-
Notifications
You must be signed in to change notification settings - Fork 38
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support OIDC in eventshub sender #595
Support OIDC in eventshub sender #595
Conversation
/cc @pierDipi |
01575c3
to
3830c15
Compare
a59e8bd
to
233843f
Compare
Rebased to get changes from #596 to get tests green |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
By having the sender creating the OIDC token, it will be hard to test what happens when sending an invalid token because it will be always valid, how do you plan to test failure cases?
IMHO, better to pass the token to the sender and have eventshub options that encapsulate the provisioning in order to:
- send invalid tokens for various reasons
- expired
- issued by a different issuer
- for a different audience
- etc
- send valid token
All of the failure or success cases could be options on eventshub sender and encapsulate the logic to provision the expected token valid or invalid token
The API for the raw sender could be similar to the SinkBinding contract, a directory from where to get the token, and then the eventshub options could configure what value goes into that directory but on the test side |
I didn't want to do the token generation in the test/feature. For that I added for example the Alternatively we could also add some kind of "TokenBuilder", which then gets passed to the eventshub sender as an option, which could be easier to extend 🤷 |
How do we test the other cases like expired tokens? |
We could add another option e.g. to specify the expiry of a token, which then gets taken into account in |
That has the problem that every option needs to be built into the sender, I think sender should offer low level APIs, higher level logic can be offered as functions/options. That also helps with test debugging, errors in the sender are not visible in the test output/logs |
I updated it to let the user specify the token via the Can be used like in the following:
IMO it would be better, if we have an additional eventhub option, which allows to pass a token generator callback, which gets the context, the Audience of the Sink and the namespace of the source passed, so that we could do something like following:
But not sure, how this can be done with the current EventhubOption signature 🤔 |
b99de41
to
8280857
Compare
8280857
to
c56fceb
Compare
Are you planning to have e2e tests for this feature in https://github.com/knative-extensions/reconciler-test/tree/main/test/e2e/eventshub ? |
Good point. We should add it, as soon as we have OIDC support in the receiver too (I'll create an issue for tracking it) |
a4682db
to
d64579f
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: creydr, pierDipi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
5622ca3
into
knative-extensions:main
Fixes knative/eventing#7333
Changes
OIDCValidToken()
adds a valid OIDC token to the request of the senderOIDCExpiredToken()
adds an OIDC token, which will expire in 10 minutes (allowed minimum) and adds a delay of 11 Minutes to sending to the request (viaInitialSenderDelay()
)OIDCInvalidAudience()
adds an OIDC token to the request but with an audience which differs from the sinks audienceOIDCCorruptedSignature()
adds an OIDC token to the request with a corrupted tokens signatureOIDCToken(token)
adds the given token to the request (allows to fully customize the used token)