Added EventPolicy Webhook #8091

Merged
merged 4 commits into from
Jul 19, 2024
Merged
3 changes: 3 additions & 0 deletions cmd/webhook/main.go
Expand Up @@ -26,6 +26,7 @@ import (
kubeclient "knative.dev/pkg/client/injection/kube/client"
configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"

eventingv1alpha1 "knative.dev/eventing/pkg/apis/eventing/v1alpha1"
eventingv1beta3 "knative.dev/eventing/pkg/apis/eventing/v1beta3"
"knative.dev/eventing/pkg/apis/feature"
"knative.dev/eventing/pkg/apis/sinks"
Expand Down Expand Up @@ -75,6 +76,8 @@ func init() {

var ourTypes = map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
// For group eventing.knative.dev.
// v1alpha1
eventingv1alpha1.SchemeGroupVersion.WithKind("EventPolicy"): &eventingv1alpha1.EventPolicy{},
// v1beta1
eventingv1beta1.SchemeGroupVersion.WithKind("EventType"): &eventingv1beta1.EventType{},
// v1beta2
8 changes: 8 additions & 0 deletions pkg/apis/eventing/v1alpha1/eventpolicy_validation.go
Expand Up @@ -20,10 +20,18 @@ import (
"context"
"strings"

"knative.dev/eventing/pkg/apis/feature"
"knative.dev/pkg/apis"
)

func (ep *EventPolicy) Validate(ctx context.Context) *apis.FieldError {
// To not allow creation or spec updates of EventPolicy CRs
// if the oidc-authentication feature is not enabled
if apis.IsInCreate(ctx) || (apis.IsInUpdate(ctx) && apis.IsInSpec(ctx)) {
if !feature.FromContext(ctx).IsOIDCAuthentication() {
return apis.ErrGeneric("oidc-authentication feature not enabled")
}
}
return ep.Spec.Validate(ctx).ViaField("spec")
}

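Review bot: `Validate` on EventPolicy now carries a feature gate but has no doc comment saying that create and spec-update requests are rejected while oidc-authentication is off and that status or metadata-only updates still pass; add `// Validate implements apis.Validatable. Creating an EventPolicy, or changing its spec, is rejected unless the oidc-authentication feature flag is enabled; status and metadata-only updates are accepted regardless.` above the method. The gate relies on `feature.FromContext(ctx)` finding the flags in the webhook's request context; if the webhook does not inject the feature store, the outcome is whatever default `FromContext` yields, which would either silently bypass the gate or reject every EventPolicy, so the wiring in cmd/webhook/main.go is worth confirming (the configmapinformer import there suggests a watcher exists, but the wiring itself is outside this diff). Because the oidc check runs before `ep.Spec.Validate`, a malformed spec submitted while the flag is off only ever reports the generic feature error; that is acceptable but worth stating in the comment.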
57 changes: 53 additions & 4 deletions pkg/apis/eventing/v1alpha1/eventpolicy_validation_test.go
Expand Up @@ -21,11 +21,57 @@ import (
"testing"

"github.com/google/go-cmp/cmp"
"knative.dev/eventing/pkg/apis/feature"
"knative.dev/pkg/apis"
"knative.dev/pkg/ptr"
)

func TestEventPolicySpecValidation(t *testing.T) {
func TestEventPolicySpecValidationWithOIDCAuthenticationFeatureFlagDisabled(t *testing.T) {
tests := []struct {
name string
ep *EventPolicy
want *apis.FieldError
}{
{
name: "valid, from.sub exactly '*'",
ep: &EventPolicy{
Spec: EventPolicySpec{
From: []EventPolicySpecFrom{{
Sub: ptr.String("*"),
}},
},
},
want: func() *apis.FieldError {
return apis.ErrGeneric("oidc-authentication feature not enabled")
}(),
},
{
name: "invalid, missing from.ref and from.sub",
ep: &EventPolicy{
Spec: EventPolicySpec{
From: []EventPolicySpecFrom{{}},
},
},
want: func() *apis.FieldError {
return apis.ErrGeneric("oidc-authentication feature not enabled")
}(),
},
}
for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
ctx := feature.ToContext(context.TODO(), feature.Flags{
feature.OIDCAuthentication: feature.Disabled,
})
ctx = apis.WithinCreate(ctx)
got := test.ep.Validate(ctx)
if diff := cmp.Diff(test.want.Error(), got.Error()); diff != "" {
t.Errorf("%s: Validate EventPolicySpec (-want, +got) = %v", test.name, diff)
}
})
}
}

func TestEventPolicySpecValidationWithOIDCAuthenticationFeatureFlagEnabled(t *testing.T) {
tests := []struct {
name string
ep *EventPolicy
Expand Down Expand Up @@ -100,7 +146,7 @@ func TestEventPolicySpecValidation(t *testing.T) {
}(),
},
{
name: "invalid, bot from.ref and from.sub set",
name: "invalid, both from.ref and from.sub set for the same list element",
ep: &EventPolicy{
Spec: EventPolicySpec{
From: []EventPolicySpecFrom{{
Expand Down Expand Up @@ -129,7 +175,7 @@ func TestEventPolicySpecValidation(t *testing.T) {
}(),
},
{
name: "invalid, both to.ref and to.selector set",
name: "invalid, both to.ref and to.selector set for the same list element",
ep: &EventPolicy{
Spec: EventPolicySpec{
To: []EventPolicySpecTo{
Expand Down Expand Up @@ -252,7 +298,10 @@ func TestEventPolicySpecValidation(t *testing.T) {

for _, test := range tests {
t.Run(test.name, func(t *testing.T) {
got := test.ep.Validate(context.TODO())
ctx := feature.ToContext(context.TODO(), feature.Flags{
feature.OIDCAuthentication: feature.Enabled,
})
got := test.ep.Validate(ctx)
if diff := cmp.Diff(test.want.Error(), got.Error()); diff != "" {
t.Errorf("%s: Validate EventPolicySpec (-want, +got) = %v", test.name, diff)
}
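Review bot: The new `TestEventPolicySpecValidationWithOIDCAuthenticationFeatureFlagDisabled` only exercises the create path via `apis.WithinCreate(ctx)`; the gate in `Validate` also fires on `apis.IsInUpdate(ctx) && apis.IsInSpec(ctx)`, and the complementary case, an update that does not touch the spec being accepted while the flag is off, is not covered either. A per-case context builder in the table, e.g. `ctx func(context.Context) context.Context`, that wraps with `apis.WithinUpdate`/`apis.WithinSpec` for the extra rows would pin both branches. The `want: func() *apis.FieldError { ... }()` immediately-invoked closures around a single call add nothing; `want: apis.ErrGeneric("oidc-authentication feature not enabled"),` reads the same. The enclosing `TestEventPolicySpecValidationWithOIDCAuthenticationFeatureFlagEnabled` continues outside the hunk.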
19 changes: 19 additions & 0 deletions pkg/reconciler/channel/channel_test.go
Expand Up @@ -20,6 +20,7 @@ import (
"testing"

eventingv1alpha1 "knative.dev/eventing/pkg/apis/eventing/v1alpha1"
"knative.dev/eventing/pkg/apis/feature"

v1 "knative.dev/eventing/pkg/apis/messaging/v1"

Expand Down Expand Up @@ -167,6 +168,9 @@ func TestReconcile(t *testing.T) {
WithChannelAddress(&backingChannelAddressable),
WithChannelEventPoliciesReadyBecauseOIDCDisabled()),
}},
Ctx: feature.ToContext(context.Background(), feature.Flags{
feature.OIDCAuthentication: feature.Disabled,
}),
}, {
Name: "Already reconciled",
Key: testKey,
Expand All @@ -190,6 +194,9 @@ func TestReconcile(t *testing.T) {
WithInMemoryChannelDLSUnknown(),
WithInMemoryChannelEventPoliciesReady()),
},
Ctx: feature.ToContext(context.Background(), feature.Flags{
feature.OIDCAuthentication: feature.Disabled,
}),
}, {
Name: "Backing channel created",
Key: testKey,
Expand All @@ -214,6 +221,9 @@ func TestReconcile(t *testing.T) {
WithBackingChannelUnknown("BackingChannelNotConfigured", "BackingChannel has not yet been reconciled."),
WithChannelEventPoliciesReadyBecauseOIDCDisabled()),
}},
Ctx: feature.ToContext(context.Background(), feature.Flags{
feature.OIDCAuthentication: feature.Disabled,
}),
}, {
Name: "Backing channel created with delivery",
Key: testKey,
Expand Down Expand Up @@ -265,6 +275,9 @@ func TestReconcile(t *testing.T) {
WithBackingChannelUnknown("BackingChannelNotConfigured", "BackingChannel has not yet been reconciled."),
WithChannelEventPoliciesReadyBecauseOIDCDisabled()),
}},
Ctx: feature.ToContext(context.Background(), feature.Flags{
feature.OIDCAuthentication: feature.Disabled,
}),
}, {
Name: "Generation Bump",
Key: testKey,
Expand Down Expand Up @@ -300,6 +313,9 @@ func TestReconcile(t *testing.T) {
WithChannelObservedGeneration(42),
WithChannelEventPoliciesReadyBecauseOIDCDisabled()),
}},
Ctx: feature.ToContext(context.Background(), feature.Flags{
feature.OIDCAuthentication: feature.Disabled,
}),
}, {
Name: "Updating subscribers statuses",
Key: testKey,
Expand Down Expand Up @@ -335,6 +351,9 @@ func TestReconcile(t *testing.T) {
WithChannelDLSUnknown(),
WithChannelEventPoliciesReadyBecauseOIDCDisabled()),
}},
Ctx: feature.ToContext(context.Background(), feature.Flags{
feature.OIDCAuthentication: feature.Disabled,
}),
}, {
Name: "Should provision applying EventPolicies",
Key: testKey,
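Review bot: The same `Ctx: feature.ToContext(context.Background(), feature.Flags{feature.OIDCAuthentication: feature.Disabled})` literal is repeated in six table rows of `TestReconcile`; declaring it once before the table, e.g. `oidcDisabledCtx := feature.ToContext(context.Background(), feature.Flags{feature.OIDCAuthentication: feature.Disabled})`, and writing `Ctx: oidcDisabledCtx,` per row keeps each row focused on what actually differs. Rows that carry no `Ctx` field run with whatever flags `feature.FromContext` yields when none are set, so their expectations now depend on that default; a comment on the table such as `// Rows without Ctx run with the feature package's default flags.` would make the dependency explicit. The enclosing `TestReconcile` starts and ends outside the hunks shown.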