Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

support auto generation of SinkBindings identity service account #7327

Merged
merged 11 commits into from
Oct 11, 2023

Conversation

rahulii
Copy link
Contributor

@rahulii rahulii commented Oct 2, 2023

Fixes #7324

Proposed Changes

  • 🎁 Expose the name of the OIDC service account in the SinkBinding .status.auth.serviceAccountName
  • 🎁 Create the OIDC service account of the SinkBinding

Pre-review Checklist

  • At least 80% unit test coverage
  • E2E tests for any new behavior
  • Docs PR for any user-facing impact
  • Spec PR for any new API feature
  • Conformance test for any change to the spec

Release Note

Expose the SinkBinding OIDC service account name in the SinkBinding .status.auth.serviceAccountName

@knative-prow
Copy link

knative-prow bot commented Oct 2, 2023

Welcome @rahulii! It looks like this is your first PR to knative/eventing 🎉

@knative-prow knative-prow bot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 2, 2023
@knative-prow
Copy link

knative-prow bot commented Oct 2, 2023

Hi @rahulii. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@knative-prow knative-prow bot requested review from lionelvillard and matzew October 2, 2023 10:55
@rahulii
Copy link
Contributor Author

rahulii commented Oct 2, 2023

@creydr please review.
Thanks!

Copy link
Member

@creydr creydr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @rahulii,
Thanks a lot for your PR. I left 2 comments so far.
Besides of them, I am getting a crashloop backoff when running your PR locally. Seems like some insufficient permissions. Can you check on them?

pkg/reconciler/sinkbinding/controller.go Outdated Show resolved Hide resolved
pkg/reconciler/sinkbinding/controller.go Outdated Show resolved Hide resolved
@creydr
Copy link
Member

creydr commented Oct 4, 2023

/ok-to-test

@knative-prow knative-prow bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Oct 4, 2023
@rahulii
Copy link
Contributor Author

rahulii commented Oct 4, 2023

status:
    auth:
      serviceAccountName: oidc-sources.knative.dev-sinkbinding-heartbeat
    conditions:
    - lastTransitionTime: "2023-10-04T12:04:51Z"
      status: "True"
      type: OIDCIdentityCreated
    - lastTransitionTime: "2023-10-04T12:04:52Z"
      message: Addressable could not be extracted from destination
      reason: NoAddressable
      status: "False"
      type: Ready
    - lastTransitionTime: "2023-10-04T12:04:51Z"
      status: Unknown
      type: SinkProvided

here is the o/p - @creydr

@rahulii rahulii requested a review from creydr October 4, 2023 12:07
pkg/reconciler/sinkbinding/controller.go Outdated Show resolved Hide resolved
pkg/reconciler/sinkbinding/controller.go Outdated Show resolved Hide resolved
pkg/reconciler/sinkbinding/controller.go Show resolved Hide resolved
Copy link
Member

@creydr creydr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you also fix the goformat/style issues?

config/core/roles/webhook-clusterrole.yaml Show resolved Hide resolved
config/core/roles/webhook-clusterrole.yaml Outdated Show resolved Hide resolved
@creydr
Copy link
Member

creydr commented Oct 5, 2023

@rahulii Thanks for the update. Can you fix the unit tests?
Can we also add some reconciler tests, to check if the service account was created and the AuthStatus field set correctly? Something like we did in 0eaf9e8:

