From bbb4c415742baed6e3e1df21b4830cc077b2e6ea Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christoph=20St=C3=A4bler?= Date: Wed, 24 Apr 2024 12:48:02 +0200 Subject: [PATCH] [release-v1.12] Reconcile trigger on OIDC service account changes only, if SA references a trigger for correct broker class (#592) * Use filtered informer to watch OIDC service accounts (#7527) * controller.go changed * #7320 WIP * WIP: Testing filtered informer (knative#7341) * unit test passed * Revert "Merge remote-tracking branch 'otherfork/main' into main" This reverts commit 94cd51bdbdbb026b1c3ec2b004e0e4dfd564ea19, reversing changes made to 0bf29828a296f478e47d2d3c9a992372050f15cf. * Removed comments * Changed to filtered informer for Subscription identity service account * Changed to filtered informer for Sequence service accounts * Changed to filtered informer for Parallel identity service accounts * Changed to filtered informer for APIServerSource identity service account * fixed unit tests * added label selector for mtchannel_broker * added filtered informer for sinkbinding identity service accounts * added OIDC label selector in webhook * added filtered informer for containersource service accounts * added filtered informer for pingsource service accounts * added OIDC label selector in apiserver ctx * added OIDC label selector in broker/filter * added OIDC label selector in broker/ingress * added OIDC label selector in in_memory/channel_dispatcher * added OIDC label selector in mtping * fixed unit test issues for pingsource * fixed unit test for container source * formatted files * updated service account informer in apiserversource * updated service account informers in other places * small typo fix * added actual value for OIDC label * added a valid value for OIDClabelkey * changed references of OIDCLabelKey * fixed import path problem * changed OIDCLabelSelector in all main.go files * changed instances of OIDCLabelSelector in controller and controller test files * deleted OIDC related labels from register.go * fixed formatting issues * Added value for 
OIDCLabelKey --------- Co-authored-by: Scott * Reconcile trigger on OIDC service account changes only, if SA references a trigger for correct broker class (#7849) * Reconcile trigger on OIDC service account changes only, if SA references a trigger for correct broker class * Run goimports and gofmt * Remove deprecated use of pointer.Bool(v) and switch to prt.Bool(v) --------- Co-authored-by: Yijie Wang <147119743+yijie-04@users.noreply.github.com> Co-authored-by: Scott --- cmd/apiserver_receive_adapter/main.go | 2 + cmd/broker/filter/main.go | 1 + cmd/broker/ingress/main.go | 1 + cmd/controller/main.go | 4 +- cmd/in_memory/channel_dispatcher/main.go | 2 + cmd/mtchannel_broker/main.go | 11 +- cmd/mtping/main.go | 2 + cmd/webhook/main.go | 2 + pkg/apis/sources/register.go | 6 - pkg/auth/serviceaccount.go | 11 ++ pkg/auth/serviceaccount_test.go | 3 + .../apiserversource/apiserversource_test.go | 6 +- pkg/reconciler/apiserversource/controller.go | 15 +- .../apiserversource/controller_test.go | 6 +- .../resources/oidc_rolebinding.go | 6 +- pkg/reconciler/broker/trigger/controller.go | 44 +++++- .../broker/trigger/controller_test.go | 148 +++++++++++++++++- pkg/reconciler/containersource/controller.go | 7 +- .../containersource/controller_test.go | 5 +- pkg/reconciler/parallel/controller.go | 10 +- pkg/reconciler/parallel/controller_test.go | 14 +- pkg/reconciler/pingsource/controller.go | 9 +- pkg/reconciler/pingsource/controller_test.go | 13 +- pkg/reconciler/sequence/controller.go | 10 +- pkg/reconciler/sequence/controller_test.go | 14 +- pkg/reconciler/sinkbinding/controller.go | 8 +- pkg/reconciler/subscription/controller.go | 10 +- .../subscription/controller_test.go | 14 +- .../v1/serviceaccount/filtered/fake/fake.go | 52 ++++++ .../serviceaccount/filtered/serviceaccount.go | 65 ++++++++ vendor/modules.txt | 2 + 31 files changed, 436 insertions(+), 67 deletions(-) create mode 100644 
vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake/fake.go create mode 100644 vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/serviceaccount.go diff --git a/cmd/apiserver_receive_adapter/main.go b/cmd/apiserver_receive_adapter/main.go index 2506789d203..736af22bc9e 100644 --- a/cmd/apiserver_receive_adapter/main.go +++ b/cmd/apiserver_receive_adapter/main.go @@ -22,6 +22,7 @@ import ( "knative.dev/eventing/pkg/adapter/apiserver" "knative.dev/eventing/pkg/adapter/v2" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" ) @@ -34,6 +35,7 @@ func main() { ctx = adapter.WithInjectorEnabled(ctx) ctx = filteredFactory.WithSelectors(ctx, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) diff --git a/cmd/broker/filter/main.go b/cmd/broker/filter/main.go index 562c6d2c06f..8a699b72e22 100644 --- a/cmd/broker/filter/main.go +++ b/cmd/broker/filter/main.go @@ -81,6 +81,7 @@ func main() { log.Printf("Registering %d informers", len(injection.Default.GetInformers())) ctx = filteredFactory.WithSelectors(ctx, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) diff --git a/cmd/broker/ingress/main.go b/cmd/broker/ingress/main.go index e722b56d7d0..7647805d6e9 100644 --- a/cmd/broker/ingress/main.go +++ b/cmd/broker/ingress/main.go @@ -103,6 +103,7 @@ func main() { log.Printf("Registering %d informers", len(injection.Default.GetInformers())) ctx = filteredFactory.WithSelectors(ctx, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) diff --git a/cmd/controller/main.go b/cmd/controller/main.go index d7249444633..e6e5d61cfdb 100644 --- a/cmd/controller/main.go +++ b/cmd/controller/main.go 
@@ -28,7 +28,7 @@ import ( "knative.dev/pkg/injection/sharedmain" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" @@ -79,7 +79,7 @@ func main() { }() ctx = filteredFactory.WithSelectors(ctx, - sources.OIDCTokenRoleLabelSelector, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) diff --git a/cmd/in_memory/channel_dispatcher/main.go b/cmd/in_memory/channel_dispatcher/main.go index 52d7ebfe448..116bf66f00f 100644 --- a/cmd/in_memory/channel_dispatcher/main.go +++ b/cmd/in_memory/channel_dispatcher/main.go @@ -27,6 +27,7 @@ import ( "knative.dev/pkg/injection/sharedmain" "knative.dev/pkg/signals" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" inmemorychannel "knative.dev/eventing/pkg/reconciler/inmemorychannel/dispatcher" ) @@ -39,6 +40,7 @@ func main() { } ctx = filteredFactory.WithSelectors(ctx, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) diff --git a/cmd/mtchannel_broker/main.go b/cmd/mtchannel_broker/main.go index 7126df0bcd0..1728adaf39d 100644 --- a/cmd/mtchannel_broker/main.go +++ b/cmd/mtchannel_broker/main.go @@ -22,8 +22,12 @@ import ( "context" + "knative.dev/eventing/pkg/auth" "knative.dev/pkg/injection/sharedmain" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + "knative.dev/pkg/signals" + "knative.dev/eventing/pkg/reconciler/broker" mttrigger "knative.dev/eventing/pkg/reconciler/broker/trigger" ) @@ -33,7 +37,12 @@ const ( ) func main() { - sharedmain.Main( + ctx := signals.NewContext() + + ctx = filteredFactory.WithSelectors(ctx, + auth.OIDCLabelSelector) + + sharedmain.MainWithContext(ctx, component, broker.NewController, diff --git a/cmd/mtping/main.go b/cmd/mtping/main.go index eb30bbc74ca..9a35d892cb1 100644 --- a/cmd/mtping/main.go +++ b/cmd/mtping/main.go 
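Review bot: The new import block in cmd/mtchannel_broker/main.go puts `"knative.dev/eventing/pkg/auth"` in the same group as `knative.dev/pkg/injection/sharedmain` while `filteredFactory` and `signals` from that same `knative.dev/pkg` module get a group of their own, so the file no longer follows the stdlib / external / project grouping used elsewhere in the tree, and goimports only sorts within groups, it does not merge them. I'd move `auth` down into the `knative.dev/eventing/...` group next to `broker` and `mttrigger`, and fold `filteredFactory` and `signals` into the `knative.dev/pkg` group. The same stray single-import group appears in the parallel/controller.go and sequence/controller.go hunks (`"knative.dev/eventing/pkg/auth"` alone above `k8s.io/client-go/tools/cache`) and in the trigger/controller.go import hunk, where `corev1`, `metav1` and `auth` form a group above `go.uber.org/zap`. The `main` body continues outside the hunk.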
@@ -22,6 +22,7 @@ import ( "knative.dev/eventing/pkg/adapter/mtping" "knative.dev/eventing/pkg/adapter/v2" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" ) @@ -57,6 +58,7 @@ func main() { }) ctx = filteredFactory.WithSelectors(ctx, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go index f0b6dbed176..1dfac21d38a 100644 --- a/cmd/webhook/main.go +++ b/cmd/webhook/main.go @@ -26,6 +26,7 @@ import ( configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered" "knative.dev/eventing/pkg/apis/feature" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" @@ -287,6 +288,7 @@ func main() { }) ctx = filteredFactory.WithSelectors(ctx, + auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector, ) diff --git a/pkg/apis/sources/register.go b/pkg/apis/sources/register.go index 3cd87d78e75..55b4a748b17 100644 --- a/pkg/apis/sources/register.go +++ b/pkg/apis/sources/register.go @@ -32,12 +32,6 @@ const ( // SourceDuckLabelValue is the label value to indicate // the CRD is a Source duck type. SourceDuckLabelValue = "true" - - //OIDCLabelKey is used to filter out all the informers that related to OIDC work - OIDCLabelKey = "oidc" - - // OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers - OIDCTokenRoleLabelSelector = OIDCLabelKey ) var ( diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index 2e70c824189..b67666ef6af 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go 
@@ -37,6 +37,14 @@ import ( "knative.dev/pkg/ptr" ) +const ( + //OIDCLabelKey is used to filter out all the informers that related to OIDC work + OIDCLabelKey = "oidc" + + // OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers + OIDCLabelSelector = OIDCLabelKey +) + // GetOIDCServiceAccountNameForResource returns the service account name to use // for OIDC authentication for the given resource. func GetOIDCServiceAccountNameForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string { @@ -66,6 +74,9 @@ func GetOIDCServiceAccountForResource(gvk schema.GroupVersionKind, objectMeta me Annotations: map[string]string{ "description": fmt.Sprintf("Service Account for OIDC Authentication for %s %q", gvk.GroupKind().Kind, objectMeta.Name), }, + Labels: map[string]string{ + OIDCLabelKey: "enabled", + }, }, } } diff --git a/pkg/auth/serviceaccount_test.go b/pkg/auth/serviceaccount_test.go index 2bf53cdb836..8c9564b9d92 100644 --- a/pkg/auth/serviceaccount_test.go +++ b/pkg/auth/serviceaccount_test.go @@ -108,6 +108,9 @@ func TestGetOIDCServiceAccountForResource(t *testing.T) { Annotations: map[string]string{ "description": "Service Account for OIDC Authentication for Broker \"my-broker\"", }, + Labels: map[string]string{ + OIDCLabelKey: "enabled", + }, }, } diff --git a/pkg/reconciler/apiserversource/apiserversource_test.go b/pkg/reconciler/apiserversource/apiserversource_test.go index 30612fcd43e..d455f627570 100644 --- a/pkg/reconciler/apiserversource/apiserversource_test.go +++ b/pkg/reconciler/apiserversource/apiserversource_test.go @@ -21,8 +21,6 @@ import ( "fmt" "testing" - "knative.dev/eventing/pkg/apis/sources" - "knative.dev/pkg/kmeta" rbacv1 "k8s.io/api/rbac/v1" 
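Review bot: The doc comment on the new `OIDCLabelSelector` constant still reads `// OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers`, naming a constant that no longer exists and describing only roles and rolebindings although the selector now also drives the service account informers, and `//OIDCLabelKey` lacks the space after `//`. I'd write `// OIDCLabelKey is the label key set on resources created for OIDC authentication.` and `// OIDCLabelSelector is the label selector used by the filtered informers for OIDC-related roles, rolebindings and service accounts.` The literal `"enabled"` written into the service account labels here is repeated in the oidc_rolebinding.go hunk and in three tests; a sibling `OIDCLabelValue = "enabled"` constant would keep it in one place, even though a bare-key selector matches on label existence so the value itself does not affect filtering. The second hunk sits inside GetOIDCServiceAccountForResource, whose body continues outside the hunk.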
@@ -1356,7 +1354,7 @@ func makeOIDCRole() *rbacv1.Role { "description": fmt.Sprintf("Role for OIDC Authentication for ApiServerSource %q", sourceName), }, Labels: map[string]string{ - sources.OIDCLabelKey: "", + auth.OIDCLabelKey: "enabled", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(src), @@ -1386,7 +1384,7 @@ func makeOIDCRoleBinding() *rbacv1.RoleBinding { "description": fmt.Sprintf("Role Binding for OIDC Authentication for ApiServerSource %q", sourceName), }, Labels: map[string]string{ - sources.OIDCLabelKey: "", + auth.OIDCLabelKey: "enabled", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(src), diff --git a/pkg/reconciler/apiserversource/controller.go b/pkg/reconciler/apiserversource/controller.go index 7d944e444b9..cfddfc7be6b 100644 --- a/pkg/reconciler/apiserversource/controller.go +++ b/pkg/reconciler/apiserversource/controller.go @@ -22,7 +22,7 @@ import ( configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered" "knative.dev/pkg/system" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" eventingreconciler "knative.dev/eventing/pkg/reconciler" @@ -42,7 +42,8 @@ import ( deploymentinformer "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment" "knative.dev/pkg/client/injection/kube/informers/core/v1/namespace" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" + roleinformer "knative.dev/pkg/client/injection/kube/informers/rbac/v1/role/filtered" rolebindinginformer "knative.dev/pkg/client/injection/kube/informers/rbac/v1/rolebinding/filtered" 
@@ -67,11 +68,11 @@ func NewController( deploymentInformer := deploymentinformer.Get(ctx) apiServerSourceInformer := apiserversourceinformer.Get(ctx) namespaceInformer := namespace.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) // Create a selector string - roleInformer := roleinformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) - rolebindingInformer := rolebindinginformer.Get(ctx, sources.OIDCTokenRoleLabelSelector) + roleInformer := roleinformer.Get(ctx, auth.OIDCLabelSelector) + rolebindingInformer := rolebindinginformer.Get(ctx, auth.OIDCLabelSelector) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector) @@ -89,7 +90,7 @@ func NewController( ceSource: GetCfgHost(ctx), configs: reconcilersource.WatchConfigurations(ctx, component, cmw), namespaceLister: namespaceInformer.Lister(), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), roleLister: roleInformer.Lister(), roleBindingLister: rolebindingInformer.Lister(), trustBundleConfigMapLister: trustBundleConfigMapInformer.Lister(), @@ -142,7 +143,7 @@ func NewController( }) // Reconciler ApiServerSource when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&v1.ApiServerSource{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/apiserversource/controller_test.go b/pkg/reconciler/apiserversource/controller_test.go index fce6d240672..497d150f619 100644 --- a/pkg/reconciler/apiserversource/controller_test.go +++ b/pkg/reconciler/apiserversource/controller_test.go 
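Review bot: The trailing comment `// Create a selector string` on the new `oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector)` line describes nothing the line does (the selector is a package constant) and should be dropped. More importantly, `serviceAccountLister` now comes from an informer filtered on the `oidc` label, so any service account without that label is invisible to the reconciler; OIDC service accounts created by a release before this commit did not carry the label (the serviceaccount.go hunk is what adds it), so if the reconciler looks them up through this lister and creates on not-found, the API server would reject the create as already existing. Since this is a release-branch backport, I'd confirm the upgrade path, either by documenting that existing OIDC service accounts must be relabelled or by handling an already-exists error on create by fetching and labelling the object. The same lister swap happens in the trigger, containersource, parallel and pingsource controller hunks. NewController continues outside the hunk.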
@@ -23,7 +23,7 @@ import ( filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "knative.dev/eventing/pkg/eventingtls" "knative.dev/eventing/pkg/apis/feature" @@ -42,7 +42,7 @@ import ( // Fake injection informers _ "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/core/v1/namespace/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/rbac/v1/role/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/rbac/v1/rolebinding/filtered/fake" @@ -98,6 +98,6 @@ func TestNew(t *testing.T) { } func SetUpInformerSelector(ctx context.Context) context.Context { - ctx = filteredFactory.WithSelectors(ctx, eventingtls.TrustBundleLabelSelector, sources.OIDCTokenRoleLabelSelector) + ctx = filteredFactory.WithSelectors(ctx, eventingtls.TrustBundleLabelSelector, auth.OIDCLabelSelector) return ctx } diff --git a/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go b/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go index 0b486cb1526..1c38c5ef4c1 100644 --- a/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go +++ b/pkg/reconciler/apiserversource/resources/oidc_rolebinding.go @@ -19,7 +19,7 @@ package resources import ( "fmt" - "knative.dev/eventing/pkg/apis/sources" + "knative.dev/eventing/pkg/auth" "knative.dev/pkg/kmeta" 
@@ -54,7 +54,7 @@ func MakeOIDCRole(source *v1.ApiServerSource) (*rbacv1.Role, error) { "description": fmt.Sprintf("Role for OIDC Authentication for ApiServerSource %q", source.GetName()), }, Labels: map[string]string{ - sources.OIDCLabelKey: "", + auth.OIDCLabelKey: "enabled", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(source), @@ -92,7 +92,7 @@ func MakeOIDCRoleBinding(source *v1.ApiServerSource) (*rbacv1.RoleBinding, error "description": fmt.Sprintf("Role Binding for OIDC Authentication for ApiServerSource %q", source.GetName()), }, Labels: map[string]string{ - sources.OIDCLabelKey: "", + auth.OIDCLabelKey: "enabled", }, OwnerReferences: []metav1.OwnerReference{ *kmeta.NewControllerRef(source), diff --git a/pkg/reconciler/broker/trigger/controller.go b/pkg/reconciler/broker/trigger/controller.go index afc7a2a7ffb..8e92136d93a 100644 --- a/pkg/reconciler/broker/trigger/controller.go +++ b/pkg/reconciler/broker/trigger/controller.go @@ -19,12 +19,16 @@ package mttrigger import ( "context" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + + "knative.dev/eventing/pkg/auth" + "go.uber.org/zap" "k8s.io/apimachinery/pkg/labels" "k8s.io/client-go/tools/cache" "knative.dev/pkg/client/injection/ducks/duck/v1/source" configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" "knative.dev/pkg/configmap" "knative.dev/pkg/controller" "knative.dev/pkg/injection/clients/dynamicclient" @@ -45,6 +49,8 @@ import ( eventinglisters "knative.dev/eventing/pkg/client/listers/eventing/v1" "knative.dev/eventing/pkg/duck" kubeclient "knative.dev/pkg/client/injection/kube/client" + + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" ) // NewController initializes the controller and is called by the generated code 
@@ -59,7 +65,7 @@ func NewController( subscriptionInformer := subscriptioninformer.Get(ctx) configmapInformer := configmapinformer.Get(ctx) secretInformer := secretinformer.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store")) featureStore.WatchConfigs(cmw) @@ -74,7 +80,7 @@ func NewController( triggerLister: triggerLister, configmapLister: configmapInformer.Lister(), secretLister: secretInformer.Lister(), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), } impl := triggerreconciler.NewImpl(ctx, r, func(impl *controller.Impl) controller.Options { return controller.Options{ 
@@ -112,14 +118,42 @@ func NewController( }) // Reconciler Trigger when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ - FilterFunc: controller.FilterController(&eventing.Trigger{}), + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + FilterFunc: filterOIDCServiceAccounts(triggerInformer.Lister(), brokerInformer.Lister()), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) return impl } +// filterOIDCServiceAccounts returns a function that returns true if the resource passed +// is a service account, which is owned by a trigger pointing to a MTChannelBased broker. +func filterOIDCServiceAccounts(triggerLister eventinglisters.TriggerLister, brokerLister eventinglisters.BrokerLister) func(interface{}) bool { + return func(obj interface{}) bool { + controlledByTrigger := controller.FilterController(&eventing.Trigger{})(obj) + if !controlledByTrigger { + return false + } + + sa, ok := obj.(*corev1.ServiceAccount) + if !ok { + return false + } + + owner := metav1.GetControllerOf(sa) + if owner == nil { + return false + } + + trigger, err := triggerLister.Triggers(sa.Namespace).Get(owner.Name) + if err != nil { + return false + } + + return filterTriggers(brokerLister)(trigger) + } +} + // filterTriggers returns a function that returns true if the resource passed // is a trigger pointing to a MTChannelBroker. func filterTriggers(lister eventinglisters.BrokerLister) func(interface{}) bool { diff --git a/pkg/reconciler/broker/trigger/controller_test.go b/pkg/reconciler/broker/trigger/controller_test.go index 86bf267d939..f9f090e5ba6 100644 --- a/pkg/reconciler/broker/trigger/controller_test.go +++ b/pkg/reconciler/broker/trigger/controller_test.go 
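Review bot: The closure returned by filterOIDCServiceAccounts rebuilds `controller.FilterController(&eventing.Trigger{})` and `filterTriggers(brokerLister)` on every informer event; both can be constructed once outside the returned func. Separately, `obj.(*corev1.ServiceAccount)` returns false for a `cache.DeletedFinalStateUnknown` tombstone even though, as far as I recall, FilterController unwraps tombstones via `kmeta.DeletionHandlingAccessor`, so a tombstoned delete of the OIDC service account never requeues the owning Trigger to recreate it; using `kmeta.DeletionHandlingAccessor(obj)` here keeps the two checks consistent (it needs a `knative.dev/pkg/kmeta` import and leaves the new `corev1` import unused). The doc comment says "MTChannelBased broker" while the one on filterTriggers says "MTChannelBroker"; align them. The rewritten function is below; filterTriggers' body continues outside the hunk.
```go
// filterOIDCServiceAccounts returns a function that returns true if the resource passed
// is a service account owned by a Trigger that points to a MTChannelBroker.
func filterOIDCServiceAccounts(triggerLister eventinglisters.TriggerLister, brokerLister eventinglisters.BrokerLister) func(interface{}) bool {
	// Build the inner filters once; the returned closure runs on every informer event.
	ownedByTrigger := controller.FilterController(&eventing.Trigger{})
	pointsToMTChannelBroker := filterTriggers(brokerLister)

	return func(obj interface{}) bool {
		if !ownedByTrigger(obj) {
			return false
		}

		// Deletion-handling accessor so tombstoned deletes still requeue the Trigger.
		sa, err := kmeta.DeletionHandlingAccessor(obj)
		if err != nil {
			return false
		}

		owner := metav1.GetControllerOf(sa)
		if owner == nil {
			return false
		}

		trigger, err := triggerLister.Triggers(sa.GetNamespace()).Get(owner.Name)
		if err != nil {
			return false
		}

		return pointsToMTChannelBroker(trigger)
	}
}
```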
@@ -17,9 +17,17 @@ limitations under the License. package mttrigger import ( + "context" "fmt" "testing" + "knative.dev/pkg/ptr" + + triggerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger" + + "knative.dev/eventing/pkg/auth" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + "github.com/stretchr/testify/assert" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -44,11 +52,12 @@ import ( _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker/fake" _ "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" ) func TestNew(t *testing.T) { - ctx, _ := SetupFakeContext(t) + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) c := NewController(ctx, configmap.NewStaticWatcher(&corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: "config-features"}})) 
@@ -57,8 +66,141 @@ func TestNew(t *testing.T) { } } +func SetUpInformerSelector(ctx context.Context) context.Context { + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector) + return ctx +} + +func TestFilterOIDCServiceAccounts(t *testing.T) { + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) + + tt := []struct { + name string + sa *corev1.ServiceAccount + trigger *eventing.Trigger + brokers []*eventing.Broker + pass bool + }{{ + name: "matching owner reference", + sa: &corev1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", + Name: "sa", + OwnerReferences: []metav1.OwnerReference{ + { + APIVersion: eventing.SchemeGroupVersion.String(), + Kind: "Trigger", + Name: "tr", + Controller: ptr.Bool(true), + }, + }, + }, + }, + trigger: &eventing.Trigger{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", + Name: "tr", + }, + Spec: eventing.TriggerSpec{ + Broker: "br", + }, + }, + brokers: []*eventing.Broker{{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", + Name: "br", + Annotations: map[string]string{ + eventing.BrokerClassAnnotationKey: apiseventing.MTChannelBrokerClassValue, + }, + }, + }}, + pass: true, + }, { + name: "references trigger for wrong broker class", + sa: &corev1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", + Name: "sa", + OwnerReferences: []metav1.OwnerReference{ + { + APIVersion: eventing.SchemeGroupVersion.String(), + Kind: "Trigger", + Name: "tr", + Controller: ptr.Bool(true), + }, + }, + }, + }, + trigger: &eventing.Trigger{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", + Name: "tr", + }, + Spec: eventing.TriggerSpec{ + Broker: "br", + }, + }, + brokers: []*eventing.Broker{{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", + Name: "br", + Annotations: map[string]string{ + eventing.BrokerClassAnnotationKey: "another-broker-class", + }, + }, + }}, + pass: false, + }, { + name: "no owner reference", + sa: &corev1.ServiceAccount{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", 
+ Name: "sa", + }, + }, + trigger: &eventing.Trigger{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", + Name: "tr", + }, + Spec: eventing.TriggerSpec{ + Broker: "br", + }, + }, + brokers: []*eventing.Broker{{ + ObjectMeta: metav1.ObjectMeta{ + Namespace: "ns", + Name: "br", + Annotations: map[string]string{ + eventing.BrokerClassAnnotationKey: apiseventing.MTChannelBrokerClassValue, + }, + }, + }}, + pass: false, + }} + + for _, tc := range tt { + tc := tc + t.Run(tc.name, func(t *testing.T) { + brokerInformer := brokerinformer.Get(ctx) + for _, obj := range tc.brokers { + err := brokerInformer.Informer().GetStore().Add(obj) + assert.NoError(t, err) + } + + triggerInformer := triggerinformer.Get(ctx) + err := triggerInformer.Informer().GetStore().Add(tc.trigger) + assert.NoError(t, err) + + filter := filterOIDCServiceAccounts(triggerInformer.Lister(), brokerInformer.Lister()) + pass := filter(tc.sa) + assert.Equal(t, tc.pass, pass) + }) + } +} + func TestFilterTriggers(t *testing.T) { - ctx, _ := SetupFakeContext(t) + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) tt := []struct { name string diff --git a/pkg/reconciler/containersource/controller.go b/pkg/reconciler/containersource/controller.go index 4b09697aec1..49ff5a6e5c1 100644 --- a/pkg/reconciler/containersource/controller.go +++ b/pkg/reconciler/containersource/controller.go @@ -25,6 +25,7 @@ import ( "knative.dev/eventing/pkg/apis/feature" v1 "knative.dev/eventing/pkg/apis/sources/v1" + "knative.dev/eventing/pkg/auth" eventingclient "knative.dev/eventing/pkg/client/injection/client" containersourceinformer "knative.dev/eventing/pkg/client/injection/informers/sources/v1/containersource" sinkbindinginformer "knative.dev/eventing/pkg/client/injection/informers/sources/v1/sinkbinding" 
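Review bot: TestFilterOIDCServiceAccounts creates one fake context before the loop, so all three subtests share the same broker and trigger stores and reuse the names `ns/br` and `ns/tr`; each `GetStore().Add` silently replaces the previous subtest's object, so the cases only pass because they run in order, and a future case that relies on an object being absent would be affected by the earlier ones. I'd move `ctx, _ := SetupFakeContext(t, SetUpInformerSelector)` inside `t.Run` so every case starts from an empty store. Two branches of the filter are not covered: a service account whose controller ref names a trigger that is not in the lister, and one whose controller ref is a non-Trigger kind such as `Broker`; the `tc := tc` copy is only needed while go.mod targets a Go version before 1.22. TestFilterTriggers, where the hunk ends, continues outside the hunk.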
@@ -34,7 +35,7 @@ import ( kubeclient "knative.dev/pkg/client/injection/kube/client" deploymentinformer "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "knative.dev/pkg/configmap" "knative.dev/pkg/controller" "knative.dev/pkg/logging" @@ -51,7 +52,7 @@ func NewController( containersourceInformer := containersourceinformer.Get(ctx) sinkbindingInformer := sinkbindinginformer.Get(ctx) deploymentInformer := deploymentinformer.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector) var globalResync func(obj interface{}) @@ -69,7 +70,7 @@ func NewController( containerSourceLister: containersourceInformer.Lister(), deploymentLister: deploymentInformer.Lister(), sinkBindingLister: sinkbindingInformer.Lister(), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), trustBundleConfigMapLister: trustBundleConfigMapInformer.Lister(), } impl := v1containersource.NewImpl(ctx, r, func(impl *controller.Impl) controller.Options { diff --git a/pkg/reconciler/containersource/controller_test.go b/pkg/reconciler/containersource/controller_test.go index 834c9818694..21d4d9b7149 100644 --- a/pkg/reconciler/containersource/controller_test.go +++ b/pkg/reconciler/containersource/controller_test.go @@ -22,6 +22,7 @@ import ( corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "knative.dev/eventing/pkg/auth" filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/configmap" . "knative.dev/pkg/reconciler/testing" 
@@ -29,7 +30,7 @@ import ( // Fake injection informers _ "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment/fake" _ "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/pkg/injection/clients/dynamicclient/fake" @@ -56,6 +57,6 @@ func TestNew(t *testing.T) { } func SetUpInformerSelector(ctx context.Context) context.Context { - ctx = filteredFactory.WithSelectors(ctx, eventingtls.TrustBundleLabelSelector) + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector, eventingtls.TrustBundleLabelSelector) return ctx } diff --git a/pkg/reconciler/parallel/controller.go b/pkg/reconciler/parallel/controller.go index 86522c21244..524b968836d 100644 --- a/pkg/reconciler/parallel/controller.go +++ b/pkg/reconciler/parallel/controller.go @@ -19,12 +19,14 @@ package parallel import ( "context" + "knative.dev/eventing/pkg/auth" + "k8s.io/client-go/tools/cache" "knative.dev/eventing/pkg/apis/feature" v1 "knative.dev/eventing/pkg/apis/flows/v1" "knative.dev/eventing/pkg/duck" kubeclient "knative.dev/pkg/client/injection/kube/client" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "knative.dev/pkg/configmap" "knative.dev/pkg/controller" "knative.dev/pkg/injection/clients/dynamicclient" 
@@ -46,7 +48,7 @@ func NewController( parallelInformer := parallel.Get(ctx) subscriptionInformer := subscription.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) var globalResync func(obj interface{}) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) { @@ -59,7 +61,7 @@ func NewController( r := &Reconciler{ parallelLister: parallelInformer.Lister(), subscriptionLister: subscriptionInformer.Lister(), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), kubeclient: kubeclient.Get(ctx), dynamicClientSet: dynamicclient.Get(ctx), eventingClientSet: eventingclient.Get(ctx), @@ -84,7 +86,7 @@ func NewController( Handler: controller.HandleAll(impl.EnqueueControllerOf), }) // Reconcile Parallel when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&v1.Parallel{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/parallel/controller_test.go b/pkg/reconciler/parallel/controller_test.go index 57f214a68ae..3af5abc8a1c 100644 --- a/pkg/reconciler/parallel/controller_test.go +++ b/pkg/reconciler/parallel/controller_test.go @@ -17,8 +17,12 @@ limitations under the License. package parallel import ( + "context" "testing" + "knative.dev/eventing/pkg/auth" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/pkg/configmap" 
@@ -29,11 +33,12 @@ import ( _ "knative.dev/eventing/pkg/client/injection/ducks/duck/v1/channelable/fake" _ "knative.dev/eventing/pkg/client/injection/informers/flows/v1/parallel/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" ) func TestNew(t *testing.T) { - ctx, _ := SetupFakeContext(t) + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) c := NewController(ctx, configmap.NewStaticWatcher( &corev1.ConfigMap{ @@ -47,3 +52,8 @@ func TestNew(t *testing.T) { t.Fatal("Expected NewController to return a non-nil value") } } + +func SetUpInformerSelector(ctx context.Context) context.Context { + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector) + return ctx +} diff --git a/pkg/reconciler/pingsource/controller.go b/pkg/reconciler/pingsource/controller.go index 724908e6a67..be0d30f2a90 100644 --- a/pkg/reconciler/pingsource/controller.go +++ b/pkg/reconciler/pingsource/controller.go @@ -20,8 +20,9 @@ import ( "context" sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1" + "knative.dev/eventing/pkg/auth" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "go.uber.org/zap" 
@@ -77,13 +78,13 @@ func NewController( deploymentInformer := deploymentinformer.Get(ctx) pingSourceInformer := pingsourceinformer.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) r := &Reconciler{ kubeClientSet: kubeclient.Get(ctx), leConfig: leConfig, configAcc: reconcilersource.WatchConfigurations(ctx, component, cmw), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), } impl := pingsourcereconciler.NewImpl(ctx, r, func(impl *controller.Impl) controller.Options { @@ -113,7 +114,7 @@ func NewController( )), }) - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&sourcesv1.PingSource{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/pingsource/controller_test.go b/pkg/reconciler/pingsource/controller_test.go index 33b740443e0..2c9a373328d 100644 --- a/pkg/reconciler/pingsource/controller_test.go +++ b/pkg/reconciler/pingsource/controller_test.go @@ -17,12 +17,15 @@ limitations under the License. package pingsource import ( + "context" "testing" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/eventing/pkg/apis/feature" + "knative.dev/eventing/pkg/auth" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" "knative.dev/pkg/configmap" "knative.dev/pkg/logging" "knative.dev/pkg/metrics" 
@@ -33,13 +36,14 @@ import ( _ "knative.dev/eventing/pkg/client/injection/informers/sources/v1/pingsource/fake" _ "knative.dev/pkg/client/injection/ducks/duck/v1/addressable/fake" _ "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" _ "knative.dev/pkg/client/injection/kube/informers/rbac/v1/rolebinding/fake" . "knative.dev/pkg/reconciler/testing" ) func TestNew(t *testing.T) { - ctx, _ := SetupFakeContext(t) + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) c := NewController(ctx, configmap.NewStaticWatcher( &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ @@ -90,3 +94,8 @@ func TestNew(t *testing.T) { t.Fatal("Expected NewController to return a non-nil value") } } + +func SetUpInformerSelector(ctx context.Context) context.Context { + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector) + return ctx +} diff --git a/pkg/reconciler/sequence/controller.go b/pkg/reconciler/sequence/controller.go index 6d8a8fe71f6..2ba64da960c 100644 --- a/pkg/reconciler/sequence/controller.go +++ b/pkg/reconciler/sequence/controller.go @@ -19,6 +19,8 @@ package sequence import ( "context" + "knative.dev/eventing/pkg/auth" + "k8s.io/client-go/tools/cache" "knative.dev/eventing/pkg/apis/feature" v1 "knative.dev/eventing/pkg/apis/flows/v1" 
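Review bot: The new `"knative.dev/eventing/pkg/auth"` import in sequence/controller.go is placed directly under `"context"` in the standard-library group, with a new blank line separating it from the other knative.dev imports; goimports would group it with `"knative.dev/eventing/pkg/apis/feature"` and the other knative.dev paths. The same placement appears in the subscription/controller.go import hunk. Moving it now avoids a spurious reorder the next time either file is saved with goimports.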
@@ -33,7 +35,7 @@ import ( "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription" sequencereconciler "knative.dev/eventing/pkg/client/injection/reconciler/flows/v1/sequence" kubeclient "knative.dev/pkg/client/injection/kube/client" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "knative.dev/pkg/injection/clients/dynamicclient" ) @@ -46,7 +48,7 @@ func NewController( sequenceInformer := sequence.Get(ctx) subscriptionInformer := subscription.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) var globalResync func(obj interface{}) featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) { @@ -61,7 +63,7 @@ func NewController( subscriptionLister: subscriptionInformer.Lister(), dynamicClientSet: dynamicclient.Get(ctx), eventingClientSet: eventingclient.Get(ctx), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), kubeclient: kubeclient.Get(ctx), } @@ -86,7 +88,7 @@ func NewController( }) // Reconcile Sequence when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&v1.Sequence{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/sequence/controller_test.go b/pkg/reconciler/sequence/controller_test.go index 2e93479d5ba..ee62360a68d 100644 --- a/pkg/reconciler/sequence/controller_test.go +++ b/pkg/reconciler/sequence/controller_test.go 
@@ -17,8 +17,12 @@ limitations under the License. package sequence import ( + "context" "testing" + "knative.dev/eventing/pkg/auth" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/pkg/configmap" @@ -29,11 +33,12 @@ import ( _ "knative.dev/eventing/pkg/client/injection/ducks/duck/v1/channelable/fake" _ "knative.dev/eventing/pkg/client/injection/informers/flows/v1/sequence/fake" _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" ) func TestNew(t *testing.T) { - ctx, _ := SetupFakeContext(t) + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) c := NewController(ctx, configmap.NewStaticWatcher( &corev1.ConfigMap{ @@ -46,3 +51,8 @@ func TestNew(t *testing.T) { t.Fatal("Expected NewController to return a non-nil value") } } + +func SetUpInformerSelector(ctx context.Context) context.Context { + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector) + return ctx +} diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go index b8da07abcad..946c25bdf72 100644 --- a/pkg/reconciler/sinkbinding/controller.go +++ b/pkg/reconciler/sinkbinding/controller.go 
@@ -44,7 +44,7 @@ import ( kubeclient "knative.dev/pkg/client/injection/kube/client" configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered" secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "knative.dev/pkg/configmap" "knative.dev/pkg/controller" "knative.dev/pkg/injection/clients/dynamicclient" @@ -80,7 +80,7 @@ func NewController( dc := dynamicclient.Get(ctx) psInformerFactory := podspecable.Get(ctx) namespaceInformer := namespace.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) secretInformer := secretinformer.Get(ctx) trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector) trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister() @@ -136,7 +136,7 @@ func NewController( res: sbResolver, tracker: impl.Tracker, kubeclient: kubeclient.Get(ctx), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), secretLister: secretInformer.Lister(), featureStore: featureStore, tokenProvider: auth.NewOIDCTokenProvider(ctx), @@ -155,7 +155,7 @@ func NewController( } // Reconcile SinkBinding when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&v1.SinkBinding{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) 
diff --git a/pkg/reconciler/subscription/controller.go b/pkg/reconciler/subscription/controller.go index f4f4a0da9bd..6f5d96b3849 100644 --- a/pkg/reconciler/subscription/controller.go +++ b/pkg/reconciler/subscription/controller.go @@ -19,6 +19,8 @@ package subscription import ( "context" + "knative.dev/eventing/pkg/auth" + "k8s.io/client-go/tools/cache" "knative.dev/eventing/pkg/apis/feature" "knative.dev/pkg/client/injection/apiextensions/informers/apiextensions/v1/customresourcedefinition" @@ -35,7 +37,7 @@ import ( subscriptionreconciler "knative.dev/eventing/pkg/client/injection/reconciler/messaging/v1/subscription" "knative.dev/eventing/pkg/duck" kubeclient "knative.dev/pkg/client/injection/kube/client" - serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" + serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" "knative.dev/pkg/injection/clients/dynamicclient" ) @@ -48,7 +50,7 @@ func NewController( subscriptionInformer := subscription.Get(ctx) channelInformer := channel.Get(ctx) - serviceaccountInformer := serviceaccountinformer.Get(ctx) + oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector) var globalResync func(obj interface{}) @@ -65,7 +67,7 @@ func NewController( kreferenceResolver: kref.NewKReferenceResolver(customresourcedefinition.Get(ctx).Lister()), subscriptionLister: subscriptionInformer.Lister(), channelLister: channelInformer.Lister(), - serviceAccountLister: serviceaccountInformer.Lister(), + serviceAccountLister: oidcServiceaccountInformer.Lister(), } impl := subscriptionreconciler.NewImpl(ctx, r, func(impl *controller.Impl) controller.Options { return controller.Options{ 
@@ -97,7 +99,7 @@ func NewController( )) // Reconciler Subscription when the OIDC service account changes - serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ + oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{ FilterFunc: controller.FilterController(&messagingv1.Subscription{}), Handler: controller.HandleAll(impl.EnqueueControllerOf), }) diff --git a/pkg/reconciler/subscription/controller_test.go b/pkg/reconciler/subscription/controller_test.go index dcddd2611bb..19416e1ef32 100644 --- a/pkg/reconciler/subscription/controller_test.go +++ b/pkg/reconciler/subscription/controller_test.go @@ -17,8 +17,12 @@ limitations under the License. package subscription import ( + "context" "testing" + "knative.dev/eventing/pkg/auth" + filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "knative.dev/pkg/configmap" @@ -32,11 +36,12 @@ import ( _ "knative.dev/eventing/pkg/client/injection/informers/messaging/v1/subscription/fake" _ "knative.dev/pkg/client/injection/apiextensions/informers/apiextensions/v1/customresourcedefinition/fake" _ "knative.dev/pkg/client/injection/ducks/duck/v1/addressable/fake" - _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake" + _ "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake" + _ "knative.dev/pkg/client/injection/kube/informers/factory/filtered/fake" ) func TestNew(t *testing.T) { - ctx, _ := SetupFakeContext(t) + ctx, _ := SetupFakeContext(t, SetUpInformerSelector) c := NewController(ctx, configmap.NewStaticWatcher( &corev1.ConfigMap{ @@ -50,3 +55,8 @@ func TestNew(t *testing.T) { t.Fatal("Expected NewController to return a non-nil value") } } + +func SetUpInformerSelector(ctx context.Context) context.Context { + ctx = filteredFactory.WithSelectors(ctx, auth.OIDCLabelSelector) + return ctx +} 
diff --git a/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake/fake.go b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake/fake.go
new file mode 100644
index 00000000000..4a89f8b5d30
--- /dev/null
+++ b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake/fake.go
@@ -0,0 +1,52 @@ +/* +Copyright 2022 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by injection-gen. DO NOT EDIT. + +package fake + +import ( + context "context" + + filtered "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered" + factoryfiltered "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + controller "knative.dev/pkg/controller" + injection "knative.dev/pkg/injection" + logging "knative.dev/pkg/logging" +) + +var Get = filtered.Get + +func init() { + injection.Fake.RegisterFilteredInformers(withInformer) +} + +func withInformer(ctx context.Context) (context.Context, []controller.Informer) { + untyped := ctx.Value(factoryfiltered.LabelKey{}) + if untyped == nil { + logging.FromContext(ctx).Panic( + "Unable to fetch labelkey from context.") + } + labelSelectors := untyped.([]string) + infs := []controller.Informer{} + for _, selector := range labelSelectors { + f := factoryfiltered.Get(ctx, selector) + inf := f.Core().V1().ServiceAccounts() + ctx = context.WithValue(ctx, filtered.Key{Selector: selector}, inf) + infs = append(infs, inf.Informer()) + } + return ctx, infs +} diff --git a/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/serviceaccount.go b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/serviceaccount.go new file mode 100644 index 00000000000..58cb4fc80bb --- /dev/null 
+++ b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/serviceaccount.go 
@@ -0,0 +1,65 @@ +/* +Copyright 2022 The Knative Authors + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +// Code generated by injection-gen. DO NOT EDIT. + +package filtered + +import ( + context "context" + + v1 "k8s.io/client-go/informers/core/v1" + filtered "knative.dev/pkg/client/injection/kube/informers/factory/filtered" + controller "knative.dev/pkg/controller" + injection "knative.dev/pkg/injection" + logging "knative.dev/pkg/logging" +) + +func init() { + injection.Default.RegisterFilteredInformers(withInformer) +} + +// Key is used for associating the Informer inside the context.Context. +type Key struct { + Selector string +} + +func withInformer(ctx context.Context) (context.Context, []controller.Informer) { + untyped := ctx.Value(filtered.LabelKey{}) + if untyped == nil { + logging.FromContext(ctx).Panic( + "Unable to fetch labelkey from context.") + } + labelSelectors := untyped.([]string) + infs := []controller.Informer{} + for _, selector := range labelSelectors { + f := filtered.Get(ctx, selector) + inf := f.Core().V1().ServiceAccounts() + ctx = context.WithValue(ctx, Key{Selector: selector}, inf) + infs = append(infs, inf.Informer()) + } + return ctx, infs +} + +// Get extracts the typed informer from the context. 
+func Get(ctx context.Context, selector string) v1.ServiceAccountInformer { + untyped := ctx.Value(Key{Selector: selector}) + if untyped == nil { + logging.FromContext(ctx).Panicf( + "Unable to fetch k8s.io/client-go/informers/core/v1.ServiceAccountInformer with selector %s from context.", selector) + } + return untyped.(v1.ServiceAccountInformer) +} diff --git a/vendor/modules.txt b/vendor/modules.txt index c5d6735161b..78b43269de5 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1288,6 +1288,8 @@ knative.dev/pkg/client/injection/kube/informers/core/v1/service knative.dev/pkg/client/injection/kube/informers/core/v1/service/fake knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/fake +knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered +knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered/fake knative.dev/pkg/client/injection/kube/informers/factory knative.dev/pkg/client/injection/kube/informers/factory/fake knative.dev/pkg/client/injection/kube/informers/factory/filtered