From d811415dad874df4ef770d2e0ed1de7126d32d90 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christoph=20St=C3=A4bler?=
Date: Tue, 20 Feb 2024 16:28:02 +0100
Subject: [PATCH] [release-1.13] Create SinkBindings token-secret only if sink has an audience set (#7706) (#539)

* Create SinkBindings token-secret only if sink has audience set.
* Run goimports
---------
Co-authored-by: Knative Prow Robot
---
 pkg/reconciler/sinkbinding/sinkbinding.go | 47 ++++++++++++-----------
 1 file changed, 25 insertions(+), 22 deletions(-)

diff --git a/pkg/reconciler/sinkbinding/sinkbinding.go b/pkg/reconciler/sinkbinding/sinkbinding.go
index 2ded3d8fee4..687c8500841 100644
--- a/pkg/reconciler/sinkbinding/sinkbinding.go
+++ b/pkg/reconciler/sinkbinding/sinkbinding.go
@@ -22,6 +22,8 @@ import (
 	"fmt"
 	"time"
 
+	duckv1 "knative.dev/pkg/apis/duck/v1"
+
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"knative.dev/pkg/kmeta"
 	"knative.dev/pkg/resolver"
@@ -35,7 +37,6 @@ import (
 	"k8s.io/client-go/kubernetes"
 	corev1listers "k8s.io/client-go/listers/core/v1"
 	"k8s.io/utils/pointer"
-	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/logging"
 	"knative.dev/pkg/tracker"
 	"knative.dev/pkg/webhook/psbinding"
@@ -91,24 +92,30 @@ func (s *SinkBindingSubResourcesReconciler) Reconcile(ctx context.Context, b psb featureFlags := s.featureStore.Load() if featureFlags.IsOIDCAuthentication() { - saName := auth.GetOIDCServiceAccountNameForResource(v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta) - sb.Status.Auth = &duckv1.AuthStatus{ - ServiceAccountName: &saName, - } - - if err := auth.EnsureOIDCServiceAccountExistsForResource(ctx, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta); err != nil { - sb.Status.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err) - return err + if sb.Status.SinkAudience != nil { + saName := auth.GetOIDCServiceAccountNameForResource(v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta) + sb.Status.Auth = &duckv1.AuthStatus{ + ServiceAccountName: &saName, + } + + if err := auth.EnsureOIDCServiceAccountExistsForResource(ctx, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta); err != nil { + sb.Status.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err) + return err + } + sb.Status.MarkOIDCIdentityCreatedSucceeded() + + err := s.reconcileOIDCTokenSecret(ctx, sb) + if err != nil { + sb.Status.MarkOIDCTokenSecretCreatedFailed("Unable to reconcile OIDC token secret", "%v", err) + return err + } + sb.Status.MarkOIDCTokenSecretCreatedSuccceeded() + } else { + // sink has no audience set -> don't create token secret + sb.Status.MarkOIDCIdentityCreatedSucceededWithReason("Sink has no audience defined", "") + sb.Status.MarkOIDCTokenSecretCreatedSuccceededWithReason("Sink has no audience defined", "") + sb.Status.OIDCTokenSecretName = nil } - sb.Status.MarkOIDCIdentityCreatedSucceeded() - - err := s.reconcileOIDCTokenSecret(ctx, sb) - if err != nil { - sb.Status.MarkOIDCTokenSecretCreatedFailed("Unable to reconcile OIDC token secret", "%v", err) - 
return err - } - sb.Status.MarkOIDCTokenSecretCreatedSuccceeded() - } else { sb.Status.Auth = nil sb.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") @@ -132,10 +139,6 @@ func (s *SinkBindingSubResourcesReconciler) reconcileOIDCTokenSecret(ctx context logger := logging.FromContext(ctx) secretName := s.oidcTokenSecretName(sb) - if sb.Status.SinkAudience == nil { - return fmt.Errorf("sinkAudience must be set on %s/%s to generate a OIDC token secret", sb.Name, sb.Namespace) - } - secret, err := s.secretLister.Secrets(sb.Namespace).Get(secretName) if err != nil { if apierrs.IsNotFound(err) {
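Review bot: Dropping the `sb.Status.SinkAudience == nil` guard at the top of `reconcileOIDCTokenSecret` turns an explicit error into an unstated precondition that only the caller now enforces; the function body continues past the hunk, so if the remainder dereferences `sb.Status.SinkAudience`, a future caller that skips the check would get a nil-pointer panic where it previously got a descriptive error. Record the contract in a doc comment above the function, e.g. `// reconcileOIDCTokenSecret creates or updates the OIDC token secret for sb.` / `// Callers must ensure sb.Status.SinkAudience is non-nil; Reconcile only calls this when it is.`. On the caller side visible in the previous hunk, the new no-audience branch sets `sb.Status.OIDCTokenSecretName = nil` but leaves `sb.Status.Auth` untouched, whereas the feature-disabled branch below it assigns `sb.Status.Auth = nil`, so a binding whose sink later loses its audience would keep reporting a service account that this path no longer ensures; `sb.Status.Auth = nil` alongside the `OIDCTokenSecretName = nil` line would keep the two branches consistent. The token secret created on an earlier reconcile is also not removed in that branch, so unless something outside this file cleans it up, a secret holding a token minted for the old audience appears to remain in the namespace after the audience is dropped.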