diff --git a/cmd/apiserver_receive_adapter/main.go b/cmd/apiserver_receive_adapter/main.go
index 2506789d203..736af22bc9e 100644
--- a/cmd/apiserver_receive_adapter/main.go
+++ b/cmd/apiserver_receive_adapter/main.go
@@ -22,6 +22,7 @@ import (
 "knative.dev/eventing/pkg/adapter/apiserver"
 "knative.dev/eventing/pkg/adapter/v2"
+ "knative.dev/eventing/pkg/auth"
 "knative.dev/eventing/pkg/eventingtls"
 )
@@ -34,6 +35,7 @@ func main() {
 ctx = adapter.WithInjectorEnabled(ctx)
 ctx = filteredFactory.WithSelectors(ctx,
+ auth.OIDCLabelSelector,
 eventingtls.TrustBundleLabelSelector,
 )
diff --git a/cmd/broker/filter/main.go b/cmd/broker/filter/main.go
index 562c6d2c06f..8a699b72e22 100644
--- a/cmd/broker/filter/main.go
+++ b/cmd/broker/filter/main.go
@@ -81,6 +81,7 @@ func main() {
 log.Printf("Registering %d informers", len(injection.Default.GetInformers()))
 ctx = filteredFactory.WithSelectors(ctx,
+ auth.OIDCLabelSelector,
 eventingtls.TrustBundleLabelSelector,
 )
diff --git a/cmd/broker/ingress/main.go b/cmd/broker/ingress/main.go
index e722b56d7d0..7647805d6e9 100644
--- a/cmd/broker/ingress/main.go
+++ b/cmd/broker/ingress/main.go
@@ -103,6 +103,7 @@ func main() {
 log.Printf("Registering %d informers", len(injection.Default.GetInformers()))
 ctx = filteredFactory.WithSelectors(ctx,
+ auth.OIDCLabelSelector,
 eventingtls.TrustBundleLabelSelector,
 )
diff --git a/cmd/in_memory/channel_dispatcher/main.go b/cmd/in_memory/channel_dispatcher/main.go
index 52d7ebfe448..116bf66f00f 100644
--- a/cmd/in_memory/channel_dispatcher/main.go
+++ b/cmd/in_memory/channel_dispatcher/main.go
@@ -27,6 +27,7 @@ import (
 "knative.dev/pkg/injection/sharedmain"
 "knative.dev/pkg/signals"
+ "knative.dev/eventing/pkg/auth"
 "knative.dev/eventing/pkg/eventingtls"
 inmemorychannel "knative.dev/eventing/pkg/reconciler/inmemorychannel/dispatcher"
 )
@@ -39,6 +40,7 @@ func main() {
 }
 ctx = filteredFactory.WithSelectors(ctx,
+ auth.OIDCLabelSelector,
 eventingtls.TrustBundleLabelSelector,
 )
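Review bot: Registering `auth.OIDCLabelSelector` with the filtered factory here (and in the broker filter, broker ingress, channel dispatcher, mtchannel_broker, mtping and webhook hunks) widens what every filtered informer type linked into the binary lists and watches: the generated `withInformer` in the vendored `secret/filtered` package builds one informer per registered selector, so any of these components that links the filtered Secret informer will now list/watch every Secret carrying the `eventing.knative.dev/oidc` label across namespaces, and a filtered ConfigMap informer likewise picks up ConfigMaps with that label. It is worth confirming that each component's ClusterRole already grants list/watch on secrets and that the broader watch is intended for components that do not consume OIDC secrets themselves, rather than only the sinkbinding controller. A one-line comment next to the selector stating which filtered informer in that component needs it would make each registration self-explanatory. main() continues outside the hunk in each of these files.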
diff --git a/cmd/mtchannel_broker/main.go b/cmd/mtchannel_broker/main.go
index 7126df0bcd0..b6034ed3ac6 100644
--- a/cmd/mtchannel_broker/main.go
+++ b/cmd/mtchannel_broker/main.go
@@ -22,8 +22,11 @@ import (
 "context"
+ filteredfactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 "knative.dev/pkg/injection/sharedmain"
+ "knative.dev/pkg/signals"
+ "knative.dev/eventing/pkg/auth"
 "knative.dev/eventing/pkg/reconciler/broker"
 mttrigger "knative.dev/eventing/pkg/reconciler/broker/trigger"
 )
@@ -33,7 +36,11 @@ const (
 )
 func main() {
- sharedmain.Main(
+ ctx := signals.NewContext()
+
+ ctx = filteredfactory.WithSelectors(ctx, auth.OIDCLabelSelector)
+
+ sharedmain.MainWithContext(ctx,
 component,
 broker.NewController,
diff --git a/cmd/mtping/main.go b/cmd/mtping/main.go
index eb30bbc74ca..9a35d892cb1 100644
--- a/cmd/mtping/main.go
+++ b/cmd/mtping/main.go
@@ -22,6 +22,7 @@ import (
 "knative.dev/eventing/pkg/adapter/mtping"
 "knative.dev/eventing/pkg/adapter/v2"
+ "knative.dev/eventing/pkg/auth"
 "knative.dev/eventing/pkg/eventingtls"
 )
@@ -57,6 +58,7 @@ func main() {
 })
 ctx = filteredFactory.WithSelectors(ctx,
+ auth.OIDCLabelSelector,
 eventingtls.TrustBundleLabelSelector,
 )
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
index f0b6dbed176..1dfac21d38a 100644
--- a/cmd/webhook/main.go
+++ b/cmd/webhook/main.go
@@ -26,6 +26,7 @@ import (
 configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
 "knative.dev/eventing/pkg/apis/feature"
+ "knative.dev/eventing/pkg/auth"
 "knative.dev/eventing/pkg/eventingtls"
 filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
@@ -287,6 +288,7 @@ func main() {
 })
 ctx = filteredFactory.WithSelectors(ctx,
+ auth.OIDCLabelSelector,
 eventingtls.TrustBundleLabelSelector,
 )
diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go
index 2e70c824189..87d55edfd0b 100644
--- a/pkg/auth/serviceaccount.go
+++ b/pkg/auth/serviceaccount.go
@@ -21,11 +21,13 @@ import (
 "fmt"
 "strings"
- "knative.dev/eventing/pkg/apis/feature"
+ "k8s.io/apimachinery/pkg/api/equality"
 duckv1 "knative.dev/pkg/apis/duck/v1"
 "knative.dev/pkg/kmeta"
 pkgreconciler "knative.dev/pkg/reconciler"
+ "knative.dev/eventing/pkg/apis/feature"
+
 "go.uber.org/zap"
 v1 "k8s.io/api/core/v1"
 apierrs "k8s.io/apimachinery/pkg/api/errors"
@@ -37,6 +39,14 @@ import (
 "knative.dev/pkg/ptr"
 )
+const (
+ // OIDCLabelKey is used to filter out all the informers that related to OIDC work
+ OIDCLabelKey = "eventing.knative.dev/oidc"
+
+ // OIDCLabelSelector is the label selector for the OIDC resources
+ OIDCLabelSelector = OIDCLabelKey
+)
+
 // GetOIDCServiceAccountNameForResource returns the service account name to use
 // for OIDC authentication for the given resource.
 func GetOIDCServiceAccountNameForResource(gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta) string {
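Review bot: The doc comment on `OIDCLabelKey` says it filters informers, but a label key is something attached to resources; it would read more accurately as `// OIDCLabelKey is the label placed on resources (such as OIDC token secrets) so that filtered informers can watch only those resources.` `OIDCLabelSelector` is the bare key, which as a label-selector string matches any resource carrying the label regardless of its value; saying so in its comment, e.g. `// OIDCLabelSelector matches every resource that carries OIDCLabelKey, whatever the label's value.`, spares readers from hunting for an expected value. In the import hunk just above, `k8s.io/apimachinery/pkg/api/equality` was dropped into the knative.dev group and `knative.dev/eventing/pkg/apis/feature` now sits alone between two groups; goimports-style grouping (stdlib, then k8s.io and other third-party, then knative.dev) would make the block easier to scan.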
@@ -76,28 +86,38 @@ func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccou
 saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta)
 sa, err := serviceAccountLister.ServiceAccounts(objectMeta.Namespace).Get(saName)
+ expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
+
 // If the resource doesn't exist, we'll create it.
 if apierrs.IsNotFound(err) {
 logging.FromContext(ctx).Debugw("Creating OIDC service account", zap.Error(err))
- expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
-
 _, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Create(ctx, expected, metav1.CreateOptions{})
 if err != nil {
- return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+ return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 }
 return nil
 }
-
 if err != nil {
- return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+ return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 }
-
 if !metav1.IsControlledBy(&sa.ObjectMeta, &objectMeta) {
 return fmt.Errorf("service account %s not owned by %s %s", sa.Name, gvk.Kind, objectMeta.Name)
 }
+ if !equality.Semantic.DeepDerivative(expected, sa) {
+ expected.ResourceVersion = sa.ResourceVersion
+
+ _, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Update(ctx, expected, metav1.UpdateOptions{})
+ if err != nil {
+ return fmt.Errorf("could not update OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
+ }
+
+ return nil
+
+ }
+
 return nil
 }
diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go
index b8da07abcad..053322d7276 100644
--- a/pkg/reconciler/sinkbinding/controller.go
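Review bot: The new update branch sends the freshly built `expected` object as a full `Update`, so the moment `DeepDerivative` reports drift (for example a missing label) every field present on the live ServiceAccount but not set by `GetOIDCServiceAccountForResource` — `secrets`, `imagePullSecrets`, `automountServiceAccountToken`, annotations added by other controllers — is cleared along with the drift; `DeepDerivative` ignores exactly those unset fields when comparing, which makes the overwrite easy to miss. Safer is to start from the live object and layer the desired fields on top before updating, e.g. `desired := sa.DeepCopy(); desired.Labels = expected.Labels; desired.OwnerReferences = expected.OwnerReferences`, extended with whatever else `GetOIDCServiceAccountForResource` populates (that function is outside the hunk, so the exact field list should be checked there). The ownership check preceding the update is the right guard, since a non-owned ServiceAccount must never be rewritten by this reconciler; a comment such as `// Only repair ServiceAccounts this resource owns; drift on any other SA is an error.` would record that intent. The stray blank line before the closing brace of the `if !equality...` block, and the blank lines removed before `if err != nil` and `if !metav1.IsControlledBy`, are gofmt-neutral but hurt readability. The function signature is outside the hunk.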
+++ b/pkg/reconciler/sinkbinding/controller.go
@@ -43,7 +43,7 @@ import (
 "knative.dev/pkg/apis/duck"
 kubeclient "knative.dev/pkg/client/injection/kube/client"
 configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
- secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret"
+ secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered"
 serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount"
 "knative.dev/pkg/configmap"
 "knative.dev/pkg/controller"
@@ -80,8 +80,8 @@ func NewController(
 dc := dynamicclient.Get(ctx)
 psInformerFactory := podspecable.Get(ctx)
 namespaceInformer := namespace.Get(ctx)
- serviceaccountInformer := serviceaccountinformer.Get(ctx)
- secretInformer := secretinformer.Get(ctx)
+ oidcServiceaccountInformer := serviceaccountinformer.Get(ctx)
+ secretInformer := secretinformer.Get(ctx, auth.OIDCLabelSelector)
 trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector)
 trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister()
@@ -136,7 +136,7 @@ func NewController(
 res: sbResolver,
 tracker: impl.Tracker,
 kubeclient: kubeclient.Get(ctx),
- serviceAccountLister: serviceaccountInformer.Lister(),
+ serviceAccountLister: oidcServiceaccountInformer.Lister(),
 secretLister: secretInformer.Lister(),
 featureStore: featureStore,
 tokenProvider: auth.NewOIDCTokenProvider(ctx),
@@ -155,7 +155,7 @@ func NewController(
 }
 // Reconcile SinkBinding when the OIDC service account changes
- serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
+ oidcServiceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
 FilterFunc: controller.FilterController(&v1.SinkBinding{}),
 Handler: controller.HandleAll(impl.EnqueueControllerOf),
 })
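Review bot: `secretInformer` is now filtered by `auth.OIDCLabelSelector`, so `secretLister` no longer sees OIDC token secrets created before this change, which do not carry the `eventing.knative.dev/oidc` label; unless the renewal path re-applies the label to an existing secret (the sinkbinding.go hunk adds it to the apply configuration, so a server-side apply may repair it on the next renewal), such a secret looks missing to the reconciler, and the upgrade path deserves an explicit test. Separately, the rename to `oidcServiceaccountInformer` suggests a filtered informer, but the call is still the unfiltered `serviceaccountinformer.Get(ctx)` and the `serviceaccount` import is unchanged, so the handler at the bottom of the section still fires for every ServiceAccount in the cluster; either keep the previous name or, if the OIDC service accounts carry the label, switch to the filtered package and pass `auth.OIDCLabelSelector` as is done for secrets. NewController starts and ends outside these hunks.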
diff --git a/pkg/reconciler/sinkbinding/sinkbinding.go b/pkg/reconciler/sinkbinding/sinkbinding.go
index 74744d24453..6f314f66694 100644
--- a/pkg/reconciler/sinkbinding/sinkbinding.go
+++ b/pkg/reconciler/sinkbinding/sinkbinding.go
@@ -193,6 +193,9 @@ func (s *SinkBindingSubResourcesReconciler) renewOIDCTokenSecret(ctx context.Con
 apiVersion := fmt.Sprintf("%s/%s", v1.SchemeGroupVersion.Group, v1.SchemeGroupVersion.Version)
 applyConfig := new(applyconfigurationcorev1.SecretApplyConfiguration).
+ WithLabels(map[string]string{
+ auth.OIDCLabelKey: "enabled",
+ }).
 WithName(secretName).
 WithNamespace(sb.Namespace).
 WithType(corev1.SecretTypeOpaque).
diff --git a/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/secret.go b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered/secret.go
similarity index 55%
rename from vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/secret.go
rename to vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered/secret.go
index 22ddeb56426..80d46c400c3 100644
--- a/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/secret.go
+++ b/vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered/secret.go
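Review bot: The label value `"enabled"` is a bare literal that nothing else in this diff refers to — the selector defined in `pkg/auth` matches on the key's presence, so the value is purely informational — and the next writer of an OIDC-labelled resource is likely to pick a different spelling. Hoisting it next to the key, e.g. a new `OIDCLabelValue = "enabled"` in the `const` block in pkg/auth/serviceaccount.go and `auth.OIDCLabelKey: auth.OIDCLabelValue` here, keeps the convention in one place. Since this is a server-side apply configuration, the label should also land on token secrets that already exist for the binding at their next renewal, which is what makes them visible to the newly filtered Secret lister in NewController; a comment on the `WithLabels` call, e.g. `// Label the token secret so the OIDC-filtered Secret informer used by the controller can see it.`, would tie the two changes together. renewOIDCTokenSecret continues outside the hunk.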
@@ -16,37 +16,50 @@ limitations under the License. // Code generated by injection-gen. DO NOT EDIT. -package secret +package filtered import ( context "context" v1 "k8s.io/client-go/informers/core/v1" - factory "knative.dev/pkg/client/injection/kube/informers/factory" + filtered "knative.dev/pkg/client/injection/kube/informers/factory/filtered" controller "knative.dev/pkg/controller" injection "knative.dev/pkg/injection" logging "knative.dev/pkg/logging" ) func init() { - injection.Default.RegisterInformer(withInformer) + injection.Default.RegisterFilteredInformers(withInformer) } // Key is used for associating the Informer inside the context.Context. -type Key struct{} +type Key struct { + Selector string +} -func withInformer(ctx context.Context) (context.Context, controller.Informer) { - f := factory.Get(ctx) - inf := f.Core().V1().Secrets() - return context.WithValue(ctx, Key{}, inf), inf.Informer() +func withInformer(ctx context.Context) (context.Context, []controller.Informer) { + untyped := ctx.Value(filtered.LabelKey{}) + if untyped == nil { + logging.FromContext(ctx).Panic( + "Unable to fetch labelkey from context.") + } + labelSelectors := untyped.([]string) + infs := []controller.Informer{} + for _, selector := range labelSelectors { + f := filtered.Get(ctx, selector) + inf := f.Core().V1().Secrets() + ctx = context.WithValue(ctx, Key{Selector: selector}, inf) + infs = append(infs, inf.Informer()) + } + return ctx, infs } // Get extracts the typed informer from the context. 
-func Get(ctx context.Context) v1.SecretInformer { - untyped := ctx.Value(Key{}) +func Get(ctx context.Context, selector string) v1.SecretInformer { + untyped := ctx.Value(Key{Selector: selector}) if untyped == nil { - logging.FromContext(ctx).Panic( - "Unable to fetch k8s.io/client-go/informers/core/v1.SecretInformer from context.") + logging.FromContext(ctx).Panicf( + "Unable to fetch k8s.io/client-go/informers/core/v1.SecretInformer with selector %s from context.", selector) } return untyped.(v1.SecretInformer) } diff --git a/vendor/modules.txt b/vendor/modules.txt index e61c782e79a..aaac80f3dd9 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1283,7 +1283,7 @@ knative.dev/pkg/client/injection/kube/informers/core/v1/endpoints/fake knative.dev/pkg/client/injection/kube/informers/core/v1/namespace knative.dev/pkg/client/injection/kube/informers/core/v1/namespace/fake knative.dev/pkg/client/injection/kube/informers/core/v1/pod -knative.dev/pkg/client/injection/kube/informers/core/v1/secret +knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered knative.dev/pkg/client/injection/kube/informers/core/v1/service knative.dev/pkg/client/injection/kube/informers/core/v1/service/fake knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount