knative · knative-prow · Jun 28, 2024 · Jun 20, 2024 · Jun 26, 2024 · Jun 26, 2024
diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -34,6 +34,7 @@ import (
 	"knative.dev/eventing/pkg/apis/sinks"
 	"knative.dev/eventing/pkg/auth"
 	"knative.dev/eventing/pkg/eventingtls"
+	"knative.dev/eventing/pkg/reconciler/eventpolicy"
 	"knative.dev/eventing/pkg/reconciler/jobsink"
 
 	"knative.dev/eventing/pkg/reconciler/apiserversource"
@@ -93,6 +94,7 @@ func main() {
 
 		// Eventing
 		eventtype.NewController,
+		eventpolicy.NewController,
 
 		// Flows
 		parallel.NewController,

diff --git a/pkg/apis/eventing/v1alpha1/eventpolicy_lifecycle.go b/pkg/apis/eventing/v1alpha1/eventpolicy_lifecycle.go
@@ -1,5 +1,5 @@
 /*
-Copyright 2020 The Knative Authors
+Copyright 2024 The Knative Authors
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -20,10 +20,12 @@ import (
 	"knative.dev/pkg/apis"
 )
 
-var eventPolicyCondSet = apis.NewLivingConditionSet()
+var eventPolicyCondSet = apis.NewLivingConditionSet(EventPolicyConditionAuthenticationEnabled, EventPolicyConditionSubjectsResolved)
 
 const (
-	EventPolicyConditionReady = apis.ConditionReady
+	EventPolicyConditionReady                                    = apis.ConditionReady
+	EventPolicyConditionAuthenticationEnabled apis.ConditionType = "AuthenticationEnabled"
+	EventPolicyConditionSubjectsResolved      apis.ConditionType = "SubjectsResolved"
 )
 
 // GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
@@ -32,21 +34,41 @@ func (*EventPolicy) GetConditionSet() apis.ConditionSet {
 }
 
 // GetCondition returns the condition currently associated with the given type, or nil.
-func (et *EventPolicyStatus) GetCondition(t apis.ConditionType) *apis.Condition {
-	return eventPolicyCondSet.Manage(et).GetCondition(t)
+func (ep *EventPolicyStatus) GetCondition(t apis.ConditionType) *apis.Condition {
+	return eventPolicyCondSet.Manage(ep).GetCondition(t)
 }
 
 // IsReady returns true if the resource is ready overall.
-func (et *EventPolicyStatus) IsReady() bool {
-	return et.GetTopLevelCondition().IsTrue()
+func (ep *EventPolicyStatus) IsReady() bool {
+	return ep.GetTopLevelCondition().IsTrue()
 }
 
 // GetTopLevelCondition returns the top level Condition.
-func (et *EventPolicyStatus) GetTopLevelCondition() *apis.Condition {
-	return eventPolicyCondSet.Manage(et).GetTopLevelCondition()
+func (ep *EventPolicyStatus) GetTopLevelCondition() *apis.Condition {
+	return eventPolicyCondSet.Manage(ep).GetTopLevelCondition()
 }
 
