Update kncloudevents.Dispatcher to add a JWT #7328

@creydr creydr commented Oct 2, 2023

Proposed Changes

@knative-prow knative-prow bot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. area/test-and-release Test infrastructure, tests or release labels Oct 2, 2023
codecov bot commented Oct 2, 2023

Codecov Report

Attention: 122 lines in your changes are missing coverage. Please review.

Comparison is base (ce67d85) 77.52% compared to head (edfef92) 76.88%.
Report is 10 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #7328      +/-   ##
==========================================
- Coverage   77.52%   76.88%   -0.64%     
==========================================
  Files         250      252       +2     
  Lines       13573    13704     +131     
==========================================
+ Hits        10522    10537      +15     
- Misses       2525     2641     +116     
  Partials      526      526              
Files Coverage Δ
pkg/broker/filter/filter_handler.go 69.09% <100.00%> (+0.09%) ⬆️
pkg/broker/ingress/ingress_handler.go 56.92% <100.00%> (+0.22%) ⬆️
pkg/channel/fanout/fanout_event_handler.go 79.34% <100.00%> (+0.11%) ⬆️
...hannelfanout/multi_channel_fanout_event_handler.go 86.88% <100.00%> (ø)
...econciler/inmemorychannel/dispatcher/controller.go 84.74% <100.00%> (+3.00%) ⬆️
...iler/inmemorychannel/dispatcher/inmemorychannel.go 64.86% <100.00%> (+0.73%) ⬆️
pkg/kncloudevents/event_dispatcher.go 59.67% <45.16%> (-2.57%) ⬇️
pkg/auth/token_provider.go 0.00% <0.00%> (ø)
pkg/auth/token_verifier.go 0.00% <0.00%> (ø)


@creydr creydr force-pushed the switch-kncloudevents-dispatcher-to-use-tokenlib-2 branch from f52e92a to b432c31 Compare October 4, 2023 15:28
@knative-prow knative-prow bot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. labels Oct 4, 2023
@creydr creydr changed the title [WIP] Update kncloudevents.Dispatcher to add a JWT Update kncloudevents.Dispatcher to add a JWT Oct 4, 2023
@knative-prow knative-prow bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 4, 2023
@creydr creydr force-pushed the switch-kncloudevents-dispatcher-to-use-tokenlib-2 branch from b432c31 to edfef92 Compare October 5, 2023 05:33
@creydr creydr requested a review from Cali0707 October 5, 2023 08:25
Comment on lines +348 to +352
jwt, err := d.oidcTokenProvider.GetJWT(*oidcServiceAccount, *target.Audience)
if err != nil {
return nil, fmt.Errorf("could not get JWT: %w", err)
}
request.Header.Set("Authorization", fmt.Sprintf("Bearer: %s", jwt))
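
Review bot: the header value on the last line is built with "Bearer: %s", which puts a colon after the scheme name. RFC 6750 defines the Authorization value as the word Bearer, a single space, then the token, so a receiver that parses the standard form may fail to extract the JWT from this value. Suggest "Bearer %s" instead. Separately, the first line dereferences *oidcServiceAccount and *target.Audience; these lines show no nil check for target.Audience, so confirm one exists above the GetJWT call or add it there.
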
Member

@creydr sorry if this is a dumb question, I still don't 100% understand the full OIDC flow. In this code, why do we fail if we can't get a JWT, instead of just sending an event without an authorization header?

Member Author

I see it as a contract between the caller and the dispatcher here. When the caller sets an oidcServiceAccount (via the WithOIDCAuthentication(sa) option), we assume that they want to use authentication. If we fail to request a token then, we should report this back to the caller IMO.

Member Author

Does this help?

Member

Yeah that makes sense to me!

Member

Thanks for clarifying @creydr !!
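
The fail-closed contract discussed in this thread, as an added example that is not code from the PR or from Knative: once the caller supplies a service account, a token failure returns an error and no unauthenticated request is produced. `TokenProvider`, `staticProvider`, `buildRequest`, the URL and the sample values are hypothetical names constructed for this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// TokenProvider is a hypothetical stand-in for the PR's oidcTokenProvider.
type TokenProvider interface {
	GetJWT(serviceAccount, audience string) (string, error)
}

// staticProvider returns a fixed token or a fixed error (constructed test double).
type staticProvider struct {
	token string
	err   error
}

func (p staticProvider) GetJWT(_, _ string) (string, error) { return p.token, p.err }

// buildRequest creates the outgoing request. sa == nil means the caller did not
// ask for OIDC authentication, so no Authorization header is added.
// sa != nil means authentication was requested: any failure to obtain a token
// is returned to the caller and no request is produced (fail closed).
func buildRequest(url string, sa, audience *string, p TokenProvider) (*http.Request, error) {
	req, err := http.NewRequest(http.MethodPost, url, nil)
	if err != nil {
		return nil, fmt.Errorf("could not create request: %w", err)
	}
	if sa == nil {
		return req, nil
	}
	if audience == nil || p == nil {
		return nil, errors.New("OIDC requested but audience or token provider is missing")
	}
	jwt, err := p.GetJWT(*sa, *audience)
	if err != nil {
		return nil, fmt.Errorf("could not get JWT: %w", err)
	}
	// RFC 6750 form: scheme "Bearer", one space, then the token.
	req.Header.Set("Authorization", "Bearer "+jwt)
	return req, nil
}

func main() {
	sa, aud := "sender-sa", "my-sink" // constructed sample values
	_, err := buildRequest("http://sink.example/", &sa, &aud, staticProvider{err: errors.New("token API down")})
	fmt.Println("token failure:", err)
}
```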

@Cali0707 Cali0707 left a comment

/lgtm

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Oct 6, 2023
knative-prow bot commented Oct 6, 2023

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Cali0707, creydr


Cali0707 commented Oct 6, 2023

/hold
in case you want more reviews - feel free to unhold!

@knative-prow knative-prow bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 6, 2023
creydr commented Oct 11, 2023

/unhold

@knative-prow knative-prow bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Oct 11, 2023
@knative-prow knative-prow bot merged commit a0e4c18 into knative:main Oct 11, 2023
24 of 32 checks passed
@creydr creydr linked an issue Oct 13, 2023 that may be closed by this pull request
Adjust kncloudevents dispatcher to add Auth header