[release-1.13]: Watch only our own OIDC-related secrets (#8070) (#8072)

* Watch only our own OIDC-related secrets (#8070)

Filter OIDC secrets

Signed-off-by: Pierangelo Di Pilato <[email protected]>

* ./hack/update-deps.sh

Signed-off-by: Calum Murray <[email protected]>

* fix: serviceaccountInformer -> oidcServiceaccountInformer

Signed-off-by: Calum Murray <[email protected]>

* fix: add oidc label selector to main contexts (partial cherry pick of #7527)

Signed-off-by: Calum Murray <[email protected]>

* fix: don't use filtered sa informer when sa is not labelled

Signed-off-by: Calum Murray <[email protected]>

---------

Signed-off-by: Pierangelo Di Pilato <[email protected]>
Signed-off-by: Calum Murray <[email protected]>
Co-authored-by: Pierangelo Di Pilato <[email protected]>

cmd/apiserver_receive_adapter/main.go

@@ -22,6 +22,7 @@ import (
 
 	"knative.dev/eventing/pkg/adapter/apiserver"
 	"knative.dev/eventing/pkg/adapter/v2"
+	"knative.dev/eventing/pkg/auth"
 	"knative.dev/eventing/pkg/eventingtls"
 )
 
@@ -34,6 +35,7 @@ func main() {
 	ctx = adapter.WithInjectorEnabled(ctx)
 
 	ctx = filteredFactory.WithSelectors(ctx,
+		auth.OIDCLabelSelector,
 		eventingtls.TrustBundleLabelSelector,
 	)
 

cmd/broker/filter/main.go

@@ -81,6 +81,7 @@ func main() {
 	log.Printf("Registering %d informers", len(injection.Default.GetInformers()))
 
 	ctx = filteredFactory.WithSelectors(ctx,
+		auth.OIDCLabelSelector,
 		eventingtls.TrustBundleLabelSelector,
 	)
 

cmd/broker/ingress/main.go

@@ -103,6 +103,7 @@ func main() {
 	log.Printf("Registering %d informers", len(injection.Default.GetInformers()))
 
 	ctx = filteredFactory.WithSelectors(ctx,
+		auth.OIDCLabelSelector,
 		eventingtls.TrustBundleLabelSelector,
 	)
 

cmd/in_memory/channel_dispatcher/main.go

@@ -27,6 +27,7 @@ import (
 	"knative.dev/pkg/injection/sharedmain"
 	"knative.dev/pkg/signals"
 
+	"knative.dev/eventing/pkg/auth"
 	"knative.dev/eventing/pkg/eventingtls"
 	inmemorychannel "knative.dev/eventing/pkg/reconciler/inmemorychannel/dispatcher"
 )
@@ -39,6 +40,7 @@ func main() {
 	}
 
 	ctx = filteredFactory.WithSelectors(ctx,
+		auth.OIDCLabelSelector,
 		eventingtls.TrustBundleLabelSelector,
 	)
 

cmd/mtchannel_broker/main.go

@@ -22,8 +22,11 @@ import (
 
 	"context"
 
+	filteredfactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/injection/sharedmain"
+	"knative.dev/pkg/signals"
 
+	"knative.dev/eventing/pkg/auth"
 	"knative.dev/eventing/pkg/reconciler/broker"
 	mttrigger "knative.dev/eventing/pkg/reconciler/broker/trigger"
 )
@@ -33,7 +36,11 @@ const (
 )
 
 func main() {
-	sharedmain.Main(
+	ctx := signals.NewContext()
+
+	ctx = filteredfactory.WithSelectors(ctx, auth.OIDCLabelSelector)
+
+	sharedmain.MainWithContext(ctx,
 		component,
 
 		broker.NewController,

cmd/mtping/main.go

@@ -22,6 +22,7 @@ import (
 
 	"knative.dev/eventing/pkg/adapter/mtping"
 	"knative.dev/eventing/pkg/adapter/v2"
+	"knative.dev/eventing/pkg/auth"
 	"knative.dev/eventing/pkg/eventingtls"
 )
 
@@ -57,6 +58,7 @@ func main() {
 	})
 
 	ctx = filteredFactory.WithSelectors(ctx,
+		auth.OIDCLabelSelector,
 		eventingtls.TrustBundleLabelSelector,
 	)
 

cmd/webhook/main.go

@@ -26,6 +26,7 @@ import (
 	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
 
 	"knative.dev/eventing/pkg/apis/feature"
+	"knative.dev/eventing/pkg/auth"
 	"knative.dev/eventing/pkg/eventingtls"
 
 	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
@@ -287,6 +288,7 @@ func main() {
 	})
 
 	ctx = filteredFactory.WithSelectors(ctx,
+		auth.OIDCLabelSelector,
 		eventingtls.TrustBundleLabelSelector,
 	)
 

pkg/auth/serviceaccount.go

@@ -21,11 +21,13 @@ import (
 	"fmt"
 	"strings"
 
-	"knative.dev/eventing/pkg/apis/feature"
+	"k8s.io/apimachinery/pkg/api/equality"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/kmeta"
 	pkgreconciler "knative.dev/pkg/reconciler"
 
+	"knative.dev/eventing/pkg/apis/feature"
+
 	"go.uber.org/zap"
 	v1 "k8s.io/api/core/v1"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
@@ -37,6 +39,14 @@ import (
 	"knative.dev/pkg/ptr"
 )
 
+const (
+	// OIDCLabelKey is used to filter out all the informers that related to OIDC work
+	OIDCLabelKey = "eventing.knative.dev/oidc"
+
+	// OIDCLabelSelector is the label selector for the OIDC resources
+	OIDCLabelSelector = OIDCLabelKey
+)
+
 // GetOIDCServiceAccountNameForResource returns the service account name to use
 // for OIDC authentication for the given resource.
 func GetOIDCServiceAccountNameForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string {
@@ -76,28 +86,38 @@ func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccou
 	saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta)
 	sa, err := serviceAccountLister.ServiceAccounts(objectMeta.Namespace).Get(saName)
 
+	expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
+
 	// If the resource doesn't exist, we'll create it.
 	if apierrs.IsNotFound(err) {
 		logging.FromContext(ctx).Debugw("Creating OIDC service account", zap.Error(err))
 
-		expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
-
 		_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Create(ctx, expected, metav1.CreateOptions{})
 		if err != nil {
-			return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+			return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 		}
 
 		return nil
 	}
-
 	if err != nil {
-		return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+		return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 	}
-
 	if !metav1.IsControlledBy(&sa.ObjectMeta, &objectMeta) {
 		return fmt.Errorf("service account %s not owned by %s %s", sa.Name, gvk.Kind, objectMeta.Name)
 	}
 
+	if !equality.Semantic.DeepDerivative(expected, sa) {
+		expected.ResourceVersion = sa.ResourceVersion
+
+		_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Update(ctx, expected, metav1.UpdateOptions{})
+		if err != nil {
+			return fmt.Errorf("could not update OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
+		}
+
+		return nil
+
+	}
+
 	return nil
 }
 

pkg/reconciler/sinkbinding/controller.go

@@ -43,7 +43,7 @@ import (
 	"knative.dev/pkg/apis/duck"
 	kubeclient "knative.dev/pkg/client/injection/kube/client"
 	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
-	secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret"
+	secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered"
 	serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
@@ -80,8 +80,8 @@ func NewController(
 	dc := dynamicclient.Get(ctx)
 	psInformerFactory := podspecable.Get(ctx)
 	namespaceInformer := namespace.Get(ctx)
-	serviceaccountInformer := serviceaccountinformer.Get(ctx)
-	secretInformer := secretinformer.Get(ctx)
+	oidcServiceaccountInformer := serviceaccountinformer.Get(ctx)
+	secretInformer := secretinformer.Get(ctx, auth.OIDCLabelSelector)
 	trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector)
 	trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister()
 
@@ -136,7 +136,7 @@ func NewController(
 		res:                        sbResolver,
 		tracker:                    impl.Tracker,
 		kubeclient:                 kubeclient.Get(ctx),
-		serviceAccountLister:       serviceaccountInformer.Lister(),
+		serviceAccountLister:       oidcServiceaccountInformer.Lister(),
 		secretLister:               secretInformer.Lister(),
 		featureStore:               featureStore,
 		tokenProvider:              auth.NewOIDCTokenProvider(ctx),
@@ -155,7 +155,7 @@ func NewController(
 	}
 
 	// Reconcile SinkBinding when the OIDC service account changes
-	serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
+	oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
 		FilterFunc: controller.FilterController(&v1.SinkBinding{}),
 		Handler:    controller.HandleAll(impl.EnqueueControllerOf),
 	})

pkg/reconciler/sinkbinding/sinkbinding.go

@@ -193,6 +193,9 @@ func (s *SinkBindingSubResourcesReconciler) renewOIDCTokenSecret(ctx context.Con
 
 	apiVersion := fmt.Sprintf("%s/%s", v1.SchemeGroupVersion.Group, v1.SchemeGroupVersion.Version)
 	applyConfig := new(applyconfigurationcorev1.SecretApplyConfiguration).
+		WithLabels(map[string]string{
+			auth.OIDCLabelKey: "enabled",
+		}).
 		WithName(secretName).
 		WithNamespace(sb.Namespace).
 		WithType(corev1.SecretTypeOpaque).

vendor/modules.txt

@@ -1283,7 +1283,7 @@ knative.dev/pkg/client/injection/kube/informers/core/v1/endpoints/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/namespace
 knative.dev/pkg/client/injection/kube/informers/core/v1/namespace/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/pod
-knative.dev/pkg/client/injection/kube/informers/core/v1/secret
+knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered
 knative.dev/pkg/client/injection/kube/informers/core/v1/service
 knative.dev/pkg/client/injection/kube/informers/core/v1/service/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount