From d46ad6499e9a8d56a2b8f920dc5be59dd5dc7182 Mon Sep 17 00:00:00 2001 From: Leo Li Date: Mon, 8 Jan 2024 16:37:25 -0500 Subject: [PATCH 01/25] Enable the TLS feature for BrokerSendEventWithOIDCTokenToSubscriber Signed-off-by: Leo Li --- test/auth/features/oidc/broker.go | 33 +++++++++++++++++++------------ test/auth/oidc_test.go | 3 +++ 2 files changed, 23 insertions(+), 13 deletions(-) diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index 7069d0c058d..79ed0556273 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go @@ -17,8 +17,12 @@ limitations under the License. package oidc import ( + "context" + "github.com/cloudevents/sdk-go/v2/test" "github.com/google/uuid" + "knative.dev/eventing/test/rekt/features/featureflags" + "knative.dev/eventing/test/rekt/resources/addressable" "knative.dev/eventing/test/rekt/resources/broker" "knative.dev/eventing/test/rekt/resources/delivery" "knative.dev/eventing/test/rekt/resources/trigger" @@ -33,16 +37,20 @@ func BrokerSendEventWithOIDC() *feature.FeatureSet { return &feature.FeatureSet{ Name: "Broker send events with OIDC support", Features: []*feature.Feature{ - BrokerSendEventWithOIDCTokenToSubscriber(), + BrokerSendEventWithOIDCTokenToSubscriberWithTLS(), BrokerSendEventWithOIDCTokenToReply(), - BrokerSendEventWithOIDCTokenToDLS(), + //BrokerSendEventWithOIDCTokenToDLS(), }, } } -func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature { +func BrokerSendEventWithOIDCTokenToSubscriberWithTLS() *feature.Feature { f := feature.NewFeatureNamed("Broker supports flow with OIDC tokens") + // TLS is required for OIDC + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + source := feature.MakeRandomK8sName("source") brokerName := feature.MakeRandomK8sName("broker") sink := feature.MakeRandomK8sName("sink") 
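Review bot: The dead-letter feature is dropped from BrokerSendEventWithOIDC with a bare `//BrokerSendEventWithOIDCTokenToDLS(),` and no explanation, so the set silently loses its DLS coverage while the first entry is renamed to advertise TLS. If that path is still being ported, say so where the next reader will look, e.g. `// TODO: re-enable once BrokerSendEventWithOIDCTokenToDLS is ported to TLS`, so the omission is not mistaken for a deliberate drop. The new prerequisite comment `// TLS is required for OIDC` would also carry more weight with the reason attached: `// OIDC bearer tokens must not cross the wire in plaintext, so this feature only runs under strict transport encryption` — the rationale is inferred, since the prerequisite helpers are outside this diff.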
@@ -55,22 +63,21 @@ func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature { f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...)) f.Setup("broker is ready", broker.IsReady(brokerName)) f.Setup("broker is addressable", broker.IsAddressable(brokerName)) + f.Setup("Broker has HTTPS address", broker.ValidateAddress(brokerName, addressable.AssertHTTPSAddress)) // Install the sink f.Setup("install sink", eventshub.Install( sink, + eventshub.StartReceiverTLS, eventshub.OIDCReceiverAudience(sinkAudience), - eventshub.StartReceiver)) - - // Install the trigger and Point the Trigger subscriber to the sink svc. - f.Setup("install trigger", trigger.Install( - triggerName, - brokerName, - trigger.WithSubscriberFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(sink), - Audience: &sinkAudience, - }), )) + + f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(sink) + d.CACerts = eventshub.GetCaCerts(ctx) + d.Audience = &sinkAudience + trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d))(ctx, t) + }) f.Setup("trigger goes ready", trigger.IsReady(triggerName)) // Send event diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index 5ebe5e6c46b..2abf591e4d9 100644 --- a/test/auth/oidc_test.go +++ b/test/auth/oidc_test.go @@ -23,6 +23,8 @@ import ( "testing" "time" + "knative.dev/reconciler-test/pkg/eventshub" + "knative.dev/pkg/system" "knative.dev/reconciler-test/pkg/environment" "knative.dev/reconciler-test/pkg/feature" @@ -64,6 +66,7 @@ func TestBrokerSendsEventsWithOIDCSupport(t *testing.T) { ctx, env := global.Environment( knative.WithKnativeNamespace(system.Namespace()), + eventshub.WithTLS(t), knative.WithLoggingConfig, knative.WithTracingConfig, k8s.WithEventListener, From bc97023d90783dd1e177a3d59e3934ef7dcce2c1 Mon Sep 17 00:00:00 2001 
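Review bot: The trigger setup now pins `d.CACerts = eventshub.GetCaCerts(ctx)` without saying why, and the why is the security point of the test: the broker's dispatcher must verify the eventshub sink's test-CA certificate rather than skip verification, otherwise the OIDC bearer token would be presented to whatever answers on that address. A one-line comment above the assignment, `// pin the eventshub test CA so the broker verifies the sink's certificate instead of trusting it blindly`, keeps a later cleanup from dropping it. This commit also adds `eventshub.WithTLS(t)` only to TestBrokerSendsEventsWithOIDCSupport; TestBrokerSupportsOIDC in the same file still runs without it, though whether the conformance features need it cannot be judged from these hunks.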
From: Leo Li Date: Mon, 8 Jan 2024 16:54:15 -0500 Subject: [PATCH 02/25] Enable the TLS feature for BrokerSendEventWithOIDCTokenToReply Signed-off-by: Leo Li --- test/auth/features/oidc/broker.go | 44 ++++++++++++++++++++----------- 1 file changed, 28 insertions(+), 16 deletions(-) diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index 79ed0556273..9788ff03f19 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go @@ -37,8 +37,8 @@ func BrokerSendEventWithOIDC() *feature.FeatureSet { return &feature.FeatureSet{ Name: "Broker send events with OIDC support", Features: []*feature.Feature{ - BrokerSendEventWithOIDCTokenToSubscriberWithTLS(), - BrokerSendEventWithOIDCTokenToReply(), + //BrokerSendEventWithOIDCTokenToSubscriberWithTLS(), + BrokerSendEventWithOIDCTokenToReplyWithTLS(), //BrokerSendEventWithOIDCTokenToDLS(), }, } @@ -139,9 +139,18 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { return f } -func BrokerSendEventWithOIDCTokenToReply() *feature.Feature { +func BrokerSendEventWithOIDCTokenToReplyWithTLS() *feature.Feature { + //1. An event is sent to a broker. + //2. A trigger routes this event to a subscriber. + //3. The subscriber processes and replies to the event. + //4. A helper trigger routes the reply to a designated sink. + //5. The test verifies that the reply reaches the sink with the expected modifications. f := feature.NewFeature() + // TLS is required for OIDC + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + brokerName := feature.MakeRandomK8sName("broker") subscriber := feature.MakeRandomK8sName("subscriber") reply := feature.MakeRandomK8sName("reply") 
@@ -158,34 +167,37 @@ func BrokerSendEventWithOIDCTokenToReply() *feature.Feature { // Install subscriber f.Setup("install subscriber", eventshub.Install(subscriber, eventshub.ReplyWithTransformedEvent(replyEventType, replyEventSource, ""), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) // Install sink for reply // Hint: we don't need to require OIDC auth at the reply sink, because the // actual reply is sent to the broker ingress, which must support OIDC. This // reply sink is only to check that the reply as sent and routed correctly. f.Setup("install sink for reply", eventshub.Install(reply, - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) // Install broker f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...)) f.Setup("Broker is ready", broker.IsReady(brokerName)) + f.Setup("Broker has HTTPS address", broker.ValidateAddress(brokerName, addressable.AssertHTTPSAddress)) - // Install Trigger - f.Setup("install trigger", trigger.Install(triggerName, brokerName, - trigger.WithSubscriber(service.AsKReference(subscriber), ""), - trigger.WithFilter(map[string]string{ + f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(subscriber) + d.CACerts = eventshub.GetCaCerts(ctx) + trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d), trigger.WithFilter(map[string]string{ "type": event.Type(), - }))) + }))(ctx, t) + }) + f.Setup("trigger is ready", trigger.IsReady(triggerName)) - // Install helper trigger to route replys to reply-sink - f.Setup("install helper trigger", trigger.Install(helperTriggerName, brokerName, - trigger.WithSubscriber(service.AsKReference(reply), ""), - trigger.WithFilter(map[string]string{ + f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(reply) + d.CACerts = eventshub.GetCaCerts(ctx) + 
trigger.Install(helperTriggerName, brokerName, trigger.WithSubscriberFromDestination(d), trigger.WithFilter(map[string]string{ "type": replyEventType, - }))) - f.Setup("helper trigger is ready", trigger.IsReady(helperTriggerName)) + }))(ctx, t) + }) // Send events after data plane is ready. f.Requirement("install source", eventshub.Install(source, From 7db5f0e2c86c23898cd0072db52f6b33d2e76c6b Mon Sep 17 00:00:00 2001 From: Leo Li Date: Mon, 8 Jan 2024 17:14:53 -0500 Subject: [PATCH 03/25] Save the progress on adding TLS support for BrokerSendEventWithOIDCTokenToDLS Signed-off-by: Leo Li --- test/auth/features/oidc/broker.go | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index 9788ff03f19..f608009a589 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go @@ -19,6 +19,8 @@ package oidc import ( "context" + "knative.dev/pkg/apis" + "github.com/cloudevents/sdk-go/v2/test" "github.com/google/uuid" "knative.dev/eventing/test/rekt/features/featureflags" @@ -38,8 +40,8 @@ func BrokerSendEventWithOIDC() *feature.FeatureSet { Name: "Broker send events with OIDC support", Features: []*feature.Feature{ //BrokerSendEventWithOIDCTokenToSubscriberWithTLS(), - BrokerSendEventWithOIDCTokenToReplyWithTLS(), - //BrokerSendEventWithOIDCTokenToDLS(), + //BrokerSendEventWithOIDCTokenToReplyWithTLS(), + BrokerSendEventWithOIDCTokenToDLS(), }, } } 
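Review bot: The helper trigger loses its readiness gate: `f.Setup("helper trigger is ready", trigger.IsReady(helperTriggerName))` is removed and nothing replaces it, so the source installed under `f.Requirement` may start sending before the reply route exists and the reply can be dropped, turning the final assertion into a flake rather than a real failure. Restore that line after the second closure. The two closures also share the step name `"install the trigger and specify the CA cert of the destination"`; name the second `"install the helper trigger and specify the CA cert of the reply sink"` so a failure points at the right step. The enclosing function continues past the end of this hunk.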
@@ -96,6 +98,10 @@ func BrokerSendEventWithOIDCTokenToSubscriberWithTLS() *feature.Feature { func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { f := feature.NewFeature() + // TLS is required for OIDC + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + brokerName := feature.MakeRandomK8sName("broker") dls := feature.MakeRandomK8sName("dls") triggerName := feature.MakeRandomK8sName("trigger") @@ -108,7 +114,7 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { // Install DLS sink f.Setup("install dead letter sink", eventshub.Install(dls, eventshub.OIDCReceiverAudience(dlsAudience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) // Install broker with DLS config brokerConfig := append( @@ -122,8 +128,20 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { f.Setup("Broker is ready", broker.IsReady(brokerName)) // Install Trigger - f.Setup("install trigger", trigger.Install(triggerName, brokerName, - trigger.WithSubscriber(nil, "bad://uri"))) + //f.Setup("install trigger", trigger.Install(triggerName, brokerName, + // trigger.WithSubscriber(nil, "bad://uri"))) + + f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { + // create an empty destination ref + d := service.AsDestinationRef("") + d.CACerts = eventshub.GetCaCerts(ctx) + // uri is an addressable, create a new one and put the bad uri in it + d.URI, _ = apis.ParseURL("bad://uri") + trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d))(ctx, t) + + // FIXME: current progress left over here. Need to figure out why trigger cannot be initialized correctly. + }) + f.Setup("trigger is ready", trigger.IsReady(triggerName)) // Send events after data plane is ready. From 53e8c40d456d8354b353500e5693b1a7747d5549 Mon Sep 17 00:00:00 2001 
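Review bot: `service.AsDestinationRef("")` followed by `d.URI, _ = apis.ParseURL("bad://uri")` produces a Destination that carries both a Ref with an empty name and a URI; an empty-named Ref is presumably what the trigger's validation rejects, which would explain the FIXME about the trigger not initializing. Build the destination from the URI alone, `d := &duckv1.Destination{CACerts: eventshub.GetCaCerts(ctx)}` and then set `d.URI`, and do not discard the ParseURL error in a test — `t.Fatalf` on it so a typo in the scheme fails loudly instead of leaving `d.URI` nil. Both points are inferred from the visible lines; the validation itself lives outside this diff.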
From: Leo Li Date: Tue, 9 Jan 2024 14:07:16 -0500 Subject: [PATCH 04/25] Still couldn't figure out. Will leave a comment there Signed-off-by: Leo Li --- test/auth/features/oidc/broker.go | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index f608009a589..f1259fd85e4 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go @@ -19,8 +19,6 @@ package oidc import ( "context" - "knative.dev/pkg/apis" - "github.com/cloudevents/sdk-go/v2/test" "github.com/google/uuid" "knative.dev/eventing/test/rekt/features/featureflags" @@ -28,6 +26,7 @@ import ( "knative.dev/eventing/test/rekt/resources/broker" "knative.dev/eventing/test/rekt/resources/delivery" "knative.dev/eventing/test/rekt/resources/trigger" + "knative.dev/pkg/apis" duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/reconciler-test/pkg/eventshub" eventassert "knative.dev/reconciler-test/pkg/eventshub/assert" @@ -116,15 +115,16 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { eventshub.OIDCReceiverAudience(dlsAudience), eventshub.StartReceiverTLS)) - // Install broker with DLS config - brokerConfig := append( - broker.WithEnvConfig(), - delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(dls), - Audience: &dlsAudience, - }), - ) - f.Setup("install broker", broker.Install(brokerName, brokerConfig...)) + f.Setup("install broker", func(ctx context.Context, t feature.T) { + brokerConfig := append(broker.WithEnvConfig(), + delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(dls), + Audience: &dlsAudience, + //CACerts: eventshub.GetCaCerts(ctx), + })) + broker.Install(brokerName, brokerConfig...)(ctx, t) + }) + f.Setup("Broker is ready", broker.IsReady(brokerName)) // Install Trigger From 765ff4e442081cb9f804722e8c78a7128f559229 Mon Sep 17 00:00:00 2001 
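Review bot: With `//CACerts: eventshub.GetCaCerts(ctx),` commented out, the dead-letter destination carries an Audience but no CA bundle, while the DLS itself was switched to `eventshub.StartReceiverTLS` in the previous commit; the broker then has nothing with which to verify the DLS certificate, so either delivery to the DLS fails the TLS handshake or the test only passes because verification is relaxed somewhere not visible here. Either outcome defeats the purpose of the TLS variant. Leave the line live — `CACerts: eventshub.GetCaCerts(ctx),` — and let any resulting failure surface the real problem rather than masking it.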
From: Leo Li Date: Tue, 9 Jan 2024 15:01:44 -0500 Subject: [PATCH 05/25] Update more test to enable TLS Signed-off-by: Leo Li --- .../oidc/addressable_oidc_conformance.go | 8 ++++---- test/auth/features/oidc/broker.go | 19 ++++++++++--------- test/auth/oidc_test.go | 7 ++++--- 3 files changed, 18 insertions(+), 16 deletions(-) diff --git a/test/auth/features/oidc/addressable_oidc_conformance.go b/test/auth/features/oidc/addressable_oidc_conformance.go index a5e7378b6c8..d86eb142e80 100644 --- a/test/auth/features/oidc/addressable_oidc_conformance.go +++ b/test/auth/features/oidc/addressable_oidc_conformance.go @@ -85,7 +85,7 @@ func addressableRejectInvalidAudience(gvr schema.GroupVersionResource, kind, nam f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(gvr, name), + eventshub.StartSenderToResourceTLS(gvr, name, nil), eventshub.OIDCInvalidAudience(), eventshub.InputEvent(event), )) @@ -109,7 +109,7 @@ func addressableRejectExpiredToken(gvr schema.GroupVersionResource, kind, name s f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(gvr, name), + eventshub.StartSenderToResourceTLS(gvr, name, nil), eventshub.OIDCExpiredToken(), eventshub.InputEvent(event), )) @@ -133,7 +133,7 @@ func addressableRejectCorruptedSignature(gvr schema.GroupVersionResource, kind, f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(gvr, name), + eventshub.StartSenderToResourceTLS(gvr, name, nil), eventshub.OIDCCorruptedSignature(), eventshub.InputEvent(event), )) @@ -157,7 +157,7 @@ func addressableAllowsValidRequest(gvr schema.GroupVersionResource, kind, name s f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(gvr, name), + eventshub.StartSenderToResourceTLS(gvr, name, nil), eventshub.InputEvent(event), )) 
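Review bot: Every sender now calls `eventshub.StartSenderToResourceTLS(gvr, name, nil)` and the meaning of the nil third argument is stated nowhere in this file. If nil means "take the CA bundle from the resource's addressable status", that is the right default and worth a comment, `// nil: verify against the CA published in the resource's address status`; if it instead makes the sender skip certificate verification, then `addressableAllowsValidRequest` no longer shows that a valid OIDC token is only presented over a verified TLS channel, and the three negative cases exercise OIDC over an unauthenticated transport. I cannot tell which from this diff, so please confirm against the eventshub helper and document it. The enclosing functions extend beyond the hunks shown.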
diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index f1259fd85e4..495bf9aefff 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go @@ -19,6 +19,8 @@ package oidc import ( "context" + "knative.dev/pkg/apis" + "github.com/cloudevents/sdk-go/v2/test" "github.com/google/uuid" "knative.dev/eventing/test/rekt/features/featureflags" @@ -26,7 +28,6 @@ import ( "knative.dev/eventing/test/rekt/resources/broker" "knative.dev/eventing/test/rekt/resources/delivery" "knative.dev/eventing/test/rekt/resources/trigger" - "knative.dev/pkg/apis" duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/reconciler-test/pkg/eventshub" eventassert "knative.dev/reconciler-test/pkg/eventshub/assert" @@ -38,14 +39,14 @@ func BrokerSendEventWithOIDC() *feature.FeatureSet { return &feature.FeatureSet{ Name: "Broker send events with OIDC support", Features: []*feature.Feature{ - //BrokerSendEventWithOIDCTokenToSubscriberWithTLS(), - //BrokerSendEventWithOIDCTokenToReplyWithTLS(), + BrokerSendEventWithOIDCTokenToSubscriber(), + BrokerSendEventWithOIDCTokenToReply(), BrokerSendEventWithOIDCTokenToDLS(), }, } } -func BrokerSendEventWithOIDCTokenToSubscriberWithTLS() *feature.Feature { +func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature { f := feature.NewFeatureNamed("Broker supports flow with OIDC tokens") // TLS is required for OIDC @@ -84,7 +85,7 @@ func BrokerSendEventWithOIDCTokenToSubscriberWithTLS() *feature.Feature { // Send event f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(broker.GVR(), brokerName), + eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil), eventshub.InputEvent(event), )) 
@@ -127,6 +128,7 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { f.Setup("Broker is ready", broker.IsReady(brokerName)) + // FIXME: current progress left over here. Need to figure out why trigger cannot be initialized correctly. // Install Trigger //f.Setup("install trigger", trigger.Install(triggerName, brokerName, // trigger.WithSubscriber(nil, "bad://uri"))) @@ -139,14 +141,13 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { d.URI, _ = apis.ParseURL("bad://uri") trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d))(ctx, t) - // FIXME: current progress left over here. Need to figure out why trigger cannot be initialized correctly. }) f.Setup("trigger is ready", trigger.IsReady(triggerName)) // Send events after data plane is ready. f.Requirement("install source", eventshub.Install(source, - eventshub.StartSenderToResource(broker.GVR(), brokerName), + eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil), eventshub.InputEvent(event), )) @@ -157,7 +158,7 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { return f } -func BrokerSendEventWithOIDCTokenToReplyWithTLS() *feature.Feature { +func BrokerSendEventWithOIDCTokenToReply() *feature.Feature { //1. An event is sent to a broker. //2. A trigger routes this event to a subscriber. //3. The subscriber processes and replies to the event. @@ -219,7 +220,7 @@ func BrokerSendEventWithOIDCTokenToReplyWithTLS() *feature.Feature { // Send events after data plane is ready. f.Requirement("install source", eventshub.Install(source, - eventshub.StartSenderToResource(broker.GVR(), brokerName), + eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil), eventshub.InputEvent(event), )) diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index 2abf591e4d9..9c02ed8b897 100644 --- a/test/auth/oidc_test.go +++ b/test/auth/oidc_test.go 
@@ -43,7 +43,7 @@ import ( "knative.dev/eventing/test/rekt/resources/sequence" ) -func TestBrokerSupportsOIDC(t *testing.T) { +func TestBrokerSupportsOIDCUnderTLS(t *testing.T) { t.Parallel() ctx, env := global.Environment( @@ -53,6 +53,7 @@ func TestBrokerSupportsOIDC(t *testing.T) { k8s.WithEventListener, environment.Managed(t), environment.WithPollTimings(4*time.Second, 12*time.Minute), + eventshub.WithTLS(t), ) name := feature.MakeRandomK8sName("broker") @@ -61,16 +62,16 @@ func TestBrokerSupportsOIDC(t *testing.T) { env.TestSet(ctx, t, oidc.AddressableOIDCConformance(broker.GVR(), "Broker", name, env.Namespace())) } -func TestBrokerSendsEventsWithOIDCSupport(t *testing.T) { +func TestBrokerSendsEventsWithOIDCSupportUnderTLS(t *testing.T) { t.Parallel() ctx, env := global.Environment( knative.WithKnativeNamespace(system.Namespace()), - eventshub.WithTLS(t), knative.WithLoggingConfig, knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.TestSet(ctx, t, oidc.BrokerSendEventWithOIDC()) From b9ed6db4ec2b9b21a92d6475ab0077f537bf49ac Mon Sep 17 00:00:00 2001 From: Leo Li Date: Wed, 10 Jan 2024 16:32:04 -0500 Subject: [PATCH 06/25] Fix the review comments Signed-off-by: Leo Li --- test/auth/features/oidc/broker.go | 2 +- test/auth/oidc_test.go | 4 ++-- test/rekt/resources/delivery/delivery.go | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index 495bf9aefff..83b06c05c51 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go @@ -121,7 +121,7 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{ Ref: service.AsKReference(dls), Audience: &dlsAudience, - //CACerts: eventshub.GetCaCerts(ctx), + CACerts: eventshub.GetCaCerts(ctx), })) broker.Install(brokerName, brokerConfig...)(ctx, t) }) 
diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index 9c02ed8b897..c775a77a1f1 100644 --- a/test/auth/oidc_test.go +++ b/test/auth/oidc_test.go @@ -43,7 +43,7 @@ import ( "knative.dev/eventing/test/rekt/resources/sequence" ) -func TestBrokerSupportsOIDCUnderTLS(t *testing.T) { +func TestBrokerSupportsOIDC(t *testing.T) { t.Parallel() ctx, env := global.Environment( @@ -62,7 +62,7 @@ func TestBrokerSupportsOIDCUnderTLS(t *testing.T) { env.TestSet(ctx, t, oidc.AddressableOIDCConformance(broker.GVR(), "Broker", name, env.Namespace())) } -func TestBrokerSendsEventsWithOIDCSupportUnderTLS(t *testing.T) { +func TestBrokerSendsEventsWithOIDCSupport(t *testing.T) { t.Parallel() ctx, env := global.Environment( diff --git a/test/rekt/resources/delivery/delivery.go b/test/rekt/resources/delivery/delivery.go index 8348e5647d7..626b62c6063 100644 --- a/test/rekt/resources/delivery/delivery.go +++ b/test/rekt/resources/delivery/delivery.go @@ -90,7 +90,7 @@ func WithDeadLetterSinkFromDestination(dest *duckv1.Destination) manifest.CfgFn if dest.CACerts != nil { // This is a multi-line string and should be indented accordingly. // Replace "new line" with "new line + spaces". - dls["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") + dls["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") } if dest.Audience != nil { From eecf8853dcfd1901d5d7e55f2b94e90de14d0d9f Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 11 Jan 2024 16:23:07 -0500 Subject: [PATCH 07/25] Fix the review comments by using destination object Signed-off-by: Leo Li --- test/auth/features/oidc/broker.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index 83b06c05c51..43e3ea9d839 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go 
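Review bot: Splicing the PEM bundle into the YAML template by rewriting every newline with `strings.ReplaceAll(*dest.CACerts, "\n", "\n"+indent)` is fragile: a bundle that ends with a trailing newline, as PEM output normally does, yields a final line of only spaces, and any later change to the template's nesting breaks the indentation again, leaving the broker with a CA bundle that fails to parse rather than the one the test meant to pin. Trim before indenting — `strings.ReplaceAll(strings.TrimSpace(*dest.CACerts), "\n", ...)` with the same indent string — and tie the indent width to the template by a comment naming the field it feeds. The template that consumes `dls["CACerts"]` is outside this diff, so the exact indent this commit settles on cannot be checked here.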
@@ -135,11 +135,11 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { // create an empty destination ref - d := service.AsDestinationRef("") + d := duckv1.Destination{} d.CACerts = eventshub.GetCaCerts(ctx) // uri is an addressable, create a new one and put the bad uri in it d.URI, _ = apis.ParseURL("bad://uri") - trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d))(ctx, t) + trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(&d))(ctx, t) }) From 3ce0a712df6cd8d88dfe7aa0c98f078e855dcf16 Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 11 Jan 2024 16:39:22 -0500 Subject: [PATCH 08/25] Enable TLS in the CI Signed-off-by: Leo Li --- test/auth/config/features.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/test/auth/config/features.yaml b/test/auth/config/features.yaml index b93aa837079..a0873f50574 100644 --- a/test/auth/config/features.yaml +++ b/test/auth/config/features.yaml @@ -19,3 +19,5 @@ metadata: namespace: knative-eventing data: authentication-oidc: "enabled" + transport-encryption: "strict" + From ee4d57e26bedd00a799909df3185182c68689c3d Mon Sep 17 00:00:00 2001 From: Leo Li Date: Fri, 12 Jan 2024 11:31:14 -0500 Subject: [PATCH 09/25] comment out all the other tests to validate my assumption Signed-off-by: Leo Li --- test/auth/oidc_test.go | 261 ++++++++++++++++++++--------------------- 1 file changed, 127 insertions(+), 134 deletions(-) diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index c775a77a1f1..b15bad23276 100644 --- a/test/auth/oidc_test.go +++ b/test/auth/oidc_test.go 
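Review bot: `d.URI, _ = apis.ParseURL("bad://uri")` still discards the parse error, so if the string is ever edited into something ParseURL rejects, `d.URI` stays nil and the trigger is installed with an empty destination — a very different failure from the undeliverable subscriber this test intends. In a test, fail fast: `u, err := apis.ParseURL("bad://uri")`, `if err != nil { t.Fatalf("parsing subscriber URI: %v", err) }`, `d := duckv1.Destination{URI: u, CACerts: eventshub.GetCaCerts(ctx)}`. The `CACerts` on a deliberately undeliverable `bad://` destination is harmless but does nothing; a short comment saying the test relies on this delivery failing so the event reaches the DLS would make the intent clear.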
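Review bot: Setting `transport-encryption: "strict"` in the shared test/auth features ConfigMap switches every test in this package to strict, not just the broker features this series ports; the channel, parallel, sequence and source tests in oidc_test.go are untouched by these patches and, if they still use the plaintext eventshub sender and receiver, will start failing under strict rather than being skipped. Either port them in the same series or document the expectation next to the key, e.g. `# strict: every sender/receiver in test/auth must speak TLS`, so the next failure is understood. The stray trailing blank line added after the key can be dropped.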
@@ -33,14 +33,7 @@ import ( "knative.dev/eventing/test/auth/features/oidc" brokerfeatures "knative.dev/eventing/test/rekt/features/broker" - "knative.dev/eventing/test/rekt/features/channel" - parallelfeatures "knative.dev/eventing/test/rekt/features/parallel" - sequencefeatures "knative.dev/eventing/test/rekt/features/sequence" "knative.dev/eventing/test/rekt/resources/broker" - "knative.dev/eventing/test/rekt/resources/channel_impl" - "knative.dev/eventing/test/rekt/resources/channel_template" - "knative.dev/eventing/test/rekt/resources/parallel" - "knative.dev/eventing/test/rekt/resources/sequence" ) func TestBrokerSupportsOIDC(t *testing.T) { 
@@ -77,130 +70,130 @@ func TestBrokerSendsEventsWithOIDCSupport(t *testing.T) { env.TestSet(ctx, t, oidc.BrokerSendEventWithOIDC()) } -func TestChannelImplSupportsOIDC(t *testing.T) { - t.Parallel() - - ctx, env := global.Environment( - knative.WithKnativeNamespace(system.Namespace()), - knative.WithLoggingConfig, - knative.WithTracingConfig, - k8s.WithEventListener, - environment.Managed(t), - environment.WithPollTimings(4*time.Second, 12*time.Minute), - ) - - name := feature.MakeRandomK8sName("channelimpl") - env.Prerequisite(ctx, t, channel.ImplGoesReady(name)) - - env.TestSet(ctx, t, oidc.AddressableOIDCConformance(channel_impl.GVR(), channel_impl.GVK().Kind, name, env.Namespace())) -} - -func TestParallelSupportsOIDC(t *testing.T) { - t.Parallel() - - ctx, env := global.Environment( - knative.WithKnativeNamespace(system.Namespace()), - knative.WithLoggingConfig, - knative.WithTracingConfig, - k8s.WithEventListener, - environment.Managed(t), - ) - - name := feature.MakeRandomK8sName("parallel") - env.Prerequisite(ctx, t, parallelfeatures.GoesReady(name, parallel.WithChannelTemplate(channel_template.ChannelTemplate{ - TypeMeta: channel_impl.TypeMeta(), - Spec: map[string]interface{}{}, - }))) - - env.Test(ctx, t, oidc.ParallelHasAudienceOfInputChannel(name, env.Namespace(), channel_impl.GVR(), channel_impl.GVK().Kind)) -} - -func TestChannelDispatcherAuthenticatesWithOIDC(t *testing.T) { - t.Parallel() - - ctx, env := global.Environment( - knative.WithKnativeNamespace(system.Namespace()), - knative.WithLoggingConfig, - knative.WithTracingConfig, - k8s.WithEventListener, - environment.Managed(t), - ) - - env.Test(ctx, t, oidc.ChannelDispatcherAuthenticatesRequestsWithOIDC()) -} - -func TestSequenceSupportsOIDC(t *testing.T) { - t.Parallel() - - ctx, env := global.Environment( - knative.WithKnativeNamespace(system.Namespace()), - knative.WithLoggingConfig, - knative.WithTracingConfig, - k8s.WithEventListener, - environment.Managed(t), - ) - - name := 
feature.MakeRandomK8sName("sequence") - env.Prerequisite(ctx, t, sequencefeatures.GoesReady(name, sequence.WithChannelTemplate(channel_template.ChannelTemplate{ - TypeMeta: channel_impl.TypeMeta(), - Spec: map[string]interface{}{}, - }))) - - env.Test(ctx, t, oidc.SequenceHasAudienceOfInputChannel(name, env.Namespace(), channel_impl.GVR(), channel_impl.GVK().Kind)) -} - -func TestApiserversourceSendEventWithJWT(t *testing.T) { - t.Parallel() - - ctx, env := global.Environment( - knative.WithKnativeNamespace(system.Namespace()), - knative.WithLoggingConfig, - knative.WithTracingConfig, - k8s.WithEventListener, - environment.Managed(t), - ) - - env.Test(ctx, t, oidc.ApiserversourceSendEventWithJWT()) -} - -func TestContainerSourceSendsEventsWithOIDCSupport(t *testing.T) { - t.Parallel() - - ctx, env := global.Environment( - knative.WithKnativeNamespace(system.Namespace()), - knative.WithLoggingConfig, - knative.WithTracingConfig, - k8s.WithEventListener, - environment.Managed(t), - ) - - env.Test(ctx, t, oidc.SendsEventsWithSinkRefOIDC()) -} - -func TestSequenceSendsEventsWithOIDCSupport(t *testing.T) { - t.Parallel() - - ctx, env := global.Environment( - knative.WithKnativeNamespace(system.Namespace()), - knative.WithLoggingConfig, - knative.WithTracingConfig, - k8s.WithEventListener, - environment.Managed(t), - ) - - env.TestSet(ctx, t, oidc.SequenceSendsEventWithOIDC()) -} - -func TestParallelTwoBranchesWithOIDCSupport(t *testing.T) { - t.Parallel() - - ctx, env := global.Environment( - knative.WithKnativeNamespace(system.Namespace()), - knative.WithLoggingConfig, - knative.WithTracingConfig, - k8s.WithEventListener, - environment.Managed(t), - ) - - env.Test(ctx, t, oidc.ParallelWithTwoBranchesOIDC(channel_template.ImmemoryChannelTemplate())) -} +//func TestChannelImplSupportsOIDC(t *testing.T) { +// t.Parallel() +// +// ctx, env := global.Environment( +// knative.WithKnativeNamespace(system.Namespace()), +// knative.WithLoggingConfig, +// 
knative.WithTracingConfig, +// k8s.WithEventListener, +// environment.Managed(t), +// environment.WithPollTimings(4*time.Second, 12*time.Minute), +// ) +// +// name := feature.MakeRandomK8sName("channelimpl") +// env.Prerequisite(ctx, t, channel.ImplGoesReady(name)) +// +// env.TestSet(ctx, t, oidc.AddressableOIDCConformance(channel_impl.GVR(), channel_impl.GVK().Kind, name, env.Namespace())) +//} +// +//func TestParallelSupportsOIDC(t *testing.T) { +// t.Parallel() +// +// ctx, env := global.Environment( +// knative.WithKnativeNamespace(system.Namespace()), +// knative.WithLoggingConfig, +// knative.WithTracingConfig, +// k8s.WithEventListener, +// environment.Managed(t), +// ) +// +// name := feature.MakeRandomK8sName("parallel") +// env.Prerequisite(ctx, t, parallelfeatures.GoesReady(name, parallel.WithChannelTemplate(channel_template.ChannelTemplate{ +// TypeMeta: channel_impl.TypeMeta(), +// Spec: map[string]interface{}{}, +// }))) +// +// env.Test(ctx, t, oidc.ParallelHasAudienceOfInputChannel(name, env.Namespace(), channel_impl.GVR(), channel_impl.GVK().Kind)) +//} +// +//func TestChannelDispatcherAuthenticatesWithOIDC(t *testing.T) { +// t.Parallel() +// +// ctx, env := global.Environment( +// knative.WithKnativeNamespace(system.Namespace()), +// knative.WithLoggingConfig, +// knative.WithTracingConfig, +// k8s.WithEventListener, +// environment.Managed(t), +// ) +// +// env.Test(ctx, t, oidc.ChannelDispatcherAuthenticatesRequestsWithOIDC()) +//} +// +//func TestSequenceSupportsOIDC(t *testing.T) { +// t.Parallel() +// +// ctx, env := global.Environment( +// knative.WithKnativeNamespace(system.Namespace()), +// knative.WithLoggingConfig, +// knative.WithTracingConfig, +// k8s.WithEventListener, +// environment.Managed(t), +// ) +// +// name := feature.MakeRandomK8sName("sequence") +// env.Prerequisite(ctx, t, sequencefeatures.GoesReady(name, sequence.WithChannelTemplate(channel_template.ChannelTemplate{ +// TypeMeta: channel_impl.TypeMeta(), +// Spec: 
map[string]interface{}{}, +// }))) +// +// env.Test(ctx, t, oidc.SequenceHasAudienceOfInputChannel(name, env.Namespace(), channel_impl.GVR(), channel_impl.GVK().Kind)) +//} +// +//func TestApiserversourceSendEventWithJWT(t *testing.T) { +// t.Parallel() +// +// ctx, env := global.Environment( +// knative.WithKnativeNamespace(system.Namespace()), +// knative.WithLoggingConfig, +// knative.WithTracingConfig, +// k8s.WithEventListener, +// environment.Managed(t), +// ) +// +// env.Test(ctx, t, oidc.ApiserversourceSendEventWithJWT()) +//} +// +//func TestContainerSourceSendsEventsWithOIDCSupport(t *testing.T) { +// t.Parallel() +// +// ctx, env := global.Environment( +// knative.WithKnativeNamespace(system.Namespace()), +// knative.WithLoggingConfig, +// knative.WithTracingConfig, +// k8s.WithEventListener, +// environment.Managed(t), +// ) +// +// env.Test(ctx, t, oidc.SendsEventsWithSinkRefOIDC()) +//} +// +//func TestSequenceSendsEventsWithOIDCSupport(t *testing.T) { +// t.Parallel() +// +// ctx, env := global.Environment( +// knative.WithKnativeNamespace(system.Namespace()), +// knative.WithLoggingConfig, +// knative.WithTracingConfig, +// k8s.WithEventListener, +// environment.Managed(t), +// ) +// +// env.TestSet(ctx, t, oidc.SequenceSendsEventWithOIDC()) +//} +// +//func TestParallelTwoBranchesWithOIDCSupport(t *testing.T) { +// t.Parallel() +// +// ctx, env := global.Environment( +// knative.WithKnativeNamespace(system.Namespace()), +// knative.WithLoggingConfig, +// knative.WithTracingConfig, +// k8s.WithEventListener, +// environment.Managed(t), +// ) +// +// env.Test(ctx, t, oidc.ParallelWithTwoBranchesOIDC(channel_template.ImmemoryChannelTemplate())) +//} From 47935dc91a7ba9a01929997479abfbcd2962d781 Mon Sep 17 00:00:00 2001 
From: Leo Li Date: Wed, 17 Jan 2024 14:48:41 -0500 Subject: [PATCH 10/25] Revert "comment out all the other tests to validate my assumption" This reverts commit ee4d57e26bedd00a799909df3185182c68689c3d. --- test/auth/oidc_test.go | 261 +++++++++++++++++++++-------------------- 1 file changed, 134 insertions(+), 127 deletions(-) diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index b15bad23276..c775a77a1f1 100644 --- a/test/auth/oidc_test.go +++ b/test/auth/oidc_test.go @@ -33,7 +33,14 @@ import ( "knative.dev/eventing/test/auth/features/oidc" brokerfeatures "knative.dev/eventing/test/rekt/features/broker" + "knative.dev/eventing/test/rekt/features/channel" + parallelfeatures "knative.dev/eventing/test/rekt/features/parallel" + sequencefeatures "knative.dev/eventing/test/rekt/features/sequence" "knative.dev/eventing/test/rekt/resources/broker" + "knative.dev/eventing/test/rekt/resources/channel_impl" + "knative.dev/eventing/test/rekt/resources/channel_template" + "knative.dev/eventing/test/rekt/resources/parallel" + "knative.dev/eventing/test/rekt/resources/sequence" ) func TestBrokerSupportsOIDC(t *testing.T) { 
@@ -70,130 +77,130 @@ func TestBrokerSendsEventsWithOIDCSupport(t *testing.T) { env.TestSet(ctx, t, oidc.BrokerSendEventWithOIDC()) } -//func TestChannelImplSupportsOIDC(t *testing.T) { -// t.Parallel() -// -// ctx, env := global.Environment( -// knative.WithKnativeNamespace(system.Namespace()), -// knative.WithLoggingConfig, -// knative.WithTracingConfig, -// k8s.WithEventListener, -// environment.Managed(t), -// environment.WithPollTimings(4*time.Second, 12*time.Minute), -// ) -// -// name := feature.MakeRandomK8sName("channelimpl") -// env.Prerequisite(ctx, t, channel.ImplGoesReady(name)) -// -// env.TestSet(ctx, t, oidc.AddressableOIDCConformance(channel_impl.GVR(), channel_impl.GVK().Kind, name, env.Namespace())) -//} -// -//func TestParallelSupportsOIDC(t *testing.T) { -// t.Parallel() -// -// ctx, env := global.Environment( -// knative.WithKnativeNamespace(system.Namespace()), -// knative.WithLoggingConfig, -// knative.WithTracingConfig, -// k8s.WithEventListener, -// environment.Managed(t), -// ) -// -// name := feature.MakeRandomK8sName("parallel") -// env.Prerequisite(ctx, t, parallelfeatures.GoesReady(name, parallel.WithChannelTemplate(channel_template.ChannelTemplate{ -// TypeMeta: channel_impl.TypeMeta(), -// Spec: map[string]interface{}{}, -// }))) -// -// env.Test(ctx, t, oidc.ParallelHasAudienceOfInputChannel(name, env.Namespace(), channel_impl.GVR(), channel_impl.GVK().Kind)) -//} -// -//func TestChannelDispatcherAuthenticatesWithOIDC(t *testing.T) { -// t.Parallel() -// -// ctx, env := global.Environment( -// knative.WithKnativeNamespace(system.Namespace()), -// knative.WithLoggingConfig, -// knative.WithTracingConfig, -// k8s.WithEventListener, -// environment.Managed(t), -// ) -// -// env.Test(ctx, t, oidc.ChannelDispatcherAuthenticatesRequestsWithOIDC()) -//} -// -//func TestSequenceSupportsOIDC(t *testing.T) { -// t.Parallel() -// -// ctx, env := global.Environment( -// knative.WithKnativeNamespace(system.Namespace()), -// 
knative.WithLoggingConfig, -// knative.WithTracingConfig, -// k8s.WithEventListener, -// environment.Managed(t), -// ) -// -// name := feature.MakeRandomK8sName("sequence") -// env.Prerequisite(ctx, t, sequencefeatures.GoesReady(name, sequence.WithChannelTemplate(channel_template.ChannelTemplate{ -// TypeMeta: channel_impl.TypeMeta(), -// Spec: map[string]interface{}{}, -// }))) -// -// env.Test(ctx, t, oidc.SequenceHasAudienceOfInputChannel(name, env.Namespace(), channel_impl.GVR(), channel_impl.GVK().Kind)) -//} -// -//func TestApiserversourceSendEventWithJWT(t *testing.T) { -// t.Parallel() -// -// ctx, env := global.Environment( -// knative.WithKnativeNamespace(system.Namespace()), -// knative.WithLoggingConfig, -// knative.WithTracingConfig, -// k8s.WithEventListener, -// environment.Managed(t), -// ) -// -// env.Test(ctx, t, oidc.ApiserversourceSendEventWithJWT()) -//} -// -//func TestContainerSourceSendsEventsWithOIDCSupport(t *testing.T) { -// t.Parallel() -// -// ctx, env := global.Environment( -// knative.WithKnativeNamespace(system.Namespace()), -// knative.WithLoggingConfig, -// knative.WithTracingConfig, -// k8s.WithEventListener, -// environment.Managed(t), -// ) -// -// env.Test(ctx, t, oidc.SendsEventsWithSinkRefOIDC()) -//} -// -//func TestSequenceSendsEventsWithOIDCSupport(t *testing.T) { -// t.Parallel() -// -// ctx, env := global.Environment( -// knative.WithKnativeNamespace(system.Namespace()), -// knative.WithLoggingConfig, -// knative.WithTracingConfig, -// k8s.WithEventListener, -// environment.Managed(t), -// ) -// -// env.TestSet(ctx, t, oidc.SequenceSendsEventWithOIDC()) -//} -// -//func TestParallelTwoBranchesWithOIDCSupport(t *testing.T) { -// t.Parallel() -// -// ctx, env := global.Environment( -// knative.WithKnativeNamespace(system.Namespace()), -// knative.WithLoggingConfig, -// knative.WithTracingConfig, -// k8s.WithEventListener, -// environment.Managed(t), -// ) -// -// env.Test(ctx, t, 
oidc.ParallelWithTwoBranchesOIDC(channel_template.ImmemoryChannelTemplate())) -//} +func TestChannelImplSupportsOIDC(t *testing.T) { + t.Parallel() + + ctx, env := global.Environment( + knative.WithKnativeNamespace(system.Namespace()), + knative.WithLoggingConfig, + knative.WithTracingConfig, + k8s.WithEventListener, + environment.Managed(t), + environment.WithPollTimings(4*time.Second, 12*time.Minute), + ) + + name := feature.MakeRandomK8sName("channelimpl") + env.Prerequisite(ctx, t, channel.ImplGoesReady(name)) + + env.TestSet(ctx, t, oidc.AddressableOIDCConformance(channel_impl.GVR(), channel_impl.GVK().Kind, name, env.Namespace())) +} + +func TestParallelSupportsOIDC(t *testing.T) { + t.Parallel() + + ctx, env := global.Environment( + knative.WithKnativeNamespace(system.Namespace()), + knative.WithLoggingConfig, + knative.WithTracingConfig, + k8s.WithEventListener, + environment.Managed(t), + ) + + name := feature.MakeRandomK8sName("parallel") + env.Prerequisite(ctx, t, parallelfeatures.GoesReady(name, parallel.WithChannelTemplate(channel_template.ChannelTemplate{ + TypeMeta: channel_impl.TypeMeta(), + Spec: map[string]interface{}{}, + }))) + + env.Test(ctx, t, oidc.ParallelHasAudienceOfInputChannel(name, env.Namespace(), channel_impl.GVR(), channel_impl.GVK().Kind)) +} + +func TestChannelDispatcherAuthenticatesWithOIDC(t *testing.T) { + t.Parallel() + + ctx, env := global.Environment( + knative.WithKnativeNamespace(system.Namespace()), + knative.WithLoggingConfig, + knative.WithTracingConfig, + k8s.WithEventListener, + environment.Managed(t), + ) + + env.Test(ctx, t, oidc.ChannelDispatcherAuthenticatesRequestsWithOIDC()) +} + +func TestSequenceSupportsOIDC(t *testing.T) { + t.Parallel() + + ctx, env := global.Environment( + knative.WithKnativeNamespace(system.Namespace()), + knative.WithLoggingConfig, + knative.WithTracingConfig, + k8s.WithEventListener, + environment.Managed(t), + ) + + name := feature.MakeRandomK8sName("sequence") + env.Prerequisite(ctx, t, 
sequencefeatures.GoesReady(name, sequence.WithChannelTemplate(channel_template.ChannelTemplate{ + TypeMeta: channel_impl.TypeMeta(), + Spec: map[string]interface{}{}, + }))) + + env.Test(ctx, t, oidc.SequenceHasAudienceOfInputChannel(name, env.Namespace(), channel_impl.GVR(), channel_impl.GVK().Kind)) +} + +func TestApiserversourceSendEventWithJWT(t *testing.T) { + t.Parallel() + + ctx, env := global.Environment( + knative.WithKnativeNamespace(system.Namespace()), + knative.WithLoggingConfig, + knative.WithTracingConfig, + k8s.WithEventListener, + environment.Managed(t), + ) + + env.Test(ctx, t, oidc.ApiserversourceSendEventWithJWT()) +} + +func TestContainerSourceSendsEventsWithOIDCSupport(t *testing.T) { + t.Parallel() + + ctx, env := global.Environment( + knative.WithKnativeNamespace(system.Namespace()), + knative.WithLoggingConfig, + knative.WithTracingConfig, + k8s.WithEventListener, + environment.Managed(t), + ) + + env.Test(ctx, t, oidc.SendsEventsWithSinkRefOIDC()) +} + +func TestSequenceSendsEventsWithOIDCSupport(t *testing.T) { + t.Parallel() + + ctx, env := global.Environment( + knative.WithKnativeNamespace(system.Namespace()), + knative.WithLoggingConfig, + knative.WithTracingConfig, + k8s.WithEventListener, + environment.Managed(t), + ) + + env.TestSet(ctx, t, oidc.SequenceSendsEventWithOIDC()) +} + +func TestParallelTwoBranchesWithOIDCSupport(t *testing.T) { + t.Parallel() + + ctx, env := global.Environment( + knative.WithKnativeNamespace(system.Namespace()), + knative.WithLoggingConfig, + knative.WithTracingConfig, + k8s.WithEventListener, + environment.Managed(t), + ) + + env.Test(ctx, t, oidc.ParallelWithTwoBranchesOIDC(channel_template.ImmemoryChannelTemplate())) +} From 72164ddfd0ecfdf30148c4a4aef7bf295fb59b52 Mon Sep 17 00:00:00 2001 From: Leo Li Date: Wed, 17 Jan 2024 15:31:19 -0500 Subject: [PATCH 11/25] fix the wrong indentation for the cacert format 
Signed-off-by: Leo Li --- test/rekt/resources/sequence/sequence.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rekt/resources/sequence/sequence.go b/test/rekt/resources/sequence/sequence.go index d740fe98092..b95080654cd 100644 --- a/test/rekt/resources/sequence/sequence.go +++ b/test/rekt/resources/sequence/sequence.go @@ -127,7 +127,7 @@ func WithStepFromDestination(dest *duckv1.Destination) manifest.CfgFn { if dest.CACerts != nil { // This is a multi-line string and should be indented accordingly. // Replace "new line" with "new line + spaces". - step["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") + step["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") } if dest.Audience != nil { From ec2b5b733ba7a55c59f9ff85ae5f09412e1810b5 Mon Sep 17 00:00:00 2001 From: Leo Li Date: Wed, 17 Jan 2024 15:40:03 -0500 Subject: [PATCH 12/25] enable the TLS for TestParallelTwoBranchesWithOIDCSupport Signed-off-by: Leo Li --- test/auth/features/oidc/parallel.go | 25 +++++++++++++++++++------ test/auth/oidc_test.go | 1 + 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/test/auth/features/oidc/parallel.go b/test/auth/features/oidc/parallel.go index 6cd5db62afa..29a022b6854 100644 --- a/test/auth/features/oidc/parallel.go +++ b/test/auth/features/oidc/parallel.go @@ -20,6 +20,8 @@ import ( "context" "strconv" + "knative.dev/eventing/test/rekt/features/featureflags" + cloudevents "github.com/cloudevents/sdk-go/v2" "github.com/cloudevents/sdk-go/v2/test" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 
@@ -55,6 +57,9 @@ func ParallelHasAudienceOfInputChannel(parallelName, parallelNamespace string, c func ParallelWithTwoBranchesOIDC(channelTemplate channel_template.ChannelTemplate) *feature.Feature { f := feature.NewFeatureNamed("Parallel test.") + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + parallelName := feature.MakeRandomK8sName("parallel1") source := feature.MakeRandomK8sName("source1") sink := feature.MakeRandomK8sName("sink1") @@ -80,23 +85,23 @@ func ParallelWithTwoBranchesOIDC(channelTemplate channel_template.ChannelTemplat f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(sinkAudience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) // Install Subscribers for both branches. f.Setup("install subscriber1", eventshub.Install(subscriber1, eventshub.ReplyWithAppendedData("appended data 1"), eventshub.OIDCReceiverAudience(subscriber1Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) f.Setup("install subscriber2", eventshub.Install(subscriber2, eventshub.ReplyWithAppendedData("appended data 2"), eventshub.OIDCReceiverAudience(subscriber2Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) // Install Filter only for first branch. f.Setup("install filter1", eventshub.Install(filter1, eventshub.ReplyWithTransformedEvent(event.Type(), event.Source(), string(event.Data())), eventshub.OIDCReceiverAudience(filter1Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) // Install a Parallel with two branches f.Setup("install Parallel", func(ctx context.Context, t feature.T) { 
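Review bot: The pair `f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())` / `f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())` added at the top of ParallelWithTwoBranchesOIDC is repeated verbatim in the later hunks of this series (sequence.go in PATCH 21, apiserversource.go in PATCH 14, containersource.go in PATCH 15, and broker.go earlier). A small package-level helper, e.g. `func requireStrictTransportEncryption(f *feature.Feature)` holding both calls, would keep the gating condition in one place so a later change to it is not missed in one feature. The enclosing function continues past the hunk.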
@@ -104,24 +109,31 @@ func ParallelWithTwoBranchesOIDC(channelTemplate channel_template.ChannelTemplat parallel.WithReply(&duckv1.Destination{ Ref: service.AsKReference(sink), Audience: &sinkAudience, + CACerts: eventshub.GetCaCerts(ctx), }), parallel.WithSubscriberAt(branch1Num, &duckv1.Destination{ Ref: service.AsKReference(subscriber1), Audience: &subscriber1Audience, + CACerts: eventshub.GetCaCerts(ctx), }), parallel.WithSubscriberAt(branch2Num, &duckv1.Destination{ Ref: service.AsKReference(subscriber2), Audience: &subscriber2Audience, + CACerts: eventshub.GetCaCerts(ctx), }), parallel.WithFilterAt(branch1Num, &duckv1.Destination{ Ref: service.AsKReference(filter1), Audience: &filter1Audience, + CACerts: eventshub.GetCaCerts(ctx), }), parallel.WithReplyAt(branch1Num, nil), + parallel.WithReplyAt(branch2Num, nil), + // The Reply for second branch is same as global reply. parallel.WithReplyAt(branch2Num, &duckv1.Destination{ Ref: service.AsKReference(sink), Audience: &sinkAudience, + CACerts: eventshub.GetCaCerts(ctx), }), ) 
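Review bot: The added `parallel.WithReplyAt(branch2Num, nil),` sits directly above the existing `parallel.WithReplyAt(branch2Num, &duckv1.Destination{...})` in the same option list, so branch 2's reply is configured twice with conflicting values; which one takes effect depends on how parallel.WithReplyAt writes into the manifest (presumably the later call overwrites by index, leaving the nil entry dead — confirm). Keep exactly one: the nil entry if the intent of the new comment `// The Reply for second branch is same as global reply.` is to fall back to the global reply, otherwise drop the nil line. Separately, `eventshub.GetCaCerts(ctx)` is evaluated five times in this list; a single `caCerts := eventshub.GetCaCerts(ctx)` above the options would read more clearly. The enclosing Setup closure starts and ends outside the hunk.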
@@ -129,14 +141,15 @@ func ParallelWithTwoBranchesOIDC(channelTemplate channel_template.ChannelTemplat }) f.Setup("Parallel goes ready", parallel.IsReady(parallelName)) f.Setup("Parallel is addressable", parallel.IsAddressable(parallelName)) + f.Setup("Parallel has HTTPS address", parallel.ValidateAddress(parallelName, addressable.AssertHTTPSAddress)) f.Requirement("install source", eventshub.Install( source, - eventshub.StartSenderToResource(parallel.GVR(), parallelName), + eventshub.StartSenderToResourceTLS(parallel.GVR(), parallelName, nil), eventshub.InputEvent(event), )) - f.Stable("test Parallel with two branches and 1 filter"). + f.Stable("test Parallel with two branches and 1 filter, and with TLS enabled"). Must("deliver event to subscriber1", eventasssert.OnStore(subscriber1).MatchEvent(test.HasId(event.ID())).AtLeast(1)). Must("deliver event to subscriber2", eventasssert.OnStore(subscriber2).MatchEvent(test.HasId(event.ID())).AtLeast(1)). Must("deliver event to filter1", eventasssert.OnStore(filter1).MatchEvent(test.HasId(event.ID())).AtLeast(1)). diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index c775a77a1f1..7a3f29992bd 100644 --- a/test/auth/oidc_test.go +++ b/test/auth/oidc_test.go @@ -200,6 +200,7 @@ func TestParallelTwoBranchesWithOIDCSupport(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.Test(ctx, t, oidc.ParallelWithTwoBranchesOIDC(channel_template.ImmemoryChannelTemplate())) From 1e21507be85aa6426c6eb3d525de35bae9ec4fe2 Mon Sep 17 00:00:00 2001 From: Leo Li Date: Wed, 17 Jan 2024 16:13:00 -0500 Subject: [PATCH 13/25] enable the TLS for TestSequenceSendsEventsWithOIDCSupport Signed-off-by: Leo Li --- test/auth/features/oidc/sequence.go | 41 +++++++++++++++++------------ test/auth/oidc_test.go | 1 + 2 files changed, 25 insertions(+), 17 deletions(-) 
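Review bot: `eventshub.StartSenderToResourceTLS(parallel.GVR(), parallelName, nil)` passes nil for the CA bundle while every destination in this feature carries an explicit `eventshub.GetCaCerts(ctx)`; if nil means "use the CA installed by eventshub.WithTLS" (which the surrounding code suggests, but confirm) that is fine but should be stated, e.g. `// nil CA certs: the sender trusts the eventshub CA provided via eventshub.WithTLS`, whereas if it means verification is skipped the new HTTPS assertion would pass without exercising the trust path. Please confirm the semantics and add the comment here and at the same call in sequence.go (the @@ -81 hunk of PATCH 13 and the @@ -150 hunk of PATCH 21). The enclosing function continues past the hunk.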
diff --git a/test/auth/features/oidc/sequence.go b/test/auth/features/oidc/sequence.go index e126e8da2c8..7ec880891d7 100644 --- a/test/auth/features/oidc/sequence.go +++ b/test/auth/features/oidc/sequence.go @@ -17,6 +17,8 @@ limitations under the License. package oidc import ( + "context" + "github.com/cloudevents/sdk-go/v2/test" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -54,7 +56,7 @@ func SequenceSendsEventWithOIDC() *feature.FeatureSet { Name: "Sequence send events with OIDC support", Features: []*feature.Feature{ SequenceSendsEventWithOIDCTokenToSteps(), - SequenceSendsEventWithOIDCTokenToReply(), + //SequenceSendsEventWithOIDCTokenToReply(), }, } } 
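Review bot: Commenting out `SequenceSendsEventWithOIDCTokenToReply(),` in SequenceSendsEventWithOIDC silently drops that feature from the set with no record of why, so a passing run does not reveal the reduced coverage. If the reply flow is disabled only until it is ported to TLS, a comment next to the line such as `// TODO: re-enable once the reply feature uses StartReceiverTLS and CACerts` makes the gap visible to anyone reading the feature set.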
@@ -81,31 +83,36 @@ func SequenceSendsEventWithOIDCTokenToSteps() *feature.Feature { f.Setup("install step 1", eventshub.Install(step1Name, eventshub.ReplyWithAppendedData(step1Append), eventshub.OIDCReceiverAudience(step1Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) f.Setup("install step 2", eventshub.Install(step2Name, eventshub.ReplyWithAppendedData(step2Append), eventshub.OIDCReceiverAudience(step2Audience), - eventshub.StartReceiver)) - - cfg := []manifest.CfgFn{ - sequence.WithChannelTemplate(channelTemplate), - sequence.WithStepFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(step1Name), - Audience: &step1Audience, - }), - sequence.WithStepFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(step2Name), - Audience: &step2Audience, - }), - } + eventshub.StartReceiverTLS)) + + f.Setup("Install Sequence", func(ctx context.Context, t feature.T) { + cfg := []manifest.CfgFn{ + sequence.WithChannelTemplate(channelTemplate), + sequence.WithStepFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(step1Name), + Audience: &step1Audience, + CACerts: eventshub.GetCaCerts(ctx), + }), + sequence.WithStepFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(step2Name), + Audience: &step2Audience, + CACerts: eventshub.GetCaCerts(ctx), + }), + } + + sequence.Install(sequenceName, cfg...)(ctx, t) + }) - f.Setup("Install Sequence", sequence.Install(sequenceName, cfg...)) f.Setup("Sequence goes ready", sequence.IsReady(sequenceName)) event := test.FullEvent() event.SetData("text/plain", "hello") f.Requirement("install source", eventshub.Install(sourceName, - eventshub.StartSenderToResource(sequence.GVR(), sequenceName), + eventshub.StartSenderToResourceTLS(sequence.GVR(), sequenceName, nil), eventshub.InputEvent(event))) expectedMsg := string(event.Data()) diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index 7a3f29992bd..3a7cc252277 100644 --- a/test/auth/oidc_test.go 
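Review bot: Inside the new "Install Sequence" closure, `eventshub.GetCaCerts(ctx)` is called once per step destination; hoisting it to `caCerts := eventshub.GetCaCerts(ctx)` before the cfg slice and using `CACerts: caCerts` in both steps avoids the repeated lookup and makes it obvious that every step trusts the same CA. The same repetition appears in the @@ -150 hunk of sequence.go in PATCH 21. The enclosing function starts before the hunk and continues after it.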
+++ b/test/auth/oidc_test.go @@ -186,6 +186,7 @@ func TestSequenceSendsEventsWithOIDCSupport(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.TestSet(ctx, t, oidc.SequenceSendsEventWithOIDC()) From 162b239d28f0cdc272307c5de185cbcbd479bb04 Mon Sep 17 00:00:00 2001 From: Leo Li Date: Wed, 17 Jan 2024 16:23:44 -0500 Subject: [PATCH 14/25] enable the TLS for TestApiserversourceSendEventWithJWT Signed-off-by: Leo Li --- test/auth/features/oidc/apiserversource.go | 12 ++++++++++-- test/auth/oidc_test.go | 1 + 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/test/auth/features/oidc/apiserversource.go b/test/auth/features/oidc/apiserversource.go index 658449a25e7..162303ce1f1 100644 --- a/test/auth/features/oidc/apiserversource.go +++ b/test/auth/features/oidc/apiserversource.go @@ -19,6 +19,9 @@ package oidc import ( "context" + "knative.dev/eventing/test/rekt/features/featureflags" + "knative.dev/eventing/test/rekt/features/source" + "github.com/cloudevents/sdk-go/v2/test" rbacv1 "k8s.io/api/rbac/v1" v1 "knative.dev/eventing/pkg/apis/sources/v1" @@ -44,8 +47,11 @@ func ApiserversourceSendEventWithJWT() *feature.Feature { f := feature.NewFeatureNamed("ApiServerSource send events with OIDC authentication") + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + f.Setup("deploy receiver", eventshub.Install(sink, - eventshub.StartReceiver, + eventshub.StartReceiverTLS, eventshub.OIDCReceiverAudience(audience))) f.Setup("Create Service Account for ApiServerSource with RBAC for v1.Event resources", 
@@ -63,6 +69,7 @@ func ApiserversourceSendEventWithJWT() *feature.Feature { f.Requirement("install ApiServerSource", func(ctx context.Context, t feature.T) { d := service.AsDestinationRef(sink) d.Audience = &audience + d.CACerts = eventshub.GetCaCerts(ctx) cfg = append(cfg, apiserversource.WithSink(d)) apiserversource.Install(src, cfg...)(ctx, t) @@ -81,7 +88,8 @@ func ApiserversourceSendEventWithJWT() *feature.Feature { Match(eventassert.MatchKind(eventshub.EventReceived)). MatchEvent(test.HasType("dev.knative.apiserver.resource.update")). AtLeast(1), - ) + ).Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(apiserversource.Gvr(), src)). + Must("Set sinkCACerts to non empty CA certs", source.ExpectCACerts(apiserversource.Gvr(), src)) return f } diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index 3a7cc252277..df5e8ef5876 100644 --- a/test/auth/oidc_test.go +++ b/test/auth/oidc_test.go @@ -158,6 +158,7 @@ func TestApiserversourceSendEventWithJWT(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.Test(ctx, t, oidc.ApiserversourceSendEventWithJWT()) From fc055e8526b6b5bde67d2f86e10020eeb5d8101e Mon Sep 17 00:00:00 2001 From: Leo Li Date: Wed, 17 Jan 2024 16:34:36 -0500 Subject: [PATCH 15/25] enable the TLS for TestContainerSourceSendsEventsWithOIDCSupport Signed-off-by: Leo Li --- test/auth/features/oidc/containersource.go | 32 ++++++++++++++-------- test/auth/oidc_test.go | 1 + 2 files changed, 22 insertions(+), 11 deletions(-) diff --git a/test/auth/features/oidc/containersource.go b/test/auth/features/oidc/containersource.go index 861aaa2a927..8efb053b01c 100644 --- a/test/auth/features/oidc/containersource.go +++ b/test/auth/features/oidc/containersource.go 
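Review bot: In the @@ -81 hunk, the new assertions are chained as `).Must("Set sinkURI to HTTPS endpoint", ...)` off the closing paren of the previous Must, which breaks the one-assertion-per-line layout used by the rest of the chain; putting `)` on its own line and each `Must(...)` beneath it would match the containersource.go hunk in PATCH 15. The Stable chain in that hunk begins outside the hunk.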
@@ -17,9 +17,12 @@ limitations under the License. package oidc import ( + "context" + "github.com/cloudevents/sdk-go/v2/test" + "knative.dev/eventing/test/rekt/features/featureflags" + "knative.dev/eventing/test/rekt/features/source" "knative.dev/eventing/test/rekt/resources/containersource" - duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/reconciler-test/pkg/eventshub" "knative.dev/reconciler-test/pkg/eventshub/assert" "knative.dev/reconciler-test/pkg/feature" 
@@ -27,25 +30,32 @@ import ( ) func SendsEventsWithSinkRefOIDC() *feature.Feature { - source := feature.MakeRandomK8sName("containersource") + src := feature.MakeRandomK8sName("containersource") sink := feature.MakeRandomK8sName("sink") sinkAudience := "audience" f := feature.NewFeature() + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(sinkAudience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) + + f.Requirement("install ContainerSource", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(sink) + d.CACerts = eventshub.GetCaCerts(ctx) + d.Audience = &sinkAudience - f.Requirement("install containersource", containersource.Install(source, - containersource.WithSink(&duckv1.Destination{ - Ref: service.AsKReference(sink), - Audience: &sinkAudience, - }))) - f.Requirement("containersource goes ready", containersource.IsReady(source)) + containersource.Install(src, containersource.WithSink(d))(ctx, t) + }) + + f.Requirement("containersource goes ready", containersource.IsReady(src)) f.Stable("containersource as event source"). Must("delivers events", - assert.OnStore(sink).MatchEvent(test.HasType("dev.knative.eventing.samples.heartbeat")).AtLeast(1)) - + assert.OnStore(sink).MatchEvent(test.HasType("dev.knative.eventing.samples.heartbeat")).AtLeast(1)). + Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(containersource.Gvr(), src)). + Must("Set sinkCACerts to non empty CA certs", source.ExpectCACerts(containersource.Gvr(), src)) return f } diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index df5e8ef5876..650580784c4 100644 --- a/test/auth/oidc_test.go +++ b/test/auth/oidc_test.go 
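Review bot: The rename of the local `source` to `src` is forced by the new `knative.dev/eventing/test/rekt/features/source` import, which the variable would otherwise shadow at the `source.ExpectHTTPSSink(...)` call; that reason is not visible in the diff, so a one-line comment on the declaration, `// named src to avoid shadowing the features/source package`, or a mention in the commit message would save the next reader a detour. The step names now also mix `"install ContainerSource"` and `"containersource goes ready"`; pick one casing.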
@@ -173,6 +173,7 @@ func TestContainerSourceSendsEventsWithOIDCSupport(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.Test(ctx, t, oidc.SendsEventsWithSinkRefOIDC()) From 7a156b4abe74b5c1066bc49e6248f980e066b06d Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 18 Jan 2024 11:59:46 -0500 Subject: [PATCH 16/25] Update test/rekt/resources/sequence/sequence.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Christoph Stäbler --- test/rekt/resources/sequence/sequence.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/rekt/resources/sequence/sequence.go b/test/rekt/resources/sequence/sequence.go index b95080654cd..a034486779e 100644 --- a/test/rekt/resources/sequence/sequence.go +++ b/test/rekt/resources/sequence/sequence.go @@ -127,7 +127,7 @@ func WithStepFromDestination(dest *duckv1.Destination) manifest.CfgFn { if dest.CACerts != nil { // This is a multi-line string and should be indented accordingly. // Replace "new line" with "new line + spaces". - step["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") + step["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") } if dest.Audience != nil { From e5671029ae69d443528c2c750a71cbea0614506e Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 18 Jan 2024 12:00:01 -0500 Subject: [PATCH 17/25] Update test/auth/features/oidc/broker.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Christoph Stäbler --- test/auth/features/oidc/broker.go | 2 -- 1 file changed, 2 deletions(-) diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index 43e3ea9d839..e3e1b48c4fe 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go 
@@ -130,8 +130,6 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { // FIXME: current progress left over here. Need to figure out why trigger cannot be initialized correctly. // Install Trigger - //f.Setup("install trigger", trigger.Install(triggerName, brokerName, - // trigger.WithSubscriber(nil, "bad://uri"))) f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { // create an empty destination ref From 3e84423e4b02e711c9d55037714ccb0d725229c9 Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 18 Jan 2024 12:00:27 -0500 Subject: [PATCH 18/25] Update test/auth/features/oidc/broker.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Christoph Stäbler --- test/auth/features/oidc/broker.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index e3e1b48c4fe..7b010b90f8f 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go @@ -189,7 +189,7 @@ func BrokerSendEventWithOIDCTokenToReply() *feature.Feature { // Install sink for reply // Hint: we don't need to require OIDC auth at the reply sink, because the // actual reply is sent to the broker ingress, which must support OIDC. This - // reply sink is only to check that the reply as sent and routed correctly. + // reply sink is only to check that the reply was sent and routed correctly. f.Setup("install sink for reply", eventshub.Install(reply, eventshub.StartReceiverTLS)) From 41c937283ce2c2610e789fafc5a6ab2efa277d35 Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 18 Jan 2024 12:00:39 -0500 Subject: [PATCH 19/25] Update test/auth/features/oidc/parallel.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Christoph Stäbler --- test/auth/features/oidc/parallel.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/test/auth/features/oidc/parallel.go b/test/auth/features/oidc/parallel.go index 29a022b6854..d7ff7b76fa4 100644 --- a/test/auth/features/oidc/parallel.go +++ b/test/auth/features/oidc/parallel.go @@ -149,7 +149,7 @@ func ParallelWithTwoBranchesOIDC(channelTemplate channel_template.ChannelTemplat eventshub.InputEvent(event), )) - f.Stable("test Parallel with two branches and 1 filter, and with TLS enabled"). + f.Stable("test Parallel with two branches and 1 filter"). Must("deliver event to subscriber1", eventasssert.OnStore(subscriber1).MatchEvent(test.HasId(event.ID())).AtLeast(1)). Must("deliver event to subscriber2", eventasssert.OnStore(subscriber2).MatchEvent(test.HasId(event.ID())).AtLeast(1)). Must("deliver event to filter1", eventasssert.OnStore(filter1).MatchEvent(test.HasId(event.ID())).AtLeast(1)). From 60463ba5cd94f4281f7e3417477325a93c317537 Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 18 Jan 2024 12:03:01 -0500 Subject: [PATCH 20/25] Update test/auth/features/oidc/broker.go MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Christoph Stäbler --- test/auth/features/oidc/broker.go | 1 - 1 file changed, 1 deletion(-) diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index 7b010b90f8f..ad2e7347465 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go @@ -135,7 +135,6 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { // create an empty destination ref d := duckv1.Destination{} d.CACerts = eventshub.GetCaCerts(ctx) - // uri is an addressable, create a new one and put the bad uri in it d.URI, _ = apis.ParseURL("bad://uri") trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(&d))(ctx, t) From d82242a6a853637f6a4d37f3538acd83769cebb7 Mon Sep 17 00:00:00 2001 
From: Leo Li Date: Thu, 18 Jan 2024 12:29:03 -0500 Subject: [PATCH 21/25] enable the TLS for TestSequenceSendsEventsWithOIDCSupport Signed-off-by: Leo Li --- test/auth/features/oidc/sequence.go | 58 ++++++++++++++++++----------- 1 file changed, 36 insertions(+), 22 deletions(-) diff --git a/test/auth/features/oidc/sequence.go b/test/auth/features/oidc/sequence.go index 7ec880891d7..bbe0d7e0bae 100644 --- a/test/auth/features/oidc/sequence.go +++ b/test/auth/features/oidc/sequence.go @@ -19,6 +19,8 @@ package oidc import ( "context" + "knative.dev/eventing/test/rekt/features/featureflags" + "github.com/cloudevents/sdk-go/v2/test" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/runtime/schema" @@ -56,7 +58,7 @@ func SequenceSendsEventWithOIDC() *feature.FeatureSet { Name: "Sequence send events with OIDC support", Features: []*feature.Feature{ SequenceSendsEventWithOIDCTokenToSteps(), - //SequenceSendsEventWithOIDCTokenToReply(), + SequenceSendsEventWithOIDCTokenToReply(), }, } } @@ -64,6 +66,9 @@ func SequenceSendsEventWithOIDC() *feature.FeatureSet { func SequenceSendsEventWithOIDCTokenToSteps() *feature.Feature { f := feature.NewFeatureNamed("Sequence supports OIDC in internal flow between steps") + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + channelTemplate := channel_template.ChannelTemplate{ TypeMeta: channel_impl.TypeMeta(), Spec: map[string]interface{}{}, 
@@ -129,6 +134,9 @@ func SequenceSendsEventWithOIDCTokenToSteps() *feature.Feature { func SequenceSendsEventWithOIDCTokenToReply() *feature.Feature { f := feature.NewFeatureNamed("Sequence supports OIDC for reply") + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + channelTemplate := channel_template.ChannelTemplate{ TypeMeta: channel_impl.TypeMeta(), Spec: map[string]interface{}{}, 
@@ -150,38 +158,44 @@ func SequenceSendsEventWithOIDCTokenToReply() *feature.Feature { f.Setup("install step 1", eventshub.Install(step1Name, eventshub.ReplyWithAppendedData(step1Append), eventshub.OIDCReceiverAudience(step1Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) f.Setup("install step 2", eventshub.Install(step2Name, eventshub.ReplyWithAppendedData(step2Append), eventshub.OIDCReceiverAudience(step2Audience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) + f.Setup("install sink", eventshub.Install(replySinkName, eventshub.OIDCReceiverAudience(replySinkAudience), - eventshub.StartReceiver)) - - cfg := []manifest.CfgFn{ - sequence.WithChannelTemplate(channelTemplate), - sequence.WithReplyFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(replySinkName), - Audience: &replySinkAudience, - }), - sequence.WithStepFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(step1Name), - Audience: &step1Audience, - }), - sequence.WithStepFromDestination(&duckv1.Destination{ - Ref: service.AsKReference(step2Name), - Audience: &step2Audience, - }), - } + eventshub.StartReceiverTLS)) + + f.Setup("Install Sequence", func(ctx context.Context, t feature.T) { + cfg := []manifest.CfgFn{ + sequence.WithChannelTemplate(channelTemplate), + sequence.WithReplyFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(replySinkName), + Audience: &replySinkAudience, + CACerts: eventshub.GetCaCerts(ctx), + }), + sequence.WithStepFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(step1Name), + Audience: &step1Audience, + CACerts: eventshub.GetCaCerts(ctx), + }), + sequence.WithStepFromDestination(&duckv1.Destination{ + Ref: service.AsKReference(step2Name), + Audience: &step2Audience, + CACerts: eventshub.GetCaCerts(ctx), + }), + } - f.Setup("Install Sequence", sequence.Install(sequenceName, cfg...)) + sequence.Install(sequenceName, cfg...)(ctx, t) + }) f.Setup("Sequence goes ready", 
sequence.IsReady(sequenceName)) event := test.FullEvent() event.SetData("text/plain", "hello") f.Requirement("install source", eventshub.Install(sourceName, - eventshub.StartSenderToResource(sequence.GVR(), sequenceName), + eventshub.StartSenderToResourceTLS(sequence.GVR(), sequenceName, nil), eventshub.InputEvent(event))) expectedMsg := string(event.Data()) From d7a180d2b2d01bf9af322de5cc95c2884963334f Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 18 Jan 2024 12:33:10 -0500 Subject: [PATCH 22/25] enable the TLS for TestPingSourceSendsEventsWithOIDC Signed-off-by: Leo Li --- test/auth/features/oidc/pingsource.go | 22 +++++++++++++++------- test/auth/oidc_test.go | 1 + 2 files changed, 16 insertions(+), 7 deletions(-) diff --git a/test/auth/features/oidc/pingsource.go b/test/auth/features/oidc/pingsource.go index feee5821f53..7c0192d2698 100644 --- a/test/auth/features/oidc/pingsource.go +++ b/test/auth/features/oidc/pingsource.go @@ -17,9 +17,11 @@ limitations under the License. package oidc import ( + "context" + "github.com/cloudevents/sdk-go/v2/test" + "knative.dev/eventing/test/rekt/features/featureflags" "knative.dev/eventing/test/rekt/resources/pingsource" - duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/reconciler-test/pkg/eventshub" "knative.dev/reconciler-test/pkg/eventshub/assert" "knative.dev/reconciler-test/pkg/feature" 
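Review bot: `eventshub.StartSenderToResourceTLS(sequence.GVR(), sequenceName, nil)` passes nil for the CA bundle while every Destination in the same hunk pins `eventshub.GetCaCerts(ctx)`, and a reader can easily mistake that nil for "skip verification". If nil means the sender trusts the CA published in the Sequence's address status — which is what I would expect, but cannot confirm from this hunk — a comment such as `// nil: the sender takes the CA from the Sequence's address status` should say so next to the call. Separately, `eventshub.GetCaCerts(ctx)` is evaluated three times inside the "Install Sequence" closure; hoisting it to `caCerts := eventshub.GetCaCerts(ctx)` and writing `CACerts: caCerts` in each Destination makes it obvious that the reply sink and both steps are pinned to one and the same CA. The function body continues past the end of the hunk.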
@@ -32,15 +34,21 @@ func PingSourceSendEventWithSinkRefOIDC() *feature.Feature { sinkAudience := "audience" f := feature.NewFeature() + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(sinkAudience), - eventshub.StartReceiver)) + eventshub.StartReceiverTLS)) + + f.Requirement("Install pingsource", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(sink) + d.CACerts = eventshub.GetCaCerts(ctx) + d.Audience = &sinkAudience + + pingsource.Install(source, pingsource.WithSink(d))(ctx, t) + }) - f.Requirement("install pingsource", - pingsource.Install(source, pingsource.WithSink(&duckv1.Destination{ - Ref: service.AsKReference(sink), - Audience: &sinkAudience, - }))) f.Requirement("pingsource goes ready", pingsource.IsReady(source)) f.Stable("pingsource as event source"). diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index 602d4cc3f69..7c3a0dcc3dc 100644 --- a/test/auth/oidc_test.go +++ b/test/auth/oidc_test.go @@ -188,6 +188,7 @@ func TestPingSourceSendsEventsWithOIDC(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.Test(ctx, t, oidc.PingSourceSendEventWithSinkRefOIDC()) From 810b5e7a44cb3a763d363c5e3428713f7811b58e Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 18 Jan 2024 12:44:53 -0500 Subject: [PATCH 23/25] enable the TLS for TestChannelDispatcherAuthenticatesWithOIDC Signed-off-by: Leo Li --- test/auth/features/oidc/channel.go | 21 ++++++++++++++++++--- test/auth/oidc_test.go | 1 + 2 files changed, 19 insertions(+), 3 deletions(-) diff --git a/test/auth/features/oidc/channel.go b/test/auth/features/oidc/channel.go index 2512d357cce..2cc1819f3d7 100644 --- a/test/auth/features/oidc/channel.go +++ b/test/auth/features/oidc/channel.go 
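Review bot: The new "Install pingsource" closure exists only so that `eventshub.GetCaCerts(ctx)` can be read at run time, but nothing in the hunk says so, and a maintainer could later "simplify" it back to the plain `pingsource.Install(...)` form and lose the CA pinning on the sink Destination. A comment above the closure, `// CA certs are only available from ctx at run time (eventshub.WithTLS), so the Destination is built inside the step`, makes the constraint explicit; that run-time availability is my reading of the API and should be confirmed. The step title "Install pingsource" is also capitalised differently from "install sink" just above and "pingsource goes ready" just below, so pick one convention. The function continues past the end of the hunk.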
@@ -17,7 +17,10 @@ limitations under the License. package oidc import ( + "context" + "github.com/cloudevents/sdk-go/v2/test" + "knative.dev/eventing/test/rekt/features/featureflags" "knative.dev/eventing/test/rekt/resources/channel_impl" "knative.dev/eventing/test/rekt/resources/subscription" "knative.dev/reconciler-test/pkg/eventshub" @@ -29,6 +32,9 @@ import ( func ChannelDispatcherAuthenticatesRequestsWithOIDC() *feature.Feature { f := feature.NewFeatureNamed("Channel dispatcher authenticates requests with OIDC") + f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) + f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) + source := feature.MakeRandomK8sName("source") channelName := feature.MakeRandomK8sName("channel") sink := feature.MakeRandomK8sName("sink") 
@@ -37,12 +43,21 @@ func ChannelDispatcherAuthenticatesRequestsWithOIDC() *feature.Feature { f.Setup("install channel", channel_impl.Install(channelName)) f.Setup("channel is ready", channel_impl.IsReady(channelName)) - f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(receiverAudience), eventshub.StartReceiver)) - f.Setup("install subscription", subscription.Install(subscriptionName, subscription.WithChannel(channel_impl.AsRef(channelName)), subscription.WithSubscriber(service.AsKReference(sink), "", receiverAudience))) + f.Setup("install sink", eventshub.Install(sink, eventshub.OIDCReceiverAudience(receiverAudience), eventshub.StartReceiverTLS)) + + f.Setup("install subscription", func(ctx context.Context, t feature.T) { + d := service.AsDestinationRef(sink) + d.CACerts = eventshub.GetCaCerts(ctx) + d.Audience = &receiverAudience + subscription.Install(subscriptionName, + subscription.WithChannel(channel_impl.AsRef(channelName)), + subscription.WithSubscriberFromDestination(d))(ctx, t) + }) + f.Setup("subscription is ready", subscription.IsReady(subscriptionName)) event := test.FullEvent() - f.Requirement("install source", eventshub.Install(source, eventshub.InputEvent(event), eventshub.StartSenderToResource(channel_impl.GVR(), channelName))) + f.Requirement("install source", eventshub.Install(source, eventshub.InputEvent(event), eventshub.StartSenderToResourceTLS(channel_impl.GVR(), channelName, nil))) f.Alpha("channel dispatcher").Must("authenticate requests with OIDC", assert.OnStore(sink).MatchReceivedEvent(test.HasId(event.ID())).AtLeast(1)) diff --git a/test/auth/oidc_test.go b/test/auth/oidc_test.go index 7c3a0dcc3dc..a12e109e92f 100644 --- a/test/auth/oidc_test.go +++ b/test/auth/oidc_test.go 
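Review bot: Replacing `subscription.WithSubscriber(service.AsKReference(sink), "", receiverAudience)` with `subscription.WithSubscriberFromDestination(d)` drops the audience at this commit: `WithSubscriberFromDestination` only starts emitting `dest.Audience` in PATCH 24 later in this series, so at this point the Subscription is presumably created without an audience even though `d.Audience = &receiverAudience` is set. That makes the series non-bisectable here; fold the four-line subscription.go change into this commit or reorder it ahead. It is also worth a one-line comment next to `f.Alpha("channel dispatcher")` that the arrival assertion only proves authentication because the sink was installed with `eventshub.OIDCReceiverAudience(receiverAudience)` and would otherwise reject the request — that link is what makes this an OIDC test rather than a delivery test, as far as the visible lines show. The function continues past the end of the hunk.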
@@ -124,6 +124,7 @@ func TestChannelDispatcherAuthenticatesWithOIDC(t *testing.T) { knative.WithTracingConfig, k8s.WithEventListener, environment.Managed(t), + eventshub.WithTLS(t), ) env.Test(ctx, t, oidc.ChannelDispatcherAuthenticatesRequestsWithOIDC()) From 400c9f1a19f5421f9e4be200650374fc2161791c Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 18 Jan 2024 15:32:02 -0500 Subject: [PATCH 24/25] add the audience field Signed-off-by: Leo Li --- test/rekt/resources/subscription/subscription.go | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/rekt/resources/subscription/subscription.go b/test/rekt/resources/subscription/subscription.go index 3521d0d4bba..9d30702fc30 100644 --- a/test/rekt/resources/subscription/subscription.go +++ b/test/rekt/resources/subscription/subscription.go @@ -153,6 +153,10 @@ func WithSubscriberFromDestination(dest *duckv1.Destination) manifest.CfgFn { subscriber["CACerts"] = strings.ReplaceAll(*dest.CACerts, "\n", "\n ") } + if dest.Audience != nil { + subscriber["audience"] = *dest.Audience + } + if uri != nil { subscriber["uri"] = uri.String() } From 0cf666c2ae8fe0e53b0af7411cd5d424b880b068 Mon Sep 17 00:00:00 2001 From: Leo Li Date: Thu, 18 Jan 2024 15:40:12 -0500 Subject: [PATCH 25/25] Code clean up Signed-off-by: Leo Li --- test/auth/features/oidc/broker.go | 12 +++--------- test/auth/features/oidc/parallel.go | 1 - 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/test/auth/features/oidc/broker.go b/test/auth/features/oidc/broker.go index ad2e7347465..40cb57f2453 100644 --- a/test/auth/features/oidc/broker.go +++ b/test/auth/features/oidc/broker.go @@ -24,7 +24,6 @@ import ( "github.com/cloudevents/sdk-go/v2/test" "github.com/google/uuid" "knative.dev/eventing/test/rekt/features/featureflags" - "knative.dev/eventing/test/rekt/resources/addressable" "knative.dev/eventing/test/rekt/resources/broker" "knative.dev/eventing/test/rekt/resources/delivery" "knative.dev/eventing/test/rekt/resources/trigger" 
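Review bot: The new `subscriber["audience"] = *dest.Audience` writes a lowercase key while the preceding line writes `subscriber["CACerts"]`, and the key must match whatever the subscription template reads; the 1-file diffstat shows the template is not touched in this commit, so it must already render `.subscriber.audience` (the pre-existing `WithSubscriber(..., audience)` helper removed in the previous patch suggests it does). Please confirm against the template, and add `// key must match .subscriber.audience in the template` so the casing difference does not look like a typo. The enclosing function starts and ends outside the hunk.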
@@ -65,7 +64,6 @@ func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature { f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...)) f.Setup("broker is ready", broker.IsReady(brokerName)) f.Setup("broker is addressable", broker.IsAddressable(brokerName)) - f.Setup("Broker has HTTPS address", broker.ValidateAddress(brokerName, addressable.AssertHTTPSAddress)) // Install the sink f.Setup("install sink", eventshub.Install( @@ -74,7 +72,7 @@ func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature { eventshub.OIDCReceiverAudience(sinkAudience), )) - f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { + f.Setup("Install the trigger", func(ctx context.Context, t feature.T) { d := service.AsDestinationRef(sink) d.CACerts = eventshub.GetCaCerts(ctx) d.Audience = &sinkAudience @@ -128,10 +126,7 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { f.Setup("Broker is ready", broker.IsReady(brokerName)) - // FIXME: current progress left over here. Need to figure out why trigger cannot be initialized correctly. - // Install Trigger - - f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { + f.Setup("Install the trigger", func(ctx context.Context, t feature.T) { // create an empty destination ref d := duckv1.Destination{} d.CACerts = eventshub.GetCaCerts(ctx) 
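Review bot: Dropping `f.Setup("Broker has HTTPS address", broker.ValidateAddress(brokerName, addressable.AssertHTTPSAddress))` removes the one check that the Broker actually advertises an HTTPS address, which is the property that keeps the OIDC bearer token off plaintext; the strict-transport prerequisite appears to check only the feature flag, not what the reconciler produced. The commit message says just "Code clean up", so it is unclear whether the assertion was failing for the Broker in this environment or is considered redundant with the sender's enforced TLS; either reason belongs in the message, and if it was failing that is a finding rather than cleanup. The enclosing function continues outside the hunk.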
@@ -195,9 +190,8 @@ func BrokerSendEventWithOIDCTokenToReply() *feature.Feature { // Install broker f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...)) f.Setup("Broker is ready", broker.IsReady(brokerName)) - f.Setup("Broker has HTTPS address", broker.ValidateAddress(brokerName, addressable.AssertHTTPSAddress)) - f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { + f.Setup("install the trigger", func(ctx context.Context, t feature.T) { d := service.AsDestinationRef(subscriber) d.CACerts = eventshub.GetCaCerts(ctx) trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d), trigger.WithFilter(map[string]string{ diff --git a/test/auth/features/oidc/parallel.go b/test/auth/features/oidc/parallel.go index d7ff7b76fa4..cf2ab49e0f2 100644 --- a/test/auth/features/oidc/parallel.go +++ b/test/auth/features/oidc/parallel.go @@ -141,7 +141,6 @@ func ParallelWithTwoBranchesOIDC(channelTemplate channel_template.ChannelTemplat }) f.Setup("Parallel goes ready", parallel.IsReady(parallelName)) f.Setup("Parallel is addressable", parallel.IsAddressable(parallelName)) - f.Setup("Parallel has HTTPS address", parallel.ValidateAddress(parallelName, addressable.AssertHTTPSAddress)) f.Requirement("install source", eventshub.Install( source,
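Review bot: The step title here is `"install the trigger"` while the same commit renames the two sibling steps in this file to `"Install the trigger"`; since this commit exists to tidy these strings, use one form. The hunk also removes the "Broker has HTTPS address" assertion for the reply path without a stated reason, which is the same unexplained loss of an HTTPS check as in the subscriber feature and should be justified in the commit message. The parallel.go hunk that follows is cut off at the end of the page, so I have not reviewed it. The enclosing function continues past the end of the hunk.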