Enable TLS for OIDC e2e tests (#7551)

* Enable the TLS feature for BrokerSendEventWithOIDCTokenToSubscriber

Signed-off-by: Leo Li <[email protected]>

* Enable the TLS feature for BrokerSendEventWithOIDCTokenToReply

Signed-off-by: Leo Li <[email protected]>

* Save the progress on adding TLS support for BrokerSendEventWithOIDCTokenToDLS

Signed-off-by: Leo Li <[email protected]>

* Still couldn't figure out. Will leave a comment there

Signed-off-by: Leo Li <[email protected]>

* Update more test to enable TLS

Signed-off-by: Leo Li <[email protected]>

* Fix the review comments

Signed-off-by: Leo Li <[email protected]>

* Fix the review comments by using destination object

Signed-off-by: Leo Li <[email protected]>

* Enable TLS in the CI

Signed-off-by: Leo Li <[email protected]>

* comment out all the other tests to validate my assumption

Signed-off-by: Leo Li <[email protected]>

* Revert "comment out all the other tests to validate my assumption"

This reverts commit ee4d57e.

* fix the wrong indentation for the cacert format

Signed-off-by: Leo Li <[email protected]>

* enable the TLS for TestParallelTwoBranchesWithOIDCSupport

Signed-off-by: Leo Li <[email protected]>

* enable the TLS for TestSequenceSendsEventsWithOIDCSupport

Signed-off-by: Leo Li <[email protected]>

* enable the TLS for TestApiserversourceSendEventWithJWT

Signed-off-by: Leo Li <[email protected]>

* enable the TLS for TestContainerSourceSendsEventsWithOIDCSupport

Signed-off-by: Leo Li <[email protected]>

* Update test/rekt/resources/sequence/sequence.go

Co-authored-by: Christoph Stäbler <[email protected]>

* Update test/auth/features/oidc/broker.go

Co-authored-by: Christoph Stäbler <[email protected]>

* Update test/auth/features/oidc/broker.go

Co-authored-by: Christoph Stäbler <[email protected]>

* Update test/auth/features/oidc/parallel.go

Co-authored-by: Christoph Stäbler <[email protected]>

* Update test/auth/features/oidc/broker.go

Co-authored-by: Christoph Stäbler <[email protected]>

* enable the TLS for TestSequenceSendsEventsWithOIDCSupport

Signed-off-by: Leo Li <[email protected]>

* enable the TLS for TestPingSourceSendsEventsWithOIDC

Signed-off-by: Leo Li <[email protected]>

* enable the TLS for TestChannelDispatcherAuthenticatesWithOIDC

Signed-off-by: Leo Li <[email protected]>

* add the audience field

Signed-off-by: Leo Li <[email protected]>

* Code clean up

Signed-off-by: Leo Li <[email protected]>

---------

Signed-off-by: Leo Li <[email protected]>
Co-authored-by: Christoph Stäbler <[email protected]>

test/auth/config/features.yaml

@@ -19,3 +19,5 @@ metadata:
   namespace: knative-eventing
 data:
   authentication-oidc: "enabled"
+  transport-encryption: "strict"
+

test/auth/features/oidc/addressable_oidc_conformance.go

@@ -85,7 +85,7 @@ func addressableRejectInvalidAudience(gvr schema.GroupVersionResource, kind, nam
 
 	f.Requirement("install source", eventshub.Install(
 		source,
-		eventshub.StartSenderToResource(gvr, name),
+		eventshub.StartSenderToResourceTLS(gvr, name, nil),
 		eventshub.OIDCInvalidAudience(),
 		eventshub.InputEvent(event),
 	))
@@ -109,7 +109,7 @@ func addressableRejectExpiredToken(gvr schema.GroupVersionResource, kind, name s
 
