Enable TLS for OIDC e2e tests #7551
|
@@ -19,3 +19,5 @@ metadata: | |
namespace: knative-eventing | ||
data: | ||
authentication-oidc: "enabled" | ||
transport-encryption: "strict" | ||
|
|
@@ -17,8 +17,14 @@ limitations under the License. | |
package oidc | ||
|
||
import ( | ||
"context" | ||
|
||
"knative.dev/pkg/apis" | ||
|
||
"github.com/cloudevents/sdk-go/v2/test" | ||
"github.com/google/uuid" | ||
"knative.dev/eventing/test/rekt/features/featureflags" | ||
"knative.dev/eventing/test/rekt/resources/addressable" | ||
"knative.dev/eventing/test/rekt/resources/broker" | ||
"knative.dev/eventing/test/rekt/resources/delivery" | ||
"knative.dev/eventing/test/rekt/resources/trigger" | ||
|
@@ -43,6 +49,10 @@ func BrokerSendEventWithOIDC() *feature.FeatureSet { | |
func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature { | ||
f := feature.NewFeatureNamed("Broker supports flow with OIDC tokens") | ||
|
||
// TLS is required for OIDC | ||
f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) | ||
f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) | ||
|
||
source := feature.MakeRandomK8sName("source") | ||
brokerName := feature.MakeRandomK8sName("broker") | ||
sink := feature.MakeRandomK8sName("sink") | ||
|
@@ -55,28 +65,27 @@ func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature { | |
f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...)) | ||
f.Setup("broker is ready", broker.IsReady(brokerName)) | ||
f.Setup("broker is addressable", broker.IsAddressable(brokerName)) | ||
f.Setup("Broker has HTTPS address", broker.ValidateAddress(brokerName, addressable.AssertHTTPSAddress)) | ||
|
||
// Install the sink | ||
f.Setup("install sink", eventshub.Install( | ||
sink, | ||
eventshub.StartReceiverTLS, | ||
eventshub.OIDCReceiverAudience(sinkAudience), | ||
eventshub.StartReceiver)) | ||
|
||
// Install the trigger and Point the Trigger subscriber to the sink svc. | ||
f.Setup("install trigger", trigger.Install( | ||
triggerName, | ||
brokerName, | ||
trigger.WithSubscriberFromDestination(&duckv1.Destination{ | ||
Ref: service.AsKReference(sink), | ||
Audience: &sinkAudience, | ||
}), | ||
)) | ||
|
||
f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { | ||
d := service.AsDestinationRef(sink) | ||
d.CACerts = eventshub.GetCaCerts(ctx) | ||
d.Audience = &sinkAudience | ||
trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d))(ctx, t) | ||
}) | ||
f.Setup("trigger goes ready", trigger.IsReady(triggerName)) | ||
|
||
// Send event | ||
f.Requirement("install source", eventshub.Install( | ||
source, | ||
eventshub.StartSenderToResource(broker.GVR(), brokerName), | ||
eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil), | ||
eventshub.InputEvent(event), | ||
)) | ||
|
||
|
@@ -89,6 +98,10 @@ func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature { | |
func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { | ||
f := feature.NewFeature() | ||
|
||
// TLS is required for OIDC | ||
f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) | ||
f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) | ||
|
||
brokerName := feature.MakeRandomK8sName("broker") | ||
dls := feature.MakeRandomK8sName("dls") | ||
triggerName := feature.MakeRandomK8sName("trigger") | ||
|
@@ -101,27 +114,37 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { | |
// Install DLS sink | ||
f.Setup("install dead letter sink", eventshub.Install(dls, | ||
eventshub.OIDCReceiverAudience(dlsAudience), | ||
eventshub.StartReceiver)) | ||
|
||
// Install broker with DLS config | ||
brokerConfig := append( | ||
broker.WithEnvConfig(), | ||
delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{ | ||
Ref: service.AsKReference(dls), | ||
Audience: &dlsAudience, | ||
}), | ||
) | ||
f.Setup("install broker", broker.Install(brokerName, brokerConfig...)) | ||
eventshub.StartReceiverTLS)) | ||
|
||
f.Setup("install broker", func(ctx context.Context, t feature.T) { | ||
brokerConfig := append(broker.WithEnvConfig(), | ||
delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{ | ||
Ref: service.AsKReference(dls), | ||
Audience: &dlsAudience, | ||
CACerts: eventshub.GetCaCerts(ctx), | ||
})) | ||
broker.Install(brokerName, brokerConfig...)(ctx, t) | ||
}) | ||
|
||
f.Setup("Broker is ready", broker.IsReady(brokerName)) | ||
|
||
// FIXME: current progress left over here. Need to figure out why trigger cannot be initialized correctly. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. leftover? |
||
// Install Trigger | ||
f.Setup("install trigger", trigger.Install(triggerName, brokerName, | ||
trigger.WithSubscriber(nil, "bad://uri"))) | ||
|
||
f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { | ||
// create an empty destination ref | ||
d := duckv1.Destination{} | ||
d.CACerts = eventshub.GetCaCerts(ctx) | ||
d.URI, _ = apis.ParseURL("bad://uri") | ||
trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(&d))(ctx, t) | ||
|
||
|
||
}) | ||
|
||
f.Setup("trigger is ready", trigger.IsReady(triggerName)) | ||
|
||
// Send events after data plane is ready. | ||
f.Requirement("install source", eventshub.Install(source, | ||
eventshub.StartSenderToResource(broker.GVR(), brokerName), | ||
eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil), | ||
eventshub.InputEvent(event), | ||
)) | ||
|
||
|
@@ -133,8 +156,17 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature { | |
} | ||
|
||
func BrokerSendEventWithOIDCTokenToReply() *feature.Feature { | ||
//1. An event is sent to a broker. | ||
//2. A trigger routes this event to a subscriber. | ||
//3. The subscriber processes and replies to the event. | ||
//4. A helper trigger routes the reply to a designated sink. | ||
//5. The test verifies that the reply reaches the sink with the expected modifications. | ||
f := feature.NewFeature() | ||
|
||
// TLS is required for OIDC | ||
f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict()) | ||
f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled()) | ||
|
||
brokerName := feature.MakeRandomK8sName("broker") | ||
subscriber := feature.MakeRandomK8sName("subscriber") | ||
reply := feature.MakeRandomK8sName("reply") | ||
|
@@ -151,38 +183,41 @@ func BrokerSendEventWithOIDCTokenToReply() *feature.Feature { | |
// Install subscriber | ||
f.Setup("install subscriber", eventshub.Install(subscriber, | ||
eventshub.ReplyWithTransformedEvent(replyEventType, replyEventSource, ""), | ||
eventshub.StartReceiver)) | ||
eventshub.StartReceiverTLS)) | ||
|
||
// Install sink for reply | ||
// Hint: we don't need to require OIDC auth at the reply sink, because the | ||
// actual reply is sent to the broker ingress, which must support OIDC. This | ||
// reply sink is only to check that the reply as sent and routed correctly. | ||
// reply sink is only to check that the reply was sent and routed correctly. | ||
f.Setup("install sink for reply", eventshub.Install(reply, | ||
eventshub.StartReceiver)) | ||
eventshub.StartReceiverTLS)) | ||
|
||
// Install broker | ||
f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...)) | ||
f.Setup("Broker is ready", broker.IsReady(brokerName)) | ||
f.Setup("Broker has HTTPS address", broker.ValidateAddress(brokerName, addressable.AssertHTTPSAddress)) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Not sure if we need this, as we have |
||
|
||
// Install Trigger | ||
f.Setup("install trigger", trigger.Install(triggerName, brokerName, | ||
trigger.WithSubscriber(service.AsKReference(subscriber), ""), | ||
trigger.WithFilter(map[string]string{ | ||
f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { | ||
d := service.AsDestinationRef(subscriber) | ||
d.CACerts = eventshub.GetCaCerts(ctx) | ||
trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d), trigger.WithFilter(map[string]string{ | ||
"type": event.Type(), | ||
}))) | ||
}))(ctx, t) | ||
}) | ||
|
||
f.Setup("trigger is ready", trigger.IsReady(triggerName)) | ||
|
||
// Install helper trigger to route replys to reply-sink | ||
f.Setup("install helper trigger", trigger.Install(helperTriggerName, brokerName, | ||
trigger.WithSubscriber(service.AsKReference(reply), ""), | ||
trigger.WithFilter(map[string]string{ | ||
f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) { | ||
d := service.AsDestinationRef(reply) | ||
d.CACerts = eventshub.GetCaCerts(ctx) | ||
trigger.Install(helperTriggerName, brokerName, trigger.WithSubscriberFromDestination(d), trigger.WithFilter(map[string]string{ | ||
"type": replyEventType, | ||
}))) | ||
f.Setup("helper trigger is ready", trigger.IsReady(helperTriggerName)) | ||
}))(ctx, t) | ||
}) | ||
|
||
// Send events after data plane is ready. | ||
f.Requirement("install source", eventshub.Install(source, | ||
eventshub.StartSenderToResource(broker.GVR(), brokerName), | ||
eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil), | ||
eventshub.InputEvent(event), | ||
)) | ||
|
||
|
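Review bot: The readiness wait for the helper trigger is dropped in the last hunk of this file: the old `f.Setup("helper trigger is ready", trigger.IsReady(helperTriggerName))` has no counterpart after the new `})` that closes the helper-trigger setup step, so the "install source" requirement can start sending before the helper trigger is able to route replies, which would make the reply assertion flaky. Re-add `f.Setup("helper trigger is ready", trigger.IsReady(helperTriggerName))` directly after that step, mirroring the `trigger is ready` step that is kept for the main trigger. Separately, in the DLS hunk `d.URI, _ = apis.ParseURL("bad://uri")` discards the parse error; the input is a constant, but a nil `d.URI` on failure would silently change what the trigger is installed with, so failing the step through `t` on a non-nil error is cheaper than debugging it later. All three enclosing feature functions start and end outside their hunks.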
I would simply name this step
install the trigger
, as you do some other configuration besides the CA too. Same in the other files.