Reconcile event policies for mt-broker

[rahulii]

Fixes #7982

Proposed Changes

• 🎁 Reconcile Event Policies for MT-Broker
• 🎁 Create EventPolicy for underlying Channel in case OIDC Authentication is enabled
• 🎁 Delete orphaned EventPolicies.

Pre-review Checklist

• At least 80% unit test coverage
• E2E tests for any new behavior
• Docs PR for any user-facing impact
• Spec PR for any new API feature
• Conformance test for any change to the spec

Release Note

 Reconcile Event Policies for MT-Broker

Docs

[knative-prow]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[Cali0707]

nice start @rahulii - I left a few comments on what you have so far (I know it's a draft, but hopefully they help!)

[codecov]

Codecov Report

Attention: Patch coverage is 66.66667% with 26 lines in your changes missing coverage. Please review.

Project coverage is 67.84%. Comparing base (768f1bd) to head (cc53eba).
Report is 5 commits behind head on main.

Files	Patch %	Lines
pkg/reconciler/broker/broker.go	31.57%	21 Missing and 5 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8090      +/-   ##
==========================================
+ Coverage   67.80%   67.84%   +0.04%     
==========================================
  Files         367      368       +1     
  Lines       17373    17505     +132     
==========================================
+ Hits        11779    11877      +98     
- Misses       4859     4885      +26     
- Partials      735      743       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[Cali0707]

Hey @rahulii thanks for this great PR! I've left a few comments (one asking for clarification, the rest with tips on how to improve the code), but once we work through those I think we will be good to merge this - great work!!

[Cali0707]

Instead of using our own implementation here, we normally use the k8s ptr package, so this would become ptr.To(OIDCBrokerSub)

[rahulii]

done, PTAL!

[Cali0707]

There is a bit more complexity here than just adding the suffix to the name of the broker, since we might run into scenarios where the resulting name exceeds the allowed name length in k8s. Instead, we use kmeta.ChildName(parent, suffix) to generate the names normally. See here: https://pkg.go.dev/knative.dev/pkg/kmeta#ChildName

[rahulii]

done, PTAL!

[Cali0707]

I'm curious if we actually need all of these labels for the EventPolicies, what exactly are you using them all for?

[rahulii]

@Cali0707 I took reference from channel - https://github.com/knative/eventing/blob/main/pkg/reconciler/channel/resources/eventpolicy.go#L69
Hence, thought of adding the same here. LMK if you think it shouldn't be there, I will remove it !

[Cali0707]

Yeah looking there it seems like those labels are used to correctly select the EventPolicies which were created by the channel. We should also use the labels to make a label selector when checking which EventPolicies are owned by the broker. See here for how it is used in the channel:

eventing/pkg/reconciler/channel/channel.go

Lines 142 to 166 in bb2e0a3

	applyingEventPoliciesForBackingChannel, err := auth.GetEventPoliciesForResource(r.eventPolicyLister, backingChannel.GroupVersionKind(), backingChannel.ObjectMeta)
	if err != nil {
	return fmt.Errorf("could not get applying EventPolicies for for backing channel %s/%s: %w", channel.Namespace, channel.Name, err)
	}
	selector, err := labels.ValidatedSelectorFromSet(resources.LabelsForBackingChannelsEventPolicy(backingChannel))
	if err != nil {
	return fmt.Errorf("could not get valid selector for backing channels EventPolicy %s/%s: %w", backingChannel.Namespace, backingChannel.Name, err)
	}
	existingEventPoliciesForBackingChannel, err := r.eventPolicyLister.EventPolicies(backingChannel.Namespace).List(selector)
	if err != nil {
	return fmt.Errorf("could not get existing EventPolicies in backing channels namespace %q: %w", backingChannel.Namespace, err)
	}
	for _, policy := range existingEventPoliciesForBackingChannel {
	if !r.containsPolicy(policy.Name, applyingEventPoliciesForBackingChannel) {
	// the existing policy is not in the list of applying policies anymore --> is outdated --> delete it
	err := r.eventingClientSet.EventingV1alpha1().EventPolicies(policy.Namespace).Delete(ctx, policy.Name, metav1.DeleteOptions{})
	if err != nil && apierrs.IsNotFound(err) {
	return fmt.Errorf("could not delete old EventPolicy %s/%s: %w", policy.Namespace, policy.Name, err)
	}
	}
	}

[rahulii]

gotcha. So just to clarify: currently we are filtering EventPolicies based on the Owner References of broker, instead filter out based on the labels, right ?

[Cali0707]

No, filtering the eventpolicies by ownerreference is good, but when we list the eventpolicies, we should use a label selector with these labels (see line 152 in the code I linked above). So, to summarize what we would do is:

1. List the EventPolicy resources using a label selector to only retrieve relevant ones
2. Filter the EventPolicy resources by owner reference

[rahulii]

done, PTAL!

[Cali0707]

I'm adding a comment here, but it applies to all of the logging in this function:

I don't think these need to be logged at the Info level, it generally seems to be Debug logs. Additionally, if we are going to be using the logger everywhere, it seems to make sense to create the logger once at the start of the function and then re-use it throughout, instead of fetching it from the context every time we want to log something

[rahulii]

sure, will change from Info -> Debug.
On the other point, I was trying to be consistent with the rest of the code base!
So, should I keep it as it is for change to create a single logger object?

[Cali0707]

I would create a single logger object for this function if you are going to have this many log statements. In other places, since there isn't a ton of logging it might be fine to just fetch the logger everytime. But, normally we fetch the logger once when we have this much logging to do in a function

[rahulii]

done, PTAL!

[Cali0707]

all of these if/else blocks can make it a little unclear what is going on, I might refactor this to return early in many of these cases. For example, if the EventPolicy is successfully created, we can return nil. This gets rid of the need for the else if r.policyNeedsUpdate(...), which can be turned into a simpler if r.policyNeedsUpdate(...).

[rahulii]

good point, thanks for the feedback, I will make the changes!

[rahulii]

done, PTAL!

[Cali0707]

nit: this function doesn't really need to be a method on the Reconciler struct

Suggested change

	func (r *Reconciler) policyNeedsUpdate(foundEP, expected *eventingv1alpha1.EventPolicy) bool {
	func policyNeedsUpdate(foundEP, expected *eventingv1alpha1.EventPolicy) bool {

[rahulii]

done, PTAL!

[rahulii]

/ok-to-test

[Cali0707]

/lgtm
/approve

Thanks @rahulii !

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Cali0707, rahulii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Cali0707]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment