Enable TLS for OIDC e2e tests

test/auth/config/features.yaml

@@ -19,3 +19,5 @@ metadata:
   namespace: knative-eventing
 data:
   authentication-oidc: "enabled"
+  transport-encryption: "strict"
+

test/auth/features/oidc/addressable_oidc_conformance.go

@@ -85,7 +85,7 @@ func addressableRejectInvalidAudience(gvr schema.GroupVersionResource, kind, nam
 
 	f.Requirement("install source", eventshub.Install(
 		source,
-		eventshub.StartSenderToResource(gvr, name),
+		eventshub.StartSenderToResourceTLS(gvr, name, nil),
 		eventshub.OIDCInvalidAudience(),
 		eventshub.InputEvent(event),
 	))
@@ -109,7 +109,7 @@ func addressableRejectExpiredToken(gvr schema.GroupVersionResource, kind, name s
 
 	f.Requirement("install source", eventshub.Install(
 		source,
-		eventshub.StartSenderToResource(gvr, name),
+		eventshub.StartSenderToResourceTLS(gvr, name, nil),
 		eventshub.OIDCExpiredToken(),
 		eventshub.InputEvent(event),
 	))
@@ -133,7 +133,7 @@ func addressableRejectCorruptedSignature(gvr schema.GroupVersionResource, kind,
 
 	f.Requirement("install source", eventshub.Install(
 		source,
-		eventshub.StartSenderToResource(gvr, name),
+		eventshub.StartSenderToResourceTLS(gvr, name, nil),
 		eventshub.OIDCCorruptedSignature(),
 		eventshub.InputEvent(event),
 	))
@@ -157,7 +157,7 @@ func addressableAllowsValidRequest(gvr schema.GroupVersionResource, kind, name s
 
 	f.Requirement("install source", eventshub.Install(
 		source,
-		eventshub.StartSenderToResource(gvr, name),
+		eventshub.StartSenderToResourceTLS(gvr, name, nil),
 		eventshub.InputEvent(event),
 	))
 

test/auth/features/oidc/apiserversource.go

@@ -19,6 +19,9 @@ package oidc
 import (
 	"context"
 
+	"knative.dev/eventing/test/rekt/features/featureflags"
+	"knative.dev/eventing/test/rekt/features/source"
+
 	"github.com/cloudevents/sdk-go/v2/test"
 	rbacv1 "k8s.io/api/rbac/v1"
 	v1 "knative.dev/eventing/pkg/apis/sources/v1"
@@ -44,8 +47,11 @@ func ApiserversourceSendEventWithJWT() *feature.Feature {
 
 	f := feature.NewFeatureNamed("ApiServerSource send events with OIDC authentication")
 
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
 	f.Setup("deploy receiver", eventshub.Install(sink,
-		eventshub.StartReceiver,
+		eventshub.StartReceiverTLS,
 		eventshub.OIDCReceiverAudience(audience)))
 
 	f.Setup("Create Service Account for ApiServerSource with RBAC for v1.Event resources",
@@ -63,6 +69,7 @@ func ApiserversourceSendEventWithJWT() *feature.Feature {
 	f.Requirement("install ApiServerSource", func(ctx context.Context, t feature.T) {
 		d := service.AsDestinationRef(sink)
 		d.Audience = &audience
+		d.CACerts = eventshub.GetCaCerts(ctx)
 
 		cfg = append(cfg, apiserversource.WithSink(d))
 		apiserversource.Install(src, cfg...)(ctx, t)
@@ -81,7 +88,8 @@ func ApiserversourceSendEventWithJWT() *feature.Feature {
 				Match(eventassert.MatchKind(eventshub.EventReceived)).
 				MatchEvent(test.HasType("dev.knative.apiserver.resource.update")).
 				AtLeast(1),
-		)
+		).Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(apiserversource.Gvr(), src)).
+		Must("Set sinkCACerts to non empty CA certs", source.ExpectCACerts(apiserversource.Gvr(), src))
 
 	return f
 }

test/auth/features/oidc/broker.go

@@ -17,8 +17,14 @@ limitations under the License.
 package oidc
 
 import (
+	"context"
+
+	"knative.dev/pkg/apis"
+
 	"github.com/cloudevents/sdk-go/v2/test"
 	"github.com/google/uuid"
+	"knative.dev/eventing/test/rekt/features/featureflags"
+	"knative.dev/eventing/test/rekt/resources/addressable"
 	"knative.dev/eventing/test/rekt/resources/broker"
 	"knative.dev/eventing/test/rekt/resources/delivery"
 	"knative.dev/eventing/test/rekt/resources/trigger"
@@ -43,6 +49,10 @@ func BrokerSendEventWithOIDC() *feature.FeatureSet {
 func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature {
 	f := feature.NewFeatureNamed("Broker supports flow with OIDC tokens")
 
+	// TLS is required for OIDC
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
 	source := feature.MakeRandomK8sName("source")
 	brokerName := feature.MakeRandomK8sName("broker")
 	sink := feature.MakeRandomK8sName("sink")
@@ -55,28 +65,27 @@ func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature {
 	f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...))
 	f.Setup("broker is ready", broker.IsReady(brokerName))
 	f.Setup("broker is addressable", broker.IsAddressable(brokerName))
+	f.Setup("Broker has HTTPS address", broker.ValidateAddress(brokerName, addressable.AssertHTTPSAddress))
 
 	// Install the sink
 	f.Setup("install sink", eventshub.Install(
 		sink,
+		eventshub.StartReceiverTLS,
 		eventshub.OIDCReceiverAudience(sinkAudience),
-		eventshub.StartReceiver))
-
-	// Install the trigger and Point the Trigger subscriber to the sink svc.
-	f.Setup("install trigger", trigger.Install(
-		triggerName,
-		brokerName,
-		trigger.WithSubscriberFromDestination(&duckv1.Destination{
-			Ref:      service.AsKReference(sink),
-			Audience: &sinkAudience,
-		}),
 	))
+
+	f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) {
+		d := service.AsDestinationRef(sink)
+		d.CACerts = eventshub.GetCaCerts(ctx)
+		d.Audience = &sinkAudience
+		trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d))(ctx, t)
+	})
 	f.Setup("trigger goes ready", trigger.IsReady(triggerName))
 
 	// Send event
 	f.Requirement("install source", eventshub.Install(
 		source,
-		eventshub.StartSenderToResource(broker.GVR(), brokerName),
+		eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil),
 		eventshub.InputEvent(event),
 	))
 
@@ -89,6 +98,10 @@ func BrokerSendEventWithOIDCTokenToSubscriber() *feature.Feature {
 func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature {
 	f := feature.NewFeature()
 
+	// TLS is required for OIDC
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
 	brokerName := feature.MakeRandomK8sName("broker")
 	dls := feature.MakeRandomK8sName("dls")
 	triggerName := feature.MakeRandomK8sName("trigger")
@@ -101,27 +114,37 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature {
 	// Install DLS sink
 	f.Setup("install dead letter sink", eventshub.Install(dls,
 		eventshub.OIDCReceiverAudience(dlsAudience),
-		eventshub.StartReceiver))
-
-	// Install broker with DLS config
-	brokerConfig := append(
-		broker.WithEnvConfig(),
-		delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{
-			Ref:      service.AsKReference(dls),
-			Audience: &dlsAudience,
-		}),
-	)
-	f.Setup("install broker", broker.Install(brokerName, brokerConfig...))
+		eventshub.StartReceiverTLS))
+
+	f.Setup("install broker", func(ctx context.Context, t feature.T) {
+		brokerConfig := append(broker.WithEnvConfig(),
+			delivery.WithDeadLetterSinkFromDestination(&duckv1.Destination{
+				Ref:      service.AsKReference(dls),
+				Audience: &dlsAudience,
+				CACerts:  eventshub.GetCaCerts(ctx),
+			}))
+		broker.Install(brokerName, brokerConfig...)(ctx, t)
+	})
+
 	f.Setup("Broker is ready", broker.IsReady(brokerName))
 
+	// FIXME: current progress left over here. Need to figure out why trigger cannot be initialized correctly.
 	// Install Trigger
-	f.Setup("install trigger", trigger.Install(triggerName, brokerName,
-		trigger.WithSubscriber(nil, "bad://uri")))
+
+	f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) {
+		// create an empty destination ref
+		d := duckv1.Destination{}
+		d.CACerts = eventshub.GetCaCerts(ctx)
+		d.URI, _ = apis.ParseURL("bad://uri")
+		trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(&d))(ctx, t)
+
+	})
+
 	f.Setup("trigger is ready", trigger.IsReady(triggerName))
 
 	// Send events after data plane is ready.
 	f.Requirement("install source", eventshub.Install(source,
-		eventshub.StartSenderToResource(broker.GVR(), brokerName),
+		eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil),
 		eventshub.InputEvent(event),
 	))
 
@@ -133,8 +156,17 @@ func BrokerSendEventWithOIDCTokenToDLS() *feature.Feature {
 }
 
 func BrokerSendEventWithOIDCTokenToReply() *feature.Feature {
+	//1. An event is sent to a broker.
+	//2. A trigger routes this event to a subscriber.
+	//3. The subscriber processes and replies to the event.
+	//4. A helper trigger routes the reply to a designated sink.
+	//5. The test verifies that the reply reaches the sink with the expected modifications.
 	f := feature.NewFeature()
 
+	// TLS is required for OIDC
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
 	brokerName := feature.MakeRandomK8sName("broker")
 	subscriber := feature.MakeRandomK8sName("subscriber")
 	reply := feature.MakeRandomK8sName("reply")
@@ -151,38 +183,41 @@ func BrokerSendEventWithOIDCTokenToReply() *feature.Feature {
 	// Install subscriber
 	f.Setup("install subscriber", eventshub.Install(subscriber,
 		eventshub.ReplyWithTransformedEvent(replyEventType, replyEventSource, ""),
-		eventshub.StartReceiver))
+		eventshub.StartReceiverTLS))
 
 	// Install sink for reply
 	// Hint: we don't need to require OIDC auth at the reply sink, because the
 	// actual reply is sent to the broker ingress, which must support OIDC. This
-	// reply sink is only to check that the reply as sent and routed correctly.
+	// reply sink is only to check that the reply was sent and routed correctly.
 	f.Setup("install sink for reply", eventshub.Install(reply,
-		eventshub.StartReceiver))
+		eventshub.StartReceiverTLS))
 
 	// Install broker
 	f.Setup("install broker", broker.Install(brokerName, broker.WithEnvConfig()...))
 	f.Setup("Broker is ready", broker.IsReady(brokerName))
+	f.Setup("Broker has HTTPS address", broker.ValidateAddress(brokerName, addressable.AssertHTTPSAddress))
 
-	// Install Trigger
-	f.Setup("install trigger", trigger.Install(triggerName, brokerName,
-		trigger.WithSubscriber(service.AsKReference(subscriber), ""),
-		trigger.WithFilter(map[string]string{
+	f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) {
+		d := service.AsDestinationRef(subscriber)
+		d.CACerts = eventshub.GetCaCerts(ctx)
+		trigger.Install(triggerName, brokerName, trigger.WithSubscriberFromDestination(d), trigger.WithFilter(map[string]string{
 			"type": event.Type(),
-		})))
+		}))(ctx, t)
+	})
+
 	f.Setup("trigger is ready", trigger.IsReady(triggerName))
 
-	// Install helper trigger to route replys to reply-sink
-	f.Setup("install helper trigger", trigger.Install(helperTriggerName, brokerName,
-		trigger.WithSubscriber(service.AsKReference(reply), ""),
-		trigger.WithFilter(map[string]string{
+	f.Setup("install the trigger and specify the CA cert of the destination", func(ctx context.Context, t feature.T) {
+		d := service.AsDestinationRef(reply)
+		d.CACerts = eventshub.GetCaCerts(ctx)
+		trigger.Install(helperTriggerName, brokerName, trigger.WithSubscriberFromDestination(d), trigger.WithFilter(map[string]string{
 			"type": replyEventType,
-		})))
-	f.Setup("helper trigger is ready", trigger.IsReady(helperTriggerName))
+		}))(ctx, t)
+	})
 
 	// Send events after data plane is ready.
 	f.Requirement("install source", eventshub.Install(source,
-		eventshub.StartSenderToResource(broker.GVR(), brokerName),
+		eventshub.StartSenderToResourceTLS(broker.GVR(), brokerName, nil),
 		eventshub.InputEvent(event),
 	))
 

test/auth/features/oidc/containersource.go

@@ -17,35 +17,45 @@ limitations under the License.
 package oidc
 
 import (
+	"context"
+
 	"github.com/cloudevents/sdk-go/v2/test"
+	"knative.dev/eventing/test/rekt/features/featureflags"
+	"knative.dev/eventing/test/rekt/features/source"
 	"knative.dev/eventing/test/rekt/resources/containersource"
-	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/reconciler-test/pkg/eventshub"
 	"knative.dev/reconciler-test/pkg/eventshub/assert"
 	"knative.dev/reconciler-test/pkg/feature"
 	"knative.dev/reconciler-test/pkg/resources/service"
 )
 
 func SendsEventsWithSinkRefOIDC() *feature.Feature {
-	source := feature.MakeRandomK8sName("containersource")
+	src := feature.MakeRandomK8sName("containersource")
 	sink := feature.MakeRandomK8sName("sink")
 	sinkAudience := "audience"
 	f := feature.NewFeature()
 
+	f.Prerequisite("transport encryption is strict", featureflags.TransportEncryptionStrict())
+	f.Prerequisite("should not run when Istio is enabled", featureflags.IstioDisabled())
+
 	f.Setup("install sink", eventshub.Install(sink,
 		eventshub.OIDCReceiverAudience(sinkAudience),
-		eventshub.StartReceiver))
+		eventshub.StartReceiverTLS))
+
+	f.Requirement("install ContainerSource", func(ctx context.Context, t feature.T) {
+		d := service.AsDestinationRef(sink)
+		d.CACerts = eventshub.GetCaCerts(ctx)
+		d.Audience = &sinkAudience
 
-	f.Requirement("install containersource", containersource.Install(source,
-		containersource.WithSink(&duckv1.Destination{
-			Ref:      service.AsKReference(sink),
-			Audience: &sinkAudience,
-		})))
-	f.Requirement("containersource goes ready", containersource.IsReady(source))
+		containersource.Install(src, containersource.WithSink(d))(ctx, t)
+	})
+
+	f.Requirement("containersource goes ready", containersource.IsReady(src))
 
 	f.Stable("containersource as event source").
 		Must("delivers events",
-			assert.OnStore(sink).MatchEvent(test.HasType("dev.knative.eventing.samples.heartbeat")).AtLeast(1))
-
+			assert.OnStore(sink).MatchEvent(test.HasType("dev.knative.eventing.samples.heartbeat")).AtLeast(1)).
+		Must("Set sinkURI to HTTPS endpoint", source.ExpectHTTPSSink(containersource.Gvr(), src)).
+		Must("Set sinkCACerts to non empty CA certs", source.ExpectCACerts(containersource.Gvr(), src))
 	return f
 }