From 8e039dd3b71d88e6e983bb449afbb2c21fc5f6a5 Mon Sep 17 00:00:00 2001
From: Pierangelo Di Pilato
Date: Thu, 4 Jul 2024 19:21:35 +0200
Subject: [PATCH] Watch only our own OIDC-related secrets (#8070)

Filter OIDC secrets

Signed-off-by: Pierangelo Di Pilato
---
 pkg/auth/serviceaccount.go | 32 +++++++++++-----
 pkg/reconciler/sinkbinding/controller.go | 4 +-
 pkg/reconciler/sinkbinding/sinkbinding.go | 3 ++
 .../core/v1/secret/{ => filtered}/secret.go | 37 +++++++++++++------
 vendor/modules.txt | 2 +-
 5 files changed, 53 insertions(+), 25 deletions(-)
 rename vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/{ => filtered}/secret.go (55%)

diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go
index b67666ef6af..5b98d61c79a 100644
--- a/pkg/auth/serviceaccount.go
+++ b/pkg/auth/serviceaccount.go
@@ -21,11 +21,13 @@ import (
 	"fmt"
 	"strings"
 
-	"knative.dev/eventing/pkg/apis/feature"
+	"k8s.io/apimachinery/pkg/api/equality"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/kmeta"
 	pkgreconciler "knative.dev/pkg/reconciler"
 
+	"knative.dev/eventing/pkg/apis/feature"
+
 	"go.uber.org/zap"
 	v1 "k8s.io/api/core/v1"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
@@ -38,10 +40,10 @@ import (
 )
 
 const (
-	//OIDCLabelKey is used to filter out all the informers that related to OIDC work
-	OIDCLabelKey = "oidc"
+	// OIDCLabelKey is used to filter out all the informers that related to OIDC work
+	OIDCLabelKey = "eventing.knative.dev/oidc"
 
-	// OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers
+	// OIDCLabelSelector is the label selector for the OIDC resources
 	OIDCLabelSelector = OIDCLabelKey
 )
 
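Review bot: Changing `OIDCLabelKey` from `oidc` to `eventing.knative.dev/oidc` also changes what the label-filtered informers select (`OIDCLabelSelector = OIDCLabelKey`, used by the service-account informer and now the secret informer in `pkg/reconciler/sinkbinding/controller.go`), so OIDC service accounts and token secrets created by an earlier release under the old key become invisible to the filtered listers after an upgrade. The `DeepDerivative` update path added to `EnsureOIDCServiceAccountExistsForResource` can only re-label a service account the lister already returns, so it appears not to cover that case; the commit message should say how existing resources are migrated to the new key. The doc comment on the constant also reads awkwardly and no longer says what carries the label; suggest `// OIDCLabelKey is the label key set on every resource the OIDC feature creates; the OIDC informers select on this key.` Moving to a domain-prefixed key is the right call, since a bare `oidc` label can collide with labels set by other components.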
@@ -87,28 +89,38 @@ func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccou
 	saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta)
 	sa, err := serviceAccountLister.ServiceAccounts(objectMeta.Namespace).Get(saName)
 
+	expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
+
 	// If the resource doesn't exist, we'll create it.
 	if apierrs.IsNotFound(err) {
 		logging.FromContext(ctx).Debugw("Creating OIDC service account", zap.Error(err))
 
-		expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
-
 		_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Create(ctx, expected, metav1.CreateOptions{})
 		if err != nil {
-			return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+			return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 		}
 
 		return nil
 	}
-
 	if err != nil {
-		return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+		return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 	}
-
 	if !metav1.IsControlledBy(&sa.ObjectMeta, &objectMeta) {
 		return fmt.Errorf("service account %s not owned by %s %s", sa.Name, gvk.Kind, objectMeta.Name)
 	}
 
+	if !equality.Semantic.DeepDerivative(expected, sa) {
+		expected.ResourceVersion = sa.ResourceVersion
+
+		_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Update(ctx, expected, metav1.UpdateOptions{})
+		if err != nil {
+			return fmt.Errorf("could not update OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
+		}
+
+		return nil
+
+	}
+
 	return nil
 }
 
diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go
index 573b3c737e6..1e6836089dc 100644
--- a/pkg/reconciler/sinkbinding/controller.go
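Review bot: The new drift-correction branch passes `expected` — a freshly built object with only `ResourceVersion` copied over from the live `sa` — to `Update`, so any field present on the live service account but not produced by `GetOIDCServiceAccountForResource` (annotations or extra labels added by an operator or another controller, `Secrets`, `ImagePullSecrets`, `AutomountServiceAccountToken`) is wiped whenever the two differ; `equality.Semantic.DeepDerivative(expected, sa)` only checks that fields set in `expected` are matched, so it will not notice those fields before they are dropped. If preserving them is intended, start from `sa.DeepCopy()` and overwrite only the fields this controller owns (presumably the OIDC label and the controller owner reference) before calling `Update`. Copying `ResourceVersion` does give optimistic concurrency, which is good. Stylistically, the `return nil` inside the new block is followed by a blank line before the closing `}` that reads as a leftover. The function's signature and the beginning of its body are outside this hunk.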
+++ b/pkg/reconciler/sinkbinding/controller.go
@@ -44,7 +44,7 @@ import (
 	"knative.dev/pkg/apis/duck"
 	kubeclient "knative.dev/pkg/client/injection/kube/client"
 	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
-	secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret"
+	secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered"
 	serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
@@ -80,7 +80,7 @@ func NewController(
 	psInformerFactory := podspecable.Get(ctx)
 	namespaceInformer := namespace.Get(ctx)
 	oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector)
-	secretInformer := secretinformer.Get(ctx)
+	secretInformer := secretinformer.Get(ctx, auth.OIDCLabelSelector)
 	trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector)
 	trustBundleConfigMapLister := trustBundleConfigMapInformer.Lister()
 
diff --git a/pkg/reconciler/sinkbinding/sinkbinding.go b/pkg/reconciler/sinkbinding/sinkbinding.go
index 74744d24453..6f314f66694 100644
--- a/pkg/reconciler/sinkbinding/sinkbinding.go
+++ b/pkg/reconciler/sinkbinding/sinkbinding.go
@@ -193,6 +193,9 @@ func (s *SinkBindingSubResourcesReconciler) renewOIDCTokenSecret(ctx context.Con
 
 	apiVersion := fmt.Sprintf("%s/%s", v1.SchemeGroupVersion.Group, v1.SchemeGroupVersion.Version)
 	applyConfig := new(applyconfigurationcorev1.SecretApplyConfiguration).
+		WithLabels(map[string]string{
+			auth.OIDCLabelKey: "enabled",
+		}).
 		WithName(secretName).
 		WithNamespace(sb.Namespace).
 		WithType(corev1.SecretTypeOpaque).
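Review bot: `secretinformer.Get(ctx, auth.OIDCLabelSelector)` panics at startup if that selector was never registered with the filtered informer factory in the binary's setup (see `Get` in the vendored `filtered/secret.go` in this patch), and the setup code is not part of this change; since `withInformer` in that file builds one informer per registered selector and the service-account informer on the previous line already uses `auth.OIDCLabelSelector`, this is presumably already satisfied, but worth confirming. Because the lister now only returns secrets carrying the `eventing.knative.dev/oidc` label, OIDC token secrets created before this release, which have no such label, will be reported as not found until they are re-applied with the label added in `pkg/reconciler/sinkbinding/sinkbinding.go`; if the reconciler consults this lister before deciding to apply, confirm the not-found path re-applies rather than errors. Narrowing the watch also shrinks the set of secrets held in the controller's cache, which is a worthwhile exposure reduction.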
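Review bot: The label value `"enabled"` is a bare literal whose role is unclear: the selector in `pkg/auth/serviceaccount.go` is `OIDCLabelSelector = OIDCLabelKey`, i.e. key-existence only, so the value is never consulted for filtering, and a reader cannot tell whether it must match whatever `GetOIDCServiceAccountForResource` puts on the service account. Suggest a named constant next to `OIDCLabelKey` (e.g. `OIDCLabelValue = "enabled"`, name constructed) used by both call sites, or at least a comment on this line such as `// Value is informational; the OIDC informers select on the key alone.` The enclosing `renewOIDCTokenSecret` starts before this hunk and continues after it.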
diff --git a/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/secret.go b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered/secret.go
similarity index 55%
rename from vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/secret.go
rename to vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered/secret.go
index 22ddeb56426..80d46c400c3 100644
--- a/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/secret.go
+++ b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered/secret.go
@@ -16,37 +16,50 @@ limitations under the License.
 
 // Code generated by injection-gen. DO NOT EDIT.
 
-package secret
+package filtered
 
 import (
 	context "context"
 	v1 "k8s.io/client-go/informers/core/v1"
-	factory "knative.dev/pkg/client/injection/kube/informers/factory"
+	filtered "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	controller "knative.dev/pkg/controller"
 	injection "knative.dev/pkg/injection"
 	logging "knative.dev/pkg/logging"
 )
 
 func init() {
-	injection.Default.RegisterInformer(withInformer)
+	injection.Default.RegisterFilteredInformers(withInformer)
 }
 
 // Key is used for associating the Informer inside the context.Context.
-type Key struct{}
+type Key struct {
+	Selector string
+}
 
-func withInformer(ctx context.Context) (context.Context, controller.Informer) {
-	f := factory.Get(ctx)
-	inf := f.Core().V1().Secrets()
-	return context.WithValue(ctx, Key{}, inf), inf.Informer()
+func withInformer(ctx context.Context) (context.Context, []controller.Informer) {
+	untyped := ctx.Value(filtered.LabelKey{})
+	if untyped == nil {
+		logging.FromContext(ctx).Panic(
+			"Unable to fetch labelkey from context.")
+	}
+	labelSelectors := untyped.([]string)
+	infs := []controller.Informer{}
+	for _, selector := range labelSelectors {
+		f := filtered.Get(ctx, selector)
+		inf := f.Core().V1().Secrets()
+		ctx = context.WithValue(ctx, Key{Selector: selector}, inf)
+		infs = append(infs, inf.Informer())
+	}
+	return ctx, infs
 }
 
 // Get extracts the typed informer from the context.
-func Get(ctx context.Context) v1.SecretInformer {
-	untyped := ctx.Value(Key{})
+func Get(ctx context.Context, selector string) v1.SecretInformer {
+	untyped := ctx.Value(Key{Selector: selector})
 	if untyped == nil {
-		logging.FromContext(ctx).Panic(
-			"Unable to fetch k8s.io/client-go/informers/core/v1.SecretInformer from context.")
+		logging.FromContext(ctx).Panicf(
+			"Unable to fetch k8s.io/client-go/informers/core/v1.SecretInformer with selector %s from context.", selector)
 	}
 	return untyped.(v1.SecretInformer)
 }
 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 07b2b0163a6..b79831716c8 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1109,7 +1109,7 @@ knative.dev/pkg/client/injection/kube/informers/core/v1/endpoints/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/namespace
 knative.dev/pkg/client/injection/kube/informers/core/v1/namespace/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/pod
-knative.dev/pkg/client/injection/kube/informers/core/v1/secret
+knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered
 knative.dev/pkg/client/injection/kube/informers/core/v1/service
 knative.dev/pkg/client/injection/kube/informers/core/v1/service/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount