Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Use filtered informer to watch OIDC service accounts #7527

Merged
merged 41 commits into from
Jan 30, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
41 commits
Select commit Hold shift + click to select a range
0bf2982
controller.go changed
yijie-04 Dec 23, 2023
17c775a
#7320 WIP
Zazzscoot Dec 24, 2023
94cd51b
Merge remote-tracking branch 'otherfork/main' into main
yijie-04 Dec 24, 2023
a82c2aa
WIP: Testing filtered informer (knative#7341)
yijie-04 Dec 24, 2023
d4bfe4e
unit test passed
yijie-04 Jan 2, 2024
979911d
Revert "Merge remote-tracking branch 'otherfork/main' into main"
yijie-04 Jan 2, 2024
bbefcc2
Removed comments
yijie-04 Jan 6, 2024
de30fc5
Changed to filtered informer for Subscription identity service account
yijie-04 Jan 6, 2024
ce5a778
Changed to filtered informer for Sequence service accounts
yijie-04 Jan 6, 2024
2ae1090
Changed to filtered informer for Parallel identity service accounts
yijie-04 Jan 6, 2024
695e58c
Changed to filtered informer for APIServerSource identity service acc…
yijie-04 Jan 6, 2024
efc1cc3
fixed unit tests
yijie-04 Jan 10, 2024
37f0dff
Merge branch 'main' into main
yijie-04 Jan 10, 2024
a414f3e
added label selector for mtchannel_broker
yijie-04 Jan 10, 2024
de787c6
added filtered informer for sinkbinding identity service accounts
yijie-04 Jan 11, 2024
c365d4a
added OIDC label selector in webhook
yijie-04 Jan 12, 2024
7d73360
added filtered informer for containersource service accounts
yijie-04 Jan 12, 2024
c048610
added filtered informer for pingsource service accounts
yijie-04 Jan 12, 2024
3d3bd2c
added OIDC label selector in apiserver ctx
yijie-04 Jan 12, 2024
f5d583f
added OIDC label selector in broker/filter
yijie-04 Jan 12, 2024
d934231
added OIDC label selector in broker/ingress
yijie-04 Jan 12, 2024
08dbe1e
added OIDC label selector in in_memory/channel_dispatcher
yijie-04 Jan 12, 2024
d3205ab
added OIDC label selector in mtping
yijie-04 Jan 12, 2024
a31fc39
fixed unit test issues for pingsource
yijie-04 Jan 12, 2024
b69cc29
fixed unit test for container source
yijie-04 Jan 12, 2024
51befc7
Merge branch 'knative:main' into main
yijie-04 Jan 13, 2024
e95329e
formatted files
yijie-04 Jan 19, 2024
e76634a
Merge remote-tracking branch 'upstream/main' into main
yijie-04 Jan 19, 2024
8e112d8
updated service account informer in apiserversource
yijie-04 Jan 22, 2024
c04375a
updated service account informers in other places
yijie-04 Jan 22, 2024
d7f6e43
small typo fix
yijie-04 Jan 22, 2024
f2fe553
added actual value for OIDC label
yijie-04 Jan 24, 2024
b2941ac
added a valid value for OIDClabelkey
yijie-04 Jan 26, 2024
5244f19
Merge remote-tracking branch 'upstream/main' into main
yijie-04 Jan 26, 2024
2c94ec7
changed references of OIDCLabelKey
yijie-04 Jan 26, 2024
3d0d399
fixed import path problem
yijie-04 Jan 26, 2024
8c30426
changed OIDCLabelSelector in all main.go files
yijie-04 Jan 26, 2024
bee47f4
changed instances of OIDCLabelSelector in controller and controller t…
yijie-04 Jan 26, 2024
5c25449
deleted OIDC related labels from register.go
yijie-04 Jan 26, 2024
63346a6
fixed formatting issues
yijie-04 Jan 27, 2024
9a44a73
Added value for OIDCLabelKey
yijie-04 Jan 29, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions cmd/apiserver_receive_adapter/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (

"knative.dev/eventing/pkg/adapter/apiserver"
"knative.dev/eventing/pkg/adapter/v2"
"knative.dev/eventing/pkg/auth"
"knative.dev/eventing/pkg/eventingtls"
)

Expand All @@ -34,6 +35,7 @@ func main() {
ctx = adapter.WithInjectorEnabled(ctx)

ctx = filteredFactory.WithSelectors(ctx,
auth.OIDCLabelSelector,
eventingtls.TrustBundleLabelSelector,
)

Expand Down
1 change: 1 addition & 0 deletions cmd/broker/filter/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -81,6 +81,7 @@ func main() {
log.Printf("Registering %d informers", len(injection.Default.GetInformers()))

ctx = filteredFactory.WithSelectors(ctx,
auth.OIDCLabelSelector,
eventingtls.TrustBundleLabelSelector,
)

Expand Down
1 change: 1 addition & 0 deletions cmd/broker/ingress/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -103,6 +103,7 @@ func main() {
log.Printf("Registering %d informers", len(injection.Default.GetInformers()))

ctx = filteredFactory.WithSelectors(ctx,
auth.OIDCLabelSelector,
eventingtls.TrustBundleLabelSelector,
)

Expand Down
4 changes: 2 additions & 2 deletions cmd/controller/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ import (

"knative.dev/pkg/injection/sharedmain"

"knative.dev/eventing/pkg/apis/sources"
"knative.dev/eventing/pkg/auth"
"knative.dev/eventing/pkg/eventingtls"

filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
Expand Down Expand Up @@ -79,7 +79,7 @@ func main() {
}()

ctx = filteredFactory.WithSelectors(ctx,
sources.OIDCTokenRoleLabelSelector,
auth.OIDCLabelSelector,
eventingtls.TrustBundleLabelSelector,
)

Expand Down
2 changes: 2 additions & 0 deletions cmd/in_memory/channel_dispatcher/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ import (
"knative.dev/pkg/injection/sharedmain"
"knative.dev/pkg/signals"

"knative.dev/eventing/pkg/auth"
"knative.dev/eventing/pkg/eventingtls"
inmemorychannel "knative.dev/eventing/pkg/reconciler/inmemorychannel/dispatcher"
)
Expand All @@ -39,6 +40,7 @@ func main() {
}

ctx = filteredFactory.WithSelectors(ctx,
auth.OIDCLabelSelector,
eventingtls.TrustBundleLabelSelector,
)

Expand Down
11 changes: 10 additions & 1 deletion cmd/mtchannel_broker/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,8 +22,12 @@ import (

"context"

"knative.dev/eventing/pkg/auth"
"knative.dev/pkg/injection/sharedmain"

filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
"knative.dev/pkg/signals"

"knative.dev/eventing/pkg/reconciler/broker"
mttrigger "knative.dev/eventing/pkg/reconciler/broker/trigger"
)
Expand All @@ -33,7 +37,12 @@ const (
)

func main() {
sharedmain.Main(
ctx := signals.NewContext()

ctx = filteredFactory.WithSelectors(ctx,
auth.OIDCLabelSelector)

sharedmain.MainWithContext(ctx,
component,

broker.NewController,
Expand Down
2 changes: 2 additions & 0 deletions cmd/mtping/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@ import (

"knative.dev/eventing/pkg/adapter/mtping"
"knative.dev/eventing/pkg/adapter/v2"
"knative.dev/eventing/pkg/auth"
"knative.dev/eventing/pkg/eventingtls"
)

Expand Down Expand Up @@ -57,6 +58,7 @@ func main() {
})

ctx = filteredFactory.WithSelectors(ctx,
auth.OIDCLabelSelector,
eventingtls.TrustBundleLabelSelector,
)

Expand Down
2 changes: 2 additions & 0 deletions cmd/webhook/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ import (
configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"

"knative.dev/eventing/pkg/apis/feature"
"knative.dev/eventing/pkg/auth"
"knative.dev/eventing/pkg/eventingtls"

filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
Expand Down Expand Up @@ -287,6 +288,7 @@ func main() {
})

ctx = filteredFactory.WithSelectors(ctx,
auth.OIDCLabelSelector,
eventingtls.TrustBundleLabelSelector,
)

Expand Down
6 changes: 0 additions & 6 deletions pkg/apis/sources/register.go
Original file line number Diff line number Diff line change
Expand Up @@ -32,12 +32,6 @@ const (
// SourceDuckLabelValue is the label value to indicate
// the CRD is a Source duck type.
SourceDuckLabelValue = "true"

//OIDCLabelKey is used to filter out all the informers that related to OIDC work
OIDCLabelKey = "oidc"

// OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers
OIDCTokenRoleLabelSelector = OIDCLabelKey
)

var (
Expand Down
11 changes: 11 additions & 0 deletions pkg/auth/serviceaccount.go
Original file line number Diff line number Diff line change
Expand Up @@ -37,6 +37,14 @@ import (
"knative.dev/pkg/ptr"
)

const (
//OIDCLabelKey is used to filter out all the informers that related to OIDC work
OIDCLabelKey = "oidc"

// OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers
OIDCLabelSelector = OIDCLabelKey
)

// GetOIDCServiceAccountNameForResource returns the service account name to use
// for OIDC authentication for the given resource.
func GetOIDCServiceAccountNameForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string {
Expand Down Expand Up @@ -66,6 +74,9 @@ func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta me
Annotations: map[string]string{
"description": fmt.Sprintf("Service Account for OIDC Authentication for %s %q", gvk.GroupKind().Kind, objectMeta.Name),
},
Labels: map[string]string{
OIDCLabelKey: "enabled",
},
},
}
}
Expand Down
3 changes: 3 additions & 0 deletions pkg/auth/serviceaccount_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -108,6 +108,9 @@ func TestGetOIDCServiceAccountForResource(t *testing.T) {
Annotations: map[string]string{
"description": "Service Account for OIDC Authentication for Broker \"my-broker\"",
},
Labels: map[string]string{
OIDCLabelKey: "enabled",
},
},
}

Expand Down
6 changes: 2 additions & 4 deletions pkg/reconciler/apiserversource/apiserversource_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,6 @@ import (
"fmt"
"testing"

"knative.dev/eventing/pkg/apis/sources"

"knative.dev/pkg/kmeta"

rbacv1 "k8s.io/api/rbac/v1"
Expand Down Expand Up @@ -1425,7 +1423,7 @@ func makeOIDCRole() *rbacv1.Role {
"description": fmt.Sprintf("Role for OIDC Authentication for ApiServerSource %q", sourceName),
},
Labels: map[string]string{
sources.OIDCLabelKey: "",
auth.OIDCLabelKey: "enabled",
},
OwnerReferences: []metav1.OwnerReference{
*kmeta.NewControllerRef(src),
Expand Down Expand Up @@ -1455,7 +1453,7 @@ func makeOIDCRoleBinding() *rbacv1.RoleBinding {
"description": fmt.Sprintf("Role Binding for OIDC Authentication for ApiServerSource %q", sourceName),
},
Labels: map[string]string{
sources.OIDCLabelKey: "",
auth.OIDCLabelKey: "enabled",
},
OwnerReferences: []metav1.OwnerReference{
*kmeta.NewControllerRef(src),
Expand Down
15 changes: 8 additions & 7 deletions pkg/reconciler/apiserversource/controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,7 +22,7 @@ import (
configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
"knative.dev/pkg/system"

"knative.dev/eventing/pkg/apis/sources"
"knative.dev/eventing/pkg/auth"
"knative.dev/eventing/pkg/eventingtls"
eventingreconciler "knative.dev/eventing/pkg/reconciler"