 	f.Requirement("install source", eventshub.Install(
 		source,
-		eventshub.StartSenderToResource(gvr, name),
+		eventshub.StartSenderToResourceTLS(gvr, name, nil),
 		eventshub.OIDCExpiredToken(),
 		eventshub.InputEvent(event),
 	))
@@ -133,7 +133,7 @@ func addressableRejectCorruptedSignature(gvr schema.GroupVersionResource, kind,
 
 	f.Requirement("install source", eventshub.Install(
 		source,
-		eventshub.StartSenderToResource(gvr, name),
+		eventshub.StartSenderToResourceTLS(gvr, name, nil),
 		eventshub.OIDCCorruptedSignature(),
 		eventshub.InputEvent(event),
 	))
@@ -157,7 +157,7 @@ func addressableAllowsValidRequest(gvr schema.GroupVersionResource, kind, name s
 
 	f.Requirement("install source", eventshub.Install(
 		source,
-		eventshub.StartSenderToResource(gvr, name),
+		eventshub.StartSenderToResourceTLS(gvr, name, nil),
 		eventshub.InputEvent(event),
 	))
 

test/auth/features/oidc/apiserversource.go

@@ -19,6 +19,9 @@ package oidc
 import (
 	"context"
 
+	"knative.dev/eventing/test/rekt/features/featureflags"
+	"knative.dev/eventing/test/rekt/features/source"
+
 	"github.com/cloudevents/sdk-go/v2/test"
 	rbacv1 "k8s.io/api/rbac/v1"
 	v1 "knative.dev/eventing/pkg/apis/sources/v1"
@@ -44,8 +47,11 @@ func ApiserversourceSendEventWithJWT() *feature.Feature {
 
 	f := feature.NewFeatureNamed("ApiServerSource send events with OIDC authentication")
 
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
 	f.Setup("deploy receiver", eventshub.Install(sink,
-		eventshub.StartReceiver,
+		eventshub.StartReceiverTLS,
 		eventshub.OIDCReceiverAudience(audience)))
 
 	f.Setup("Create Service Account for ApiServerSource with RBAC for v1.Event resources",
@@ -63,6 +69,7 @@ func ApiserversourceSendEventWithJWT() *feature.Feature {
 	f.Requirement("install ApiServerSource", func(ctx context.Context, t feature.T) {
 		d := service.AsDestinationRef(sink)
 		d.Audience = &audience
+		d.CACerts = eventshub.GetCaCerts(ctx)
 
 		cfg = append(cfg, apiserversource.WithSink(d))
 		apiserversource.Install(src, cfg...)(ctx, t)
@@ -81,7 +88,8 @@ func ApiserversourceSendEventWithJWT() *feature.Feature {
 				Match(eventassert.MatchKind(eventshub.EventReceived)).
 				MatchEvent(test.HasType("dev.knative.apiserver.resource.update")).
 				AtLeast(1),
-		)
+		).Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(apiserversource.Gvr(), src)).
+		Must("Set sinkCACerts to non empty CA certs", source.ExpectCACerts(apiserversource.Gvr(), src))
 
 	return f
 }

test/auth/features/oidc/broker.go

@@ -17,8 +17,13 @@ limitations under the License.
 package oidc
 
 import (
+	"context"
+
+	"knative.dev/pkg/apis"
+
 	"github.com/cloudevents/sdk-go/v2/test"
 	"github.com/google/uuid"
+	"knative.dev/eventing/test/rekt/features/featureflags"
 	"knative.dev/eventing/test/rekt/resources/broker"
 	"knative.dev/eventing/test/rekt/resources/delivery"
 	"knative.dev/eventing/test/rekt/resources/trigger"
@@ -43,6 +48,10 @@ func BrokerSendEventWithOIDC() *feature.FeatureSet {
 func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature {
 	f := feature.NewFeatureNamed("Broker supports flow with OIDC tokens")
 
+	// TLS is required for OIDC
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
 	source := feature.MakeRandomK8sName("source")
 	brokerName := feature.MakeRandomK8sName("broker")
 	sink := feature.MakeRandomK8sName("sink")
@@ -59,24 +68,22 @@ func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature {
 	// Install the sink
 	f.Setup("install sink", eventshub.Install(
 		sink,
+		eventshub.StartReceiverTLS,
 		eventshub.OIDCReceiverAudience(sinkAudience),
-		eventshub.StartReceiver))
-
-	// Install the trigger and Point the Trigger subscriber to the sink svc.
-	f.Setup("install trigger", trigger.Install(
-		triggerName,
-		brokerName,
-		trigger.WithSubscriberFromDestination(&duckv1.Destination{
-			Ref:      service.AsKReference(sink),
-			Audience: &sinkAudience,
-		}),
 	))
+
+	f.Setup("Install the trigger", func(ctx context.Context, t feature.T) {
+		d := service.AsDestinationRef(sink)
+		d.CACerts = eventshub.GetCaCerts(ctx)
+		d.Audience = &sinkAudience
+		trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d))(ctx, t)
+	})
 	f.Setup("trigger goes ready", trigger.IsReady(triggerName))
 
 	// Send event
 	f.Requirement("install source", eventshub.Install(
 		source,
-		eventshub.StartSenderToResource(broker.GVR(), brokerName),
+		eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil),
 		eventshub.InputEvent(event),
 	))
 
@@ -89,6 +96,10 @@ func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature {
 func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature {
 	f := feature.NewFeature()
 
+	// TLS is required for OIDC
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
 	brokerName := feature.MakeRandomK8sName("broker")
 	dls := feature.MakeRandomK8sName("dls")
 	triggerName := feature.MakeRandomK8sName("trigger")
@@ -101,27 +112,34 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature {
 	// Install DLS sink
 	f.Setup("install dead letter sink", eventshub.Install(dls,
 		eventshub.OIDCReceiverAudience(dlsAudience),
-		eventshub.StartReceiver))
-
-	// Install broker with DLS config
-	brokerConfig := append(
-		broker.WithEnvConfig(),
-		delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{
-			Ref:      service.AsKReference(dls),
-			Audience: &dlsAudience,
-		}),
-	)
-	f.Setup("install broker", broker.Install(brokerName, brokerConfig...))
+		eventshub.StartReceiverTLS))
+
+	f.Setup("install broker", func(ctx context.Context, t feature.T) {
+		brokerConfig := append(broker.WithEnvConfig(),
+			delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{
+				Ref:      service.AsKReference(dls),
+				Audience: &dlsAudience,
+				CACerts:  eventshub.GetCaCerts(ctx),
+			}))
+		broker.Install(brokerName, brokerConfig...)(ctx, t)
+	})
+
 	f.Setup("Broker is ready", broker.IsReady(brokerName))
 
-	// Install Trigger
-	f.Setup("install trigger", trigger.Install(triggerName, brokerName,
-		trigger.WithSubscriber(nil, "bad://uri")))
+	f.Setup("Install the trigger", func(ctx context.Context, t feature.T) {
+		// create an empty destination ref
+		d := duckv1.Destination{}
+		d.CACerts = eventshub.GetCaCerts(ctx)
+		d.URI, _ = apis.ParseURL("bad://uri")
+		trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(&d))(ctx, t)
+
+	})
+
 	f.Setup("trigger is ready", trigger.IsReady(triggerName))
 
 	// Send events after data plane is ready.
 	f.Requirement("install source", eventshub.Install(source,
-		eventshub.StartSenderToResource(broker.GVR(), brokerName),
+		eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil),
 		eventshub.InputEvent(event),
 	))
 
@@ -133,8 +151,17 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature {
 }
 
 func BrokerSendEventWithOIDCTokenToReply() *feature.Feature {
+	//1. An event is sent to a broker.
+	//2. A trigger routes this event to a subscriber.
+	//3. The subscriber processes and replies to the event.
+	//4. A helper trigger routes the reply to a designated sink.
+	//5. The test verifies that the reply reaches the sink with the expected modifications.
 	f := feature.NewFeature()
 
+	// TLS is required for OIDC
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
 	brokerName := feature.MakeRandomK8sName("broker")
 	subscriber := feature.MakeRandomK8sName("subscriber")
 	reply := feature.MakeRandomK8sName("reply")
@@ -151,38 +178,40 @@ func BrokerSendEventWithOIDCTokenToReply() *feature.Feature {
 	// Install subscriber
 	f.Setup("install subscriber", eventshub.Install(subscriber,
 		eventshub.ReplyWithTransformedEvent(replyEventType, replyEventSource, ""),
-		eventshub.StartReceiver))
+		eventshub.StartReceiverTLS))
 
 	// Install sink for reply
 	// Hint: we don't need to require OIDC auth at the reply sink, because the
 	// actual reply is sent to the broker ingress, which must support OIDC. This
-	// reply sink is only to check that the reply as sent and routed correctly.
+	// reply sink is only to check that the reply was sent and routed correctly.
 	f.Setup("install sink for reply", eventshub.Install(reply,
-		eventshub.StartReceiver))
+		eventshub.StartReceiverTLS))
 
 	// Install broker
 	f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...))
 	f.Setup("Broker is ready", broker.IsReady(brokerName))
 
-	// Install Trigger
-	f.Setup("install trigger", trigger.Install(triggerName, brokerName,
-		trigger.WithSubscriber(service.AsKReference(subscriber), ""),
-		trigger.WithFilter(map[string]string{
+	f.Setup("install the trigger", func(ctx context.Context, t feature.T) {
+		d := service.AsDestinationRef(subscriber)
+		d.CACerts = eventshub.GetCaCerts(ctx)
+		trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d), trigger.WithFilter(map[string]string{
 			"type": event.Type(),
-		})))
+		}))(ctx, t)
+	})
+
 	f.Setup("trigger is ready", trigger.IsReady(triggerName))
 
-	// Install helper trigger to route replys to reply-sink
-	f.Setup("install helper trigger", trigger.Install(helperTriggerName, brokerName,
-		trigger.WithSubscriber(service.AsKReference(reply), ""),
-		trigger.WithFilter(map[string]string{
+	f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) {
+		d := service.AsDestinationRef(reply)
+		d.CACerts = eventshub.GetCaCerts(ctx)
+		trigger.Install(helperTriggerName, brokerName, trigger.WithSubscriberFromDestination(d), trigger.WithFilter(map[string]string{
 			"type": replyEventType,
-		})))
-	f.Setup("helper trigger is ready", trigger.IsReady(helperTriggerName))
+		}))(ctx, t)
+	})
 
 	// Send events after data plane is ready.
 	f.Requirement("install source", eventshub.Install(source,
-		eventshub.StartSenderToResource(broker.GVR(), brokerName),
+		eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil),
 		eventshub.InputEvent(event),
 	))
 

test/auth/features/oidc/channel.go

@@ -17,7 +17,10 @@ limitations under the License.
 package oidc
 
 import (
+	"context"
+
 	"github.com/cloudevents/sdk-go/v2/test"
+	"knative.dev/eventing/test/rekt/features/featureflags"
 	"knative.dev/eventing/test/rekt/resources/channel_impl"
 	"knative.dev/eventing/test/rekt/resources/subscription"
 	"knative.dev/reconciler-test/pkg/eventshub"
@@ -29,6 +32,9 @@ import (
 func ChannelDispatcherAuthenticatesRequestsWithOIDC() *feature.Feature {
 	f := feature.NewFeatureNamed("Channel dispatcher authenticates requests with OIDC")
 
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
 	source := feature.MakeRandomK8sName("source")
 	channelName := feature.MakeRandomK8sName("channel")
 	sink := feature.MakeRandomK8sName("sink")
@@ -37,12 +43,21 @@ func ChannelDispatcherAuthenticatesRequestsWithOIDC() *feature.Feature {
 
 	f.Setup("install channel", channel_impl.Install(channelName))
 	f.Setup("channel is ready", channel_impl.IsReady(channelName))
-	f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(receiverAudience), eventshub.StartReceiver))
-	f.Setup("install subscription", subscription.Install(subscriptionName, subscription.WithChannel(channel_impl.AsRef(channelName)), subscription.WithSubscriber(service.AsKReference(sink), "", receiverAudience)))
+	f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(receiverAudience), eventshub.StartReceiverTLS))
+
+	f.Setup("install subscription", func(ctx context.Context, t feature.T) {
+		d := service.AsDestinationRef(sink)
+		d.CACerts = eventshub.GetCaCerts(ctx)
+		d.Audience = &receiverAudience
+		subscription.Install(subscriptionName,
+			subscription.WithChannel(channel_impl.AsRef(channelName)),
+			subscription.WithSubscriberFromDestination(d))(ctx, t)
+	})
+
 	f.Setup("subscription is ready", subscription.IsReady(subscriptionName))
 
 	event := test.FullEvent()
-	f.Requirement("install source", eventshub.Install(source, eventshub.InputEvent(event), eventshub.StartSenderToResource(channel_impl.GVR(), channelName)))
+	f.Requirement("install source", eventshub.Install(source, eventshub.InputEvent(event), eventshub.StartSenderToResourceTLS(channel_impl.GVR(), channelName, nil)))
 
 	f.Alpha("channel dispatcher").Must("authenticate requests with OIDC", assert.OnStore(sink).MatchReceivedEvent(test.HasId(event.ID())).AtLeast(1))
 

test/auth/features/oidc/containersource.go

@@ -17,35 +17,45 @@ limitations under the License.
 package oidc
 
 import (
+	"context"
+
 	"github.com/cloudevents/sdk-go/v2/test"
+	"knative.dev/eventing/test/rekt/features/featureflags"
+	"knative.dev/eventing/test/rekt/features/source"
 	"knative.dev/eventing/test/rekt/resources/containersource"
-	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/reconciler-test/pkg/eventshub"
 	"knative.dev/reconciler-test/pkg/eventshub/assert"
 	"knative.dev/reconciler-test/pkg/feature"
 	"knative.dev/reconciler-test/pkg/resources/service"
 )
 
 func SendsEventsWithSinkRefOIDC() *feature.Feature {
-	source := feature.MakeRandomK8sName("containersource")
+	src := feature.MakeRandomK8sName("containersource")
 	sink := feature.MakeRandomK8sName("sink")
 	sinkAudience := "audience"
 	f := feature.NewFeature()
 
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
 	f.Setup("install sink", eventshub.Install(sink,
 		eventshub.OIDCReceiverAudience(sinkAudience),
-		eventshub.StartReceiver))
+		eventshub.StartReceiverTLS))
+
+	f.Requirement("install ContainerSource", func(ctx context.Context, t feature.T) {
+		d := service.AsDestinationRef(sink)
+		d.CACerts = eventshub.GetCaCerts(ctx)
+		d.Audience = &sinkAudience
 
-	f.Requirement("install containersource", containersource.Install(source,
-		containersource.WithSink(&duckv1.Destination{
-			Ref:      service.AsKReference(sink),
-			Audience: &sinkAudience,
-		})))
-	f.Requirement("containersource goes ready", containersource.IsReady(source))
+		containersource.Install(src, containersource.WithSink(d))(ctx, t)
+	})
+
+	f.Requirement("containersource goes ready", containersource.IsReady(src))
 
 	f.Stable("containersource as event source").
 		Must("delivers events",
-			assert.OnStore(sink).MatchEvent(test.HasType("dev.knative.eventing.samples.heartbeat")).AtLeast(1))
-
+			assert.OnStore(sink).MatchEvent(test.HasType("dev.knative.eventing.samples.heartbeat")).AtLeast(1)).
+		Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(containersource.Gvr(), src)).
+		Must("Set sinkCACerts to non empty CA certs", source.ExpectCACerts(containersource.Gvr(), src))
 	return f
 }