From ad51fee74b2df6823b53cea9d9acfb91ebf08226 Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 18 Jan 2024 18:16:21 -0500 Subject: [PATCH] Enable TLS for OIDC e2e tests (#7551) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Enable the TLS feature for BrokerSendEventWithOIDCTokenToSubscriber Signed-off-by: Leo Li * Enable the TLS feature for BrokerSendEventWithOIDCTokenToReply Signed-off-by: Leo Li * Save the progress on adding TLS support for BrokerSendEventWithOIDCTokenToDLS Signed-off-by: Leo Li * Still couldn't figure out. Will leave a comment there Signed-off-by: Leo Li * Update more test to enable TLS Signed-off-by: Leo Li * Fix the review comments Signed-off-by: Leo Li * Fix the review comments by using destination object Signed-off-by: Leo Li * Enable TLS in the CI Signed-off-by: Leo Li * comment out all the other tests to validate my assumption Signed-off-by: Leo Li * Revert "comment out all the other tests to validate my assumption" This reverts commit ee4d57e26bedd00a799909df3185182c68689c3d. * fix the wrong indentation for the cacert format Signed-off-by: Leo Li * enable the TLS for TestParallelTwoBranchesWithOIDCSupport Signed-off-by: Leo Li * enable the TLS for TestSequenceSendsEventsWithOIDCSupport Signed-off-by: Leo Li * enable the TLS for TestApiserversourceSendEventWithJWT Signed-off-by: Leo Li * enable the TLS for TestContainerSourceSendsEventsWithOIDCSupport Signed-off-by: Leo Li * Update test/rekt/resources/sequence/sequence.go Co-authored-by: Christoph Stäbler * Update test/auth/features/oidc/broker.go Co-authored-by: Christoph Stäbler * Update test/auth/features/oidc/broker.go Co-authored-by: Christoph Stäbler * Update test/auth/features/oidc/parallel.go Co-authored-by: Christoph Stäbler * Update test/auth/features/oidc/broker.go Co-authored-by: Christoph Stäbler * enable the TLS for TestSequenceSendsEventsWithOIDCSupport Signed-off-by: Leo Li * enable the TLS for TestPingSourceSendsEventsWithOIDC 
Signed-off-by: Leo Li * enable the TLS for TestChannelDispatcherAuthenticatesWithOIDC Signed-off-by: Leo Li * add the audience field Signed-off-by: Leo Li * Code clean up Signed-off-by: Leo Li --------- Signed-off-by: Leo Li Co-authored-by: Christoph Stäbler --- test/auth/config/features.yaml | 2 + .../oidc/addressable_oidc_conformance.go | 8 +- test/auth/features/oidc/apiserversource.go | 12 +- test/auth/features/oidc/broker.go | 111 +++++++++++------- test/auth/features/oidc/channel.go | 21 +++- test/auth/features/oidc/containersource.go | 32 +++-- test/auth/features/oidc/parallel.go | 22 +++- test/auth/features/oidc/pingsource.go | 22 ++-- test/auth/features/oidc/sequence.go | 97 +++++++++------ test/auth/oidc_test.go | 10 ++ test/rekt/resources/delivery/delivery.go | 2 +- test/rekt/resources/sequence/sequence.go | 2 +- .../resources/subscription/subscription.go | 4 + 13 files changed, 232 insertions(+), 113 deletions(-) diff --git a/test/auth/config/features.yaml b/test/auth/config/features.yaml index b93aa837079..a0873f50574 100644 --- a/test/auth/config/features.yaml +++ b/test/auth/config/features.yaml @@ -19,3 +19,5 @@ metadata: namespace: knative-eventing data: authentication-oidc: "enabled" + transport-encryption: "strict" + diff --git a/test/auth/features/oidc/addressable_oidc_conformance.go b/test/auth/features/oidc/addressable_oidc_conformance.go index a5e7378b6c8..d86eb142e80 100644 --- a/test/auth/features/oidc/addressable_oidc_conformance.go +++ b/test/auth/features/oidc/addressable_oidc_conformance.go @@ -85,7 +85,7 @@ func addressableRejectInvalidAudience(gvr schema.GroupVersionResource, kind, nam f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(gvr, name), + eventshub.StartSenderToResourceTLS(gvr, name, nil), eventshub.OIDCInvalidAudience(), eventshub.InputEvent(event), )) 
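Review bot: The third argument to `eventshub.StartSenderToResourceTLS(gvr, name, nil)` is a bare `nil` with nothing saying what an absent value means, and the same call is repeated in the next three hunks of this file and in the broker, channel, parallel and sequence features. If that parameter is the CA bundle the sender trusts, a reader cannot tell from here whether nil falls back to the certificates eventshub provisions for the environment or relaxes verification; the former is presumably intended, since every receiver is started with `StartReceiverTLS`, but that should be confirmed against the eventshub definition. A one-line comment at the first use, e.g. `// nil: trust the CA eventshub provisioned for this environment`, would settle the question for the next reader. The enclosing function `addressableRejectInvalidAudience` begins before this hunk.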
@@ -109,7 +109,7 @@ func addressableRejectExpiredToken(gvr schema.GroupVersionResource, kind, name s f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(gvr, name), + eventshub.StartSenderToResourceTLS(gvr, name, nil), eventshub.OIDCExpiredToken(), eventshub.InputEvent(event), )) @@ -133,7 +133,7 @@ func addressableRejectCorruptedSignature(gvr schema.GroupVersionResource, kind, f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(gvr, name), + eventshub.StartSenderToResourceTLS(gvr, name, nil), eventshub.OIDCCorruptedSignature(), eventshub.InputEvent(event), )) @@ -157,7 +157,7 @@ func addressableAllowsValidRequest(gvr schema.GroupVersionResource, kind, name s f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(gvr, name), + eventshub.StartSenderToResourceTLS(gvr, name, nil), eventshub.InputEvent(event), )) diff --git a/test/auth/features/oidc/apiserversource.go b/test/auth/features/oidc/apiserversource.go index 658449a25e7..162303ce1f1 100644 --- a/test/auth/features/oidc/apiserversource.go +++ b/test/auth/features/oidc/apiserversource.go @@ -19,6 +19,9 @@ package oidc import ( "context" + "knative.dev/eventing/test/rekt/features/featureflags" + "knative.dev/eventing/test/rekt/features/source" + "github.com/cloudevents/sdk-go/v2/test" rbacv1 "k8s.io/api/rbac/v1" v1 "knative.dev/eventing/pkg/apis/sources/v1" 
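Review bot: The two new `knative.dev/eventing/test/rekt/features/...` imports are placed in their own group between the stdlib group and the `github.com/...` group, while the file's existing `knative.dev/...` imports stay in the group below; goimports preserves group boundaries, so this becomes a permanent inconsistency. The import hunks of broker.go (`knative.dev/pkg/apis`), parallel.go, sequence.go and oidc_test.go use the same placement, whereas channel.go, containersource.go and pingsource.go put the new line in the existing group. Moving the new entries into the existing group, sorted with the other `knative.dev` imports, matches the rest of each file.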
@@ -44,8 +47,11 @@ func ApiserversourceSendEventWithJWT() *feature.Feature { f := feature.NewFeatureNamed("ApiServerSource send events with OIDC authentication") + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + f.Setup("deploy receiver", eventshub.Install(sink, - eventshub.StartReceiver, + eventshub.StartReceiverTLS, eventshub.OIDCReceiverAudience(audience))) f.Setup("Create Service Account for ApiServerSource with RBAC for v1.Event resources", @@ -63,6 +69,7 @@ func ApiserversourceSendEventWithJWT() *feature.Feature { f.Requirement("install ApiServerSource", func(ctx context.Context, t feature.T) { d := service.AsDestinationRef(sink) d.Audience = &audience + d.CACerts = eventshub.GetCaCerts(ctx) cfg = append(cfg, apiserversource.WithSink(d)) apiserversource.Install(src, cfg...)(ctx, t) @@ -81,7 +88,8 @@ func ApiserversourceSendEventWithJWT() *feature.Feature { Match(eventassert.MatchKind(eventshub.EventReceived)). MatchEvent(test.HasType("dev.knative.apiserver.resource.update")). AtLeast(1), - ) + ).Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(apiserversource.Gvr(), src)). + Must("Set sinkCACerts to non empty CA certs", source.ExpectCACerts(apiserversource.Gvr(), src)) return f } diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index 7069d0c058d..40cb57f2453 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go @@ -17,8 +17,13 @@ limitations under the License. package oidc import ( + "context" + + "knative.dev/pkg/apis" + "github.com/cloudevents/sdk-go/v2/test" "github.com/google/uuid" + "knative.dev/eventing/test/rekt/features/featureflags" "knative.dev/eventing/test/rekt/resources/broker" "knative.dev/eventing/test/rekt/resources/delivery" "knative.dev/eventing/test/rekt/resources/trigger" 
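Review bot: The pair `f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())` / `f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())` is added verbatim here and in every feature of broker.go, channel.go, containersource.go, parallel.go, pingsource.go and sequence.go. A package-level helper such as `func requireStrictTLS(f *feature.Feature)` wrapping the two calls would keep the wording and the Istio exclusion in one place; broker.go already carries a `// TLS is required for OIDC` comment above the pair that the other files lack, which is the kind of drift a helper avoids. The reason Istio is excluded is not stated anywhere in the diff, and the helper's doc comment would be the natural place for it.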
@@ -43,6 +48,10 @@ func BrokerSendEventWithOIDC() *feature.FeatureSet { func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature { f := feature.NewFeatureNamed("Broker supports flow with OIDC tokens") + // TLS is required for OIDC + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + source := feature.MakeRandomK8sName("source") brokerName := feature.MakeRandomK8sName("broker") sink := feature.MakeRandomK8sName("sink") @@ -59,24 +68,22 @@ func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature { // Install the sink f.Setup("install sink", eventshub.Install( sink, + eventshub.StartReceiverTLS, eventshub.OIDCReceiverAudience(sinkAudience), - eventshub.StartReceiver)) - - // Install the trigger and Point the Trigger subscriber to the sink svc. - f.Setup("install trigger", trigger.Install( - triggerName, - brokerName, - trigger.WithSubscriberFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(sink), - Audience: &sinkAudience, - }), )) + + f.Setup("Install the trigger", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(sink) + d.CACerts = eventshub.GetCaCerts(ctx) + d.Audience = &sinkAudience + trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d))(ctx, t) + }) f.Setup("trigger goes ready", trigger.IsReady(triggerName)) // Send event f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(broker.GVR(), brokerName), + eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil), eventshub.InputEvent(event), )) 
@@ -89,6 +96,10 @@ func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature { func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { f := feature.NewFeature() + // TLS is required for OIDC + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + brokerName := feature.MakeRandomK8sName("broker") dls := feature.MakeRandomK8sName("dls") triggerName := feature.MakeRandomK8sName("trigger") 
@@ -101,27 +112,34 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { // Install DLS sink f.Setup("install dead letter sink", eventshub.Install(dls, eventshub.OIDCReceiverAudience(dlsAudience), - eventshub.StartReceiver)) - - // Install broker with DLS config - brokerConfig := append( - broker.WithEnvConfig(), - delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(dls), - Audience: &dlsAudience, - }), - ) - f.Setup("install broker", broker.Install(brokerName, brokerConfig...)) + eventshub.StartReceiverTLS)) + + f.Setup("install broker", func(ctx context.Context, t feature.T) { + brokerConfig := append(broker.WithEnvConfig(), + delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(dls), + Audience: &dlsAudience, + CACerts: eventshub.GetCaCerts(ctx), + })) + broker.Install(brokerName, brokerConfig...)(ctx, t) + }) + f.Setup("Broker is ready", broker.IsReady(brokerName)) - // Install Trigger - f.Setup("install trigger", trigger.Install(triggerName, brokerName, - trigger.WithSubscriber(nil, "bad://uri"))) + f.Setup("Install the trigger", func(ctx context.Context, t feature.T) { + // create an empty destination ref + d := duckv1.Destination{} + d.CACerts = eventshub.GetCaCerts(ctx) + d.URI, _ = apis.ParseURL("bad://uri") + trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(&d))(ctx, t) + + }) + f.Setup("trigger is ready", trigger.IsReady(triggerName)) // Send events after data plane is ready. f.Requirement("install source", eventshub.Install(source, - eventshub.StartSenderToResource(broker.GVR(), brokerName), + eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil), eventshub.InputEvent(event), )) 
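Review bot: `d.URI, _ = apis.ParseURL("bad://uri")` discards the parse error, so if parsing ever fails the trigger is installed with neither a Ref nor a URI and the test fails later with an unrelated readiness or delivery error. Since `t` is in scope in the closure, check it: `u, err := apis.ParseURL("bad://uri"); if err != nil { t.Fatalf("parsing subscriber URI: %v", err) }; d.URI = u`. The comment `// create an empty destination ref` above it is also misleading, because the destination is immediately populated with CACerts and a URI; something like `// subscriber that is never reachable, so delivery presumably falls through to the DLS` describes the intent. BrokerSendEventWithOIDCTokenToDLS continues outside the hunk.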
@@ -133,8 +151,17 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { } func BrokerSendEventWithOIDCTokenToReply() *feature.Feature { + //1. An event is sent to a broker. + //2. A trigger routes this event to a subscriber. + //3. The subscriber processes and replies to the event. + //4. A helper trigger routes the reply to a designated sink. + //5. The test verifies that the reply reaches the sink with the expected modifications. f := feature.NewFeature() + // TLS is required for OIDC + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + brokerName := feature.MakeRandomK8sName("broker") subscriber := feature.MakeRandomK8sName("subscriber") reply := feature.MakeRandomK8sName("reply") 
@@ -151,38 +178,40 @@ func BrokerSendEventWithOIDCTokenToReply() *feature.Feature { // Install subscriber f.Setup("install subscriber", eventshub.Install(subscriber, eventshub.ReplyWithTransformedEvent(replyEventType, replyEventSource, ""), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) // Install sink for reply // Hint: we don't need to require OIDC auth at the reply sink, because the // actual reply is sent to the broker ingress, which must support OIDC. This - // reply sink is only to check that the reply as sent and routed correctly. + // reply sink is only to check that the reply was sent and routed correctly. f.Setup("install sink for reply", eventshub.Install(reply, - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) // Install broker f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...)) f.Setup("Broker is ready", broker.IsReady(brokerName)) - // Install Trigger - f.Setup("install trigger", trigger.Install(triggerName, brokerName, - trigger.WithSubscriber(service.AsKReference(subscriber), ""), - trigger.WithFilter(map[string]string{ + f.Setup("install the trigger", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(subscriber) + d.CACerts = eventshub.GetCaCerts(ctx) + trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d), trigger.WithFilter(map[string]string{ "type": event.Type(), - }))) + }))(ctx, t) + }) + f.Setup("trigger is ready", trigger.IsReady(triggerName)) - // Install helper trigger to route replys to reply-sink - f.Setup("install helper trigger", trigger.Install(helperTriggerName, brokerName, - trigger.WithSubscriber(service.AsKReference(reply), ""), - trigger.WithFilter(map[string]string{ + f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(reply) + d.CACerts = eventshub.GetCaCerts(ctx) + trigger.Install(helperTriggerName, brokerName, 
trigger.WithSubscriberFromDestination(d), trigger.WithFilter(map[string]string{ "type": replyEventType, - }))) - f.Setup("helper trigger is ready", trigger.IsReady(helperTriggerName)) + }))(ctx, t) + }) // Send events after data plane is ready. f.Requirement("install source", eventshub.Install(source, - eventshub.StartSenderToResource(broker.GVR(), brokerName), + eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil), eventshub.InputEvent(event), )) diff --git a/test/auth/features/oidc/channel.go b/test/auth/features/oidc/channel.go index 2512d357cce..2cc1819f3d7 100644 --- a/test/auth/features/oidc/channel.go +++ b/test/auth/features/oidc/channel.go @@ -17,7 +17,10 @@ limitations under the License. package oidc import ( + "context" + "github.com/cloudevents/sdk-go/v2/test" + "knative.dev/eventing/test/rekt/features/featureflags" "knative.dev/eventing/test/rekt/resources/channel_impl" "knative.dev/eventing/test/rekt/resources/subscription" "knative.dev/reconciler-test/pkg/eventshub" @@ -29,6 +32,9 @@ import ( func ChannelDispatcherAuthenticatesRequestsWithOIDC() *feature.Feature { f := feature.NewFeatureNamed("Channel dispatcher authenticates requests with OIDC") + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + source := feature.MakeRandomK8sName("source") channelName := feature.MakeRandomK8sName("channel") sink := feature.MakeRandomK8sName("sink") 
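Review bot: The readiness wait `f.Setup("helper trigger is ready", trigger.IsReady(helperTriggerName))` is removed in this hunk and not re-added, so the source can now be installed before the helper trigger that routes the reply to the reply sink is ready, which makes the reply assertion (outside the hunk) timing-dependent; the matching `trigger is ready` wait for the main trigger was kept, so the removal looks accidental. Restoring `f.Setup("helper trigger is ready", trigger.IsReady(helperTriggerName))` after the helper trigger setup closure fixes it. The step label `install the trigger and specify the CA cert of the destination` on that closure no longer says which trigger it installs; `install helper trigger` matched the old label and distinguishes it from the `install the trigger` step above. BrokerSendEventWithOIDCTokenToReply continues outside the hunk.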
@@ -37,12 +43,21 @@ func ChannelDispatcherAuthenticatesRequestsWithOIDC() *feature.Feature { f.Setup("install channel", channel_impl.Install(channelName)) f.Setup("channel is ready", channel_impl.IsReady(channelName)) - f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(receiverAudience), eventshub.StartReceiver)) - f.Setup("install subscription", subscription.Install(subscriptionName, subscription.WithChannel(channel_impl.AsRef(channelName)), subscription.WithSubscriber(service.AsKReference(sink), "", receiverAudience))) + f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(receiverAudience), eventshub.StartReceiverTLS)) + + f.Setup("install subscription", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(sink) + d.CACerts = eventshub.GetCaCerts(ctx) + d.Audience = &receiverAudience + subscription.Install(subscriptionName, + subscription.WithChannel(channel_impl.AsRef(channelName)), + subscription.WithSubscriberFromDestination(d))(ctx, t) + }) + f.Setup("subscription is ready", subscription.IsReady(subscriptionName)) event := test.FullEvent() - f.Requirement("install source", eventshub.Install(source, eventshub.InputEvent(event), eventshub.StartSenderToResource(channel_impl.GVR(), channelName))) + f.Requirement("install source", eventshub.Install(source, eventshub.InputEvent(event), eventshub.StartSenderToResourceTLS(channel_impl.GVR(), channelName, nil))) f.Alpha("channel dispatcher").Must("authenticate requests with OIDC", assert.OnStore(sink).MatchReceivedEvent(test.HasId(event.ID())).AtLeast(1)) diff --git a/test/auth/features/oidc/containersource.go b/test/auth/features/oidc/containersource.go index 861aaa2a927..8efb053b01c 100644 --- a/test/auth/features/oidc/containersource.go +++ b/test/auth/features/oidc/containersource.go 
@@ -17,9 +17,12 @@ limitations under the License. package oidc import ( + "context" + "github.com/cloudevents/sdk-go/v2/test" + "knative.dev/eventing/test/rekt/features/featureflags" + "knative.dev/eventing/test/rekt/features/source" "knative.dev/eventing/test/rekt/resources/containersource" - duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/reconciler-test/pkg/eventshub" "knative.dev/reconciler-test/pkg/eventshub/assert" "knative.dev/reconciler-test/pkg/feature" 
@@ -27,25 +30,32 @@ import ( ) func SendsEventsWithSinkRefOIDC() *feature.Feature { - source := feature.MakeRandomK8sName("containersource") + src := feature.MakeRandomK8sName("containersource") sink := feature.MakeRandomK8sName("sink") sinkAudience := "audience" f := feature.NewFeature() + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(sinkAudience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) + + f.Requirement("install ContainerSource", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(sink) + d.CACerts = eventshub.GetCaCerts(ctx) + d.Audience = &sinkAudience - f.Requirement("install containersource", containersource.Install(source, - containersource.WithSink(&duckv1.Destination{ - Ref: service.AsKReference(sink), - Audience: &sinkAudience, - }))) - f.Requirement("containersource goes ready", containersource.IsReady(source)) + containersource.Install(src, containersource.WithSink(d))(ctx, t) + }) + + f.Requirement("containersource goes ready", containersource.IsReady(src)) f.Stable("containersource as event source"). Must("delivers events", - assert.OnStore(sink).MatchEvent(test.HasType("dev.knative.eventing.samples.heartbeat")).AtLeast(1)) - + assert.OnStore(sink).MatchEvent(test.HasType("dev.knative.eventing.samples.heartbeat")).AtLeast(1)). + Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(containersource.Gvr(), src)). + Must("Set sinkCACerts to non empty CA certs", source.ExpectCACerts(containersource.Gvr(), src)) return f } diff --git a/test/auth/features/oidc/parallel.go b/test/auth/features/oidc/parallel.go index 6cd5db62afa..cf2ab49e0f2 100644 --- a/test/auth/features/oidc/parallel.go +++ b/test/auth/features/oidc/parallel.go 
@@ -20,6 +20,8 @@ import ( "context" "strconv" + "knative.dev/eventing/test/rekt/features/featureflags" + cloudevents "github.com/cloudevents/sdk-go/v2" "github.com/cloudevents/sdk-go/v2/test" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -55,6 +57,9 @@ func ParallelHasAudienceOfInputChannel(parallelName, parallelNamespace string, c func ParallelWithTwoBranchesOIDC(channelTemplate channel_template.ChannelTemplate) *feature.Feature { f := feature.NewFeatureNamed("Parallel test.") + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + parallelName := feature.MakeRandomK8sName("parallel1") source := feature.MakeRandomK8sName("source1") sink := feature.MakeRandomK8sName("sink1") @@ -80,23 +85,23 @@ func ParallelWithTwoBranchesOIDC(channelTemplate channel_template.ChannelTemplat f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(sinkAudience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) // Install Subscribers for both branches. f.Setup("install subscriber1", eventshub.Install(subscriber1, eventshub.ReplyWithAppendedData("appended data 1"), eventshub.OIDCReceiverAudience(subscriber1Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) f.Setup("install subscriber2", eventshub.Install(subscriber2, eventshub.ReplyWithAppendedData("appended data 2"), eventshub.OIDCReceiverAudience(subscriber2Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) // Install Filter only for first branch. f.Setup("install filter1", eventshub.Install(filter1, eventshub.ReplyWithTransformedEvent(event.Type(), event.Source(), string(event.Data())), eventshub.OIDCReceiverAudience(filter1Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) // Install a Parallel with two branches f.Setup("install Parallel", func(ctx context.Context, t feature.T) { 
@@ -104,24 +109,31 @@ func ParallelWithTwoBranchesOIDC(channelTemplate channel_template.ChannelTemplat parallel.WithReply(&duckv1.Destination{ Ref: service.AsKReference(sink), Audience: &sinkAudience, + CACerts: eventshub.GetCaCerts(ctx), }), parallel.WithSubscriberAt(branch1Num, &duckv1.Destination{ Ref: service.AsKReference(subscriber1), Audience: &subscriber1Audience, + CACerts: eventshub.GetCaCerts(ctx), }), parallel.WithSubscriberAt(branch2Num, &duckv1.Destination{ Ref: service.AsKReference(subscriber2), Audience: &subscriber2Audience, + CACerts: eventshub.GetCaCerts(ctx), }), parallel.WithFilterAt(branch1Num, &duckv1.Destination{ Ref: service.AsKReference(filter1), Audience: &filter1Audience, + CACerts: eventshub.GetCaCerts(ctx), }), parallel.WithReplyAt(branch1Num, nil), + parallel.WithReplyAt(branch2Num, nil), + // The Reply for second branch is same as global reply. parallel.WithReplyAt(branch2Num, &duckv1.Destination{ Ref: service.AsKReference(sink), Audience: &sinkAudience, + CACerts: eventshub.GetCaCerts(ctx), }), ) @@ -132,7 +144,7 @@ func ParallelWithTwoBranchesOIDC(channelTemplate channel_template.ChannelTemplat f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(parallel.GVR(), parallelName), + eventshub.StartSenderToResourceTLS(parallel.GVR(), parallelName, nil), eventshub.InputEvent(event), )) diff --git a/test/auth/features/oidc/pingsource.go b/test/auth/features/oidc/pingsource.go index feee5821f53..7c0192d2698 100644 --- a/test/auth/features/oidc/pingsource.go +++ b/test/auth/features/oidc/pingsource.go 
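Review bot: `parallel.WithReplyAt(branch2Num, nil)` is added directly before the existing `parallel.WithReplyAt(branch2Num, &duckv1.Destination{...})` for the same branch, so the two options contradict each other and the outcome depends on whether the later call overwrites the earlier one or the helper treats nil as a no-op, neither of which is visible here. If the intent is that branch 2 inherits the global reply, only the nil line should stay and the explicit destination go; otherwise the nil line is a leftover and should be removed. The comment `// The Reply for second branch is same as global reply.` now sits between the two and reads as if it applied to the nil one. Separately, `eventshub.GetCaCerts(ctx)` is evaluated five times in this closure; hoisting it once as `caCerts := eventshub.GetCaCerts(ctx)` reads better and applies equally to the two `Install Sequence` closures in sequence.go. ParallelWithTwoBranchesOIDC continues outside the hunk.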
@@ -17,9 +17,11 @@ limitations under the License. package oidc import ( + "context" + "github.com/cloudevents/sdk-go/v2/test" + "knative.dev/eventing/test/rekt/features/featureflags" "knative.dev/eventing/test/rekt/resources/pingsource" - duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/reconciler-test/pkg/eventshub" "knative.dev/reconciler-test/pkg/eventshub/assert" "knative.dev/reconciler-test/pkg/feature" @@ -32,15 +34,21 @@ func PingSourceSendEventWithSinkRefOIDC() *feature.Feature { sinkAudience := "audience" f := feature.NewFeature() + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(sinkAudience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) + + f.Requirement("Install pingsource", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(sink) + d.CACerts = eventshub.GetCaCerts(ctx) + d.Audience = &sinkAudience + + pingsource.Install(source, pingsource.WithSink(d))(ctx, t) + }) - f.Requirement("install pingsource", - pingsource.Install(source, pingsource.WithSink(&duckv1.Destination{ - Ref: service.AsKReference(sink), - Audience: &sinkAudience, - }))) f.Requirement("pingsource goes ready", pingsource.IsReady(source)) f.Stable("pingsource as event source"). diff --git a/test/auth/features/oidc/sequence.go b/test/auth/features/oidc/sequence.go index e126e8da2c8..bbe0d7e0bae 100644 --- a/test/auth/features/oidc/sequence.go +++ b/test/auth/features/oidc/sequence.go @@ -17,6 +17,10 @@ limitations under the License. package oidc import ( + "context" + + "knative.dev/eventing/test/rekt/features/featureflags" + "github.com/cloudevents/sdk-go/v2/test" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" 
@@ -62,6 +66,9 @@ func SequenceSendsEventWithOIDC() *feature.FeatureSet { func SequenceSendsEventWithOIDCTokenToSteps() *feature.Feature { f := feature.NewFeatureNamed("Sequence supports OIDC in internal flow between steps") + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + channelTemplate := channel_template.ChannelTemplate{ TypeMeta: channel_impl.TypeMeta(), Spec: map[string]interface{}{}, 
@@ -81,31 +88,36 @@ func SequenceSendsEventWithOIDCTokenToSteps() *feature.Feature { f.Setup("install step 1", eventshub.Install(step1Name, eventshub.ReplyWithAppendedData(step1Append), eventshub.OIDCReceiverAudience(step1Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) f.Setup("install step 2", eventshub.Install(step2Name, eventshub.ReplyWithAppendedData(step2Append), eventshub.OIDCReceiverAudience(step2Audience), - eventshub.StartReceiver)) - - cfg := []manifest.CfgFn{ - sequence.WithChannelTemplate(channelTemplate), - sequence.WithStepFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(step1Name), - Audience: &step1Audience, - }), - sequence.WithStepFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(step2Name), - Audience: &step2Audience, - }), - } + eventshub.StartReceiverTLS)) + + f.Setup("Install Sequence", func(ctx context.Context, t feature.T) { + cfg := []manifest.CfgFn{ + sequence.WithChannelTemplate(channelTemplate), + sequence.WithStepFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(step1Name), + Audience: &step1Audience, + CACerts: eventshub.GetCaCerts(ctx), + }), + sequence.WithStepFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(step2Name), + Audience: &step2Audience, + CACerts: eventshub.GetCaCerts(ctx), + }), + } + + sequence.Install(sequenceName, cfg...)(ctx, t) + }) - f.Setup("Install Sequence", sequence.Install(sequenceName, cfg...)) f.Setup("Sequence goes ready", sequence.IsReady(sequenceName)) event := test.FullEvent() event.SetData("text/plain", "hello") f.Requirement("install source", eventshub.Install(sourceName, - eventshub.StartSenderToResource(sequence.GVR(), sequenceName), + eventshub.StartSenderToResourceTLS(sequence.GVR(), sequenceName, nil), eventshub.InputEvent(event))) expectedMsg := string(event.Data()) 
@@ -122,6 +134,9 @@ func SequenceSendsEventWithOIDCTokenToSteps() *feature.Feature { func SequenceSendsEventWithOIDCTokenToReply() *feature.Feature { f := feature.NewFeatureNamed("Sequence supports OIDC for reply") + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + channelTemplate := channel_template.ChannelTemplate{ TypeMeta: channel_impl.TypeMeta(), Spec: map[string]interface{}{}, 
@@ -143,38 +158,44 @@ func SequenceSendsEventWithOIDCTokenToReply() *feature.Feature { f.Setup("install step 1", eventshub.Install(step1Name, eventshub.ReplyWithAppendedData(step1Append), eventshub.OIDCReceiverAudience(step1Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) f.Setup("install step 2", eventshub.Install(step2Name, eventshub.ReplyWithAppendedData(step2Append), eventshub.OIDCReceiverAudience(step2Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) + f.Setup("install sink", eventshub.Install(replySinkName, eventshub.OIDCReceiverAudience(replySinkAudience), - eventshub.StartReceiver)) - - cfg := []manifest.CfgFn{ - sequence.WithChannelTemplate(channelTemplate), - sequence.WithReplyFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(replySinkName), - Audience: &replySinkAudience, - }), - sequence.WithStepFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(step1Name), - Audience: &step1Audience, - }), - sequence.WithStepFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(step2Name), - Audience: &step2Audience, - }), - } - - f.Setup("Install Sequence", sequence.Install(sequenceName, cfg...)) + eventshub.StartReceiverTLS)) + + f.Setup("Install Sequence", func(ctx context.Context, t feature.T) { + cfg := []manifest.CfgFn{ + sequence.WithChannelTemplate(channelTemplate), + sequence.WithReplyFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(replySinkName), + Audience: &replySinkAudience, + CACerts: eventshub.GetCaCerts(ctx), + }), + sequence.WithStepFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(step1Name), + Audience: &step1Audience, + CACerts: eventshub.GetCaCerts(ctx), + }), + sequence.WithStepFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(step2Name), + Audience: &step2Audience, + CACerts: eventshub.GetCaCerts(ctx), + }), + } + + sequence.Install(sequenceName, cfg...)(ctx, t) + }) f.Setup("Sequence goes ready", 
sequence.IsReady(sequenceName)) event := test.FullEvent() event.SetData("text/plain", "hello") f.Requirement("install source", eventshub.Install(sourceName, - eventshub.StartSenderToResource(sequence.GVR(), sequenceName), + eventshub.StartSenderToResourceTLS(sequence.GVR(), sequenceName, nil), eventshub.InputEvent(event))) expectedMsg := string(event.Data()) diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index 13e7f0ee4aa..a12e109e92f 100644 --- a/test/auth/oidc_test.go +++ b/test/auth/oidc_test.go @@ -23,6 +23,8 @@ import ( "testing" "time" + "knative.dev/reconciler-test/pkg/eventshub" + "knative.dev/pkg/system" "knative.dev/reconciler-test/pkg/environment" "knative.dev/reconciler-test/pkg/feature" @@ -51,6 +53,7 @@ func TestBrokerSupportsOIDC(t *testing.T) { k8s.WithEventListener, environment.Managed(t), environment.WithPollTimings(4*time.Second, 12*time.Minute), + eventshub.WithTLS(t), ) name := feature.MakeRandomK8sName("broker") @@ -68,6 +71,7 @@ func TestBrokerSendsEventsWithOIDCSupport(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.TestSet(ctx, t, oidc.BrokerSendEventWithOIDC()) @@ -120,6 +124,7 @@ func TestChannelDispatcherAuthenticatesWithOIDC(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.Test(ctx, t, oidc.ChannelDispatcherAuthenticatesRequestsWithOIDC()) @@ -154,6 +159,7 @@ func TestApiserversourceSendEventWithJWT(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.Test(ctx, t, oidc.ApiserversourceSendEventWithJWT()) @@ -168,6 +174,7 @@ func TestContainerSourceSendsEventsWithOIDCSupport(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.Test(ctx, t, oidc.SendsEventsWithSinkRefOIDC()) 
@@ -182,6 +189,7 @@ func TestPingSourceSendsEventsWithOIDC(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.Test(ctx, t, oidc.PingSourceSendEventWithSinkRefOIDC()) @@ -195,6 +203,7 @@ func TestSequenceSendsEventsWithOIDCSupport(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.TestSet(ctx, t, oidc.SequenceSendsEventWithOIDC()) @@ -209,6 +218,7 @@ func TestParallelTwoBranchesWithOIDCSupport(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.Test(ctx, t, oidc.ParallelWithTwoBranchesOIDC(channel_template.ImmemoryChannelTemplate())) diff --git a/test/rekt/resources/delivery/delivery.go b/test/rekt/resources/delivery/delivery.go index 8348e5647d7..626b62c6063 100644 --- a/test/rekt/resources/delivery/delivery.go +++ b/test/rekt/resources/delivery/delivery.go @@ -90,7 +90,7 @@ func WithDeadLetterSinkFromDestination(dest *duckv1.Destination) manifest.CfgFn if dest.CACerts != nil { // This is a multi-line string and should be indented accordingly. // Replace "new line" with "new line + spaces". - dls["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") + dls["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") } if dest.Audience != nil { diff --git a/test/rekt/resources/sequence/sequence.go b/test/rekt/resources/sequence/sequence.go index d740fe98092..a034486779e 100644 --- a/test/rekt/resources/sequence/sequence.go +++ b/test/rekt/resources/sequence/sequence.go @@ -127,7 +127,7 @@ func WithStepFromDestination(dest *duckv1.Destination) manifest.CfgFn { if dest.CACerts != nil { // This is a multi-line string and should be indented accordingly. // Replace "new line" with "new line + spaces". - step["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") + step["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") } if dest.Audience != nil { 
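Review bot: The number of spaces inserted after each newline in `strings.ReplaceAll(*dest.CACerts, "\n", "\n ")` is tied to the nesting depth of the `CACerts` key in the resource's YAML template, and this hunk and the one in sequence.go adjust that width by hand while subscription.go keeps its own copy of the same expression; nothing in the code says which template line each width must match, so the next template edit will silently break the PEM block again. A comment naming the template and field, e.g. `// width must match the indentation of the CACerts line in <template file>`, would make the coupling visible, and the three sites could share one helper like `indentMultiline(s string, depth int) string` so the width is a parameter rather than a literal. WithDeadLetterSinkFromDestination continues outside the hunk.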
diff --git a/test/rekt/resources/subscription/subscription.go b/test/rekt/resources/subscription/subscription.go index 3521d0d4bba..9d30702fc30 100644 --- a/test/rekt/resources/subscription/subscription.go +++ b/test/rekt/resources/subscription/subscription.go @@ -153,6 +153,10 @@ func WithSubscriberFromDestination(dest *duckv1.Destination) manifest.CfgFn { subscriber["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") } + if dest.Audience != nil { + subscriber["audience"] = *dest.Audience + } + if uri != nil { subscriber["uri"] = uri.String() }