Merge branch 'main' into main

knative · Jan 10, 2024 · 37f0dff · 37f0dff
2 parents efc1cc3 + d9921e0
commit 37f0dff
Show file tree

Hide file tree

Showing 488 changed files with 28,675 additions and 17,119 deletions.
diff --git a/OWNERS_ALIASES b/OWNERS_ALIASES
@@ -66,6 +66,7 @@ aliases:
   - salaboy
   knative-admin:
   - Cali0707
+  - Leo6Leo
   - ReToCode
   - aliok
   - creydr
@@ -91,6 +92,7 @@ aliases:
   - xtreme-sameer-vohra
   knative-release-leads:
   - Cali0707
+  - Leo6Leo
   - ReToCode
   - creydr
   - dsimansk

diff --git a/cmd/apiserver_receive_adapter/main.go b/cmd/apiserver_receive_adapter/main.go
@@ -17,10 +17,12 @@ limitations under the License.
 package main
 
 import (
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/signals"
 
 	"knative.dev/eventing/pkg/adapter/apiserver"
 	"knative.dev/eventing/pkg/adapter/v2"
+	"knative.dev/eventing/pkg/eventingtls"
 )
 
 const (
@@ -30,5 +32,10 @@ const (
 func main() {
 	ctx := signals.NewContext()
 	ctx = adapter.WithInjectorEnabled(ctx)
+
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	adapter.MainWithContext(ctx, component, apiserver.NewEnvConfig, apiserver.NewAdapter)
 }
diff --git a/cmd/broker/filter/main.go b/cmd/broker/filter/main.go
@@ -25,6 +25,8 @@ import (
 	"github.com/kelseyhightower/envconfig"
 	"go.uber.org/zap"
 	kubeclient "knative.dev/pkg/client/injection/kube/client"
+	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	configmap "knative.dev/pkg/configmap/informer"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection"
@@ -42,6 +44,7 @@ import (
 	"knative.dev/eventing/pkg/broker/filter"
 	brokerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker"
 	triggerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger"
+	"knative.dev/eventing/pkg/eventingtls"
 	"knative.dev/eventing/pkg/reconciler/names"
 )
 
@@ -77,6 +80,10 @@ func main() {
 	log.Printf("Registering %d informer factories", len(injection.Default.GetInformerFactories()))
 	log.Printf("Registering %d informers", len(injection.Default.GetInformers()))
 
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	ctx, informers := injection.Default.SetupInformers(ctx, cfg)
 	ctx = injection.WithConfig(ctx, cfg)
 	kubeClient := kubeclient.Get(ctx)
@@ -126,7 +133,8 @@ func main() {
 	// We are running both the receiver (takes messages in from the Broker) and the dispatcher (send
 	// the messages to the triggers' subscribers) in this binary.
 	oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
-	handler, err := filter.NewHandler(logger, oidcTokenVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), reporter, ctxFunc)
+	trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
+	handler, err := filter.NewHandler(logger, oidcTokenVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc)
 	if err != nil {
 		logger.Fatal("Error creating Handler", zap.Error(err))
 	}

diff --git a/cmd/broker/ingress/main.go b/cmd/broker/ingress/main.go
@@ -27,8 +27,10 @@ import (
 	"github.com/google/uuid"
 	"github.com/kelseyhightower/envconfig"
 	"go.uber.org/zap"
+	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
 
 	kubeclient "knative.dev/pkg/client/injection/kube/client"
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	configmap "knative.dev/pkg/configmap/informer"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection"
@@ -43,11 +45,12 @@ import (
 	cmdbroker "knative.dev/eventing/cmd/broker"
 	"knative.dev/eventing/pkg/apis/feature"
 	"knative.dev/eventing/pkg/auth"
-	broker "knative.dev/eventing/pkg/broker"
+	"knative.dev/eventing/pkg/broker"
 	"knative.dev/eventing/pkg/broker/ingress"
 	eventingclient "knative.dev/eventing/pkg/client/injection/client"
 	brokerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker"
 	eventtypeinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1beta2/eventtype"
+	"knative.dev/eventing/pkg/eventingtls"
 	"knative.dev/eventing/pkg/eventtype"
 	"knative.dev/eventing/pkg/reconciler/names"
 )
@@ -99,6 +102,10 @@ func main() {
 	log.Printf("Registering %d informer factories", len(injection.Default.GetInformerFactories()))
 	log.Printf("Registering %d informers", len(injection.Default.GetInformers()))
 
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	ctx, informers := injection.Default.SetupInformers(ctx, cfg)
 	ctx = injection.WithConfig(ctx, cfg)
 	loggingConfig, err := cmdbroker.GetLoggingConfig(ctx, system.Namespace(), logging.ConfigMapName())
@@ -160,7 +167,8 @@ func main() {
 
 	oidcTokenProvider := auth.NewOIDCTokenProvider(ctx)
 	oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
-	handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, oidcTokenVerifier, oidcTokenProvider, ctxFunc)
+	trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
+	handler, err = ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, oidcTokenVerifier, oidcTokenProvider, trustBundleConfigMapInformer, ctxFunc)
 	if err != nil {
 		logger.Fatal("Error creating Handler", zap.Error(err))
 	}

diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -26,10 +26,12 @@ import (
 	"os"
 	"time"
 
+	"knative.dev/pkg/injection/sharedmain"
+
 	"knative.dev/eventing/pkg/apis/sources"
+	"knative.dev/eventing/pkg/eventingtls"
 
 	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
-	"knative.dev/pkg/injection/sharedmain"
 	"knative.dev/pkg/signals"
 
 	"knative.dev/eventing/pkg/reconciler/apiserversource"
@@ -76,7 +78,10 @@ func main() {
 		}
 	}()
 
-	ctx = filteredFactory.WithSelectors(ctx, sources.OIDCTokenRoleLabelSelector)
+	ctx = filteredFactory.WithSelectors(ctx,
+		sources.OIDCTokenRoleLabelSelector,
+		eventingtls.TrustBundleLabelSelector,
+	)
 
 	sharedmain.MainWithContext(ctx, "controller",
 		// Messaging

diff --git a/cmd/in_memory/channel_dispatcher/main.go b/cmd/in_memory/channel_dispatcher/main.go
@@ -22,10 +22,12 @@ import (
 
 	"os"
 
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/injection"
 	"knative.dev/pkg/injection/sharedmain"
 	"knative.dev/pkg/signals"
 
+	"knative.dev/eventing/pkg/eventingtls"
 	inmemorychannel "knative.dev/eventing/pkg/reconciler/inmemorychannel/dispatcher"
 )
 
@@ -36,6 +38,10 @@ func main() {
 		ctx = injection.WithNamespaceScope(ctx, ns)
 	}
 
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	sharedmain.MainWithContext(ctx, "inmemorychannel-dispatcher",
 		inmemorychannel.NewController,
 	)

diff --git a/cmd/mtping/main.go b/cmd/mtping/main.go
@@ -17,10 +17,12 @@ limitations under the License.
 package main
 
 import (
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/signals"
 
 	"knative.dev/eventing/pkg/adapter/mtping"
 	"knative.dev/eventing/pkg/adapter/v2"
+	"knative.dev/eventing/pkg/eventingtls"
 )
 
 const (
@@ -54,5 +56,9 @@ func main() {
 		adapter.WithCloudEventsStatusReporterConfigurator(adapter.NewCloudEventsReporterConfiguratorFromConfigMap()),
 	})
 
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	adapter.MainWithContext(ctx, component, mtping.NewEnvConfig, mtping.NewAdapter)
 }
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -23,8 +23,12 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes/scheme"
+	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
+
 	"knative.dev/eventing/pkg/apis/feature"
+	"knative.dev/eventing/pkg/eventingtls"
 
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection"
@@ -54,7 +58,7 @@ import (
 	pingdefaultconfig "knative.dev/eventing/pkg/apis/sources/config"
 	sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1"
 	sourcesv1beta2 "knative.dev/eventing/pkg/apis/sources/v1beta2"
-	sugar "knative.dev/eventing/pkg/apis/sugar"
+	"knative.dev/eventing/pkg/apis/sugar"
 	"knative.dev/eventing/pkg/reconciler/sinkbinding"
 
 	versionedscheme "knative.dev/eventing/pkg/client/clientset/versioned/scheme"
@@ -194,7 +198,8 @@ func NewConfigValidationController(ctx context.Context, _ configmap.Watcher) *co
 
 func NewSinkBindingWebhook(opts ...psbinding.ReconcilerOption) injection.ControllerConstructor {
 	return func(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
-		withContext := sinkbinding.WithContextFactory(ctx, func(types.NamespacedName) {})
+		trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister()
+		withContext := sinkbinding.WithContextFactory(ctx, trustBundleConfigMapLister, func(types.NamespacedName) {})
 
 		return psbinding.NewAdmissionController(ctx,
 
@@ -281,6 +286,10 @@ func main() {
 		SecretName: "eventing-webhook-certs",
 	})
 
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	sharedmain.WebhookMainWithContext(ctx, webhook.NameFromEnv(),
 		certificates.NewController,
 		NewConfigValidationController,

diff --git a/config/brokers/mt-channel-broker-tls/broker-filter-tls-certificate.yaml b/config/brokers/mt-channel-broker-tls/broker-filter-tls-certificate.yaml
@@ -43,6 +43,6 @@ spec:
     - broker-filter.knative-eventing.svc
 
   issuerRef:
-    name: selfsigned-ca-issuer
-    kind: Issuer
+    name: knative-eventing-ca-issuer
+    kind: ClusterIssuer
     group: cert-manager.io
diff --git a/config/brokers/mt-channel-broker-tls/broker-ingress-tls-certificate.yaml b/config/brokers/mt-channel-broker-tls/broker-ingress-tls-certificate.yaml
@@ -43,6 +43,6 @@ spec:
     - broker-ingress.knative-eventing.svc
 
   issuerRef:
-    name: selfsigned-ca-issuer
-    kind: Issuer
+    name: knative-eventing-ca-issuer
+    kind: ClusterIssuer
     group: cert-manager.io
diff --git a/config/channels/in-memory-channel-tls/imc-dispatcher-tls-certificate.yaml b/config/channels/in-memory-channel-tls/imc-dispatcher-tls-certificate.yaml
@@ -43,6 +43,6 @@ spec:
     - imc-dispatcher.knative-eventing.svc
 
   issuerRef:
-    name: selfsigned-ca-issuer
-    kind: Issuer
+    name: knative-eventing-ca-issuer
+    kind: ClusterIssuer
     group: cert-manager.io
diff --git a/config/core/resources/pingsource.yaml b/config/core/resources/pingsource.yaml
@@ -197,6 +197,9 @@ spec:
               sinkCACerts:
                 description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink.
                 type: string
+              sinkAudience:
+                description: sinkAudience is the OIDC audience of the sink.
+                type: string
     additionalPrinterColumns:
     - name: Sink
       type: string

diff --git a/config/core/roles/webhook-clusterrole.yaml b/config/core/roles/webhook-clusterrole.yaml
@@ -26,6 +26,9 @@ rules:
     resources:
       - "configmaps"
     verbs:
+      - "create"
+      - "update"
+      - "delete"
       - "get"
       - "list"
       - "watch"

diff --git a/config/tls/issuers/selfsigned-ca-issuer.yaml → config/tls/issuers/eventing-ca-issuer.yaml b/config/tls/issuers/selfsigned-ca-issuer.yaml → config/tls/issuers/eventing-ca-issuer.yaml
@@ -14,10 +14,9 @@
 
 # This is the issuer that every Eventing component should use to issue their server's certs.
 apiVersion: cert-manager.io/v1
-kind: Issuer
+kind: ClusterIssuer
 metadata:
-  name: selfsigned-ca-issuer
-  namespace: knative-eventing
+  name: knative-eventing-ca-issuer
 spec:
   ca:
-    secretName: eventing-ca
+    secretName: knative-eventing-ca
diff --git a/config/tls/issuers/selfsigned-issuer.yaml b/config/tls/issuers/selfsigned-issuer.yaml
@@ -14,21 +14,20 @@
 
 # This is the root issuer to bootstrap the eventing CA.
 apiVersion: cert-manager.io/v1
-kind: Issuer
+kind: ClusterIssuer
 metadata:
-  name: selfsigned-issuer
-  namespace: knative-eventing
+  name: knative-eventing-selfsigned-issuer
 spec:
   selfSigned: {}
 ---
 # This is the Eventing CA certificate.
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: selfsigned-ca
-  namespace: knative-eventing
+  name: knative-eventing-selfsigned-ca
+  namespace: cert-manager
 spec:
-  secretName: eventing-ca
+  secretName: knative-eventing-ca
 
   isCA: true
   commonName: selfsigned-ca
@@ -37,6 +36,6 @@ spec:
     size: 256
 
   issuerRef:
-    name: selfsigned-issuer
-    kind: Issuer
+    name: knative-eventing-selfsigned-issuer
+    kind: ClusterIssuer
     group: cert-manager.io
diff --git a/config/tls/trust-manager/bundle-configmap.yaml b/config/tls/trust-manager/bundle-configmap.yaml
@@ -0,0 +1,23 @@
+# Copyright 2024 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: knative-eventing-bundle
+  namespace: knative-eventing
+  labels:
+    networking.knative.dev/trust-bundle: "true"
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing