[release-1.13] Create SinkBindings token-secret only if sink has an a…

…udience set (knative#7706) (#539) * Create SinkBindings token-secret only if sink has audience set. * Run goimports --------- Co-authored-by: Knative Prow Robot <[email protected]>
openshift-knative · Feb 20, 2024 · d811415 · d811415
1 parent aa20ab9
commit d811415
Showing 1 changed file with 25 additions and 22 deletions.
diff --git a/pkg/reconciler/sinkbinding/sinkbinding.go b/pkg/reconciler/sinkbinding/sinkbinding.go
@@ -22,6 +22,8 @@ import (
 	"fmt"
 	"time"
 
+	duckv1 "knative.dev/pkg/apis/duck/v1"
+
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"knative.dev/pkg/kmeta"
 	"knative.dev/pkg/resolver"
@@ -35,7 +37,6 @@ import (
 	"k8s.io/client-go/kubernetes"
 	corev1listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/utils/pointer"
-	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/logging"
 	"knative.dev/pkg/tracker"
 	"knative.dev/pkg/webhook/psbinding"
@@ -91,24 +92,30 @@ func (s *SinkBindingSubResourcesReconciler) Reconcile(ctx context.Context, b psb
 
 	featureFlags := s.featureStore.Load()
 	if featureFlags.IsOIDCAuthentication() {
-		saName := auth.GetOIDCServiceAccountNameForResource(v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta)
-		sb.Status.Auth = &duckv1.AuthStatus{
-			ServiceAccountName: &saName,
-		}
-
-		if err := auth.EnsureOIDCServiceAccountExistsForResource(ctx, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta); err != nil {
-			sb.Status.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err)
-			return err
+		if sb.Status.SinkAudience != nil {
+			saName := auth.GetOIDCServiceAccountNameForResource(v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta)
+			sb.Status.Auth = &duckv1.AuthStatus{
+				ServiceAccountName: &saName,
+			}
+
+			if err := auth.EnsureOIDCServiceAccountExistsForResource(ctx, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta); err != nil {
+				sb.Status.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err)
+				return err
+			}
+			sb.Status.MarkOIDCIdentityCreatedSucceeded()
+
+			err := s.reconcileOIDCTokenSecret(ctx, sb)
+			if err != nil {
+				sb.Status.MarkOIDCTokenSecretCreatedFailed("Unable to reconcile OIDC token secret", "%v", err)
+				return err
+			}
+			sb.Status.MarkOIDCTokenSecretCreatedSuccceeded()
+		} else {
+			// sink has no audience set -> don't create token secret
+			sb.Status.MarkOIDCIdentityCreatedSucceededWithReason("Sink has no audience defined", "")
+			sb.Status.MarkOIDCTokenSecretCreatedSuccceededWithReason("Sink has no audience defined", "")
+			sb.Status.OIDCTokenSecretName = nil
 		}
-		sb.Status.MarkOIDCIdentityCreatedSucceeded()
-
-		err := s.reconcileOIDCTokenSecret(ctx, sb)
-		if err != nil {
-			sb.Status.MarkOIDCTokenSecretCreatedFailed("Unable to reconcile OIDC token secret", "%v", err)
-			return err
-		}
-		sb.Status.MarkOIDCTokenSecretCreatedSuccceeded()
-
 	} else {
 		sb.Status.Auth = nil
 		sb.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "")
@@ -132,10 +139,6 @@ func (s *SinkBindingSubResourcesReconciler) reconcileOIDCTokenSecret(ctx context
 	logger := logging.FromContext(ctx)
 	secretName := s.oidcTokenSecretName(sb)
 
-	if sb.Status.SinkAudience == nil {
-		return fmt.Errorf("sinkAudience must be set on %s/%s to generate a OIDC token secret", sb.Name, sb.Namespace)
-	}
-
 	secret, err := s.secretLister.Secrets(sb.Namespace).Get(secretName)
 	if err != nil {
 		if apierrs.IsNotFound(err) {