From b77a190951b9b03c11f86d08457e435b69c7ca4d Mon Sep 17 00:00:00 2001 From: Knative Automation Date: Fri, 5 Jul 2024 01:54:07 +0000 Subject: [PATCH] upgrade to latest dependencies bumping knative.dev/hack 0914314...b979959: > b979959 Update community files (# 387) bumping knative.dev/reconciler-test de3a013...3a59c9d: > 3a59c9d Update community files (# 741) bumping knative.dev/pkg 3f6a546...7ecd548: > 7ecd548 Update community files (# 3071) bumping knative.dev/eventing 96c30bd...5f6713a: > 5f6713a fix(test): creating the knsubscribe clusterrolebinding does not cause install script to fail (# 8068) > 8e039dd Watch only our own OIDC-related secrets (# 8070) > 5a96619 Add Kubernetes Version Check to Installation Script (# 8025) > 332d974 Update TokenVerifier to verify AuthZ too (# 8063) > 3264b21 List applying EventPolicies in Brokers status (# 8060) > 657c3cd List applying policies in job sink (# 8064) > 98ed09c [main] Update community files (# 8069) > e2d782f # 7879: Changes to add filters field (# 7930) > d18595f :bug: Codecov reject any coverage drop (# 8065) > 399bb86 Reconcile EventPolicies when features configmap changes (# 8059) > 4f2b53f Set APIVersion and Kind of EventPolicy manually in OwnerReference of backing channels policy (# 8031) 
Signed-off-by: Knative Automation --- go.mod | 8 +- go.sum | 16 +- vendor/knative.dev/eventing/hack/install.sh | 6 + .../pkg/apis/eventing/v1/broker_lifecycle.go | 18 ++ .../pkg/apis/eventing/v1/test_helper.go | 2 + .../apis/sinks/v1alpha1/job_sink_lifecycle.go | 41 +++++ .../pkg/apis/sinks/v1alpha1/job_sink_types.go | 5 + .../pkg/apis/sinks/v1alpha1/test_helpers.go | 28 ++++ .../sinks/v1alpha1/zz_generated.deepcopy.go | 1 + .../eventing/pkg/auth/event_policy.go | 6 +- .../eventing/pkg/auth/serviceaccount.go | 32 ++-- .../eventing/pkg/auth/token_verifier.go | 154 +++++++++++++----- .../v1alpha1/eventpolicy/eventpolicy.go | 52 ++++++ .../pkg/reconciler/testing/v1/broker.go | 39 +++++ .../pkg/reconciler/testing/v1/factory.go | 3 + .../pkg/reconciler/testing/v1/listers.go | 12 ++ .../knative.dev/eventing/test/e2e-common.sh | 3 +- vendor/modules.txt | 9 +- 18 files changed, 368 insertions(+), 67 deletions(-) create mode 100644 vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/test_helpers.go create mode 100644 vendor/knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/eventpolicy.go diff --git a/go.mod b/go.mod index 71002254bb..0e2e86954d 100644 --- a/go.mod +++ b/go.mod @@ -35,10 +35,10 @@ require ( k8s.io/apiserver v0.29.2 k8s.io/client-go v0.29.2 k8s.io/utils v0.0.0-20240102154912-e7106e64919e - knative.dev/eventing v0.41.1-0.20240701131713-96c30bd21612 - knative.dev/hack v0.0.0-20240607132042-09143140a254 - knative.dev/pkg v0.0.0-20240626134149-3f6a546ac3a4 - knative.dev/reconciler-test v0.0.0-20240702140541-de3a0139e854 + knative.dev/eventing v0.41.1-0.20240704190613-5f6713a5dcb5 + knative.dev/hack v0.0.0-20240704013904-b9799599afcf + knative.dev/pkg v0.0.0-20240704013837-7ecd5485cbc6 + knative.dev/reconciler-test v0.0.0-20240704013940-3a59c9dfb680 sigs.k8s.io/controller-runtime v0.12.3 sigs.k8s.io/yaml v1.4.0 ) diff --git a/go.sum b/go.sum index 1b7ef23759..33a83066bf 100644 --- a/go.sum +++ b/go.sum 
@@ -1213,14 +1213,14 @@ k8s.io/utils v0.0.0-20200912215256-4140de9c8800/go.mod h1:jPW/WVKK9YHAvNhRxK0md/ k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA= k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -knative.dev/eventing v0.41.1-0.20240701131713-96c30bd21612 h1:Bs2fXBPUv+Df4YqIDNJRRRYGKrduST/AA4Foa9S23LA= -knative.dev/eventing v0.41.1-0.20240701131713-96c30bd21612/go.mod h1:3h0QrfHELs61mrTI4GDPEQh4rwsap0YYA5XgRrNgnlc= -knative.dev/hack v0.0.0-20240607132042-09143140a254 h1:1YFnu3U6dWZg0oxm6GU8kEdA9A+BvSWKJO7sg3N0kq8= -knative.dev/hack v0.0.0-20240607132042-09143140a254/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= -knative.dev/pkg v0.0.0-20240626134149-3f6a546ac3a4 h1:slPKf3UKdBFZlz+hFy+KXzTgY9yOePLzRuEhKzgc5a4= -knative.dev/pkg v0.0.0-20240626134149-3f6a546ac3a4/go.mod h1:Wikg4u73T6vk9TctrxZt60VXzqmGEQIx0iKfk1+9o4c= -knative.dev/reconciler-test v0.0.0-20240702140541-de3a0139e854 h1:eyXZBmB8YfOzAzou00DNyS0p1g4dzISRsjGmKoDroJQ= -knative.dev/reconciler-test v0.0.0-20240702140541-de3a0139e854/go.mod h1:g+5v4Zdqt/e+172sJ1pKOqu4bS58RxxWyef7g/7nV4A= +knative.dev/eventing v0.41.1-0.20240704190613-5f6713a5dcb5 h1:RfCStuPWB5Ny2tjB8pRP5lEgyV3wiDC4SCJMS2Adrs8= +knative.dev/eventing v0.41.1-0.20240704190613-5f6713a5dcb5/go.mod h1:3h0QrfHELs61mrTI4GDPEQh4rwsap0YYA5XgRrNgnlc= +knative.dev/hack v0.0.0-20240704013904-b9799599afcf h1:n92FmZRywgtHso7pFAku7CW0qvRAs1hXtMQqO0R6eiE= +knative.dev/hack v0.0.0-20240704013904-b9799599afcf/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= +knative.dev/pkg v0.0.0-20240704013837-7ecd5485cbc6 h1:/oGRGm/csTc0sUHo00MQ3NQrJaRP7iMTGC9bXpeEuuU= +knative.dev/pkg v0.0.0-20240704013837-7ecd5485cbc6/go.mod h1:Wikg4u73T6vk9TctrxZt60VXzqmGEQIx0iKfk1+9o4c= +knative.dev/reconciler-test v0.0.0-20240704013940-3a59c9dfb680 
h1:hsEXUWnfaK/PwqaRCSMFQoHYusibOMit4rDwbjTxHNM=
+knative.dev/reconciler-test v0.0.0-20240704013940-3a59c9dfb680/go.mod h1:g+5v4Zdqt/e+172sJ1pKOqu4bS58RxxWyef7g/7nV4A=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=
diff --git a/vendor/knative.dev/eventing/hack/install.sh b/vendor/knative.dev/eventing/hack/install.sh
index 8f51665c99..5f5e547984 100644
--- a/vendor/knative.dev/eventing/hack/install.sh
+++ b/vendor/knative.dev/eventing/hack/install.sh
@@ -21,6 +21,12 @@
 set -o errexit
 set -o nounset
 set -o pipefail
 
+go run "$(dirname "$0")/../test/version_check/check_k8s_version.go"
+if [[ $? -ne 0 ]]; then
+  echo "Kubernetes version check failed. Exiting."
+  exit 1
+fi
+
 export SCALE_CHAOSDUCK_TO_ZERO=1
 export REPLICAS=1
diff --git a/vendor/knative.dev/eventing/pkg/apis/eventing/v1/broker_lifecycle.go b/vendor/knative.dev/eventing/pkg/apis/eventing/v1/broker_lifecycle.go
index 9bc846e89e..ab4d0fdb25 100644
--- a/vendor/knative.dev/eventing/pkg/apis/eventing/v1/broker_lifecycle.go
+++ b/vendor/knative.dev/eventing/pkg/apis/eventing/v1/broker_lifecycle.go
@@ -32,6 +32,7 @@ const (
 	BrokerConditionFilter apis.ConditionType = "FilterReady"
 	BrokerConditionAddressable apis.ConditionType = "Addressable"
 	BrokerConditionDeadLetterSinkResolved apis.ConditionType = "DeadLetterSinkResolved"
+	BrokerConditionEventPoliciesReady apis.ConditionType = "EventPoliciesReady"
 )
 
 var brokerCondSet = apis.NewLivingConditionSet(
@@ -40,6 +41,7 @@ var brokerCondSet = apis.NewLivingConditionSet(
 	BrokerConditionFilter,
 	BrokerConditionAddressable,
 	BrokerConditionDeadLetterSinkResolved,
+	BrokerConditionEventPoliciesReady,
 )
 
 var brokerCondSetLock = sync.RWMutex{}
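Review bot: The `if [[ $? -ne 0 ]]` branch added after `go run` is unreachable on failure, because `set -o errexit` a few lines above already terminates the script when `go run` returns non-zero, so the `echo "Kubernetes version check failed. Exiting."` message is never printed. Put the command inside the condition so errexit does not pre-empt it: `if ! go run "$(dirname "$0")/../test/version_check/check_k8s_version.go"; then`. The version guard itself is a sensible install-time check; only the diagnostics are lost. This file is a vendored copy of knative.dev/eventing, so the fix should land upstream rather than in vendor/.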
@@ -118,3 +120,19 @@ func (bs *BrokerStatus) MarkDeadLetterSinkResolvedFailed(reason, messageFormat s bs.DeliveryStatus = eventingduck.DeliveryStatus{} bs.GetConditionSet().Manage(bs).MarkFalse(BrokerConditionDeadLetterSinkResolved, reason, messageFormat, messageA...) } + +func (bs *BrokerStatus) MarkEventPoliciesTrue() { + bs.GetConditionSet().Manage(bs).MarkTrue(BrokerConditionEventPoliciesReady) +} + +func (bs *BrokerStatus) MarkEventPoliciesTrueWithReason(reason, messageFormat string, messageA ...interface{}) { + bs.GetConditionSet().Manage(bs).MarkTrueWithReason(BrokerConditionEventPoliciesReady, reason, messageFormat, messageA...) +} + +func (bs *BrokerStatus) MarkEventPoliciesFailed(reason, messageFormat string, messageA ...interface{}) { + bs.GetConditionSet().Manage(bs).MarkFalse(BrokerConditionEventPoliciesReady, reason, messageFormat, messageA...) +} + +func (bs *BrokerStatus) MarkEventPoliciesUnknown(reason, messageFormat string, messageA ...interface{}) { + bs.GetConditionSet().Manage(bs).MarkUnknown(BrokerConditionEventPoliciesReady, reason, messageFormat, messageA...) +} diff --git a/vendor/knative.dev/eventing/pkg/apis/eventing/v1/test_helper.go b/vendor/knative.dev/eventing/pkg/apis/eventing/v1/test_helper.go index 9775f84dd7..e2337e9406 100644 --- a/vendor/knative.dev/eventing/pkg/apis/eventing/v1/test_helper.go +++ b/vendor/knative.dev/eventing/pkg/apis/eventing/v1/test_helper.go @@ -66,6 +66,7 @@ func (t testHelper) ReadyBrokerStatus() *BrokerStatus { URL: apis.HTTP("example.com"), }) bs.MarkDeadLetterSinkResolvedSucceeded(eventingduckv1.DeliveryStatus{}) + bs.MarkEventPoliciesTrue() return bs } @@ -77,6 +78,7 @@ func (t testHelper) ReadyBrokerStatusWithoutDLS() *BrokerStatus { bs.SetAddress(&duckv1.Addressable{ URL: apis.HTTP("example.com"), }) + bs.MarkEventPoliciesTrue() bs.MarkDeadLetterSinkNotConfigured() return bs } 
diff --git a/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/job_sink_lifecycle.go b/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/job_sink_lifecycle.go index b0cdea2161..bc29a41569 100644 --- a/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/job_sink_lifecycle.go +++ b/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/job_sink_lifecycle.go @@ -23,6 +23,7 @@ import ( "knative.dev/pkg/apis" "knative.dev/eventing/pkg/apis/sinks" + duckv1 "knative.dev/pkg/apis/duck/v1" ) const ( @@ -30,10 +31,15 @@ const ( JobSinkConditionReady = apis.ConditionReady JobSinkConditionAddressable apis.ConditionType = "Addressable" + + // JobSinkConditionEventPoliciesReady has status True when all the applying EventPolicies for this + // JobSink are ready. + JobSinkConditionEventPoliciesReady apis.ConditionType = "EventPoliciesReady" ) var JobSinkCondSet = apis.NewLivingConditionSet( JobSinkConditionAddressable, + JobSinkConditionEventPoliciesReady, ) // GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface. 
@@ -71,8 +77,43 @@ func (s *JobSinkStatus) InitializeConditions() { JobSinkCondSet.Manage(s).InitializeConditions() } +// MarkAddressableReady marks the Addressable condition to True. +func (s *JobSinkStatus) MarkAddressableReady() { + JobSinkCondSet.Manage(s).MarkTrue(JobSinkConditionAddressable) +} + +// MarkEventPoliciesFailed marks the EventPoliciesReady condition to False with the given reason and message. +func (s *JobSinkStatus) MarkEventPoliciesFailed(reason, messageFormat string, messageA ...interface{}) { + JobSinkCondSet.Manage(s).MarkFalse(JobSinkConditionEventPoliciesReady, reason, messageFormat, messageA...) +} + +// MarkEventPoliciesUnknown marks the EventPoliciesReady condition to Unknown with the given reason and message. +func (s *JobSinkStatus) MarkEventPoliciesUnknown(reason, messageFormat string, messageA ...interface{}) { + JobSinkCondSet.Manage(s).MarkUnknown(JobSinkConditionEventPoliciesReady, reason, messageFormat, messageA...) +} + +// MarkEventPoliciesTrue marks the EventPoliciesReady condition to True. +func (s *JobSinkStatus) MarkEventPoliciesTrue() { + JobSinkCondSet.Manage(s).MarkTrue(JobSinkConditionEventPoliciesReady) +} + +// MarkEventPoliciesTrueWithReason marks the EventPoliciesReady condition to True with the given reason and message. +func (s *JobSinkStatus) MarkEventPoliciesTrueWithReason(reason, messageFormat string, messageA ...interface{}) { + JobSinkCondSet.Manage(s).MarkTrueWithReason(JobSinkConditionEventPoliciesReady, reason, messageFormat, messageA...) 
+} + func (e *JobSink) SetJobStatusSelector() { if e.Spec.Job != nil { e.Status.JobStatus.Selector = fmt.Sprintf("%s=%s", sinks.JobSinkNameLabel, e.GetName()) } } + +func (s *JobSinkStatus) SetAddress(address *duckv1.Addressable) { + s.Address = address + if address == nil || address.URL.IsEmpty() { + JobSinkCondSet.Manage(s).MarkFalse(JobSinkConditionAddressable, "EmptyHostname", "hostname is the empty string") + } else { + JobSinkCondSet.Manage(s).MarkTrue(JobSinkConditionAddressable) + + } +} diff --git a/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/job_sink_types.go b/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/job_sink_types.go index 501dfdf659..18c9153d91 100644 --- a/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/job_sink_types.go +++ b/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/job_sink_types.go @@ -22,6 +22,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime" + eventingduckv1 "knative.dev/eventing/pkg/apis/duck/v1" duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/pkg/kmeta" ) @@ -68,6 +69,10 @@ type JobSinkStatus struct { // +optional JobStatus JobStatus `json:"job,omitempty"` + + // AppliedEventPoliciesStatus contains the list of EventPolicies which apply to this JobSink + // +optional + eventingduckv1.AppliedEventPoliciesStatus `json:",inline"` } type JobStatus struct { diff --git a/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/test_helpers.go b/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/test_helpers.go new file mode 100644 index 0000000000..ca14a46744 --- /dev/null +++ b/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/test_helpers.go 
@@ -0,0 +1,28 @@ +/* +Copyright 2024 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package v1alpha1 + +import ( + "github.com/google/go-cmp/cmp/cmpopts" + "knative.dev/pkg/apis" +) + +var ( + ignoreAllButTypeAndStatus = cmpopts.IgnoreFields( + apis.Condition{}, + "LastTransitionTime", "Message", "Reason", "Severity") +) diff --git a/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/zz_generated.deepcopy.go b/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/zz_generated.deepcopy.go index 8aefd015fc..58c9fdfaf8 100644 --- a/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/zz_generated.deepcopy.go +++ b/vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/zz_generated.deepcopy.go @@ -114,6 +114,7 @@ func (in *JobSinkStatus) DeepCopyInto(out *JobSinkStatus) { in.Status.DeepCopyInto(&out.Status) in.AddressStatus.DeepCopyInto(&out.AddressStatus) out.JobStatus = in.JobStatus + in.AppliedEventPoliciesStatus.DeepCopyInto(&out.AppliedEventPoliciesStatus) return } diff --git a/vendor/knative.dev/eventing/pkg/auth/event_policy.go b/vendor/knative.dev/eventing/pkg/auth/event_policy.go index 56ac38021b..7d4fcb1dba 100644 --- a/vendor/knative.dev/eventing/pkg/auth/event_policy.go +++ b/vendor/knative.dev/eventing/pkg/auth/event_policy.go 
@@ -35,6 +35,10 @@ import ( "knative.dev/pkg/resolver" ) +const ( + kubernetesServiceAccountPrefix = "system:serviceaccount" +) + // GetEventPoliciesForResource returns the applying EventPolicies for a given resource func GetEventPoliciesForResource(lister listerseventingv1alpha1.EventPolicyLister, resourceGVK schema.GroupVersionKind, resourceObjectMeta metav1.ObjectMeta) ([]*v1alpha1.EventPolicy, error) { policies, err := lister.EventPolicies(resourceObjectMeta.GetNamespace()).List(labels.Everything()) @@ -194,7 +198,7 @@ func resolveSubjectsFromReference(resolver *resolver.AuthenticatableResolver, re objFullSANames := make([]string, 0, len(objSAs)) for _, sa := range objSAs { - objFullSANames = append(objFullSANames, fmt.Sprintf("system:serviceaccount:%s:%s", reference.Namespace, sa)) + objFullSANames = append(objFullSANames, fmt.Sprintf("%s:%s:%s", kubernetesServiceAccountPrefix, reference.Namespace, sa)) } return objFullSANames, nil diff --git a/vendor/knative.dev/eventing/pkg/auth/serviceaccount.go b/vendor/knative.dev/eventing/pkg/auth/serviceaccount.go index b67666ef6a..5b98d61c79 100644 --- a/vendor/knative.dev/eventing/pkg/auth/serviceaccount.go +++ b/vendor/knative.dev/eventing/pkg/auth/serviceaccount.go @@ -21,11 +21,13 @@ import ( "fmt" "strings" - "knative.dev/eventing/pkg/apis/feature" + "k8s.io/apimachinery/pkg/api/equality" duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/pkg/kmeta" pkgreconciler "knative.dev/pkg/reconciler" + "knative.dev/eventing/pkg/apis/feature" + "go.uber.org/zap" v1 "k8s.io/api/core/v1" apierrs "k8s.io/apimachinery/pkg/api/errors" 
@@ -38,10 +40,10 @@ import ( ) const ( - //OIDCLabelKey is used to filter out all the informers that related to OIDC work - OIDCLabelKey = "oidc" + // OIDCLabelKey is used to filter out all the informers that related to OIDC work + OIDCLabelKey = "eventing.knative.dev/oidc" - // OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers + // OIDCLabelSelector is the label selector for the OIDC resources OIDCLabelSelector = OIDCLabelKey ) 
@@ -87,28 +89,38 @@ func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccou
 	saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta)
 	sa, err := serviceAccountLister.ServiceAccounts(objectMeta.Namespace).Get(saName)
 
+	expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
+
 	// If the resource doesn't exist, we'll create it.
 	if apierrs.IsNotFound(err) {
 		logging.FromContext(ctx).Debugw("Creating OIDC service account", zap.Error(err))
 
-		expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
-
 		_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Create(ctx, expected, metav1.CreateOptions{})
 		if err != nil {
-			return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+			return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 		}
 
 		return nil
 	}
-
 	if err != nil {
-		return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+		return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 	}
-
 	if !metav1.IsControlledBy(&sa.ObjectMeta, &objectMeta) {
 		return fmt.Errorf("service account %s not owned by %s %s", sa.Name, gvk.Kind, objectMeta.Name)
 	}
 
+	if !equality.Semantic.DeepDerivative(expected, sa) {
+		expected.ResourceVersion = sa.ResourceVersion
+
+		_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Update(ctx, expected, metav1.UpdateOptions{})
+		if err != nil {
+			return fmt.Errorf("could not update OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
+		}
+
+		return nil
+
+	}
+
 	return nil
 }
 
diff --git a/vendor/knative.dev/eventing/pkg/auth/token_verifier.go b/vendor/knative.dev/eventing/pkg/auth/token_verifier.go
index 5571b67f2b..0d87cf11f6 100644
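Review bot: The new update branch (`if !equality.Semantic.DeepDerivative(expected, sa)`) writes `expected` back with a full Update after copying only `ResourceVersion`, so any field present on the live ServiceAccount but not on `expected` — `secrets`, `imagePullSecrets`, or annotations added by other controllers — appears to be cleared on that write, even though DeepDerivative deliberately ignored those fields when deciding whether an update is needed. Consider starting from the live object and overwriting only the owned fields, e.g. `desired := sa.DeepCopy()`, `desired.Labels, desired.Annotations, desired.OwnerReferences = expected.Labels, expected.Annotations, expected.OwnerReferences`, and pass `desired` to Update; which fields GetOIDCServiceAccountForResource actually sets is not visible here, so confirm before narrowing. EnsureOIDCServiceAccountExistsForResource starts before this hunk. This is a vendored copy of knative.dev/eventing; the change belongs upstream.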
--- a/vendor/knative.dev/eventing/pkg/auth/token_verifier.go +++ b/vendor/knative.dev/eventing/pkg/auth/token_verifier.go @@ -22,8 +22,13 @@ import ( "fmt" "io" "net/http" + "strings" "time" + duckv1 "knative.dev/eventing/pkg/apis/duck/v1" + eventpolicyinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy" + "knative.dev/eventing/pkg/client/listers/eventing/v1alpha1" + "github.com/coreos/go-oidc/v3/oidc" "go.uber.org/zap" "k8s.io/client-go/rest" @@ -37,9 +42,10 @@ const ( ) type OIDCTokenVerifier struct { - logger *zap.SugaredLogger - restConfig *rest.Config - provider *oidc.Provider + logger *zap.SugaredLogger + restConfig *rest.Config + provider *oidc.Provider + eventPolicyLister v1alpha1.EventPolicyLister } type IDToken struct { @@ -53,8 +59,9 @@ type IDToken struct { func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier { tokenHandler := &OIDCTokenVerifier{ - logger: logging.FromContext(ctx).With("component", "oidc-token-handler"), - restConfig: injection.GetConfig(ctx), + logger: logging.FromContext(ctx).With("component", "oidc-token-handler"), + restConfig: injection.GetConfig(ctx), + eventPolicyLister: eventpolicyinformer.Get(ctx).Lister(), } if err := tokenHandler.initOIDCProvider(ctx); err != nil { 
@@ -64,13 +71,103 @@ func NewOIDCTokenVerifier(ctx context.Context) *OIDCTokenVerifier {
 	return tokenHandler
 }
 
-// VerifyJWT verifies the given JWT for the expected audience and returns the parsed ID token.
-func (c *OIDCTokenVerifier) VerifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) {
-	if c.provider == nil {
+// VerifyJWTFromRequest verifies if the incoming request contains a correct JWT token
+//
+// Deprecated: use OIDCTokenVerifier.Verify() instead to bundle AuthN and AuthZ verification
+func (v *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter) error {
+	_, err := v.verifyAuthN(ctx, audience, r, response)
+
+	return err
+}
+
+// VerifyRequest verifies AuthN and AuthZ in the request. On verification errors, it sets the
+// responses HTTP status and returns an error
+func (v *OIDCTokenVerifier) VerifyRequest(ctx context.Context, features feature.Flags, requiredOIDCAudience *string, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, req *http.Request, resp http.ResponseWriter) error {
+	if !features.IsOIDCAuthentication() {
+		return nil
+	}
+
+	idToken, err := v.verifyAuthN(ctx, requiredOIDCAudience, req, resp)
+	if err != nil {
+		return fmt.Errorf("authentication of request could not be verified: %w", err)
+	}
+
+	err = v.verifyAuthZ(features, idToken, resourceNamespace, policyRefs, resp)
+	if err != nil {
+		return fmt.Errorf("authorization of request could not be verified: %w", err)
+	}
+
+	return nil
+}
+
+// verifyAuthN verifies if the incoming request contains a correct JWT token
+func (v *OIDCTokenVerifier) verifyAuthN(ctx context.Context, audience *string, req *http.Request, resp http.ResponseWriter) (*IDToken, error) {
+	token := GetJWTFromHeader(req.Header)
+	if token == "" {
+		resp.WriteHeader(http.StatusUnauthorized)
+		return nil, fmt.Errorf("no JWT token found in request")
+	}
+
+	if audience == nil {
+		resp.WriteHeader(http.StatusInternalServerError)
+		return nil, fmt.Errorf("no audience is provided")
+	}
+
+	idToken, err := v.verifyJWT(ctx, token, *audience)
+	if err != nil {
+		resp.WriteHeader(http.StatusUnauthorized)
+		return nil, fmt.Errorf("failed to verify JWT: %w", err)
+	}
+
+	return idToken, nil
+}
+
+// verifyAuthZ verifies if the given idToken is allowed by the resources eventPolicyStatus
+func (v *OIDCTokenVerifier) verifyAuthZ(features feature.Flags, idToken *IDToken, resourceNamespace string, policyRefs []duckv1.AppliedEventPolicyRef, resp http.ResponseWriter) error {
+	if len(policyRefs) > 0 {
+		subjectsFromApplyingPolicies := []string{}
+		for _, p := range policyRefs {
+			policy, err := v.eventPolicyLister.EventPolicies(resourceNamespace).Get(p.Name)
+			if err != nil {
+				resp.WriteHeader(http.StatusInternalServerError)
+				return fmt.Errorf("failed to get eventPolicy: %w", err)
+			}
+
+			subjectsFromApplyingPolicies = append(subjectsFromApplyingPolicies, policy.Status.From...)
+		}
+
+		if !SubjectContained(idToken.Subject, subjectsFromApplyingPolicies) {
+			resp.WriteHeader(http.StatusForbidden)
+			return fmt.Errorf("token is from subject %q, but only %q are part of applying event policies", idToken.Subject, subjectsFromApplyingPolicies)
+		}
+
+		return nil
+	} else {
+		if features.IsAuthorizationDefaultModeDenyAll() {
+			resp.WriteHeader(http.StatusForbidden)
+			return fmt.Errorf("no event policies apply for resource and %s is set to %s", feature.AuthorizationDefaultMode, feature.AuthorizationDenyAll)
+
+		} else if features.IsAuthorizationDefaultModeSameNamespace() {
+			if !strings.HasPrefix(idToken.Subject, fmt.Sprintf("%s:%s:", kubernetesServiceAccountPrefix, resourceNamespace)) {
+				resp.WriteHeader(http.StatusForbidden)
+				return fmt.Errorf("no policies apply for resource. %s is set to %s, but token is from subject %q, which is not part of %q namespace", feature.AuthorizationDefaultMode, feature.AuthorizationDenyAll, idToken.Subject, resourceNamespace)
+			}
+
+			return nil
+		}
+		// else: allow all
+	}
+
+	return nil
+}
+
+// verifyJWT verifies the given JWT for the expected audience and returns the parsed ID token.
+func (v *OIDCTokenVerifier) verifyJWT(ctx context.Context, jwt, audience string) (*IDToken, error) {
+	if v.provider == nil {
 		return nil, fmt.Errorf("provider is nil. Is the OIDC provider config correct?")
 	}
 
-	verifier := c.provider.Verifier(&oidc.Config{
+	verifier := v.provider.Verifier(&oidc.Config{
 		ClientID: audience,
 	})
 
@@ -89,8 +186,8 @@ func (c *OIDCTokenVerifier) VerifyJWT(ctx context.Context, jwt, audience string)
 	}, nil
 }
 
-func (c *OIDCTokenVerifier) initOIDCProvider(ctx context.Context) error {
-	discovery, err := c.getKubernetesOIDCDiscovery()
+func (v *OIDCTokenVerifier) initOIDCProvider(ctx context.Context) error {
+	discovery, err := v.getKubernetesOIDCDiscovery()
 	if err != nil {
 		return fmt.Errorf("could not load Kubernetes OIDC discovery information: %w", err)
 	}
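Review bot: In verifyAuthZ the same-namespace denial message reports the wrong mode: it is built under `features.IsAuthorizationDefaultModeSameNamespace()` but formats `feature.AuthorizationDefaultMode` with `feature.AuthorizationDenyAll`, so an operator debugging a 403 is told deny-all is configured when it is not; the argument should be `feature.AuthorizationAllowSameNamespace` (the constant the broker test helpers in this same patch use for that default). The decision logic itself reads correctly — a subject outside the applying policies or outside the namespace gets 403, a lister failure gets 500, and VerifyRequest short-circuits only when OIDC authentication is disabled. Separately, the deprecation comment on VerifyJWTFromRequest points to `OIDCTokenVerifier.Verify()`, which does not exist in this hunk; it should read `// Deprecated: use OIDCTokenVerifier.VerifyRequest() instead to bundle AuthN and AuthZ verification`. Both are vendored from knative.dev/eventing and belong upstream.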
@@ -100,25 +197,25 @@ func (c *OIDCTokenVerifier) initOIDCProvider(ctx context.Context) error { ctx = oidc.InsecureIssuerURLContext(ctx, discovery.Issuer) } - httpClient, err := c.getHTTPClientForKubeAPIServer() + httpClient, err := v.getHTTPClientForKubeAPIServer() if err != nil { return fmt.Errorf("could not get HTTP client with TLS certs of API server: %w", err) } ctx = oidc.ClientContext(ctx, httpClient) // get OIDC provider - c.provider, err = oidc.NewProvider(ctx, kubernetesOIDCDiscoveryBaseURL) + v.provider, err = oidc.NewProvider(ctx, kubernetesOIDCDiscoveryBaseURL) if err != nil { return fmt.Errorf("could not get OIDC provider: %w", err) } - c.logger.Debug("updated OIDC provider config", zap.Any("discovery-config", discovery)) + v.logger.Debug("updated OIDC provider config", zap.Any("discovery-config", discovery)) return nil } -func (c *OIDCTokenVerifier) getHTTPClientForKubeAPIServer() (*http.Client, error) { - client, err := rest.HTTPClientFor(c.restConfig) +func (v *OIDCTokenVerifier) getHTTPClientForKubeAPIServer() (*http.Client, error) { + client, err := rest.HTTPClientFor(v.restConfig) if err != nil { return nil, fmt.Errorf("could not create HTTP client from rest config: %w", err) } @@ -126,8 +223,8 @@ func (c *OIDCTokenVerifier) getHTTPClientForKubeAPIServer() (*http.Client, error return client, nil } -func (c *OIDCTokenVerifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error) { - client, err := c.getHTTPClientForKubeAPIServer() +func (v *OIDCTokenVerifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error) { + client, err := v.getHTTPClientForKubeAPIServer() if err != nil { return nil, fmt.Errorf("could not get HTTP client for API server: %w", err) } 
@@ -151,27 +248,6 @@ func (c *OIDCTokenVerifier) getKubernetesOIDCDiscovery() (*openIDMetadata, error return openIdConfig, nil } -// VerifyJWTFromRequest will verify the incoming request contains the correct JWT token -func (tokenVerifier *OIDCTokenVerifier) VerifyJWTFromRequest(ctx context.Context, r *http.Request, audience *string, response http.ResponseWriter) error { - token := GetJWTFromHeader(r.Header) - if token == "" { - response.WriteHeader(http.StatusUnauthorized) - return fmt.Errorf("no JWT token found in request") - } - - if audience == nil { - response.WriteHeader(http.StatusInternalServerError) - return fmt.Errorf("no audience is provided") - } - - if _, err := tokenVerifier.VerifyJWT(ctx, token, *audience); err != nil { - response.WriteHeader(http.StatusUnauthorized) - return fmt.Errorf("failed to verify JWT: %w", err) - } - - return nil -} - type openIDMetadata struct { Issuer string `json:"issuer"` JWKSURI string `json:"jwks_uri"` diff --git a/vendor/knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/eventpolicy.go b/vendor/knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/eventpolicy.go new file mode 100644 index 0000000000..c6da95f0a0 --- /dev/null +++ b/vendor/knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy/eventpolicy.go 
@@ -0,0 +1,52 @@ +/* +Copyright 2021 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by injection-gen. DO NOT EDIT. + +package eventpolicy + +import ( + context "context" + + v1alpha1 "knative.dev/eventing/pkg/client/informers/externalversions/eventing/v1alpha1" + factory "knative.dev/eventing/pkg/client/injection/informers/factory" + controller "knative.dev/pkg/controller" + injection "knative.dev/pkg/injection" + logging "knative.dev/pkg/logging" +) + +func init() { + injection.Default.RegisterInformer(withInformer) +} + +// Key is used for associating the Informer inside the context.Context. +type Key struct{} + +func withInformer(ctx context.Context) (context.Context, controller.Informer) { + f := factory.Get(ctx) + inf := f.Eventing().V1alpha1().EventPolicies() + return context.WithValue(ctx, Key{}, inf), inf.Informer() +} + +// Get extracts the typed informer from the context. +func Get(ctx context.Context) v1alpha1.EventPolicyInformer { + untyped := ctx.Value(Key{}) + if untyped == nil { + logging.FromContext(ctx).Panic( + "Unable to fetch knative.dev/eventing/pkg/client/informers/externalversions/eventing/v1alpha1.EventPolicyInformer from context.") + } + return untyped.(v1alpha1.EventPolicyInformer) +} diff --git a/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/broker.go b/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/broker.go index d7ddbd31c9..96b4f9d9f4 100644 
--- a/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/broker.go +++ b/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/broker.go @@ -18,10 +18,14 @@ import ( "fmt" "time" + eventingv1alpha1 "knative.dev/eventing/pkg/apis/eventing/v1alpha1" + "knative.dev/eventing/pkg/apis/feature" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/pkg/apis" duckv1 "knative.dev/pkg/apis/duck/v1" + eventingduckv1 "knative.dev/eventing/pkg/apis/duck/v1" eventingv1 "knative.dev/eventing/pkg/apis/duck/v1" "knative.dev/eventing/pkg/apis/eventing" v1 "knative.dev/eventing/pkg/apis/eventing/v1" @@ -288,3 +292,38 @@ func WithBrokersAddresses(addresses []duckv1.Addressable) BrokerOption { b.GetConditionSet().Manage(b.GetStatus()).MarkTrue(v1.BrokerConditionAddressable) } } + +func WithBrokerEventPoliciesReady() BrokerOption { + return func(b *v1.Broker) { + b.Status.MarkEventPoliciesTrue() + } +} + +func WithBrokerEventPoliciesNotReady(reason, message string) BrokerOption { + return func(b *v1.Broker) { + b.Status.MarkEventPoliciesFailed(reason, message) + } +} + +func WithBrokerEventPoliciesListed(policyNames ...string) BrokerOption { + return func(b *v1.Broker) { + for _, name := range policyNames { + b.Status.Policies = append(b.Status.Policies, eventingduckv1.AppliedEventPolicyRef{ + APIVersion: eventingv1alpha1.SchemeGroupVersion.String(), + Name: name, + }) + } + } +} + +func WithBrokerEventPoliciesReadyBecauseOIDCDisabled() BrokerOption { + return func(b *v1.Broker) { + b.Status.MarkEventPoliciesTrueWithReason("OIDCDisabled", "Feature %q must be enabled to support Authorization", feature.OIDCAuthentication) + } +} + +func WithBrokerEventPoliciesReadyBecauseNoPolicyAndOIDCEnabled() BrokerOption { + return func(b *v1.Broker) { + b.Status.MarkEventPoliciesTrueWithReason("DefaultAuthorizationMode", "Default authz mode is %q", feature.AuthorizationAllowSameNamespace) + } +} 
diff --git a/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/factory.go b/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/factory.go index 0481c6cdfb..ded0d6684b 100644 --- a/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/factory.go +++ b/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/factory.go @@ -41,6 +41,7 @@ import ( ktesting "k8s.io/client-go/testing" "knative.dev/pkg/controller" + "knative.dev/eventing/pkg/apis/sinks" fakeeventingclient "knative.dev/eventing/pkg/client/injection/client/fake" fakekubeclient "knative.dev/pkg/client/injection/kube/client/fake" fakedynamicclient "knative.dev/pkg/injection/clients/dynamicclient/fake" @@ -76,6 +77,8 @@ func MakeFactory(ctor Ctor, unstructured bool, logger *zap.SugaredLogger) Factor ctx, dynamicClient := fakedynamicclient.With(ctx, NewScheme(), ToUnstructured(t, r.Objects)...) + ctx = sinks.WithConfig(ctx, &sinks.Config{KubeClient: kubeClient}) + // The dynamic client's support for patching is BS. Implement it // here via PrependReactor (this can be overridden below by the // provided reactors). diff --git a/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/listers.go b/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/listers.go index 0c7c3546d2..ecc91831ec 100644 --- a/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/listers.go +++ b/vendor/knative.dev/eventing/pkg/reconciler/testing/v1/listers.go @@ -18,6 +18,7 @@ package testing import ( appsv1 "k8s.io/api/apps/v1" + batchv1 "k8s.io/api/batch/v1" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1" @@ -26,6 +27,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" fakekubeclientset "k8s.io/client-go/kubernetes/fake" appsv1listers "k8s.io/client-go/listers/apps/v1" + batchv1listers "k8s.io/client-go/listers/batch/v1" corev1listers "k8s.io/client-go/listers/core/v1" rbacv1listers "k8s.io/client-go/listers/rbac/v1" "k8s.io/client-go/tools/cache" 
@@ -35,6 +37,7 @@ import (
 eventingv1beta2 "knative.dev/eventing/pkg/apis/eventing/v1beta2"
 flowsv1 "knative.dev/eventing/pkg/apis/flows/v1"
 messagingv1 "knative.dev/eventing/pkg/apis/messaging/v1"
+ sinksv1alpha1 "knative.dev/eventing/pkg/apis/sinks/v1alpha1"
 sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1"
 fakeeventingclientset "knative.dev/eventing/pkg/client/clientset/versioned/fake"
 eventinglisters "knative.dev/eventing/pkg/client/listers/eventing/v1"
@@ -42,6 +45,7 @@ import (
 eventingv1beta2listers "knative.dev/eventing/pkg/client/listers/eventing/v1beta2"
 flowslisters "knative.dev/eventing/pkg/client/listers/flows/v1"
 messaginglisters "knative.dev/eventing/pkg/client/listers/messaging/v1"
+ sinkslisters "knative.dev/eventing/pkg/client/listers/sinks/v1alpha1"
 sourcelisters "knative.dev/eventing/pkg/client/listers/sources/v1"
 testscheme "knative.dev/eventing/pkg/reconciler/testing/scheme"
 duckv1 "knative.dev/pkg/apis/duck/v1"
@@ -118,6 +122,10 @@ func (l *Listers) GetEventPolicyLister() eventingv1alpha1listers.EventPolicyList
 return eventingv1alpha1listers.NewEventPolicyLister(l.indexerFor(&eventingv1alpha1.EventPolicy{}))
 }
+func (l *Listers) GetJobSinkLister() sinkslisters.JobSinkLister {
+ return sinkslisters.NewJobSinkLister(l.indexerFor(&sinksv1alpha1.JobSink{}))
+}
+
 func (l *Listers) GetPingSourceLister() sourcelisters.PingSourceLister {
 return sourcelisters.NewPingSourceLister(l.indexerFor(&sourcesv1.PingSource{}))
 }
@@ -213,3 +221,7 @@ func (l *Listers) GetNodeLister() corev1listers.NodeLister {
 func (l *Listers) GetPodLister() corev1listers.PodLister {
 return corev1listers.NewPodLister(l.indexerFor(&corev1.Pod{}))
 }
+
+func (l *Listers) GetJobLister() batchv1listers.JobLister {
+ return batchv1listers.NewJobLister(l.indexerFor(&batchv1.Job{}))
+}
diff --git a/vendor/knative.dev/eventing/test/e2e-common.sh b/vendor/knative.dev/eventing/test/e2e-common.sh
index 2b02dbbe31..0716dd05c1 100644
--- a/vendor/knative.dev/eventing/test/e2e-common.sh
+++ b/vendor/knative.dev/eventing/test/e2e-common.sh
@@ -92,7 +92,7 @@ function knative_setup() {
 install_feature_cm || fail_test "Could not install features configmap"
- create_knsubscribe_rolebinding || fail_test "Could not create knsusbcribe rolebinding"
+ create_knsubscribe_rolebinding || fail_test "Could not create knsubscribe rolebinding"
 }
 function scale_controlplane() {
@@ -107,6 +107,7 @@ function scale_controlplane() {
 }
 function create_knsubscribe_rolebinding() {
+ kubectl delete clusterrolebinding knsubscribe-test-rb --ignore-not-found=true
 kubectl create clusterrolebinding knsubscribe-test-rb --user=$(kubectl auth whoami -ojson | jq .status.userInfo.username -r) --clusterrole=crossnamespace=subscriber
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 182a566fe7..13de0d1204 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1142,7 +1142,7 @@ k8s.io/utils/pointer k8s.io/utils/ptr k8s.io/utils/strings/slices k8s.io/utils/trace -# knative.dev/eventing v0.41.1-0.20240701131713-96c30bd21612 +# knative.dev/eventing v0.41.1-0.20240704190613-5f6713a5dcb5 ## explicit; go 1.22 knative.dev/eventing/cmd/event_display knative.dev/eventing/cmd/heartbeats
@@ -1219,6 +1219,7 @@ knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker/fake knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger/fake +knative.dev/eventing/pkg/client/injection/informers/eventing/v1alpha1/eventpolicy knative.dev/eventing/pkg/client/injection/informers/factory knative.dev/eventing/pkg/client/injection/informers/factory/fake knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription
@@ -1320,10 +1321,10 @@ knative.dev/eventing/test/upgrade/prober/wathola/fetcher knative.dev/eventing/test/upgrade/prober/wathola/forwarder knative.dev/eventing/test/upgrade/prober/wathola/receiver knative.dev/eventing/test/upgrade/prober/wathola/sender -# knative.dev/hack v0.0.0-20240607132042-09143140a254 +# knative.dev/hack v0.0.0-20240704013904-b9799599afcf ## explicit; go 1.18 knative.dev/hack -# knative.dev/pkg v0.0.0-20240626134149-3f6a546ac3a4 +# knative.dev/pkg v0.0.0-20240704013837-7ecd5485cbc6 ## explicit; go 1.22 knative.dev/pkg/apiextensions/storageversion knative.dev/pkg/apiextensions/storageversion/cmd/migrate
@@ -1437,7 +1438,7 @@ knative.dev/pkg/webhook/json knative.dev/pkg/webhook/resourcesemantics knative.dev/pkg/webhook/resourcesemantics/defaulting knative.dev/pkg/webhook/resourcesemantics/validation -# knative.dev/reconciler-test v0.0.0-20240702140541-de3a0139e854 +# knative.dev/reconciler-test v0.0.0-20240704013940-3a59c9dfb680 ## explicit; go 1.22 knative.dev/reconciler-test/cmd/eventshub knative.dev/reconciler-test/pkg/environment