandomK8sName("trust-bundle") + + f := feature.NewFeature() + + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + + f.Setup("install sink", eventshub.Install(sink, eventshub.StartReceiverTLS)) + + f.Setup("Add trust bundle to system namespace", func(ctx context.Context, t feature.T) { + + configmap.Install(trustBundle, knative.KnativeNamespaceFromContext(ctx), + configmap.WithLabels(map[string]string{"networking.knative.dev/trust-bundle": "true"}), + configmap.WithData("ca.crt", *eventshub.GetCaCerts(ctx)), + )(ctx, t) + }) + + f.Requirement("install pingsource", func(ctx context.Context, t feature.T) { + d := &duckv1.Destination{ + URI: &apis.URL{ + Scheme: "https", // Force using https + Host: network.GetServiceHostname(sink, environment.FromContext(ctx).Namespace()), + }, + CACerts: nil, // CA certs are in the trust-bundle + } + + pingsource.Install(src, pingsource.WithSink(d))(ctx, t) + }) + f.Requirement("pingsource goes ready", pingsource.IsReady(src)) + + f.Stable("pingsource as event source"). + Must("delivers events", assert.OnStore(sink). + Match(eventassert.MatchKind(eventshub.EventReceived)). + MatchEvent(test.HasType("dev.knative.sources.ping")). + AtLeast(1)). + Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(pingsource.Gvr(), src)) + + return f +} + func SendsEventsWithSinkURI() *feature.Feature { source := feature.MakeRandomK8sName("pingsource") sink := feature.MakeRandomK8sName("sink") diff --git a/test/rekt/features/trigger/feature.go b/test/rekt/features/trigger/feature.go index 4896fd1c7d7..74663ca9c0e 100644 --- a/test/rekt/features/trigger/feature.go +++ b/test/rekt/features/trigger/feature.go 
@@ -27,6 +27,7 @@ import ( "knative.dev/reconciler-test/pkg/environment" "knative.dev/reconciler-test/pkg/eventshub" "knative.dev/reconciler-test/pkg/feature" + "knative.dev/reconciler-test/pkg/knative" "knative.dev/reconciler-test/pkg/manifest" "knative.dev/reconciler-test/pkg/resources/service" @@ -36,6 +37,7 @@ import ( "knative.dev/eventing/pkg/eventingtls/eventingtlstesting" "knative.dev/eventing/test/rekt/features/featureflags" "knative.dev/eventing/test/rekt/resources/broker" + "knative.dev/eventing/test/rekt/resources/configmap" "knative.dev/eventing/test/rekt/resources/pingsource" "knative.dev/eventing/test/rekt/resources/trigger" ) 
@@ -235,3 +237,78 @@ func TriggerWithTLSSubscriberTrustBundle() *feature.Feature { return f } + +func TriggerWithTLSSubscriberWithAdditionalCATrustBundles() *feature.Feature { + f := feature.NewFeatureNamed("Trigger with TLS subscriber and additional trust bundle") + + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + + brokerName := feature.MakeRandomK8sName("broker") + sourceName := feature.MakeRandomK8sName("source") + sinkName := feature.MakeRandomK8sName("sink") + triggerName := feature.MakeRandomK8sName("trigger") + dlsName := feature.MakeRandomK8sName("dls") + dlsTriggerName := feature.MakeRandomK8sName("dls-trigger") + trustBundle := feature.MakeRandomK8sName("trust-bundle") + + eventToSend := test.FullEvent() + + // Install Broker + f.Setup("Install Broker", broker.Install(brokerName, broker.WithEnvConfig()...)) + f.Setup("Broker is ready", broker.IsReady(brokerName)) + f.Setup("Broker is addressable", broker.IsAddressable(brokerName)) + + // Install Sink + f.Setup("Install Sink", eventshub.Install(sinkName, eventshub.StartReceiverTLS)) + f.Setup("Install dead letter sink service", eventshub.Install(dlsName, eventshub.StartReceiverTLS)) + + f.Setup("Add trust bundle to system namespace", func(ctx context.Context, t feature.T) { + + configmap.Install(trustBundle, knative.KnativeNamespaceFromContext(ctx), + configmap.WithLabels(map[string]string{"networking.knative.dev/trust-bundle": "true"}), + configmap.WithData("ca.crt", *eventshub.GetCaCerts(ctx)), + )(ctx, t) + }) + + // Install Trigger + f.Setup("Install trigger", func(ctx context.Context, t feature.T) { + subscriber := &duckv1.Destination{ + URI: &apis.URL{ + Scheme: "https", // Force using https + Host: network.GetServiceHostname(sinkName, environment.FromContext(ctx).Namespace()), + }, + CACerts: nil, // CA certs are in the new trust-bundle + } + + trigger.Install(triggerName, brokerName, + trigger.WithSubscriberFromDestination(subscriber))(ctx, t) + }) + 
f.Setup("Wait for Trigger to become ready", trigger.IsReady(triggerName)) + + f.Setup("Install failing trigger", func(ctx context.Context, t feature.T) { + dls := service.AsDestinationRef(dlsName) + + linear := eventingv1.BackoffPolicyLinear + trigger.Install(dlsTriggerName, brokerName, + trigger.WithRetry(10, &linear, pointer.String("PT1S")), + trigger.WithDeadLetterSinkFromDestination(dls), + trigger.WithSubscriber(nil, "http://127.0.0.1:2468"))(ctx, t) + }) + f.Setup("Wait for failing Trigger to become ready", trigger.IsReady(dlsTriggerName)) + + // Install Source + f.Requirement("Install Source", eventshub.Install( + sourceName, + eventshub.StartSenderToResource(broker.GVR(), brokerName), + eventshub.InputEvent(eventToSend), + )) + + f.Assert("Trigger delivers events to TLS subscriber", assert.OnStore(sinkName). + MatchReceivedEvent(test.HasId(eventToSend.ID())). + AtLeast(1)) + f.Assert("Trigger delivers events to TLS dead letter sink", assert.OnStore(dlsName). + MatchReceivedEvent(test.HasId(eventToSend.ID())). + AtLeast(1)) + + return f +} diff --git a/test/rekt/pingsource_test.go b/test/rekt/pingsource_test.go index 1aab02f7e8c..8bc45a0f43d 100644 --- a/test/rekt/pingsource_test.go +++ b/test/rekt/pingsource_test.go @@ -61,6 +61,7 @@ func TestPingSourceTLS(t *testing.T) { env.ParallelTest(ctx, t, pingsource.SendsEventsTLS()) env.ParallelTest(ctx, t, pingsource.SendsEventsTLSTrustBundle()) + env.ParallelTest(ctx, t, pingsource.SendsEventsTLSWithAdditionalTrustBundle()) } func TestPingSourceWithSinkURI(t *testing.T) { diff --git a/test/rekt/resources/configmap/config-features.yaml b/test/rekt/resources/configmap/config-features.yaml index 017d7574d5e..b56566f5343 100644 --- a/test/rekt/resources/configmap/config-features.yaml +++ b/test/rekt/resources/configmap/config-features.yaml 
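Review bot: In the "Install failing trigger" step the dead letter sink is built with `service.AsDestinationRef(dlsName)`, while the subscriber in the previous step is an explicit `https` URI with `CACerts: nil`. If that ref resolves to a plain-HTTP address, the assertion "Trigger delivers events to TLS dead letter sink" can pass without the additional trust bundle being used on that path. The channel feature in this patch builds its dead letter destination as an explicit https `duckv1.Destination`; doing the same here, as sketched below, would make the dead-letter delivery depend on the bundle. The sender uses `eventshub.StartSenderToResource` and the feature has no transport-encryption prerequisite, so as written only the trigger-to-subscriber hop is certain to use TLS.

```go
f.Setup("Install failing trigger", func(ctx context.Context, t feature.T) {
	dls := &duckv1.Destination{
		URI: &apis.URL{
			Scheme: "https", // Force using https
			Host:   network.GetServiceHostname(dlsName, environment.FromContext(ctx).Namespace()),
		},
		CACerts: nil, // CA certs are in the additional trust-bundle
	}
	// … unchanged: trigger.Install(dlsTriggerName, brokerName, …) with retry, dead letter sink and failing subscriber …
})
```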
@@ -3,10 +3,23 @@ kind: ConfigMap metadata: name: {{ .name }} namespace: {{ .namespace }} + {{ if .labels }} + labels: + {{ range $key, $value := .labels }} + {{ $key }}: "{{ $value }}" + {{ end }} + {{ else }} labels: knative.dev/config-propagation: original knative.dev/config-category: eventing + {{ end }} data: + {{ if .data }} + {{ range $key, $value := .data }} + {{ $key }}: |- + {{ $value }} + {{ end }} + {{ else }} _example: | my-enabled-flag: "enabled" my-disabled-flag: "disabled" @@ -14,4 +27,4 @@ data: apiserversources.nodeselector.testkey: testvalue apiserversources.nodeselector.testkey1: testvalue1 apiserversources.nodeselector.testkey2: testvalue2 - + {{ end }} diff --git a/test/rekt/resources/configmap/configmap.go b/test/rekt/resources/configmap/configmap.go index 8776df0c0e6..f6e31fcd24a 100644 --- a/test/rekt/resources/configmap/configmap.go +++ b/test/rekt/resources/configmap/configmap.go @@ -19,6 +19,7 @@ package configmap import ( "context" "embed" + "strings" "knative.dev/reconciler-test/pkg/feature" "knative.dev/reconciler-test/pkg/manifest" @@ -44,3 +45,15 @@ func Install(name string, ns string, opts ...manifest.CfgFn) feature.StepFn { } } } + +var WithLabels = manifest.WithLabels + +func WithData(key, value string) manifest.CfgFn { + return func(m map[string]interface{}) { + if _, ok := m["data"]; !ok { + m["data"] = map[string]string{} + } + value = strings.ReplaceAll(value, "\n", "\n ") + m["data"].(map[string]string)[key] = value + } +} diff --git a/test/rekt/resources/configmap/configmap_test.go b/test/rekt/resources/configmap/configmap_test.go new file mode 100644 index 00000000000..d38491b9e0c --- /dev/null +++ b/test/rekt/resources/configmap/configmap_test.go 
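Review bot: The template writes caller-supplied keys and values into the YAML without escaping, as `{{ $key }}: "{{ $value }}"` under labels and `{{ $key }}: |-` under data. A value containing a double quote, or a key containing a colon or a newline, would therefore yield a different document than the caller intended, and the new features apply this ConfigMap to the system namespace. Quoting with the template built-in, e.g. `{{ printf "%q" $key }}: {{ printf "%q" $value }}` for the labels, keeps an arbitrary string inside one scalar. Passing any labels also drops the default `knative.dev/config-propagation` and `knative.dev/config-category` labels instead of adding to them; if that is intended, a comment at the `{{ if .labels }}` branch saying so would help.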
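Review bot: The closure returned by WithData assigns the indented text back to the captured `value` parameter, so every further invocation of the same CfgFn indents the already-indented text again. Assigning the `strings.ReplaceAll` result to a new local, with the same arguments, keeps the option idempotent. The unchecked assertion `m["data"].(map[string]string)` panics if another option has stored a different type under "data"; `data, ok := m["data"].(map[string]string)` followed by creating the map when `!ok` avoids that. Neither WithData nor WithLabels has a doc comment. The one on WithData should state that the inserted indent must match the indentation of the `{{ $value }}` line in config-features.yaml, since the two files have to change together.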
@@ -0,0 +1,55 @@ +/* +Copyright 2024 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package configmap + +import ( + "os" + + testlog "knative.dev/reconciler-test/pkg/logging" + "knative.dev/reconciler-test/pkg/manifest" +) + +func Example_withData() { + ctx := testlog.NewContext() + images := map[string]string{} + cfg := map[string]interface{}{ + "name": "foo", + "namespace": "bar", + } + + WithData("ca.crt", "x\nx")(cfg) + WithLabels(map[string]string{"a": "b"})(cfg) + + files, err := manifest.ExecuteYAML(ctx, yaml, images, cfg) + if err != nil { + panic(err) + } + + manifest.OutputYAML(os.Stdout, files) + // Output: + // apiVersion: v1 + // kind: ConfigMap + // metadata: + // name: foo + // namespace: bar + // labels: + // a: "b" + // data: + // ca.crt: |- + // x + // x +} diff --git a/test/rekt/trigger_test.go b/test/rekt/trigger_test.go index 66981384270..6b17ae110e9 100644 --- a/test/rekt/trigger_test.go +++ b/test/rekt/trigger_test.go @@ -95,4 +95,5 @@ func TestTriggerTLSSubscriber(t *testing.T) { env.ParallelTest(ctx, t, trigger.TriggerWithTLSSubscriber()) env.ParallelTest(ctx, t, trigger.TriggerWithTLSSubscriberTrustBundle()) + env.ParallelTest(ctx, t, trigger.TriggerWithTLSSubscriberWithAdditionalCATrustBundles()) } From 8109afd5bcd321ed537dda7618ed21460596b1e2 Mon Sep 17 00:00:00 2001 From: Pierangelo Di Pilato Date: Tue, 27 Feb 2024 11:32:47 +0100 Subject: [PATCH 02/11] Add CA rotation tests 
Signed-off-by: Pierangelo Di Pilato --- test/rekt/apiserversource_test.go | 1 + test/rekt/channel_test.go | 1 + .../features/apiserversource/data_plane.go | 57 ++++++++++++ .../features/channel/eventing_tls_feature.go | 87 +++++++++++++++++++ test/rekt/features/pingsource/features.go | 44 ++++++++++ test/rekt/features/trigger/feature.go | 77 ++++++++++++++++ test/rekt/pingsource_test.go | 1 + .../resources/configmap/config-features.yaml | 21 ++++- test/rekt/resources/configmap/configmap.go | 13 +++ .../resources/configmap/configmap_test.go | 55 ++++++++++++ test/rekt/trigger_test.go | 1 + 11 files changed, 354 insertions(+), 4 deletions(-) create mode 100644 test/rekt/resources/configmap/configmap_test.go diff --git a/test/rekt/apiserversource_test.go b/test/rekt/apiserversource_test.go index e2641fc3ba8..55abd203796 100644 --- a/test/rekt/apiserversource_test.go +++ b/test/rekt/apiserversource_test.go @@ -111,6 +111,7 @@ func TestApiServerSourceDataPlaneTLS(t *testing.T) { env.ParallelTest(ctx, t, apiserversourcefeatures.SendsEventsWithTLS()) env.ParallelTest(ctx, t, apiserversourcefeatures.SendsEventsWithTLSTrustBundle()) + env.ParallelTest(ctx, t, apiserversourcefeatures.SendsEventsWithTLSWithAdditionalTrustBundle()) } func TestApiServerSourceDataPlane_EventModes(t *testing.T) { diff --git a/test/rekt/channel_test.go b/test/rekt/channel_test.go index 6cca352dd22..478326e727b 100644 --- a/test/rekt/channel_test.go +++ b/test/rekt/channel_test.go @@ -358,6 +358,7 @@ func TestInMemoryChannelTLS(t *testing.T) { env.ParallelTest(ctx, t, channel.SubscriptionTLS()) env.ParallelTest(ctx, t, channel.SubscriptionTLSTrustBundle()) + env.ParallelTest(ctx, t, channel.SubscriptionTLSWithAdditionalTrustBundle()) } func TestChannelImplDispatcherAuthenticatesWithOIDC(t *testing.T) { diff --git a/test/rekt/features/apiserversource/data_plane.go b/test/rekt/features/apiserversource/data_plane.go index 01661db1716..9b306e8a538 100644 
--- a/test/rekt/features/apiserversource/data_plane.go +++ b/test/rekt/features/apiserversource/data_plane.go @@ -25,6 +25,7 @@ import ( duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/pkg/network" "knative.dev/reconciler-test/pkg/environment" + "knative.dev/reconciler-test/pkg/knative" "knative.dev/eventing/pkg/eventingtls/eventingtlstesting" "knative.dev/eventing/test/rekt/resources/addressable" 
@@ -271,6 +272,62 @@ func SendsEventsWithTLSTrustBundle() *feature.Feature { return f } +func SendsEventsWithTLSWithAdditionalTrustBundle() *feature.Feature { + src := feature.MakeRandomK8sName("apiserversource") + sink := feature.MakeRandomK8sName("sink") + trustBundle := feature.MakeRandomK8sName("trust-bundle") + + f := feature.NewFeatureNamed("Send events to TLS sink - additional trust bundle") + + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + + f.Setup("install sink", eventshub.Install(sink, eventshub.StartReceiverTLS)) + + f.Setup("Add trust bundle to system namespace", func(ctx context.Context, t feature.T) { + + configmap.Install(trustBundle, knative.KnativeNamespaceFromContext(ctx), + configmap.WithLabels(map[string]string{"networking.knative.dev/trust-bundle": "true"}), + configmap.WithData("ca.crt", *eventshub.GetCaCerts(ctx)), + )(ctx, t) + }) + + sacmName := feature.MakeRandomK8sName("apiserversource") + f.Requirement("Create Service Account for ApiServerSource with RBAC for v1.Event resources", + setupAccountAndRoleForPods(sacmName)) + + cfg := []manifest.CfgFn{ + apiserversource.WithServiceAccountName(sacmName), + apiserversource.WithEventMode(v1.ResourceMode), + apiserversource.WithResources(v1.APIVersionKindSelector{ + APIVersion: "v1", + Kind: "Event", + }), + } + + f.Requirement("install ApiServerSource", func(ctx context.Context, t feature.T) { + cfg = append(cfg, apiserversource.WithSink(&duckv1.Destination{ + URI: &apis.URL{ + Scheme: "https", // Force using https + Host: network.GetServiceHostname(sink, environment.FromContext(ctx).Namespace()), + }, + CACerts: nil, // CA certs are in the new trust-bundle + })) + apiserversource.Install(src, cfg...)(ctx, t) + }) + f.Requirement("ApiServerSource goes ready", apiserversource.IsReady(src)) + + f.Stable("ApiServerSource as event source"). + Must("delivers events on sink with ref", + eventassert.OnStore(sink). 
+ Match(eventassert.MatchKind(eventshub.EventReceived)). + MatchEvent(test.HasType("dev.knative.apiserver.resource.update")). + AtLeast(1), + ). + Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(apiserversource.Gvr(), src)) + + return f +} + // SendsEventsWithEventTypes tests apiserversource to a ready broker. func SendsEventsWithEventTypes() *feature.Feature { source := feature.MakeRandomK8sName("source") diff --git a/test/rekt/features/channel/eventing_tls_feature.go b/test/rekt/features/channel/eventing_tls_feature.go index 3bb633afef8..45b48b7e065 100644 --- a/test/rekt/features/channel/eventing_tls_feature.go +++ b/test/rekt/features/channel/eventing_tls_feature.go @@ -31,6 +31,7 @@ import ( "knative.dev/reconciler-test/pkg/eventshub" "knative.dev/reconciler-test/pkg/eventshub/assert" "knative.dev/reconciler-test/pkg/feature" + "knative.dev/reconciler-test/pkg/knative" "knative.dev/reconciler-test/pkg/resources/service" "knative.dev/reconciler-test/resources/certificate" @@ -38,6 +39,7 @@ import ( "knative.dev/eventing/test/rekt/features/featureflags" "knative.dev/eventing/test/rekt/resources/addressable" "knative.dev/eventing/test/rekt/resources/channel_impl" + "knative.dev/eventing/test/rekt/resources/configmap" "knative.dev/eventing/test/rekt/resources/subscription" ) 
@@ -243,3 +245,88 @@ func SubscriptionTLSTrustBundle() *feature.Feature { return f } + +func SubscriptionTLSWithAdditionalTrustBundle() *feature.Feature { + + channelName := feature.MakeRandomK8sName("channel") + subscriptionName := feature.MakeRandomK8sName("sub") + sink := feature.MakeRandomK8sName("sink") + source := feature.MakeRandomK8sName("source") + dlsName := feature.MakeRandomK8sName("dls") + dlsSubscriptionName := feature.MakeRandomK8sName("dls-sub") + trustBundle := feature.MakeRandomK8sName("trust-bundle") + + f := feature.NewFeature() + + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + + f.Setup("Add trust bundle to system namespace", func(ctx context.Context, t feature.T) { + + configmap.Install(trustBundle, knative.KnativeNamespaceFromContext(ctx), + configmap.WithLabels(map[string]string{"networking.knative.dev/trust-bundle": "true"}), + configmap.WithData("ca.crt", *eventshub.GetCaCerts(ctx)), + )(ctx, t) + }) + + f.Setup("install sink", eventshub.Install(sink, eventshub.StartReceiverTLS)) + f.Setup("install sink", eventshub.Install(dlsName, eventshub.StartReceiverTLS)) + f.Setup("install channel", channel_impl.Install(channelName)) + f.Setup("channel is ready", channel_impl.IsReady(channelName)) + + f.Setup("install subscription", func(ctx context.Context, t feature.T) { + d := &duckv1.Destination{ + URI: &apis.URL{ + Scheme: "https", // Force using https + Host: network.GetServiceHostname(sink, environment.FromContext(ctx).Namespace()), + }, + CACerts: nil, // CA certs are in the new trust-bundle + } + subscription.Install(subscriptionName, + subscription.WithChannel(channel_impl.AsRef(channelName)), + subscription.WithSubscriberFromDestination(d))(ctx, t) + }) + f.Setup("subscription is ready", subscription.IsReady(subscriptionName)) + f.Setup("install dead letter subscription", func(ctx context.Context, t 
feature.T) { + d := &duckv1.Destination{ + URI: &apis.URL{ + Scheme: "https", // Force using https + Host: network.GetServiceHostname(dlsName, environment.FromContext(ctx).Namespace()), + }, + CACerts: nil, // CA certs are in the trust-bundle + } + + subscription.Install(dlsSubscriptionName, + subscription.WithChannel(channel_impl.AsRef(channelName)), + subscription.WithDeadLetterSinkFromDestination(d), + subscription.WithSubscriber(nil, "http://127.0.0.1:2468", ""))(ctx, t) + }) + f.Setup("subscription dead letter is ready", subscription.IsReady(dlsSubscriptionName)) + f.Setup("Channel has HTTPS address", channel_impl.ValidateAddress(channelName, addressable.AssertHTTPSAddress)) + + event := cetest.FullEvent() + event.SetID(uuid.New().String()) + + f.Requirement("install source", eventshub.Install(source, + eventshub.StartSenderToResourceTLS(channel_impl.GVR(), channelName, nil), + eventshub.InputEvent(event), + // Send multiple events so that we take into account that the certificate rotation might + // be detected by the server after some time. + eventshub.SendMultipleEvents(100, 3*time.Second), + )) + + f.Assert("Event sent", assert.OnStore(source). + MatchSentEvent(cetest.HasId(event.ID())). + AtLeast(1), + ) + f.Assert("Event received in sink", assert.OnStore(sink). + MatchReceivedEvent(cetest.HasId(event.ID())). + AtLeast(1), + ) + f.Assert("Event received in dead letter sink", assert.OnStore(dlsName). + MatchReceivedEvent(cetest.HasId(event.ID())). + AtLeast(1), + ) + + return f +} diff --git a/test/rekt/features/pingsource/features.go b/test/rekt/features/pingsource/features.go index 8d6a58e9bd5..ac2787a75d1 100644 --- a/test/rekt/features/pingsource/features.go +++ b/test/rekt/features/pingsource/features.go 
@@ -27,6 +27,7 @@ import ( "knative.dev/reconciler-test/pkg/environment" "knative.dev/reconciler-test/pkg/eventshub" "knative.dev/reconciler-test/pkg/feature" + "knative.dev/reconciler-test/pkg/knative" "knative.dev/reconciler-test/pkg/manifest" "knative.dev/reconciler-test/pkg/resources/service" @@ -34,6 +35,7 @@ import ( "knative.dev/eventing/pkg/eventingtls/eventingtlstesting" "knative.dev/eventing/test/rekt/resources/addressable" "knative.dev/eventing/test/rekt/resources/broker" + "knative.dev/eventing/test/rekt/resources/configmap" "knative.dev/eventing/test/rekt/resources/eventtype" "knative.dev/eventing/test/rekt/resources/trigger" 
@@ -132,6 +134,48 @@ func SendsEventsTLSTrustBundle() *feature.Feature { return f } +func SendsEventsTLSWithAdditionalTrustBundle() *feature.Feature { + src := feature.MakeRandomK8sName("pingsource") + sink := feature.MakeRandomK8sName("sink") + trustBundle := feature.MakeRandomK8sName("trust-bundle") + + f := feature.NewFeature() + + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + + f.Setup("install sink", eventshub.Install(sink, eventshub.StartReceiverTLS)) + + f.Setup("Add trust bundle to system namespace", func(ctx context.Context, t feature.T) { + + configmap.Install(trustBundle, knative.KnativeNamespaceFromContext(ctx), + configmap.WithLabels(map[string]string{"networking.knative.dev/trust-bundle": "true"}), + configmap.WithData("ca.crt", *eventshub.GetCaCerts(ctx)), + )(ctx, t) + }) + + f.Requirement("install pingsource", func(ctx context.Context, t feature.T) { + d := &duckv1.Destination{ + URI: &apis.URL{ + Scheme: "https", // Force using https + Host: network.GetServiceHostname(sink, environment.FromContext(ctx).Namespace()), + }, + CACerts: nil, // CA certs are in the trust-bundle + } + + pingsource.Install(src, pingsource.WithSink(d))(ctx, t) + }) + f.Requirement("pingsource goes ready", pingsource.IsReady(src)) + + f.Stable("pingsource as event source"). + Must("delivers events", assert.OnStore(sink). + Match(eventassert.MatchKind(eventshub.EventReceived)). + MatchEvent(test.HasType("dev.knative.sources.ping")). + AtLeast(1)). + Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(pingsource.Gvr(), src)) + + return f +} + func SendsEventsWithSinkURI() *feature.Feature { source := feature.MakeRandomK8sName("pingsource") sink := feature.MakeRandomK8sName("sink") diff --git a/test/rekt/features/trigger/feature.go b/test/rekt/features/trigger/feature.go index 4896fd1c7d7..74663ca9c0e 100644 --- a/test/rekt/features/trigger/feature.go +++ b/test/rekt/features/trigger/feature.go 
@@ -27,6 +27,7 @@ import ( "knative.dev/reconciler-test/pkg/environment" "knative.dev/reconciler-test/pkg/eventshub" "knative.dev/reconciler-test/pkg/feature" + "knative.dev/reconciler-test/pkg/knative" "knative.dev/reconciler-test/pkg/manifest" "knative.dev/reconciler-test/pkg/resources/service" @@ -36,6 +37,7 @@ import ( "knative.dev/eventing/pkg/eventingtls/eventingtlstesting" "knative.dev/eventing/test/rekt/features/featureflags" "knative.dev/eventing/test/rekt/resources/broker" + "knative.dev/eventing/test/rekt/resources/configmap" "knative.dev/eventing/test/rekt/resources/pingsource" "knative.dev/eventing/test/rekt/resources/trigger" ) 
@@ -235,3 +237,78 @@ func TriggerWithTLSSubscriberTrustBundle() *feature.Feature { return f } + +func TriggerWithTLSSubscriberWithAdditionalCATrustBundles() *feature.Feature { + f := feature.NewFeatureNamed("Trigger with TLS subscriber and additional trust bundle") + + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + + brokerName := feature.MakeRandomK8sName("broker") + sourceName := feature.MakeRandomK8sName("source") + sinkName := feature.MakeRandomK8sName("sink") + triggerName := feature.MakeRandomK8sName("trigger") + dlsName := feature.MakeRandomK8sName("dls") + dlsTriggerName := feature.MakeRandomK8sName("dls-trigger") + trustBundle := feature.MakeRandomK8sName("trust-bundle") + + eventToSend := test.FullEvent() + + // Install Broker + f.Setup("Install Broker", broker.Install(brokerName, broker.WithEnvConfig()...)) + f.Setup("Broker is ready", broker.IsReady(brokerName)) + f.Setup("Broker is addressable", broker.IsAddressable(brokerName)) + + // Install Sink + f.Setup("Install Sink", eventshub.Install(sinkName, eventshub.StartReceiverTLS)) + f.Setup("Install dead letter sink service", eventshub.Install(dlsName, eventshub.StartReceiverTLS)) + + f.Setup("Add trust bundle to system namespace", func(ctx context.Context, t feature.T) { + + configmap.Install(trustBundle, knative.KnativeNamespaceFromContext(ctx), + configmap.WithLabels(map[string]string{"networking.knative.dev/trust-bundle": "true"}), + configmap.WithData("ca.crt", *eventshub.GetCaCerts(ctx)), + )(ctx, t) + }) + + // Install Trigger + f.Setup("Install trigger", func(ctx context.Context, t feature.T) { + subscriber := &duckv1.Destination{ + URI: &apis.URL{ + Scheme: "https", // Force using https + Host: network.GetServiceHostname(sinkName, environment.FromContext(ctx).Namespace()), + }, + CACerts: nil, // CA certs are in the new trust-bundle + } + + trigger.Install(triggerName, brokerName, + trigger.WithSubscriberFromDestination(subscriber))(ctx, t) + }) + 
f.Setup("Wait for Trigger to become ready", trigger.IsReady(triggerName)) + + f.Setup("Install failing trigger", func(ctx context.Context, t feature.T) { + dls := service.AsDestinationRef(dlsName) + + linear := eventingv1.BackoffPolicyLinear + trigger.Install(dlsTriggerName, brokerName, + trigger.WithRetry(10, &linear, pointer.String("PT1S")), + trigger.WithDeadLetterSinkFromDestination(dls), + trigger.WithSubscriber(nil, "http://127.0.0.1:2468"))(ctx, t) + }) + f.Setup("Wait for failing Trigger to become ready", trigger.IsReady(dlsTriggerName)) + + // Install Source + f.Requirement("Install Source", eventshub.Install( + sourceName, + eventshub.StartSenderToResource(broker.GVR(), brokerName), + eventshub.InputEvent(eventToSend), + )) + + f.Assert("Trigger delivers events to TLS subscriber", assert.OnStore(sinkName). + MatchReceivedEvent(test.HasId(eventToSend.ID())). + AtLeast(1)) + f.Assert("Trigger delivers events to TLS dead letter sink", assert.OnStore(dlsName). + MatchReceivedEvent(test.HasId(eventToSend.ID())). + AtLeast(1)) + + return f +} diff --git a/test/rekt/pingsource_test.go b/test/rekt/pingsource_test.go index 1aab02f7e8c..8bc45a0f43d 100644 --- a/test/rekt/pingsource_test.go +++ b/test/rekt/pingsource_test.go @@ -61,6 +61,7 @@ func TestPingSourceTLS(t *testing.T) { env.ParallelTest(ctx, t, pingsource.SendsEventsTLS()) env.ParallelTest(ctx, t, pingsource.SendsEventsTLSTrustBundle()) + env.ParallelTest(ctx, t, pingsource.SendsEventsTLSWithAdditionalTrustBundle()) } func TestPingSourceWithSinkURI(t *testing.T) { diff --git a/test/rekt/resources/configmap/config-features.yaml b/test/rekt/resources/configmap/config-features.yaml index 6dd98e50f9d..b56566f5343 100644 --- a/test/rekt/resources/configmap/config-features.yaml +++ b/test/rekt/resources/configmap/config-features.yaml 
@@ -3,15 +3,28 @@ kind: ConfigMap metadata: name: {{ .name }} namespace: {{ .namespace }} + {{ if .labels }} + labels: + {{ range $key, $value := .labels }} + {{ $key }}: "{{ $value }}" + {{ end }} + {{ else }} labels: knative.dev/config-propagation: original knative.dev/config-category: eventing + {{ end }} data: + {{ if .data }} + {{ range $key, $value := .data }} + {{ $key }}: |- + {{ $value }} + {{ end }} + {{ else }} _example: | my-enabled-flag: "enabled" my-disabled-flag: "disabled" my-allowed-flag: "allowed" - apiserversources-nodeselector-testkey: testvalue - apiserversources-nodeselector-testkey1: testvalue1 - apiserversources-nodeselector-testkey2: testvalue2 - + apiserversources.nodeselector.testkey: testvalue + apiserversources.nodeselector.testkey1: testvalue1 + apiserversources.nodeselector.testkey2: testvalue2 + {{ end }} diff --git a/test/rekt/resources/configmap/configmap.go b/test/rekt/resources/configmap/configmap.go index 8776df0c0e6..f6e31fcd24a 100644 --- a/test/rekt/resources/configmap/configmap.go +++ b/test/rekt/resources/configmap/configmap.go @@ -19,6 +19,7 @@ package configmap import ( "context" "embed" + "strings" "knative.dev/reconciler-test/pkg/feature" "knative.dev/reconciler-test/pkg/manifest" @@ -44,3 +45,15 @@ func Install(name string, ns string, opts ...manifest.CfgFn) feature.StepFn { } } } + +var WithLabels = manifest.WithLabels + +func WithData(key, value string) manifest.CfgFn { + return func(m map[string]interface{}) { + if _, ok := m["data"]; !ok { + m["data"] = map[string]string{} + } + value = strings.ReplaceAll(value, "\n", "\n ") + m["data"].(map[string]string)[key] = value + } +} diff --git a/test/rekt/resources/configmap/configmap_test.go b/test/rekt/resources/configmap/configmap_test.go new file mode 100644 index 00000000000..d38491b9e0c --- /dev/null +++ b/test/rekt/resources/configmap/configmap_test.go 
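Review bot: With the new `{{ if .labels }}` branch, passing any labels replaces the default `knative.dev/config-propagation` and `knative.dev/config-category` labels instead of adding to them, and `.data` likewise replaces the `_example` block; this is easy to miss from the Go side. I would record it in a template comment that produces no output, e.g. `{{- /* labels and data, when set, replace the defaults below rather than merging with them */ -}}`. The `|-` block scalar under `data` also parses only if every continuation line of `$value` is already indented to the scalar's level, which the template leaves to the caller (`WithData` in configmap.go); a second short comment next to the `range` would document that dependency.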
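Review bot: `WithData` writes the re-indented string back into the captured parameter (`value = strings.ReplaceAll(value, ...)`), so applying the same returned `CfgFn` a second time indents the payload again and produces a different ConfigMap value. Keep the existing replacement literal but store the result in a new local, `indented := strings.ReplaceAll(value, "\n", indent)` followed by `m["data"].(map[string]string)[key] = indented`, where `indent` stands for the literal already in the code. The `m["data"].(map[string]string)` assertion is unchecked and panics if another option stored `data` under a different map type. The exported `WithData` and `WithLabels` also need doc comments; the one on `WithData` should say that the indentation width is tied to the `data:` block in config-features.yaml.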
@@ -0,0 +1,55 @@ +/* +Copyright 2024 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package configmap + +import ( + "os" + + testlog "knative.dev/reconciler-test/pkg/logging" + "knative.dev/reconciler-test/pkg/manifest" +) + +func Example_withData() { + ctx := testlog.NewContext() + images := map[string]string{} + cfg := map[string]interface{}{ + "name": "foo", + "namespace": "bar", + } + + WithData("ca.crt", "x\nx")(cfg) + WithLabels(map[string]string{"a": "b"})(cfg) + + files, err := manifest.ExecuteYAML(ctx, yaml, images, cfg) + if err != nil { + panic(err) + } + + manifest.OutputYAML(os.Stdout, files) + // Output: + // apiVersion: v1 + // kind: ConfigMap + // metadata: + // name: foo + // namespace: bar + // labels: + // a: "b" + // data: + // ca.crt: |- + // x + // x +} diff --git a/test/rekt/trigger_test.go b/test/rekt/trigger_test.go index 66981384270..6b17ae110e9 100644 --- a/test/rekt/trigger_test.go +++ b/test/rekt/trigger_test.go @@ -95,4 +95,5 @@ func TestTriggerTLSSubscriber(t *testing.T) { env.ParallelTest(ctx, t, trigger.TriggerWithTLSSubscriber()) env.ParallelTest(ctx, t, trigger.TriggerWithTLSSubscriberTrustBundle()) + env.ParallelTest(ctx, t, trigger.TriggerWithTLSSubscriberWithAdditionalCATrustBundles()) } From 50ec78cfb74634d3413a68284c34d881199e5c66 Mon Sep 17 00:00:00 2001 From: Pierangelo Di Pilato Date: Wed, 15 May 2024 11:43:31 +0200 Subject: [PATCH 03/11] Fix test 
Signed-off-by: Pierangelo Di Pilato --- hack/e2e-debug.sh | 2 +- test/rekt/features/trigger/feature.go | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/hack/e2e-debug.sh b/hack/e2e-debug.sh index 29006c7140e..2a4bf338848 100755 --- a/hack/e2e-debug.sh +++ b/hack/e2e-debug.sh @@ -35,4 +35,4 @@ wait_until_pods_running knative-eventing || fail_test "Pods in knative-eventing header "Running tests" -go_test_e2e -timeout=30m -run="${test_name}" "${test_dir}" || fail_test "Test(s) failed" +go test -tags=e2e -v -parallel="${PARALLEL:-12}" -timeout=30m -run="${test_name}" "${test_dir}" || fail_test "Test(s) failed" diff --git a/test/rekt/features/trigger/feature.go b/test/rekt/features/trigger/feature.go index 01379fc8d48..f4a8f89f91e 100644 --- a/test/rekt/features/trigger/feature.go +++ b/test/rekt/features/trigger/feature.go @@ -287,7 +287,13 @@ func TriggerWithTLSSubscriberWithAdditionalCATrustBundles() *feature.Feature { f.Setup("Wait for Trigger to become ready", trigger.IsReady(triggerName)) f.Setup("Install failing trigger", func(ctx context.Context, t feature.T) { - dls := service.AsDestinationRef(dlsName) + dls := &duckv1.Destination{ + URI: &apis.URL{ + Scheme: "https", // Force using https + Host: network.GetServiceHostname(dlsName, environment.FromContext(ctx).Namespace()), + }, + CACerts: nil, // CA certs are in the new trust-bundle + } linear := eventingv1.BackoffPolicyLinear trigger.Install(dlsTriggerName, brokerName, From 0c5a8a12d86f5bf013e338e2c91573a68cee3c9a Mon Sep 17 00:00:00 2001 From: Pierangelo Di Pilato Date: Tue, 21 May 2024 17:02:14 +0200 Subject: [PATCH 04/11] Add propagation improvements for webhook (running before reconciler) 
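Review bot: Replacing `go_test_e2e` with a bare `go test` drops whatever flags the helper adds; it is defined outside this page, so check whether it supplies `-count=1` or `-race`. Without `-count=1`, `go test` can report a cached pass for an unchanged package, which is misleading for e2e tests that run against a live cluster. I would keep the new `-parallel` override but add the flag: `go test -tags=e2e -count=1 -v -parallel="${PARALLEL:-12}" -timeout=30m -run="${test_name}" "${test_dir}" || fail_test "Test(s) failed"`.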
Signed-off-by: Pierangelo Di Pilato --- pkg/apis/sources/v1/sinkbinding_lifecycle.go | 28 +++++++++++++++---- pkg/eventingtls/trust_bundle.go | 26 +++++++++++------ .../apiserversource/apiserversource.go | 3 +- pkg/reconciler/sinkbinding/sinkbinding.go | 3 +- 4 files changed, 45 insertions(+), 15 deletions(-) diff --git a/pkg/apis/sources/v1/sinkbinding_lifecycle.go b/pkg/apis/sources/v1/sinkbinding_lifecycle.go index 0138839f2f5..2928f4ce848 100644 --- a/pkg/apis/sources/v1/sinkbinding_lifecycle.go +++ b/pkg/apis/sources/v1/sinkbinding_lifecycle.go @@ -24,6 +24,7 @@ import ( "go.uber.org/zap" corev1listers "k8s.io/client-go/listers/core/v1" + kubeclient "knative.dev/pkg/client/injection/kube/client" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -196,13 +197,30 @@ func (sb *SinkBinding) Do(ctx context.Context, ps *duckv1.WithPod) { Value: ceOverrides, }) } - - pss, err := eventingtls.AddTrustBundleVolumes(GetTrustBundleConfigMapLister(ctx), sb, &ps.Spec.Template.Spec) + gvk := schema.GroupVersionKind{ + Group: SchemeGroupVersion.Group, + Version: SchemeGroupVersion.Version, + Kind: "SinkBinding", + } + bundles, err := eventingtls.PropagateTrustBundles(ctx, kubeclient.Get(ctx), GetTrustBundleConfigMapLister(ctx), gvk, sb) if err != nil { - logging.FromContext(ctx).Errorw("Failed to add trust bundle volumes %s/%s: %+v", zap.Error(err)) - return + logging.FromContext(ctx).Errorw("Failed to propagate trust bundles", zap.Error(err)) + } + if len(bundles) > 0 { + pss, err := eventingtls.AddTrustBundleVolumesFromConfigMaps(bundles, &ps.Spec.Template.Spec) + if err != nil { + logging.FromContext(ctx).Errorw("Failed to add trust bundle volumes from configmaps %s/%s: %+v", zap.Error(err)) + return + } + ps.Spec.Template.Spec = *pss + } else { + pss, err := eventingtls.AddTrustBundleVolumes(GetTrustBundleConfigMapLister(ctx), sb, &ps.Spec.Template.Spec) + if err != nil { + logging.FromContext(ctx).Errorw("Failed to add trust bundle volumes %s/%s: %+v", zap.Error(err)) + return + } + ps.Spec.Template.Spec = *pss } - ps.Spec.Template.Spec = *pss if sb.Status.OIDCTokenSecretName != nil { ps.Spec.Template.Spec.Volumes = append(ps.Spec.Template.Spec.Volumes, corev1.Volume{ diff --git a/pkg/eventingtls/trust_bundle.go b/pkg/eventingtls/trust_bundle.go index a5c82b7139b..6eff1868f21 100644 --- a/pkg/eventingtls/trust_bundle.go +++ b/pkg/eventingtls/trust_bundle.go 
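Review bot: The two `Errorw` calls in the new branches of `Do` pass a printf-style message (`"... %s/%s: %+v"`) to a structured logger, so the verbs are logged literally and the binding's namespace and name never appear. Use a plain message with fields, e.g. `logging.FromContext(ctx).Errorw("Failed to add trust bundle volumes from configmaps", zap.Error(err), zap.String("namespace", sb.GetNamespace()), zap.String("name", sb.GetName()))`. Separately, when `PropagateTrustBundles` fails the error is only logged and `bundles` is nil, so execution falls through to the lister-based branch even though propagation may have already created or deleted some ConfigMaps. A comment should say that this fallback is intentional and that the mounted set may lag behind the system namespace. `Do` starts and ends outside this hunk.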
@@ -57,18 +57,20 @@ var ( // PropagateTrustBundles propagates Trust bundles ConfigMaps from the system.Namespace() to the // obj namespace. -func PropagateTrustBundles(ctx context.Context, k8s kubernetes.Interface, trustBundleConfigMapLister corev1listers.ConfigMapLister, gvk schema.GroupVersionKind, obj kmeta.Accessor) error { +func PropagateTrustBundles(ctx context.Context, k8s kubernetes.Interface, trustBundleConfigMapLister corev1listers.ConfigMapLister, gvk schema.GroupVersionKind, obj kmeta.Accessor) ([]*corev1.ConfigMap, error) { systemNamespaceBundles, err := trustBundleConfigMapLister.ConfigMaps(system.Namespace()).List(TrustBundleSelector) if err != nil { - return fmt.Errorf("failed to list trust bundle ConfigMaps in %q: %w", system.Namespace(), err) + return nil, fmt.Errorf("failed to list trust bundle ConfigMaps in %q: %w", system.Namespace(), err) } userNamespaceBundles, err := trustBundleConfigMapLister.ConfigMaps(obj.GetNamespace()).List(TrustBundleSelector) if err != nil { - return fmt.Errorf("failed to list trust bundles ConfigMaps in %q: %w", obj.GetNamespace(), err) + return nil, fmt.Errorf("failed to list trust bundles ConfigMaps in %q: %w", obj.GetNamespace(), err) } + outputUserNamespaceBundles := make([]*corev1.ConfigMap, 0, len(systemNamespaceBundles)) + type Pair struct { sysCM *corev1.ConfigMap userCm *corev1.ConfigMap @@ -114,7 +116,7 @@ func PropagateTrustBundles(ctx context.Context, k8s kubernetes.Interface, trustB // Only delete the ConfigMap if the object owns it if equality.Semantic.DeepDerivative(expectedOr, or) { if err := deleteConfigMap(ctx, k8s, obj, p.userCm); err != nil { - return err + return nil, err } } } 
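Review bot: The doc comment on `PropagateTrustBundles` still describes only the propagation and does not mention the new `[]*corev1.ConfigMap` result. I would extend it with `// It returns the ConfigMaps expected in obj's namespace after propagation (the objects passed to create/update, not the API server's response); the result is nil when an error is returned.` `SinkBinding.Do` now builds pod volumes from this slice, so the contract should be stated where callers will read it. The function body continues outside this hunk.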
@@ -136,8 +138,9 @@ func PropagateTrustBundles(ctx context.Context, k8s kubernetes.Interface, trustB // Update owner references expected.OwnerReferences = withOwnerReferences(obj, gvk, []metav1.OwnerReference{}) if err := createConfigMap(ctx, k8s, expected); err != nil { - return err + return nil, err } + outputUserNamespaceBundles = append(outputUserNamespaceBundles, expected) continue } @@ -146,13 +149,17 @@ func PropagateTrustBundles(ctx context.Context, k8s kubernetes.Interface, trustB // Update owner references expected.OwnerReferences = withOwnerReferences(obj, gvk, p.userCm.OwnerReferences) - if !equality.Semantic.DeepDerivative(expected, p.userCm) { + if !equality.Semantic.DeepDerivative(expected.Data, p.userCm.Data) || + !equality.Semantic.DeepDerivative(expected.BinaryData, p.userCm.BinaryData) || + !equality.Semantic.DeepDerivative(expected.Labels, p.userCm.Labels) { if err := updateConfigMap(ctx, k8s, expected); err != nil { - return err + return nil, err } } + outputUserNamespaceBundles = append(outputUserNamespaceBundles, expected) } - return nil + + return outputUserNamespaceBundles, nil } func AddTrustBundleVolumes(trustBundleLister corev1listers.ConfigMapLister, obj kmeta.Accessor, pt *corev1.PodSpec) (*corev1.PodSpec, error) { @@ -160,7 +167,10 @@ func AddTrustBundleVolumes(trustBundleLister corev1listers.ConfigMapLister, obj if err != nil { return nil, fmt.Errorf("failed to list trust bundles ConfigMaps in %q: %w", obj.GetNamespace(), err) } + return AddTrustBundleVolumesFromConfigMaps(cms, pt) +} +func AddTrustBundleVolumesFromConfigMaps(cms []*corev1.ConfigMap, pt *corev1.PodSpec) (*corev1.PodSpec, error) { pt = pt.DeepCopy() sources := make([]corev1.VolumeProjection, 0, len(cms)) for _, cm := range cms { diff --git a/pkg/reconciler/apiserversource/apiserversource.go b/pkg/reconciler/apiserversource/apiserversource.go index a4051f378ab..2f712ae53ee 100644 --- a/pkg/reconciler/apiserversource/apiserversource.go 
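Review bot: The narrowed update check in the `@@ -146,13 +149,17 @@` hunk can miss changes that matter for CA rotation. `equality.Semantic.DeepDerivative` ignores unset fields in its first argument, and as far as I know it also accepts a map whose keys are a subset of the second argument's, so removing a CA entry from the system bundle (or emptying `Data`) would leave the old certificate in the user-namespace copy. Compare the payload exactly instead, e.g. `!equality.Semantic.DeepEqual(expected.Data, p.userCm.Data)` and the same for `BinaryData`, keeping `DeepDerivative` only for `Labels`. The check also no longer covers `OwnerReferences`, which are recomputed just above it: a second owner in the same namespace is never written, so the ConfigMap can be garbage-collected when the first owner is deleted. Adding `!equality.Semantic.DeepEqual(expected.OwnerReferences, p.userCm.OwnerReferences)` to the condition restores that.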
+++ b/pkg/reconciler/apiserversource/apiserversource.go @@ -464,5 +464,6 @@ func (r *Reconciler) propagateTrustBundles(ctx context.Context, source *v1.ApiSe Version: v1.SchemeGroupVersion.Version, Kind: "ApiServerSource", } - return eventingtls.PropagateTrustBundles(ctx, r.kubeClientSet, r.trustBundleConfigMapLister, gvk, source) + _, err := eventingtls.PropagateTrustBundles(ctx, r.kubeClientSet, r.trustBundleConfigMapLister, gvk, source) + return err } diff --git a/pkg/reconciler/sinkbinding/sinkbinding.go b/pkg/reconciler/sinkbinding/sinkbinding.go index 74744d24453..665fa2b2d50 100644 --- a/pkg/reconciler/sinkbinding/sinkbinding.go +++ b/pkg/reconciler/sinkbinding/sinkbinding.go @@ -245,5 +245,6 @@ func (s *SinkBindingSubResourcesReconciler) propagateTrustBundles(ctx context.Co Version: v1.SchemeGroupVersion.Version, Kind: "SinkBinding", } - return eventingtls.PropagateTrustBundles(ctx, s.kubeclient, s.trustBundleConfigMapLister, gvk, sb) + _, err := eventingtls.PropagateTrustBundles(ctx, s.kubeclient, s.trustBundleConfigMapLister, gvk, sb) + return err } From f3edb9d909e167f9bfaec89af192fb87cf8a1cdf Mon Sep 17 00:00:00 2001 From: Pierangelo Di Pilato Date: Wed, 22 May 2024 18:00:08 +0200 Subject: [PATCH 05/11] Add ETv1b3 conversion Signed-off-by: Pierangelo Di Pilato --- cmd/webhook/main.go | 3 + .../eventing/v1beta2/eventtype_conversion.go | 77 ++++++++++++++++- .../v1beta2/eventtype_conversion_test.go | 84 +++++++++++++++++++ 3 files changed, 160 insertions(+), 4 deletions(-) diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go index 1dfac21d38a..9a951c21044 100644 --- a/cmd/webhook/main.go +++ b/cmd/webhook/main.go @@ -25,6 +25,7 @@ import ( "k8s.io/client-go/kubernetes/scheme" configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered" + eventingv1beta3 "knative.dev/eventing/pkg/apis/eventing/v1beta3" "knative.dev/eventing/pkg/apis/feature" "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" 
@@ -241,6 +242,7 @@ func NewConversionController(ctx context.Context, cmw configmap.Watcher) *contro sourcesv1_ = sourcesv1.SchemeGroupVersion.Version eventingv1beta1_ = eventingv1beta1.SchemeGroupVersion.Version eventingv1beta2_ = eventingv1beta2.SchemeGroupVersion.Version + eventingv1beta3_ = eventingv1beta3.SchemeGroupVersion.Version ) return conversion.NewConversionController(ctx, @@ -265,6 +267,7 @@ func NewConversionController(ctx context.Context, cmw configmap.Watcher) *contro Zygotes: map[string]conversion.ConvertibleObject{ eventingv1beta1_: &eventingv1beta1.EventType{}, eventingv1beta2_: &eventingv1beta2.EventType{}, + eventingv1beta3_: &eventingv1beta3.EventType{}, }, }, }, diff --git a/pkg/apis/eventing/v1beta2/eventtype_conversion.go b/pkg/apis/eventing/v1beta2/eventtype_conversion.go index 2bdd421a5c2..6212e245df5 100644 --- a/pkg/apis/eventing/v1beta2/eventtype_conversion.go +++ b/pkg/apis/eventing/v1beta2/eventtype_conversion.go 
@@ -18,17 +18,86 @@ package v1beta2 import ( "context" - "fmt" "knative.dev/pkg/apis" + duckv1 "knative.dev/pkg/apis/duck/v1" + + eventing "knative.dev/eventing/pkg/apis/eventing/v1" + "knative.dev/eventing/pkg/apis/eventing/v1beta3" ) -// ConvertTo implements apis.Convertible +// ConvertTo converts the receiver into `to`. func (source *EventType) ConvertTo(ctx context.Context, to apis.Convertible) error { - return fmt.Errorf("v1beta2 is the highest known version, got: %T", to) + switch sink := to.(type) { + case *v1beta3.EventType: + + source.ObjectMeta.DeepCopyInto(&sink.ObjectMeta) + source.Status.Status.DeepCopyInto(&sink.Status.Status) + + sink.Spec.Reference = source.Spec.Reference.DeepCopy() + sink.Spec.Description = source.Spec.Description + + if source.Spec.Reference == nil && source.Spec.Broker != "" { + source.Spec.Reference = &duckv1.KReference{ + Kind: "Broker", + Name: source.Spec.Broker, + APIVersion: eventing.SchemeGroupVersion.String(), + } + } + + sink.Spec.Attributes = []v1beta3.EventAttributeDefinition{} + if source.Spec.Type != "" { + sink.Spec.Attributes = append(sink.Spec.Attributes, v1beta3.EventAttributeDefinition{ + Name: "type", + Required: true, + Value: source.Spec.Type, + }) + } + if source.Spec.Schema != nil { + sink.Spec.Attributes = append(sink.Spec.Attributes, v1beta3.EventAttributeDefinition{ + Name: "schemadata", + Required: false, + Value: source.Spec.Schema.String(), + }) + } + if source.Spec.Source != nil { + sink.Spec.Attributes = append(sink.Spec.Attributes, v1beta3.EventAttributeDefinition{ + Name: "source", + Required: true, + Value: source.Spec.Source.String(), + }) + } + return nil + default: + return apis.ConvertToViaProxy(ctx, source, &v1beta3.EventType{}, to) + } + } // ConvertFrom implements apis.Convertible func (sink *EventType) ConvertFrom(ctx context.Context, from apis.Convertible) error { - return fmt.Errorf("v1beta2 is the highest known version, got: %T", from) + switch source := from.(type) { + case 
*v1beta3.EventType: + + source.ObjectMeta.DeepCopyInto(&sink.ObjectMeta) + source.Status.Status.DeepCopyInto(&sink.Status.Status) + + sink.Spec.Reference = source.Spec.Reference.DeepCopy() + sink.Spec.Description = source.Spec.Description + + for _, at := range source.Spec.Attributes { + switch at.Name { + case "source": + sink.Spec.Source, _ = apis.ParseURL(at.Value) + case "type": + sink.Spec.Type = at.Value + case "schemadata": + sink.Spec.Schema, _ = apis.ParseURL(at.Value) + } + } + + return nil + default: + return apis.ConvertFromViaProxy(ctx, from, &v1beta3.EventType{}, sink) + } } diff --git a/pkg/apis/eventing/v1beta2/eventtype_conversion_test.go b/pkg/apis/eventing/v1beta2/eventtype_conversion_test.go index a19802b478e..6ad1c9e29d4 100644 --- a/pkg/apis/eventing/v1beta2/eventtype_conversion_test.go +++ b/pkg/apis/eventing/v1beta2/eventtype_conversion_test.go @@ -19,6 +19,13 @@ package v1beta2 import ( "context" "testing" + + "github.com/google/go-cmp/cmp" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "knative.dev/pkg/apis" + duckv1 "knative.dev/pkg/apis/duck/v1" + + "knative.dev/eventing/pkg/apis/eventing/v1beta3" ) func TestEventTypeConversionHighestVersion(t *testing.T) { 
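Review bot: In `ConvertTo`, the Broker fallback assigns to `source.Spec.Reference` after `sink.Spec.Reference` has already been copied, so a v1beta2 EventType that sets only `spec.broker` converts to a v1beta3 object with a nil reference, and the receiver is mutated as a side effect. The block should target the sink: `if sink.Spec.Reference == nil && source.Spec.Broker != "" {` and `sink.Spec.Reference = &duckv1.KReference{`. In `ConvertFrom`, `sink.Spec.Source, _ = apis.ParseURL(at.Value)` and the `schemadata` case discard the parse error, so a malformed attribute value silently becomes an empty field; returning the error would surface it. The added test covers only an object with `Reference` set, so the Broker-only path is untested.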
@@ -32,3 +39,80 @@ func TestEventTypeConversionHighestVersion(t *testing.T) { t.Errorf("ConvertFrom() = %#v, wanted error", good) } } + +func TestEventTypeConversionV1Beta3(t *testing.T) { + in := &EventType{ + TypeMeta: metav1.TypeMeta{}, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-name", + Namespace: "my-ns", + UID: "1234", + }, + Spec: EventTypeSpec{ + Type: "t1", + Source: &apis.URL{Scheme: "https", Host: "127.0.0.1", Path: "/sources/my-source"}, + Schema: &apis.URL{Scheme: "https", Host: "127.0.0.1", Path: "/schemas/my-schema"}, + Broker: "", + Reference: &duckv1.KReference{ + Kind: "Broker", + Name: "my-broker", + APIVersion: "eventing.knative.dev/v1", + }, + Description: "my-description", + }, + Status: EventTypeStatus{ + Status: duckv1.Status{ + ObservedGeneration: 1234, + }, + }, + } + + expected := &v1beta3.EventType{ + TypeMeta: metav1.TypeMeta{}, + ObjectMeta: metav1.ObjectMeta{ + Name: "my-name", + Namespace: "my-ns", + UID: "1234", + }, + Spec: v1beta3.EventTypeSpec{ + Reference: in.Spec.Reference.DeepCopy(), + Description: in.Spec.Description, + Attributes: []v1beta3.EventAttributeDefinition{ + { + Name: "type", + Required: true, + Value: in.Spec.Type, + }, + { + Name: "schemadata", + Required: false, + Value: in.Spec.Schema.String(), + }, + { + Name: "source", + Required: true, + Value: in.Spec.Source.String(), + }, + }, + }, + Status: v1beta3.EventTypeStatus{ + Status: duckv1.Status{ + ObservedGeneration: 1234, + }, + }, + } + got := &v1beta3.EventType{} + + if err := in.ConvertTo(context.Background(), got); err != nil { + t.Errorf("ConvertTo() = %#v, wanted no error, got %#v", expected, err) + } else if diff := cmp.Diff(expected, got); diff != "" { + t.Errorf("ConvertTo(), (-want, +got)\n%s", diff) + } + + from := &EventType{} + if err := from.ConvertFrom(context.Background(), expected); err != nil { + t.Errorf("ConvertFrom() = %#v, wanted no error %#v", in, err) + } else if diff := cmp.Diff(in, from); diff != "" { + t.Errorf("ConvertFrom(), 
(-want, +got)\n%s", diff) + } +} From c592d8edb41df70585ae08466e81b2d3843085b4 Mon Sep 17 00:00:00 2001 From: Pierangelo Di Pilato Date: Wed, 22 May 2024 18:10:44 +0200 Subject: [PATCH 06/11] Inject Kubeclient Signed-off-by: Pierangelo Di Pilato --- pkg/apis/sources/v1/sinkbinding_lifecycle.go | 18 ++++++++++++++++-- pkg/reconciler/sinkbinding/controller.go | 6 ++++-- 2 files changed, 20 insertions(+), 4 deletions(-) diff --git a/pkg/apis/sources/v1/sinkbinding_lifecycle.go b/pkg/apis/sources/v1/sinkbinding_lifecycle.go index 2928f4ce848..5705a5b5b0c 100644 --- a/pkg/apis/sources/v1/sinkbinding_lifecycle.go +++ b/pkg/apis/sources/v1/sinkbinding_lifecycle.go @@ -23,8 +23,8 @@ import ( "strings" "go.uber.org/zap" + "k8s.io/client-go/kubernetes" corev1listers "k8s.io/client-go/listers/core/v1" - kubeclient "knative.dev/pkg/client/injection/kube/client" corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -202,7 +202,7 @@ func (sb *SinkBinding) Do(ctx context.Context, ps *duckv1.WithPod) { Version: SchemeGroupVersion.Version, Kind: "SinkBinding", } - bundles, err := eventingtls.PropagateTrustBundles(ctx, kubeclient.Get(ctx), GetTrustBundleConfigMapLister(ctx), gvk, sb) + bundles, err := eventingtls.PropagateTrustBundles(ctx, getKubeClient(ctx), GetTrustBundleConfigMapLister(ctx), gvk, sb) if err != nil { logging.FromContext(ctx).Errorw("Failed to propagate trust bundles", zap.Error(err)) } 
@@ -328,6 +328,20 @@ func (sb *SinkBinding) Undo(ctx context.Context, ps *duckv1.WithPod) { } } +type kubeClientKey struct{} + +func WithKubeClient(ctx context.Context, k kubernetes.Interface) context.Context { + return context.WithValue(ctx, kubeClientKey{}, k) +} + +func getKubeClient(ctx context.Context) kubernetes.Interface { + k := ctx.Value(kubeClientKey{}) + if k == nil { + panic("No Kube client found in context.") + } + return k.(kubernetes.Interface) +} + type configMapListerKey struct{} func WithTrustBundleConfigMapLister(ctx context.Context, lister corev1listers.ConfigMapLister) context.Context { diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go index 573b3c737e6..bcaec7af49d 100644 --- a/pkg/reconciler/sinkbinding/controller.go +++ b/pkg/reconciler/sinkbinding/controller.go @@ -142,8 +142,9 @@ func NewController( trustBundleConfigMapLister: trustBundleConfigMapLister, } + k8s := kubeclient.Get(ctx) c.WithContext = func(ctx context.Context, b psbinding.Bindable) (context.Context, error) { - return v1.WithTrustBundleConfigMapLister(v1.WithURIResolver(ctx, sbResolver), trustBundleConfigMapLister), nil + return v1.WithKubeClient(v1.WithTrustBundleConfigMapLister(v1.WithURIResolver(ctx, sbResolver), trustBundleConfigMapLister), k8s), nil } c.Tracker = impl.Tracker c.Factory = &duck.CachedInformerFactory{ 
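Review bot: `getKubeClient` panics when the context has no client and uses an unchecked `k.(kubernetes.Interface)` assertion, and `Do` calls it unconditionally, so any caller that builds the context without `WithKubeClient` crashes the process instead of skipping propagation. If the panic is the intended contract, document it on the exported helper, e.g. `// WithKubeClient stores the Kubernetes client that SinkBinding.Do uses to propagate trust bundles; Do panics if it is missing.` Otherwise return `(kubernetes.Interface, bool)` and have `Do` log the problem and fall back to the lister-based volumes. Since `Do` now writes ConfigMaps through this client, the doc comment should also say which permissions the calling component's service account needs; the RBAC manifests are not part of this page.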
@@ -226,9 +227,10 @@ func ListAll(ctx context.Context, handler cache.ResourceEventHandler) psbinding. func WithContextFactory(ctx context.Context, lister corev1listers.ConfigMapLister, handler func(types.NamespacedName)) psbinding.BindableContext { r := resolver.NewURIResolverFromTracker(ctx, tracker.New(handler, controller.GetTrackerLease(ctx))) + k := kubeclient.Get(ctx) return func(ctx context.Context, b psbinding.Bindable) (context.Context, error) { - return v1.WithTrustBundleConfigMapLister(v1.WithURIResolver(ctx, r), lister), nil + return v1.WithKubeClient(v1.WithTrustBundleConfigMapLister(v1.WithURIResolver(ctx, r), lister), k), nil } } From 8e40ea4c67b380dd00c2cca2eb317022ba4dee37 Mon Sep 17 00:00:00 2001 From: Pierangelo Di Pilato Date: Thu, 23 May 2024 14:42:31 +0200 Subject: [PATCH 07/11] Exclude core deployments from webhook injection Signed-off-by: Pierangelo Di Pilato --- config/brokers/mt-channel-broker/deployments/broker-filter.yaml | 1 + config/brokers/mt-channel-broker/deployments/broker-ingress.yaml | 1 + config/brokers/mt-channel-broker/deployments/controller.yaml | 1 + config/channels/in-memory-channel/deployments/controller.yaml | 1 + config/channels/in-memory-channel/deployments/dispatcher.yaml | 1 + config/core/deployments/controller.yaml | 1 + config/core/deployments/pingsource-mt-adapter.yaml | 1 + config/core/deployments/webhook.yaml | 1 + 8 files changed, 8 insertions(+) diff --git a/config/brokers/mt-channel-broker/deployments/broker-filter.yaml b/config/brokers/mt-channel-broker/deployments/broker-filter.yaml index 282c814839c..f208d9afa41 100644 --- a/config/brokers/mt-channel-broker/deployments/broker-filter.yaml +++ b/config/brokers/mt-channel-broker/deployments/broker-filter.yaml @@ -21,6 +21,7 @@ metadata: app.kubernetes.io/component: broker-filter app.kubernetes.io/version: devel app.kubernetes.io/name: knative-eventing + bindings.knative.dev/exclude: "true" spec: selector: matchLabels: 
diff --git a/config/brokers/mt-channel-broker/deployments/broker-ingress.yaml b/config/brokers/mt-channel-broker/deployments/broker-ingress.yaml index 527bca86830..2fec3bdf2ba 100644 --- a/config/brokers/mt-channel-broker/deployments/broker-ingress.yaml +++ b/config/brokers/mt-channel-broker/deployments/broker-ingress.yaml @@ -21,6 +21,7 @@ metadata: app.kubernetes.io/component: broker-ingress app.kubernetes.io/version: devel app.kubernetes.io/name: knative-eventing + bindings.knative.dev/exclude: "true" spec: selector: matchLabels: diff --git a/config/brokers/mt-channel-broker/deployments/controller.yaml b/config/brokers/mt-channel-broker/deployments/controller.yaml index 488f7fd2a83..10d35e44185 100644 --- a/config/brokers/mt-channel-broker/deployments/controller.yaml +++ b/config/brokers/mt-channel-broker/deployments/controller.yaml @@ -21,6 +21,7 @@ metadata: app.kubernetes.io/component: mt-broker-controller app.kubernetes.io/version: devel app.kubernetes.io/name: knative-eventing + bindings.knative.dev/exclude: "true" spec: selector: matchLabels: diff --git a/config/channels/in-memory-channel/deployments/controller.yaml b/config/channels/in-memory-channel/deployments/controller.yaml index 19c1e1e9bb9..08ff23ad9ea 100644 --- a/config/channels/in-memory-channel/deployments/controller.yaml +++ b/config/channels/in-memory-channel/deployments/controller.yaml @@ -22,6 +22,7 @@ metadata: app.kubernetes.io/component: imc-controller app.kubernetes.io/version: devel app.kubernetes.io/name: knative-eventing + bindings.knative.dev/exclude: "true" spec: selector: matchLabels: diff --git a/config/channels/in-memory-channel/deployments/dispatcher.yaml b/config/channels/in-memory-channel/deployments/dispatcher.yaml index 114dbbfaa52..f0eb20d16cc 100644 --- a/config/channels/in-memory-channel/deployments/dispatcher.yaml +++ b/config/channels/in-memory-channel/deployments/dispatcher.yaml 
@@ -22,6 +22,7 @@ metadata:
 app.kubernetes.io/component: imc-dispatcher
 app.kubernetes.io/version: devel
 app.kubernetes.io/name: knative-eventing
+ bindings.knative.dev/exclude: "true"
 spec:
 selector:
 matchLabels:
diff --git a/config/core/deployments/controller.yaml b/config/core/deployments/controller.yaml
index dc7602ef54c..77ff138b53c 100644
--- a/config/core/deployments/controller.yaml
+++ b/config/core/deployments/controller.yaml
@@ -22,6 +22,7 @@ metadata:
 app.kubernetes.io/component: eventing-controller
 app.kubernetes.io/version: devel
 app.kubernetes.io/name: knative-eventing
+ bindings.knative.dev/exclude: "true"
 spec:
 selector:
 matchLabels:
diff --git a/config/core/deployments/pingsource-mt-adapter.yaml b/config/core/deployments/pingsource-mt-adapter.yaml
index 09c4c5e8cf6..33469bdf2d8 100644
--- a/config/core/deployments/pingsource-mt-adapter.yaml
+++ b/config/core/deployments/pingsource-mt-adapter.yaml
@@ -21,6 +21,7 @@ metadata:
 app.kubernetes.io/component: pingsource-mt-adapter
 app.kubernetes.io/version: devel
 app.kubernetes.io/name: knative-eventing
+ bindings.knative.dev/exclude: "true"
 spec:
 # when set to 0 (and only 0) will be set to 1 when the first PingSource is created.
 replicas: 0
diff --git a/config/core/deployments/webhook.yaml b/config/core/deployments/webhook.yaml
index 8b8cd2d3292..e7654254f46 100644
--- a/config/core/deployments/webhook.yaml
+++ b/config/core/deployments/webhook.yaml
@@ -21,6 +21,7 @@ metadata:
 app.kubernetes.io/component: eventing-webhook
 app.kubernetes.io/version: devel
 app.kubernetes.io/name: knative-eventing
+ bindings.knative.dev/exclude: "true"
 spec:
 selector:
 matchLabels:
From 69ae4bd72b1cc2f67f5f8d8683fb39bf5725f3b6 Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato
Date: Thu, 23 May 2024 14:50:43 +0200
Subject: [PATCH 08/11] Fix unit tests
Signed-off-by: Pierangelo Di Pilato
---
 pkg/apis/sources/v1/sinkbinding_lifecycle_test.go | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/pkg/apis/sources/v1/sinkbinding_lifecycle_test.go b/pkg/apis/sources/v1/sinkbinding_lifecycle_test.go
index bae0d75509f..d624c213db1 100644
--- a/pkg/apis/sources/v1/sinkbinding_lifecycle_test.go
+++ b/pkg/apis/sources/v1/sinkbinding_lifecycle_test.go
@@ -32,6 +32,7 @@ import (
 "knative.dev/pkg/apis"
 duckv1 "knative.dev/pkg/apis/duck/v1"
 "knative.dev/pkg/client/injection/ducks/duck/v1/addressable"
+ kubeclient "knative.dev/pkg/client/injection/kube/client/fake"
 configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/fake"
 fakedynamicclient "knative.dev/pkg/injection/clients/dynamicclient/fake"
 "knative.dev/pkg/resolver"
@@ -906,6 +907,7 @@ func TestSinkBindingDo(t *testing.T) {
 }
 ctx = WithURIResolver(ctx, r)
 ctx = WithTrustBundleConfigMapLister(ctx, configmapinformer.Get(ctx).Lister())
+ ctx = WithKubeClient(ctx, kubeclient.Get(ctx))
 for _, cm := range test.configMaps {
 _ = configmapinformer.Get(ctx).Informer().GetIndexer().Add(cm)
From a47ca0cfcf0c82290759670687623e122f715a21 Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato
Date: Tue, 11 Jun 2024 10:50:23 +0200
Subject: [PATCH 09/11] Use managed T for ApiServerSource TLS tests
Signed-off-by: Pierangelo Di Pilato
---
 test/rekt/apiserversource_test.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/rekt/apiserversource_test.go b/test/rekt/apiserversource_test.go
index 72db447558f..92077775b5f 100644
--- a/test/rekt/apiserversource_test.go
+++ b/test/rekt/apiserversource_test.go
@@ -105,7 +105,7 @@ func TestApiServerSourceDataPlaneTLS(t *testing.T) {
 knative.WithLoggingConfig,
 knative.WithTracingConfig,
 k8s.WithEventListener,
- //environment.Managed(t),
+ environment.Managed(t),
 eventshub.WithTLS(t),
 )
From d1f7eceb882099adf44f1d873a2a96089f346ffd Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato
Date: Tue, 11 Jun 2024 14:19:41 +0200
Subject: [PATCH 10/11] Reduce number of retries
Signed-off-by: Pierangelo Di Pilato
---
 test/rekt/features/trigger/feature.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/rekt/features/trigger/feature.go b/test/rekt/features/trigger/feature.go
index f4a8f89f91e..e0ae7b84ff9 100644
--- a/test/rekt/features/trigger/feature.go
+++ b/test/rekt/features/trigger/feature.go
@@ -297,7 +297,7 @@ func TriggerWithTLSSubscriberWithAdditionalCATrustBundles() *feature.Feature {
 linear := eventingv1.BackoffPolicyLinear
 trigger.Install(dlsTriggerName, brokerName,
- trigger.WithRetry(10, &linear, pointer.String("PT1S")),
+ trigger.WithRetry(2, &linear, pointer.String("PT1S")),
 trigger.WithDeadLetterSinkFromDestination(dls),
 trigger.WithSubscriber(nil, "http://127.0.0.1:2468"))(ctx, t)
 })
From ec5b4b1d2ab9a28d1fcb6661241292de01d7987c Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato
Date: Tue, 11 Jun 2024 14:24:49 +0200
Subject: [PATCH 11/11] Fix test configmap nodeselector config
Signed-off-by: Pierangelo Di Pilato
---
 test/rekt/resources/configmap/config-features.yaml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/test/rekt/resources/configmap/config-features.yaml b/test/rekt/resources/configmap/config-features.yaml
index b56566f5343..2a56cb9bc04 100644
--- a/test/rekt/resources/configmap/config-features.yaml
+++ b/test/rekt/resources/configmap/config-features.yaml
@@ -24,7 +24,7 @@ data:
 my-enabled-flag: "enabled"
 my-disabled-flag: "disabled"
 my-allowed-flag: "allowed"
- apiserversources.nodeselector.testkey: testvalue
- apiserversources.nodeselector.testkey1: testvalue1
- apiserversources.nodeselector.testkey2: testvalue2
+ apiserversources-nodeselector-testkey: testvalue
+ apiserversources-nodeselector-testkey1: testvalue1
+ apiserversources-nodeselector-testkey2: testvalue2
 {{ end }}
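Review bot: The retry count in `trigger.WithRetry(2, &linear, pointer.String("PT1S"))` and the subscriber address `http://127.0.0.1:2468` are bare literals with no comment on why they were chosen. The subscriber looks deliberately unreachable so that delivery fails and the event is routed to the dead-letter sink, with the retry count only bounding how long that takes; if that is the intent, state it next to the call, e.g. `// Subscriber is unreachable on purpose; once retries are exhausted the event must arrive at the dead-letter sink.` Naming the two values as constants would also make the next change to the retry budget a one-line edit. The enclosing function starts and ends outside this hunk.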