Authenticate Requests from ApiServerSources

[creydr]

As the Eventing OIDC feature track describes, sources must authenticate their requests. Therefor the ApiServerSource must request a JWT and add it as a Bearer Token to its Authentication header.

When having #7175, we need to update the ApiServerSource to add the Authentication header with a JWT to all outgoing requests.

In particular this means for the ApiServerSource:

• when the sink has no audience defined:
  • no change in behavior
• when the the sink has an audience defined:
  • Request a JWT via Provide a library for OIDC token management #7175
  • Add it as an http header to the cloudeventsSDK client via something like

    headers := http.HeaderFrom(ctx)
    headers.Set("Authentication", fmt.Sprintf("Bearer %s", jwt))
    ctx = http.WithCustomHeader(ctx, headers)
    
    client.Send(ctx, event)
    

Additional Information:

• Requires Provide a library for OIDC token management #7175
• Requires Support auto generation of ApiServerSource identity service account and expose in AuthStatus #7226
• This also requires an update on the ApiServerSource controller, to expose the sinks audience in .status.SinkAudience (required Add SinkAudience to SourceStatus pkg#2844).

[JRS296]

Hello @creydr, I'd like to help if that's alright

[karthikmurali60]

/assign

[karthikmurali60]

@creydr I can pick up this issue, is it ready to be worked on or there is some other issue which is blocking this ?

[creydr]

Hello @karthikmurali60,
Thanks for offering your help 🎉
This issue is currently in the "Backlog" status, as it requires #7227 to be completed first. When all the referenced issues from the description are done, this issue should be ready to be worked on.

Anyhow, you should clarify with @JRS296 too, because according to #7321 (comment) he wanted to help too (but didn't assign the issue)

[creydr]

#7175 and #7226 are done, so this issue should be ready to be worked on

[creydr]

@JRS296, @karthikmurali60: anyone wants to provide a PR for this the next days? Otherwise I would unassign you, to give other contributors a chance to work on this.

[JRS296]

Hello @creydr , I'm currently caught up with some work, please un-assign me at the earliest 👍