{
Name: "OIDC: creates OIDC service account",
Key: testKey,
Ctx: feature.ToContext(context.Background(), feature.Flags{
feature.OIDCAuthentication: feature.Enabled,
}),
Objects: allBrokerObjectsReadyPlus([]runtime.Object{
makeReadySubscriptionWithAudience(testNS),
NewTrigger(triggerName, testNS, brokerName,
WithTriggerUID(triggerUID),
WithTriggerSubscriberURI(subscriberURI),
WithInitTriggerConditions,
)}...),
WantErr: false,
WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
Object: NewTrigger(triggerName, testNS, brokerName,
WithTriggerUID(triggerUID),
WithTriggerSubscriberURI(subscriberURI),
WithTriggerBrokerReady(),
// The first reconciliation will initialize the status conditions.
WithInitTriggerConditions,
WithTriggerDependencyReady(),
WithTriggerSubscribed(),
WithTriggerStatusSubscriberURI(subscriberURI),
WithTriggerSubscriberResolvedSucceeded(),
WithTriggerDeadLetterSinkNotConfigured(),
WithTriggerOIDCIdentityCreatedSucceeded(),
WithTriggerOIDCServiceAccountName(makeTriggerOIDCServiceAccount().Name),
),
}},
WantCreates: []runtime.Object{
makeTriggerOIDCServiceAccount(),
},
},
{
Name: "OIDC: Trigger not ready on invalid OIDC service account",
Key: testKey,
Ctx: feature.ToContext(context.Background(), feature.Flags{
feature.OIDCAuthentication: feature.Enabled,
}),
Objects: allBrokerObjectsReadyPlus([]runtime.Object{
makeReadySubscriptionWithAudience(testNS),
makeTriggerOIDCServiceAccountWithoutOwnerRef(),
NewTrigger(triggerName, testNS, brokerName,
WithTriggerUID(triggerUID),
WithTriggerSubscriberURI(subscriberURI),
WithInitTriggerConditions,
)}...),
WantErr: true,
WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
Object: NewTrigger(triggerName, testNS, brokerName,
WithTriggerUID(triggerUID),
WithTriggerSubscriberURI(subscriberURI),
WithTriggerBrokerReady(),
// The first reconciliation will initialize the status conditions.
WithInitTriggerConditions,
WithTriggerDependencyUnknown("", ""),
WithTriggerSubscribed(),
WithTriggerStatusSubscriberURI(subscriberURI),
WithTriggerSubscriberResolvedSucceeded(),
WithTriggerDeadLetterSinkNotConfigured(),
WithTriggerOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", fmt.Sprintf("service account %s not owned by Trigger %s", makeTriggerOIDCServiceAccountWithoutOwnerRef().Name, triggerName)),
WithTriggerOIDCServiceAccountName(makeTriggerOIDCServiceAccountWithoutOwnerRef().Name),
WithTriggerSubscribedUnknown("", ""),
),
}},
WantEvents: []string{
Eventf(corev1.EventTypeWarning, "InternalError", fmt.Sprintf("service account %s not owned by Trigger %s", makeTriggerOIDCServiceAccountWithoutOwnerRef().Name, triggerName)),
},
},

@rahulii
Copy link
Contributor Author

rahulii commented Oct 5, 2023

Can we also add some reconciler tests, to check if the service account was created and the AuthStatus field set correctly?

@creydr there are no tests implemented currently for SB reconciler, should I go ahead and create it (a new _test.go file) ?

@codecov
Copy link

codecov bot commented Oct 5, 2023

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (ba02f4a) 76.90% compared to head (fdda99e) 76.92%.
Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7327      +/-   ##
==========================================
+ Coverage   76.90%   76.92%   +0.02%     
==========================================
  Files         252      252              
  Lines       13693    13701       +8     
==========================================
+ Hits        10530    10539       +9     
  Misses       2637     2637              
+ Partials      526      525       -1     
Files Coverage Δ
pkg/apis/sources/v1/sinkbinding_types.go 100.00% <ø> (ø)
pkg/apis/sources/v1/sinkbinding_lifecycle.go 89.28% <75.00%> (-1.10%) ⬇️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

sb.Status.MarkOIDCIdentityCreatedSucceeded()
} else {
sb.Status.Auth = nil
sb.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we have a constant string we can use across the board for this reason? /cc @creydr

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not yet. But makes sense to introduce one, as we have this at multiple places 👍

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that can be a part of seperate PR!

Comment on lines +138 to +146
// Reconcile SinkBinding when the OIDC service account changes
serviceaccountInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
FilterFunc: controller.FilterController(&v1.SinkBinding{}),
Handler: controller.HandleAll(impl.EnqueueControllerOf),
})

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@creydr it's a general common not specific to this PR, but we should evaluate if it makes sense to label all of our service accounts and use a "filtered informer" so that we're not watching all service accounts into a cluster which could be quite large but only "ours"

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it makes sense to label the service account 👍🏼

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good point @pierDipi. I think we can do this in a separate PR

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

created #7341

Comment on lines +144 to +153
// reconcile sinkindings on changes on the features configmap
configmapInformer.Informer().AddEventHandler(cache.FilteringResourceEventHandler{
FilterFunc: controller.FilterWithNameAndNamespace(system.Namespace(), feature.FlagsConfigName),
Handler: controller.HandleAll(func(i interface{}) {
impl.GlobalResync(sbInformer.Informer())
}),
})
Copy link
Member

@pierDipi pierDipi Oct 9, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Instead of using a cluster-wide configmap informer, we can configure a callback function when calling NewStore, that saves quite a bit of memory since that watcher is watching only configmaps in the system namespace as opposed to watching every configmap in the cluster /cc @creydr

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see example in pkg/reconciler/broker/controller.go

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

like featureStore.WatchConfigs(cmw) , right ?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes. featureStore.WatchConfigs(cmw) takes additional callback functions which get called on configmap updates. E.g.:

var globalResync func(obj interface{})
featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
	if globalResync != nil {
		globalResync(nil)
	}
})

with globalResync being something like:

globalResync = func(obj interface{}) {
	impl.GlobalResync(sbInformer.Informer())
}

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @creydr

@rahulii rahulii force-pushed the support-oidc-sinkbinding branch from f214983 to 9800d17 Compare October 9, 2023 20:06
@rahulii rahulii requested a review from creydr October 9, 2023 20:08
@rahulii
Copy link
Contributor Author

rahulii commented Oct 10, 2023

/ok-to-test

@creydr
Copy link
Member

creydr commented Oct 10, 2023

@rahulii maybe #7285 (comment) helps you too on your e2e test 🤷

@rahulii
Copy link
Contributor Author

rahulii commented Oct 10, 2023

@rahulii maybe #7285 (comment) helps you too on your e2e test 🤷

hmm @creydr do you want to do e2e as part of this PR or create a bug and track it ?
quoting @pierDipi from slack :

For E2E tests, we need reconciler-test support for OIDC testing and we're not there yet, so we can track the remaining test part into a different issue and merge this PR ones ready

wdyt?

@creydr
Copy link
Member

creydr commented Oct 10, 2023

@rahulii maybe #7285 (comment) helps you too on your e2e test 🤷

hmm @creydr do you want to do e2e as part of this PR or create a bug and track it ? quoting @pierDipi from slack :

For E2E tests, we need reconciler-test support for OIDC testing and we're not there yet, so we can track the remaining test part into a different issue and merge this PR ones ready

wdyt?

I see. Works for me.

@rahulii
Copy link
Contributor Author

rahulii commented Oct 10, 2023

@rahulii maybe #7285 (comment) helps you too on your e2e test 🤷

hmm @creydr do you want to do e2e as part of this PR or create a bug and track it ? quoting @pierDipi from slack :

For E2E tests, we need reconciler-test support for OIDC testing and we're not there yet, so we can track the remaining test part into a different issue and merge this PR ones ready

wdyt?

I see. Works for me.

thanks @creydr , LMK if you need any more changes on this PR! Thanks!

@creydr
Copy link
Member

creydr commented Oct 10, 2023

@rahulii the verify job failed. Probably because some relevant changes got merged into main in the meantime. Can you rerun ./hack/update-codegen.sh.?

@rahulii
Copy link
Contributor Author

rahulii commented Oct 11, 2023

@creydr is the e2e test failure because of this PR changes ? 🤔
doen't looks like ! If no, is this PR good to go ?

Copy link
Member

@creydr creydr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot @rahulii for your work in this PR and your patience!

/lgtm

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 11, 2023
@knative-prow
Copy link

knative-prow bot commented Oct 11, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr, rahulii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 11, 2023
@knative-prow knative-prow bot merged commit c46bdd3 into knative:main Oct 11, 2023
28 of 32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support auto generation of SinkBindings identity service account and expose in AuthStatus
3 participants