[release-1.12] Add OIDC support #994

Merged
Commits
19 commits
de56921
Update contract with fields for OIDC information (#3632)
creydr Jan 28, 2024
1e4aa5e
Expose OIDC audience of KafkaChannel in its status (#3622)
creydr Jan 31, 2024
5a38f19
Auto generate Triggers OIDC identity service account and expose in it…
xiangpingjiang Feb 1, 2024
34a8ad9
Create KafkaSources OIDC service account and expose in its status (#3…
creydr Feb 2, 2024
ad89a1a
Provision contract with OIDC information (#3646)
creydr Feb 2, 2024
1ec0180
[data-plane] Add the caching for OIDC JWT token to tokenprovider (#3663)
Leo6Leo Feb 6, 2024
097bff2
Receiver reject requests for wrong audience (#3675)
creydr Feb 8, 2024
a6d4cab
Dispatcher authenticate requests (#3677)
creydr Feb 8, 2024
77ce7e2
Support exposing the Audience of a Broker (#3600)
gunishmatta Feb 9, 2024
ec3ad81
Add broker OIDC e2e tests (#3685)
creydr Feb 10, 2024
4d784ac
Remove unneeded check when setting broker audience (#3708)
creydr Feb 20, 2024
04e4f8a
Check status code of OIDC discovery response (#3707)
creydr Feb 20, 2024
38263cb
Run update-deps.sh
creydr Feb 20, 2024
bc1857e
Add OIDC tests to encryption/auth test suite
creydr Feb 21, 2024
2162121
run make generate-release
creydr Feb 22, 2024
59a4503
TokenVerifier: execute blocking calls in parallel (#3728)
parth721 Mar 4, 2024
b2ba6b4
Cancel receiver pod start on invalid OIDC config only if authenticati…
creydr Mar 18, 2024
8132872
Add unit test for FeaturesConfig class (#3771)
creydr Mar 19, 2024
8f07cd3
Run make generate-release again
creydr Apr 2, 2024
Expand Up @@ -86,6 +86,9 @@ spec:
type: string
CACerts:
type: string
audience:
description: Audience is the OIDC audience for the deadLetterSink.
type: string
retry:
description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink.
type: integer
Expand Down Expand Up @@ -132,6 +135,9 @@ spec:
type: string
CACerts:
type: string
audience:
description: Audience is the OIDC audience for the deadLetterSink.
type: string
retry:
description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink.
type: integer
Expand All @@ -147,15 +153,28 @@ spec:
replyCACerts:
description: replyCACerts is the CA certs to trust for the reply.
type: string
replyAudience:
description: ReplyAudience is the OIDC audience for the replyUri.
type: string
subscriberUri:
description: SubscriberURI is the endpoint for the subscriber
type: string
subscriberCACerts:
description: SubscriberCACerts is the CA certs to trust for the subscriber.
type: string
subscriberAudience:
description: SubscriberAudience is the OIDC audience for the subscriberUri.
type: string
uid:
description: UID is used to understand the origin of the subscriber.
type: string
auth:
description: Auth provides the relevant information for OIDC authentication.
type: object
properties:
serviceAccountName:
description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
type: string
status:
description: Status represents the current state of the KafkaChannel. This data may be out of date.
type: object
Expand Down Expand Up @@ -239,6 +258,9 @@ spec:
type: string
deadLetterSinkCACerts:
type: string
deadLetterSinkAudience:
description: OIDC audience of the dead letter sink.
type: string
observedGeneration:
description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
type: integer
Expand All @@ -262,6 +284,13 @@ spec:
uid:
description: UID is used to understand the origin of the subscriber.
type: string
auth:
description: Auth provides the relevant information for OIDC authentication.
type: object
properties:
serviceAccountName:
description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
type: string
additionalPrinterColumns:
- name: Ready
type: string
Expand Up @@ -87,9 +87,6 @@ spec:
description: DeadLetterSink is the sink receiving event that could not be sent to a destination.
type: object
properties:
CACerts:
description: CACerts are Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. If set, these CAs are appended to the set of CAs provided by the Addressable target, if any.
type: string
ref:
description: Ref points to an Addressable.
type: object
Expand Down Expand Up @@ -118,6 +115,12 @@ spec:
uri:
description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref.
type: string
CACerts:
description: CACerts are Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. If set, these CAs are appended to the set of CAs provided by the Addressable target, if any.
type: string
audience:
description: Audience is the OIDC audience for the deadLetterSink.
type: string
retry:
description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink.
type: integer
Expand Down Expand Up @@ -271,9 +274,6 @@ spec:
description: Sink is a reference to an object that will resolve to a uri to use as the sink.
type: object
properties:
CACerts:
description: CACerts are Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. If set, these CAs are appended to the set of CAs provided by the Addressable target, if any.
type: string
ref:
description: Ref points to an Addressable.
type: object
Expand Down Expand Up @@ -302,6 +302,12 @@ spec:
uri:
description: URI can be an absolute URL(non-empty scheme and non-empty host) pointing to the target or a relative URI. Relative URIs will be resolved using the base URI retrieved from Ref.
type: string
CACerts:
description: CACerts are Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. If set, these CAs are appended to the set of CAs provided by the Addressable target, if any.
type: string
audience:
description: Audience is the OIDC audience for the sink.
type: string
topics:
description: Topic topics to consume messages from
type: array
Expand Down Expand Up @@ -392,6 +398,16 @@ spec:
sinkUri:
description: SinkURI is the current active sink URI that has been configured for the Source.
type: string
sinkAudience:
description: SinkAudience is the OIDC audience of the sink.
type: string
auth:
description: Auth provides the relevant information for OIDC authentication.
type: object
properties:
serviceAccountName:
description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
type: string
subresources:
status: {}
scale:
Expand Up @@ -140,6 +140,13 @@ rules:
- update
- create
- delete
# To grant NamespacedBroker permissions to create OIDC tokens
- apiGroups:
- ""
resources:
- serviceaccounts/token
verbs:
- create

# Scheduler permissions
- apiGroups:
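Review bot: The new `serviceaccounts/token` rule (the `- apiGroups: ""` block after the comment) has no `resourceNames`, so whatever binds this role can request a token for any service account in the bound scope, not only the generated OIDC identities; if this is a ClusterRole the scope is cluster-wide. Since the OIDC service accounts are named per resource they cannot be pinned statically, so the trade-off should be stated where the rule lives, e.g. `# Grants TokenRequest on every service account in scope; the OIDC identity SAs are created per resource and cannot be enumerated with resourceNames`. The enclosing `rules:` list continues outside the hunk.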
Expand Up @@ -100,6 +100,10 @@ type ConsumerGroupSpec struct {
// More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors
// +optional
Selector map[string]string `json:"selector,omitempty" protobuf:"bytes,2,rep,name=selector"`

// OIDCServiceAccountName is the name of service account used for this components
// OIDC authentication.
OIDCServiceAccountName *string `json:"oidcServiceAccountName,omitempty"`
}

type ConsumerGroupStatus struct {
Expand All @@ -120,6 +124,10 @@ type ConsumerGroupStatus struct {
// +optional
SubscriberCACerts *string `json:"subscriberCACerts,omitempty"`

// SubscriberAudience is the OIDC audience for the resolved URI
// +optional
SubscriberAudience *string `json:"subscriberAudience,omitempty"`

// DeliveryStatus contains a resolved URL to the dead letter sink address, and any other
// resolved delivery options.
eventingduckv1.DeliveryStatus `json:",inline"`
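Review bot: `OIDCServiceAccountName` on `ConsumerGroupSpec` (the three lines added after the `Selector` field) is tagged `omitempty` but lacks the `// +optional` marker that its sibling fields carry, so generated schema and docs will not present it as optional; the `OIDCServiceAccountName` field added to `ConsumerSpec` in the next file has the same gap. Add `// +optional` directly above each field, and the sentence reads better as `// OIDCServiceAccountName is the name of the service account used for this component's OIDC authentication.`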
Expand Up @@ -103,6 +103,10 @@ type ConsumerSpec struct {

// PodBind represents a reference to the pod in which the consumer should be placed.
PodBind *PodBind `json:"podBind"`

// OIDCServiceAccountName is the name of the generated service account
// used for this components OIDC authentication.
OIDCServiceAccountName *string `json:"oidcServiceAccountName,omitempty"`
}

type ReplyStrategy struct {
Expand Down Expand Up @@ -208,6 +212,10 @@ type ConsumerStatus struct {
// +optional
SubscriberCACerts *string `json:"subscriberCACerts,omitempty"`

// SubscriberAudience is the OIDC audience for the resolved URI
// +optional
SubscriberAudience *string `json:"subscriberAudience,omitempty"`

// DeliveryStatus contains a resolved URL to the dead letter sink address, and any other
// resolved delivery options.
eventingduck.DeliveryStatus `json:",inline"`
21 changes: 21 additions & 0 deletions control-plane/pkg/apis/sources/v1beta1/kafka_lifecycle.go
Expand Up @@ -46,6 +46,9 @@ const (
// KafkaConditionInitialOffsetsCommitted is True when the KafkaSource has committed the
// initial offset of all claims
KafkaConditionInitialOffsetsCommitted apis.ConditionType = "InitialOffsetsCommitted"

// KafkaConditionOIDCIdentityCreated has status True when the KafkaSource has created an OIDC identity.
KafkaConditionOIDCIdentityCreated apis.ConditionType = "OIDCIdentityCreated"
)

var (
Expand All @@ -54,6 +57,7 @@ var (
KafkaConditionDeployed,
KafkaConditionConnectionEstablished,
KafkaConditionInitialOffsetsCommitted,
KafkaConditionOIDCIdentityCreated,
)

kafkaCondSetLock = sync.RWMutex{}
Expand Down Expand Up @@ -91,6 +95,7 @@ func (s *KafkaSourceStatus) MarkSink(addr *duckv1.Addressable) {
if addr.URL != nil && !addr.URL.IsEmpty() {
s.SinkURI = addr.URL
s.SinkCACerts = addr.CACerts
s.SinkAudience = addr.Audience
KafkaSourceCondSet.Manage(s).MarkTrue(KafkaConditionSinkProvided)
} else {
KafkaSourceCondSet.Manage(s).MarkUnknown(KafkaConditionSinkProvided, "SinkEmpty", "Sink has resolved to empty.%s", "")
Expand Down Expand Up @@ -160,6 +165,22 @@ func (s *KafkaSourceStatus) MarkInitialOffsetNotCommitted(reason, messageFormat
KafkaSourceCondSet.Manage(s).MarkFalse(KafkaConditionInitialOffsetsCommitted, reason, messageFormat, messageA...)
}

func (s *KafkaSourceStatus) MarkOIDCIdentityCreatedSucceeded() {
KafkaSourceCondSet.Manage(s).MarkTrue(KafkaConditionOIDCIdentityCreated)
}

func (s *KafkaSourceStatus) MarkOIDCIdentityCreatedSucceededWithReason(reason, messageFormat string, messageA ...interface{}) {
KafkaSourceCondSet.Manage(s).MarkTrueWithReason(KafkaConditionOIDCIdentityCreated, reason, messageFormat, messageA...)
}

func (s *KafkaSourceStatus) MarkOIDCIdentityCreatedFailed(reason, messageFormat string, messageA ...interface{}) {
KafkaSourceCondSet.Manage(s).MarkFalse(KafkaConditionOIDCIdentityCreated, reason, messageFormat, messageA...)
}

func (s *KafkaSourceStatus) MarkOIDCIdentityCreatedUnknown(reason, messageFormat string, messageA ...interface{}) {
KafkaSourceCondSet.Manage(s).MarkUnknown(KafkaConditionOIDCIdentityCreated, reason, messageFormat, messageA...)
}

func (s *KafkaSourceStatus) UpdateConsumerGroupStatus(status string) {
s.Claims = status
}
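Review bot: The four exported `MarkOIDCIdentityCreated*` methods in the last hunk have no doc comments, unlike the `KafkaConditionOIDCIdentityCreated` constant they operate on; add `// MarkOIDCIdentityCreatedSucceeded marks the OIDCIdentityCreated condition True.` and the parallel one-line comments for the WithReason, Failed and Unknown variants. Because `KafkaConditionOIDCIdentityCreated` is now part of the condition set (the `@@ -54` hunk), a KafkaSource cannot become Ready until one of the Succeeded variants is called, which presumably the reconciler also does when the OIDC feature is disabled; that expectation is worth stating in the constant's comment so a future caller does not leave the condition Unknown.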