Update the APIRule and webhook configs for EventMesh to allow validating the presented token.

[k15r]

Description

Use the credentials based on IAS, if corresponding secret exists in the cluster.

Tasks:

• Use the credentials from new secret in Webhook configs provided to EventMesh Subscriptions. (eventing-webhook-auth in kyma-system)
• Create/Update the APIRule with correct accessStrategies. More info here.
• NOTE: There is a POC PR for reference.

Acceptance criteria

• APIRules can be created / updated to use credentials based on IAS.
• EventMesh subscription Webhook configs can be created to use credentials based on IAS.

Acceptance criteria blocked

• EventMesh subscription Webhook configs can be updated to use credentials based on IAS. This is Blocked. However, it should be done as part of Use Patch request to update EventMesh subscriptions Webhook Auth in Eventing controller #17370 when it's unblocked.

[muralov]

eventing-webhook-auth secret fields can be seen here

[k15r]

Rollout of the new feature:

1. update control plane with eventing-auth-manager to install the new secret on every cluster
2. update eventing controller to use the new functionality

That way we can remove all ory dependencies with the rollout and to not have to implement a switching logic between old and new secret

Requires:

• feature flag in ec to enable the new feature
• secret to be used by prow / local dev setup

[k15r]

Switch behaviour based on the newly introduced feature switch

[friedrichwilken]

What is IAS? Can you provide a link? Where can I find the "new secret in Webhook configs"? How can I access it? Where can I find the API-Rule that is supposed to be updated? What is the "presented token"? Why doesn't the ticket mention that it has a parent ticket and that it is part of an epic? Why are the parent and the epic not linked?

[friedrichwilken]

IAS - Identity Authentication Service by SAP.
The aforementioned secret is the eventing-webhook-auth in the kyma-system namespace.