Expand All @@ -42,7 +42,8 @@ import (
deploymentinformer "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment"
"knative.dev/pkg/client/injection/kube/informers/core/v1/namespace"

serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount"
serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered"

roleinformer "knative.dev/pkg/client/injection/kube/informers/rbac/v1/role/filtered"
rolebindinginformer "knative.dev/pkg/client/injection/kube/informers/rbac/v1/rolebinding/filtered"

Expand All @@ -67,11 +68,11 @@ func NewController(
deploymentInformer := deploymentinformer.Get(ctx)
apiServerSourceInformer := apiserversourceinformer.Get(ctx)
namespaceInformer := namespace.Get(ctx)
serviceaccountInformer := serviceaccountinformer.Get(ctx)
oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector)

// Create a selector string
roleInformer := roleinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector)
rolebindingInformer := rolebindinginformer.Get(ctx, sources.OIDCTokenRoleLabelSelector)
roleInformer := roleinformer.Get(ctx, auth.OIDCLabelSelector)
rolebindingInformer := rolebindinginformer.Get(ctx, auth.OIDCLabelSelector)

trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector)

Expand All @@ -89,7 +90,7 @@ func NewController(
ceSource: GetCfgHost(ctx),
configs: reconcilersource.WatchConfigurations(ctx, component, cmw),
namespaceLister: namespaceInformer.Lister(),
serviceAccountLister: serviceaccountInformer.Lister(),
serviceAccountLister: oidcServiceaccountInformer.Lister(),
roleLister: roleInformer.Lister(),
roleBindingLister: rolebindingInformer.Lister(),
trustBundleConfigMapLister: trustBundleConfigMapInformer.Lister(),
Expand Down Expand Up @@ -142,7 +143,7 @@ func NewController(
})

// Reconciler ApiServerSource when the OIDC service account changes
serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
FilterFunc: controller.FilterController(&v1.ApiServerSource{}),
Handler: controller.HandleAll(impl.EnqueueControllerOf),
})
Expand Down
6 changes: 3 additions & 3 deletions pkg/reconciler/apiserversource/controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ import (

filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"

"knative.dev/eventing/pkg/apis/sources"
"knative.dev/eventing/pkg/auth"
"knative.dev/eventing/pkg/eventingtls"

"knative.dev/eventing/pkg/apis/feature"
Expand All @@ -42,7 +42,7 @@ import (
// Fake injection informers
_ "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered/fake"
_ "knative.dev/pkg/client/injection/kube/informers/core/v1/namespace/fake"
_ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake"
_ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake"
_ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake"
_ "knative.dev/pkg/client/injection/kube/informers/rbac/v1/role/filtered/fake"
_ "knative.dev/pkg/client/injection/kube/informers/rbac/v1/rolebinding/filtered/fake"
Expand Down Expand Up @@ -98,6 +98,6 @@ func TestNew(t *testing.T) {
}

func SetUpInformerSelector(ctx context.Context) context.Context {
ctx = filteredFactory.WithSelectors(ctx, eventingtls.TrustBundleLabelSelector, sources.OIDCTokenRoleLabelSelector)
ctx = filteredFactory.WithSelectors(ctx, eventingtls.TrustBundleLabelSelector, auth.OIDCLabelSelector)
return ctx
}
6 changes: 3 additions & 3 deletions pkg/reconciler/apiserversource/resources/oidc_rolebinding.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ package resources
import (
"fmt"

"knative.dev/eventing/pkg/apis/sources"
"knative.dev/eventing/pkg/auth"

"knative.dev/pkg/kmeta"

Expand Down Expand Up @@ -54,7 +54,7 @@ func MakeOIDCRole(source *v1.ApiServerSource) (*rbacv1.Role, error) {
"description": fmt.Sprintf("Role for OIDC Authentication for ApiServerSource %q", source.GetName()),
},
Labels: map[string]string{
sources.OIDCLabelKey: "",
auth.OIDCLabelKey: "enabled",
},
OwnerReferences: []metav1.OwnerReference{
*kmeta.NewControllerRef(source),
Expand Down Expand Up @@ -92,7 +92,7 @@ func MakeOIDCRoleBinding(source *v1.ApiServerSource) (*rbacv1.RoleBinding, error
"description": fmt.Sprintf("Role Binding for OIDC Authentication for ApiServerSource %q", source.GetName()),
},
Labels: map[string]string{
sources.OIDCLabelKey: "",
auth.OIDCLabelKey: "enabled",
},
OwnerReferences: []metav1.OwnerReference{
*kmeta.NewControllerRef(source),
Expand Down
11 changes: 7 additions & 4 deletions pkg/reconciler/broker/trigger/controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,12 +19,13 @@ package mttrigger
import (
"context"

"knative.dev/eventing/pkg/auth"

"go.uber.org/zap"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/client-go/tools/cache"
"knative.dev/pkg/client/injection/ducks/duck/v1/source"
configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap"
serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount"
"knative.dev/pkg/configmap"
"knative.dev/pkg/controller"
"knative.dev/pkg/injection/clients/dynamicclient"
Expand All @@ -45,6 +46,8 @@ import (
eventinglisters "knative.dev/eventing/pkg/client/listers/eventing/v1"
"knative.dev/eventing/pkg/duck"
kubeclient "knative.dev/pkg/client/injection/kube/client"

serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered"
)

// NewController initializes the controller and is called by the generated code
Expand All @@ -59,7 +62,7 @@ func NewController(
subscriptionInformer := subscriptioninformer.Get(ctx)
configmapInformer := configmapinformer.Get(ctx)
secretInformer := secretinformer.Get(ctx)
serviceaccountInformer := serviceaccountinformer.Get(ctx)
oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector)

featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"))
featureStore.WatchConfigs(cmw)
Expand All @@ -74,7 +77,7 @@ func NewController(
triggerLister: triggerLister,
configmapLister: configmapInformer.Lister(),
secretLister: secretInformer.Lister(),
serviceAccountLister: serviceaccountInformer.Lister(),
serviceAccountLister: oidcServiceaccountInformer.Lister(),
}
impl := triggerreconciler.NewImpl(ctx, r, func(impl *controller.Impl) controller.Options {
return controller.Options{
Expand Down Expand Up @@ -112,7 +115,7 @@ func NewController(
})

// Reconciler Trigger when the OIDC service account changes
serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
FilterFunc: controller.FilterController(&eventing.Trigger{}),
Handler: controller.HandleAll(impl.EnqueueControllerOf),
})
Expand Down
16 changes: 13 additions & 3 deletions pkg/reconciler/broker/trigger/controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,9 +17,13 @@ limitations under the License.
package mttrigger

import (
"context"
"fmt"
"testing"

"knative.dev/eventing/pkg/auth"
filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"

"github.com/stretchr/testify/assert"
corev1 "k8s.io/api/core/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand All @@ -44,11 +48,12 @@ import (
_ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker/fake"
_ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger/fake"
_ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake"
_ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake"
_ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake"
_ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake"
)

func TestNew(t *testing.T) {
ctx, _ := SetupFakeContext(t)
ctx, _ := SetupFakeContext(t, SetUpInformerSelector)

c := NewController(ctx, configmap.NewStaticWatcher(&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "config-features"}}))

Expand All @@ -57,8 +62,13 @@ func TestNew(t *testing.T) {
}
}

func SetUpInformerSelector(ctx context.Context) context.Context {
ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector)
return ctx
}

func TestFilterTriggers(t *testing.T) {
ctx, _ := SetupFakeContext(t)
ctx, _ := SetupFakeContext(t, SetUpInformerSelector)

tt := []struct {
name string
Expand Down
Loading
Loading