 // InitializeConditions sets relevant unset conditions to Unknown state.
-func (et *EventPolicyStatus) InitializeConditions() {
-	eventPolicyCondSet.Manage(et).InitializeConditions()
+func (ep *EventPolicyStatus) InitializeConditions() {
+	eventPolicyCondSet.Manage(ep).InitializeConditions()
+}
+
+// MarkOIDCAuthenticationEnabled sets EventPolicyConditionAuthenticationEnabled condition to true.
+func (ep *EventPolicyStatus) MarkOIDCAuthenticationEnabled() {
+	eventPolicyCondSet.Manage(ep).MarkTrue(EventPolicyConditionAuthenticationEnabled)
+}
+
+// MarkOIDCAuthenticationDisabled sets EventPolicyConditionAuthenticationEnabled condition to false.
+func (ep *EventPolicyStatus) MarkOIDCAuthenticationDisabled(reason, messageFormat string, messageA ...interface{}) {
+	eventPolicyCondSet.Manage(ep).MarkFalse(EventPolicyConditionAuthenticationEnabled, reason, messageFormat, messageA...)
+}
+
+// MarkSubjectsResolved sets EventPolicyConditionSubjectsResolved condition to true.
+func (ep *EventPolicyStatus) MarkSubjectsResolvedSucceeded() {
+	eventPolicyCondSet.Manage(ep).MarkTrue(EventPolicyConditionSubjectsResolved)
+}
+
+// MarkSubjectsNotResolved sets EventPolicyConditionSubjectsResolved condition to false.
+func (ep *EventPolicyStatus) MarkSubjectsResolvedFailed(reason, messageFormat string, messageA ...interface{}) {
+	eventPolicyCondSet.Manage(ep).MarkFalse(EventPolicyConditionSubjectsResolved, reason, messageFormat, messageA...)
 }
diff --git a/pkg/apis/eventing/v1alpha1/eventpolicy_lifecycle_test.go b/pkg/apis/eventing/v1alpha1/eventpolicy_lifecycle_test.go
@@ -49,12 +49,12 @@ func TestEventPolicyGetConditionSet(t *testing.T) {
 func TestEventPolicyGetCondition(t *testing.T) {
 	tests := []struct {
 		name      string
-		ets       *EventPolicyStatus
+		eps       *EventPolicyStatus
 		condQuery apis.ConditionType
 		want      *apis.Condition
 	}{{
 		name: "single condition",
-		ets: &EventPolicyStatus{
+		eps: &EventPolicyStatus{
 			Status: duckv1.Status{
 				Conditions: []apis.Condition{
 					eventPolicyConditionReady,
@@ -67,7 +67,7 @@ func TestEventPolicyGetCondition(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			got := test.ets.GetCondition(test.condQuery)
+			got := test.eps.GetCondition(test.condQuery)
 			if diff := cmp.Diff(test.want, got); diff != "" {
 				t.Error("unexpected condition (-want, +got) =", diff)
 			}
@@ -78,18 +78,27 @@ func TestEventPolicyGetCondition(t *testing.T) {
 func TestEventPolicyInitializeConditions(t *testing.T) {
 	tests := []struct {
 		name string
-		ets  *EventPolicyStatus
+		eps  *EventPolicyStatus
 		want *EventPolicyStatus
 	}{
 		{
 			name: "empty",
-			ets:  &EventPolicyStatus{},
+			eps:  &EventPolicyStatus{},
 			want: &EventPolicyStatus{
 				Status: duckv1.Status{
-					Conditions: []apis.Condition{{
-						Type:   EventPolicyConditionReady,
-						Status: corev1.ConditionUnknown,
-					},
+					Conditions: []apis.Condition{
+						{
+							Type:   EventPolicyConditionAuthenticationEnabled,
+							Status: corev1.ConditionUnknown,
+						},
+						{
+							Type:   EventPolicyConditionReady,
+							Status: corev1.ConditionUnknown,
+						},
+						{
+							Type:   EventPolicyConditionSubjectsResolved,
+							Status: corev1.ConditionUnknown,
+						},
 					},
 				},
 			},
@@ -98,10 +107,100 @@ func TestEventPolicyInitializeConditions(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			test.ets.InitializeConditions()
-			if diff := cmp.Diff(test.want, test.ets, ignoreAllButTypeAndStatus); diff != "" {
+			test.eps.InitializeConditions()
+			if diff := cmp.Diff(test.want, test.eps, ignoreAllButTypeAndStatus); diff != "" {
 				t.Error("unexpected conditions (-want, +got) =", diff)
 			}
 		})
 	}
 }
+
+func TestEventPolicyReadyCondition(t *testing.T) {
+	tests := []struct {
+		name                          string
+		eps                           *EventPolicyStatus
+		markOIDCAuthenticationEnabled bool
+		markSubjectsResolvedSucceeded bool
+		wantReady                     bool
+	}{
+		{
+			name: "Initially everything is Unknown, Auth&SubjectsResolved marked as true, EP should become Ready",
+			eps: &EventPolicyStatus{
+				Status: duckv1.Status{
+					Conditions: []apis.Condition{
+						{Type: EventPolicyConditionReady, Status: corev1.ConditionUnknown},
+						{Type: EventPolicyConditionAuthenticationEnabled, Status: corev1.ConditionUnknown},
+						{Type: EventPolicyConditionSubjectsResolved, Status: corev1.ConditionUnknown},
+					},
+				},
+			},
+			markOIDCAuthenticationEnabled: true,
+			markSubjectsResolvedSucceeded: true,
+			wantReady:                     true,
+		},
+		{
+			name: "Initially everything is True, Auth&SubjectsResolved stay true, EP should stay Ready",
+			eps: &EventPolicyStatus{
+				Status: duckv1.Status{
+					Conditions: []apis.Condition{
+						{Type: EventPolicyConditionReady, Status: corev1.ConditionTrue},
+						{Type: EventPolicyConditionAuthenticationEnabled, Status: corev1.ConditionTrue},
+						{Type: EventPolicyConditionSubjectsResolved, Status: corev1.ConditionTrue},
+					},
+				},
+			},
+			markOIDCAuthenticationEnabled: true,
+			markSubjectsResolvedSucceeded: true,
+			wantReady:                     true,
+		},
+		{
+			name: "Initially everything is True, then AuthenticationEnabled marked as False, EP should become NotReady",
+			eps: &EventPolicyStatus{
+				Status: duckv1.Status{
+					Conditions: []apis.Condition{
+						{Type: EventPolicyConditionReady, Status: corev1.ConditionTrue},
+						{Type: EventPolicyConditionAuthenticationEnabled, Status: corev1.ConditionTrue},
+						{Type: EventPolicyConditionSubjectsResolved, Status: corev1.ConditionTrue},
+					},
+				},
+			},
+			markOIDCAuthenticationEnabled: false,
+			markSubjectsResolvedSucceeded: true,
+			wantReady:                     false,
+		},
+		{
+			name: "Initially everything is True, then SubjectsResolved marked as False, EP should become NotReady",
+			eps: &EventPolicyStatus{
+				Status: duckv1.Status{
+					Conditions: []apis.Condition{
+						{Type: EventPolicyConditionReady, Status: corev1.ConditionTrue},
+						{Type: EventPolicyConditionAuthenticationEnabled, Status: corev1.ConditionTrue},
+						{Type: EventPolicyConditionSubjectsResolved, Status: corev1.ConditionTrue},
+					},
+				},
+			},
+			markOIDCAuthenticationEnabled: true,
+			markSubjectsResolvedSucceeded: false,
+			wantReady:                     false,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			if test.markOIDCAuthenticationEnabled {
+				test.eps.MarkOIDCAuthenticationEnabled()
+			} else {
+				test.eps.MarkOIDCAuthenticationDisabled("OIDCAuthenticationDisabled", "")
+			}
+			if test.markSubjectsResolvedSucceeded {
+				test.eps.MarkSubjectsResolvedSucceeded()
+			} else {
+				test.eps.MarkSubjectsResolvedFailed("SubjectsNotResolved", "")
+			}
+			ep := EventPolicy{Status: *test.eps}
+			got := ep.GetConditionSet().Manage(test.eps).IsHappy()
+			if test.wantReady != got {
+				t.Errorf("unexpected readiness: want %v, got %v", test.wantReady, got)
+			}
+		})
+	}
+}
diff --git a/pkg/reconciler/channel/channel_test.go b/pkg/reconciler/channel/channel_test.go
@@ -400,7 +400,7 @@ func TestReconcile(t *testing.T) {
 				WithInMemoryChannelDLSUnknown(),
 				WithInMemoryChannelEventPoliciesReady()),
 			NewEventPolicy(unreadyEventPolicyName, testNS,
-				WithUnreadyEventPolicyCondition,
+				WithUnreadyEventPolicyCondition("", ""),
 				WithEventPolicyToRef(channelV1GVK, channelName),
 			),
 			NewEventPolicy(fmt.Sprintf("%s-%s", unreadyEventPolicyName, channelName), testNS,
@@ -453,7 +453,7 @@ func TestReconcile(t *testing.T) {
 				WithEventPolicyToRef(channelV1GVK, channelName),
 			),
 			NewEventPolicy(unreadyEventPolicyName, testNS,
-				WithUnreadyEventPolicyCondition,
+				WithUnreadyEventPolicyCondition("", ""),
 				WithEventPolicyToRef(channelV1GVK, channelName),
 			),
 			NewEventPolicy(fmt.Sprintf("%s-%s", readyEventPolicyName, channelName), testNS,

diff --git a/pkg/reconciler/eventpolicy/controller.go b/pkg/reconciler/eventpolicy/controller.go
@@ -0,0 +1,47 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package eventpolicy
+
+import (
+	"context"
+
+	eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy"
+	eventpolicyreconciler "knative.dev/eventing/pkg/client/injection/reconciler/eventing/v1alpha1/eventpolicy"
+	"knative.dev/pkg/configmap"
+	"knative.dev/pkg/controller"
+	"knative.dev/pkg/resolver"
+)
+
+// NewController initializes the controller and is called by the generated code
+// Registers event handlers to enqueue events
+func NewController(
+	ctx context.Context,
+	cmw configmap.Watcher,
+) *controller.Impl {
+	// Access informers
+	eventPolicyInformer := eventpolicyinformer.Get(ctx)
+
+	r := &Reconciler{}
+	impl := eventpolicyreconciler.NewImpl(ctx, r)
+
+	r.authResolver = resolver.NewAuthenticatableResolverFromTracker(ctx, impl.Tracker)
+
+	// Set up event handlers
+	eventPolicyInformer.Informer().AddEventHandler(controller.HandleAll(impl.Enqueue))
+
+	return impl
+}
diff --git a/pkg/reconciler/eventpolicy/controller_test.go b/pkg/reconciler/eventpolicy/controller_test.go
@@ -0,0 +1,39 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package eventpolicy
+
+import (
+	"testing"
+
+	"knative.dev/pkg/configmap"
+
+	. "knative.dev/pkg/reconciler/testing"
+
+	// Fake injection informers
+	_ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/fake"
+	_ "knative.dev/pkg/client/injection/ducks/duck/v1/authstatus/fake"
+)
+
+func TestNew(t *testing.T) {
+	ctx, _ := SetupFakeContext(t)
+
+	c := NewController(ctx, configmap.NewStaticWatcher())
+
+	if c == nil {
+		t.Fatal("Expected NewController to return a non-nil value")
+	}
+}