Skip to content

Commit

Permalink
[release-1.14] Watch only our own OIDC-related secrets (#8071)
Browse files Browse the repository at this point in the history
Filter OIDC secrets

Signed-off-by: Pierangelo Di Pilato <[email protected]>
Co-authored-by: Pierangelo Di Pilato <[email protected]>
  • Loading branch information
knative-prow-robot and pierDipi authored Jul 5, 2024
1 parent 5f92164 commit 413a29d
Show file tree
Hide file tree
Showing 5 changed files with 53 additions and 25 deletions.
32 changes: 22 additions & 10 deletions pkg/auth/serviceaccount.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,11 +21,13 @@ import (
"fmt"
"strings"

"knative.dev/eventing/pkg/apis/feature"
"k8s.io/apimachinery/pkg/api/equality"
duckv1 "knative.dev/pkg/apis/duck/v1"
"knative.dev/pkg/kmeta"
pkgreconciler "knative.dev/pkg/reconciler"

"knative.dev/eventing/pkg/apis/feature"

"go.uber.org/zap"
v1 "k8s.io/api/core/v1"
apierrs "k8s.io/apimachinery/pkg/api/errors"
Expand All @@ -38,10 +40,10 @@ import (
)

const (
//OIDCLabelKey is used to filter out all the informers that related to OIDC work
OIDCLabelKey = "oidc"
// OIDCLabelKey is used to filter out all the informers that related to OIDC work
OIDCLabelKey = "eventing.knative.dev/oidc"

// OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers
// OIDCLabelSelector is the label selector for the OIDC resources
OIDCLabelSelector = OIDCLabelKey
)

Expand Down Expand Up @@ -87,28 +89,38 @@ func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccou
saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta)
sa, err := serviceAccountLister.ServiceAccounts(objectMeta.Namespace).Get(saName)

expected := GetOIDCServiceAccountForResource(gvk, objectMeta)

// If the resource doesn't exist, we'll create it.
if apierrs.IsNotFound(err) {
logging.FromContext(ctx).Debugw("Creating OIDC service account", zap.Error(err))

expected := GetOIDCServiceAccountForResource(gvk, objectMeta)

_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Create(ctx, expected, metav1.CreateOptions{})
if err != nil {
return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
}

return nil
}

if err != nil {
return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
}

if !metav1.IsControlledBy(&sa.ObjectMeta, &objectMeta) {
return fmt.Errorf("service account %s not owned by %s %s", sa.Name, gvk.Kind, objectMeta.Name)
}

if !equality.Semantic.DeepDerivative(expected, sa) {
expected.ResourceVersion = sa.ResourceVersion

_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Update(ctx, expected, metav1.UpdateOptions{})
if err != nil {
return fmt.Errorf("could not update OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
}

return nil

}

return nil
}

Expand Down
4 changes: 2 additions & 2 deletions pkg/reconciler/sinkbinding/controller.go
Original file line number Diff line number Diff line change
Expand Up @@ -44,7 +44,7 @@ import (
"knative.dev/pkg/apis/duck"
kubeclient "knative.dev/pkg/client/injection/kube/client"
configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret"
secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered"
serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered"
"knative.dev/pkg/configmap"
"knative.dev/pkg/controller"
Expand Down Expand Up @@ -80,7 +80,7 @@ func NewController(
psInformerFactory := podspecable.Get(ctx)
namespaceInformer := namespace.Get(ctx)
oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector)
secretInformer := secretinformer.Get(ctx)
secretInformer := secretinformer.Get(ctx, auth.OIDCLabelSelector)
trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector)
trustBundleConfigMapLister := trustBundleConfigMapInformer.Lister()

Expand Down
3 changes: 3 additions & 0 deletions pkg/reconciler/sinkbinding/sinkbinding.go
Original file line number Diff line number Diff line change
Expand Up @@ -193,6 +193,9 @@ func (s *SinkBindingSubResourcesReconciler) renewOIDCTokenSecret(ctx context.Con

apiVersion := fmt.Sprintf("%s/%s", v1.SchemeGroupVersion.Group, v1.SchemeGroupVersion.Version)
applyConfig := new(applyconfigurationcorev1.SecretApplyConfiguration).
WithLabels(map[string]string{
auth.OIDCLabelKey: "enabled",
}).
WithName(secretName).
WithNamespace(sb.Namespace).
WithType(corev1.SecretTypeOpaque).
Expand Down

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion vendor/modules.txt
Original file line number Diff line number Diff line change
Expand Up @@ -1277,7 +1277,7 @@ knative.dev/pkg/client/injection/kube/informers/core/v1/endpoints/fake
knative.dev/pkg/client/injection/kube/informers/core/v1/namespace
knative.dev/pkg/client/injection/kube/informers/core/v1/namespace/fake
knative.dev/pkg/client/injection/kube/informers/core/v1/pod
knative.dev/pkg/client/injection/kube/informers/core/v1/secret
knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered
knative.dev/pkg/client/injection/kube/informers/core/v1/service
knative.dev/pkg/client/injection/kube/informers/core/v1/service/fake
knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount
Expand Down

0 comments on commit 413a29d

Please sign in to comment.