[release-1.14] Watch only our own OIDC-related secrets (#8071)

Filter OIDC secrets

Signed-off-by: Pierangelo Di Pilato <[email protected]>
Co-authored-by: Pierangelo Di Pilato <[email protected]>

Author: knative-prow-robot

pkg/auth/serviceaccount.go

@@ -21,11 +21,13 @@ import (
 	"fmt"
 	"strings"
 
-	"knative.dev/eventing/pkg/apis/feature"
+	"k8s.io/apimachinery/pkg/api/equality"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/kmeta"
 	pkgreconciler "knative.dev/pkg/reconciler"
 
+	"knative.dev/eventing/pkg/apis/feature"
+
 	"go.uber.org/zap"
 	v1 "k8s.io/api/core/v1"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
@@ -38,10 +40,10 @@ import (
 )
 
 const (
-	//OIDCLabelKey is used to filter out all the informers that related to OIDC work
-	OIDCLabelKey = "oidc"
+	// OIDCLabelKey is used to filter out all the informers that related to OIDC work
+	OIDCLabelKey = "eventing.knative.dev/oidc"
 
-	// OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers
+	// OIDCLabelSelector is the label selector for the OIDC resources
 	OIDCLabelSelector = OIDCLabelKey
 )
 
@@ -87,28 +89,38 @@ func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccou
 	saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta)
 	sa, err := serviceAccountLister.ServiceAccounts(objectMeta.Namespace).Get(saName)
 
+	expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
+
 	// If the resource doesn't exist, we'll create it.
 	if apierrs.IsNotFound(err) {
 		logging.FromContext(ctx).Debugw("Creating OIDC service account", zap.Error(err))
 
-		expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
-
 		_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Create(ctx, expected, metav1.CreateOptions{})
 		if err != nil {
-			return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+			return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 		}
 
 		return nil
 	}
-
 	if err != nil {
-		return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+		return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 	}
-
 	if !metav1.IsControlledBy(&sa.ObjectMeta, &objectMeta) {
 		return fmt.Errorf("service account %s not owned by %s %s", sa.Name, gvk.Kind, objectMeta.Name)
 	}
 
+	if !equality.Semantic.DeepDerivative(expected, sa) {
+		expected.ResourceVersion = sa.ResourceVersion
+
+		_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Update(ctx, expected, metav1.UpdateOptions{})
+		if err != nil {
+			return fmt.Errorf("could not update OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
+		}
+
+		return nil
+
+	}
+
 	return nil
 }
 

pkg/reconciler/sinkbinding/controller.go

@@ -44,7 +44,7 @@ import (
 	"knative.dev/pkg/apis/duck"
 	kubeclient "knative.dev/pkg/client/injection/kube/client"
 	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
-	secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret"
+	secretinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered"
 	serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount/filtered"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
@@ -80,7 +80,7 @@ func NewController(
 	psInformerFactory := podspecable.Get(ctx)
 	namespaceInformer := namespace.Get(ctx)
 	oidcServiceaccountInformer := serviceaccountinformer.Get(ctx, auth.OIDCLabelSelector)
-	secretInformer := secretinformer.Get(ctx)
+	secretInformer := secretinformer.Get(ctx, auth.OIDCLabelSelector)
 	trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector)
 	trustBundleConfigMapLister := trustBundleConfigMapInformer.Lister()
 

pkg/reconciler/sinkbinding/sinkbinding.go

@@ -193,6 +193,9 @@ func (s *SinkBindingSubResourcesReconciler) renewOIDCTokenSecret(ctx context.Con
 
 	apiVersion := fmt.Sprintf("%s/%s", v1.SchemeGroupVersion.Group, v1.SchemeGroupVersion.Version)
 	applyConfig := new(applyconfigurationcorev1.SecretApplyConfiguration).
+		WithLabels(map[string]string{
+			auth.OIDCLabelKey: "enabled",
+		}).
 		WithName(secretName).
 		WithNamespace(sb.Namespace).
 		WithType(corev1.SecretTypeOpaque).

vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/secret.go renamed to vendor/knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered/secret.go

@@ -1277,7 +1277,7 @@ knative.dev/pkg/client/injection/kube/informers/core/v1/endpoints/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/namespace
 knative.dev/pkg/client/injection/kube/informers/core/v1/namespace/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/pod
-knative.dev/pkg/client/injection/kube/informers/core/v1/secret
+knative.dev/pkg/client/injection/kube/informers/core/v1/secret/filtered
 knative.dev/pkg/client/injection/kube/informers/core/v1/service
 knative.dev/pkg/client/injection/kube/informers/core/v1/service/fake
 knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount