[release-v1.11] Trust manager integration (#493)

* Label OpenShift CA trust bundle as Knative trust bundle Signed-off-by: Pierangelo Di Pilato <[email protected]> * Trust-manager integration (knative#7532) * Trust-manager integration Signed-off-by: Pierangelo Di Pilato <[email protected]> * Add E2E tests Signed-off-by: Pierangelo Di Pilato <[email protected]> * Fix linter and format Go code Signed-off-by: Pierangelo Di Pilato <[email protected]> * Upgrade rekt Signed-off-by: Pierangelo Di Pilato <[email protected]> * Reference Eventing CA issuer in E2E tests Signed-off-by: Pierangelo Di Pilato <[email protected]> * Force GVK in sources when propagating trust bundle Signed-off-by: Pierangelo Di Pilato <[email protected]> * Format Go code Signed-off-by: Pierangelo Di Pilato <[email protected]> * SinkBinding reconciler needs to create/update/delete trust bundle configmaps Signed-off-by: Pierangelo Di Pilato <[email protected]> * Upgrade rekt deps Signed-off-by: Pierangelo Di Pilato <[email protected]> * Add Deployment volumes for SinkBinding tests Signed-off-by: Pierangelo Di Pilato <[email protected]> * Fix CA certs bundle and https endpoint assertions Signed-off-by: Pierangelo Di Pilato <[email protected]> * Pass TrustBundleConfigMapLister in PingSource runner Signed-off-by: Pierangelo Di Pilato <[email protected]> * Fix adapter create informer logic for trust bundle ConfigMaps Signed-off-by: Pierangelo Di Pilato <[email protected]> * Remove propagate configmaps in ContainerSource reconciler as is done in SB reconciler Signed-off-by: Pierangelo Di Pilato <[email protected]> * Inject trust bundles as volumes in sinkbinding reconciler Signed-off-by: Pierangelo Di Pilato <[email protected]> * Inject trust-bundle to SinkBinding subjects Signed-off-by: Pierangelo Di Pilato <[email protected]> * Fix lister ctx injection Signed-off-by: Pierangelo Di Pilato <[email protected]> --------- Signed-off-by: Pierangelo Di Pilato <[email protected]> * Reload trust-bundle on new connections (knative#7567) This allows administrators to dynamically add trust-bundles that are picked by clients when connecting to new hosts. Signed-off-by: Pierangelo Di Pilato <[email protected]> * Actually run TLS tests Signed-off-by: Pierangelo Di Pilato <[email protected]> * Run generate-release Signed-off-by: Pierangelo Di Pilato <[email protected]> * Create trust bundle ConfigMap manually Signed-off-by: Pierangelo Di Pilato <[email protected]> * Assign global resync Signed-off-by: Pierangelo Di Pilato <[email protected]> * Fix regex Signed-off-by: Pierangelo Di Pilato <[email protected]> * User-provided issuers and CA certificate Signed-off-by: Pierangelo Di Pilato <[email protected]> * Fix configmap -> secret Signed-off-by: Pierangelo Di Pilato <[email protected]> * Label bundle configmap Signed-off-by: Pierangelo Di Pilato <[email protected]> * Base64 decode CA certs Signed-off-by: Pierangelo Di Pilato <[email protected]> * Remove install script Signed-off-by: Pierangelo Di Pilato <[email protected]> * Use projected volumes Signed-off-by: Pierangelo Di Pilato <[email protected]> * Create bundle on install_serverless so it's always done Signed-off-by: Pierangelo Di Pilato <[email protected]> --------- Signed-off-by: Pierangelo Di Pilato <[email protected]>
openshift-knative · Jan 26, 2024 · 8c8de08 · 8c8de08
1 parent 74d7707
commit 8c8de08
Show file tree

Hide file tree

Showing 86 changed files with 4,866 additions and 7,670 deletions.
diff --git a/cmd/apiserver_receive_adapter/main.go b/cmd/apiserver_receive_adapter/main.go
@@ -17,10 +17,12 @@ limitations under the License.
 package main
 
 import (
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/signals"
 
 	"knative.dev/eventing/pkg/adapter/apiserver"
 	"knative.dev/eventing/pkg/adapter/v2"
+	"knative.dev/eventing/pkg/eventingtls"
 )
 
 const (
@@ -30,5 +32,10 @@ const (
 func main() {
 	ctx := signals.NewContext()
 	ctx = adapter.WithInjectorEnabled(ctx)
+
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	adapter.MainWithContext(ctx, component, apiserver.NewEnvConfig, apiserver.NewAdapter)
 }
diff --git a/cmd/broker/filter/main.go b/cmd/broker/filter/main.go
@@ -25,6 +25,8 @@ import (
 	"github.com/kelseyhightower/envconfig"
 	"go.uber.org/zap"
 	kubeclient "knative.dev/pkg/client/injection/kube/client"
+	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	configmap "knative.dev/pkg/configmap/informer"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection"
@@ -40,6 +42,7 @@ import (
 	"knative.dev/eventing/pkg/apis/feature"
 	"knative.dev/eventing/pkg/broker/filter"
 	triggerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger"
+	"knative.dev/eventing/pkg/eventingtls"
 	"knative.dev/eventing/pkg/reconciler/names"
 )
 
@@ -74,6 +77,10 @@ func main() {
 	log.Printf("Registering %d informer factories", len(injection.Default.GetInformerFactories()))
 	log.Printf("Registering %d informers", len(injection.Default.GetInformers()))
 
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	ctx, informers := injection.Default.SetupInformers(ctx, cfg)
 	kubeClient := kubeclient.Get(ctx)
 
@@ -120,7 +127,8 @@ func main() {
 
 	// We are running both the receiver (takes messages in from the Broker) and the dispatcher (send
 	// the messages to the triggers' subscribers) in this binary.
-	handler, err := filter.NewHandler(logger, triggerinformer.Get(ctx), reporter, ctxFunc)
+	trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
+	handler, err := filter.NewHandler(logger, triggerinformer.Get(ctx), reporter, trustBundleConfigMapInformer, ctxFunc)
 	if err != nil {
 		logger.Fatal("Error creating Handler", zap.Error(err))
 	}

diff --git a/cmd/broker/ingress/main.go b/cmd/broker/ingress/main.go
@@ -27,8 +27,10 @@ import (
 	"github.com/google/uuid"
 	"github.com/kelseyhightower/envconfig"
 	"go.uber.org/zap"
+	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
 
 	kubeclient "knative.dev/pkg/client/injection/kube/client"
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	configmap "knative.dev/pkg/configmap/informer"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection"
@@ -42,11 +44,12 @@ import (
 
 	cmdbroker "knative.dev/eventing/cmd/broker"
 	"knative.dev/eventing/pkg/apis/feature"
-	broker "knative.dev/eventing/pkg/broker"
+	"knative.dev/eventing/pkg/broker"
 	"knative.dev/eventing/pkg/broker/ingress"
 	eventingclient "knative.dev/eventing/pkg/client/injection/client"
 	brokerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker"
 	eventtypeinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1beta2/eventtype"
+	"knative.dev/eventing/pkg/eventingtls"
 	"knative.dev/eventing/pkg/eventtype"
 	"knative.dev/eventing/pkg/reconciler/names"
 )
@@ -97,6 +100,10 @@ func main() {
 	log.Printf("Registering %d informer factories", len(injection.Default.GetInformerFactories()))
 	log.Printf("Registering %d informers", len(injection.Default.GetInformers()))
 
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	ctx, informers := injection.Default.SetupInformers(ctx, cfg)
 	loggingConfig, err := cmdbroker.GetLoggingConfig(ctx, system.Namespace(), logging.ConfigMapName())
 	if err != nil {
@@ -136,7 +143,8 @@ func main() {
 
 	reporter := ingress.NewStatsReporter(env.ContainerName, kmeta.ChildName(env.PodName, uuid.New().String()))
 
-	handler, err := ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer)
+	trustBundleConfigMapInformer := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister().ConfigMaps(system.Namespace())
+	handler, err := ingress.NewHandler(logger, reporter, broker.TTLDefaulter(logger, int32(env.MaxTTL)), brokerInformer, trustBundleConfigMapInformer)
 	if err != nil {
 		logger.Fatal("Error creating Handler", zap.Error(err))
 	}

diff --git a/cmd/controller/main.go b/cmd/controller/main.go
@@ -27,6 +27,10 @@ import (
 	"time"
 
 	"knative.dev/pkg/injection/sharedmain"
+
+	"knative.dev/eventing/pkg/eventingtls"
+
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/signals"
 
 	"knative.dev/eventing/pkg/reconciler/apiserversource"
@@ -73,6 +77,10 @@ func main() {
 		}
 	}()
 
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	sharedmain.MainWithContext(ctx, "controller",
 		// Messaging
 		channel.NewController,

diff --git a/cmd/in_memory/channel_dispatcher/main.go b/cmd/in_memory/channel_dispatcher/main.go
@@ -22,10 +22,12 @@ import (
 
 	"os"
 
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/injection"
 	"knative.dev/pkg/injection/sharedmain"
 	"knative.dev/pkg/signals"
 
+	"knative.dev/eventing/pkg/eventingtls"
 	inmemorychannel "knative.dev/eventing/pkg/reconciler/inmemorychannel/dispatcher"
 )
 
@@ -36,6 +38,10 @@ func main() {
 		ctx = injection.WithNamespaceScope(ctx, ns)
 	}
 
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	sharedmain.MainWithContext(ctx, "inmemorychannel-dispatcher",
 		inmemorychannel.NewController,
 	)

diff --git a/cmd/mtping/main.go b/cmd/mtping/main.go
@@ -17,10 +17,12 @@ limitations under the License.
 package main
 
 import (
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/signals"
 
 	"knative.dev/eventing/pkg/adapter/mtping"
 	"knative.dev/eventing/pkg/adapter/v2"
+	"knative.dev/eventing/pkg/eventingtls"
 )
 
 const (
@@ -54,5 +56,9 @@ func main() {
 		adapter.WithCloudEventsStatusReporterConfigurator(adapter.NewCloudEventsReporterConfiguratorFromConfigMap()),
 	})
 
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	adapter.MainWithContext(ctx, component, mtping.NewEnvConfig, mtping.NewAdapter)
 }
diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -23,8 +23,12 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/client-go/kubernetes/scheme"
+	configmapinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/configmap/filtered"
+
 	"knative.dev/eventing/pkg/apis/feature"
+	"knative.dev/eventing/pkg/eventingtls"
 
+	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
 	"knative.dev/pkg/configmap"
 	"knative.dev/pkg/controller"
 	"knative.dev/pkg/injection"
@@ -54,7 +58,7 @@ import (
 	pingdefaultconfig "knative.dev/eventing/pkg/apis/sources/config"
 	sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1"
 	sourcesv1beta2 "knative.dev/eventing/pkg/apis/sources/v1beta2"
-	sugar "knative.dev/eventing/pkg/apis/sugar"
+	"knative.dev/eventing/pkg/apis/sugar"
 	"knative.dev/eventing/pkg/reconciler/sinkbinding"
 
 	versionedscheme "knative.dev/eventing/pkg/client/clientset/versioned/scheme"
@@ -194,7 +198,8 @@ func NewConfigValidationController(ctx context.Context, _ configmap.Watcher) *co
 
 func NewSinkBindingWebhook(opts ...psbinding.ReconcilerOption) injection.ControllerConstructor {
 	return func(ctx context.Context, cmw configmap.Watcher) *controller.Impl {
-		sbresolver := sinkbinding.WithContextFactory(ctx, func(types.NamespacedName) {})
+		trustBundleConfigMapLister := configmapinformer.Get(ctx, eventingtls.TrustBundleLabelSelector).Lister()
+		withContext := sinkbinding.WithContextFactory(ctx, trustBundleConfigMapLister, func(types.NamespacedName) {})
 
 		return psbinding.NewAdmissionController(ctx,
 
@@ -208,7 +213,7 @@ func NewSinkBindingWebhook(opts ...psbinding.ReconcilerOption) injection.Control
 			sinkbinding.ListAll,
 
 			// How to setup the context prior to invoking Do/Undo.
-			sbresolver,
+			withContext,
 			opts...,
 		)
 	}
@@ -281,6 +286,10 @@ func main() {
 		SecretName: "eventing-webhook-certs",
 	})
 
+	ctx = filteredFactory.WithSelectors(ctx,
+		eventingtls.TrustBundleLabelSelector,
+	)
+
 	sharedmain.WebhookMainWithContext(ctx, webhook.NameFromEnv(),
 		certificates.NewController,
 		NewConfigValidationController,

diff --git a/config/brokers/mt-channel-broker-tls/broker-filter-tls-certificate.yaml b/config/brokers/mt-channel-broker-tls/broker-filter-tls-certificate.yaml
@@ -43,6 +43,6 @@ spec:
     - broker-filter.knative-eventing.svc
 
   issuerRef:
-    name: selfsigned-ca-issuer
-    kind: Issuer
+    name: knative-eventing-ca-issuer
+    kind: ClusterIssuer
     group: cert-manager.io
diff --git a/config/brokers/mt-channel-broker-tls/broker-ingress-tls-certificate.yaml b/config/brokers/mt-channel-broker-tls/broker-ingress-tls-certificate.yaml
@@ -43,6 +43,6 @@ spec:
     - broker-ingress.knative-eventing.svc
 
   issuerRef:
-    name: selfsigned-ca-issuer
-    kind: Issuer
+    name: knative-eventing-ca-issuer
+    kind: ClusterIssuer
     group: cert-manager.io
diff --git a/config/channels/in-memory-channel-tls/imc-dispatcher-tls-certificate.yaml b/config/channels/in-memory-channel-tls/imc-dispatcher-tls-certificate.yaml
@@ -43,6 +43,6 @@ spec:
     - imc-dispatcher.knative-eventing.svc
 
   issuerRef:
-    name: selfsigned-ca-issuer
-    kind: Issuer
+    name: knative-eventing-ca-issuer
+    kind: ClusterIssuer
     group: cert-manager.io
diff --git a/config/core/roles/webhook-clusterrole.yaml b/config/core/roles/webhook-clusterrole.yaml
@@ -26,6 +26,9 @@ rules:
     resources:
       - "configmaps"
     verbs:
+      - "create"
+      - "update"
+      - "delete"
       - "get"
       - "list"
       - "watch"

diff --git a/config/openshift-trusted-cabundle.yaml b/config/openshift-trusted-cabundle.yaml
@@ -21,3 +21,4 @@ metadata:
     app.kubernetes.io/version: devel
     app.kubernetes.io/name: knative-eventing
     config.openshift.io/inject-trusted-cabundle: "true"
+    networking.knative.dev/trust-bundle: "true"
diff --git a/config/tls/issuers/selfsigned-ca-issuer.yaml → config/tls/issuers/eventing-ca-issuer.yaml b/config/tls/issuers/selfsigned-ca-issuer.yaml → config/tls/issuers/eventing-ca-issuer.yaml
@@ -14,10 +14,9 @@
 
 # This is the issuer that every Eventing component should use to issue their server's certs.
 apiVersion: cert-manager.io/v1
-kind: Issuer
+kind: ClusterIssuer
 metadata:
-  name: selfsigned-ca-issuer
-  namespace: knative-eventing
+  name: knative-eventing-ca-issuer
 spec:
   ca:
-    secretName: eventing-ca
+    secretName: knative-eventing-ca
diff --git a/config/tls/issuers/selfsigned-issuer.yaml b/config/tls/issuers/selfsigned-issuer.yaml
@@ -14,21 +14,20 @@
 
 # This is the root issuer to bootstrap the eventing CA.
 apiVersion: cert-manager.io/v1
-kind: Issuer
+kind: ClusterIssuer
 metadata:
-  name: selfsigned-issuer
-  namespace: knative-eventing
+  name: knative-eventing-selfsigned-issuer
 spec:
   selfSigned: {}
 ---
 # This is the Eventing CA certificate.
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: selfsigned-ca
-  namespace: knative-eventing
+  name: knative-eventing-selfsigned-ca
+  namespace: cert-manager
 spec:
-  secretName: eventing-ca
+  secretName: knative-eventing-ca
 
   isCA: true
   commonName: selfsigned-ca
@@ -37,6 +36,6 @@ spec:
     size: 256
 
   issuerRef:
-    name: selfsigned-issuer
-    kind: Issuer
+    name: knative-eventing-selfsigned-issuer
+    kind: ClusterIssuer
     group: cert-manager.io
diff --git a/config/tls/trust-manager/bundle-configmap.yaml b/config/tls/trust-manager/bundle-configmap.yaml
@@ -0,0 +1,23 @@
+# Copyright 2024 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: knative-eventing-bundle
+  namespace: knative-eventing
+  labels:
+    networking.knative.dev/trust-bundle: "true"
+    app.kubernetes.io/version: devel
+    app.kubernetes.io/name: knative-eventing
diff --git a/config/tls/trust-manager/bundle.yaml b/config/tls/trust-manager/bundle.yaml
@@ -0,0 +1,43 @@
+# Copyright 2024 The Knative Authors
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: trust.cert-manager.io/v1alpha1
+kind: Bundle
+metadata:
+  name: knative-eventing-bundle  # The bundle name will also be used for the target
+spec:
+  sources:
+    # Include a bundle of publicly trusted certificates which can be
+    # used to validate most TLS certificates on the internet, such as
+    # those issued by Let's Encrypt, Google, Amazon and others.
+    - useDefaultCAs: true
+
+    # A Secret in the "trust" namespace; see "Trust Namespace" below for further details
+    - secret:
+        name: "knative-eventing-ca"
+        key: "tls.crt"
+
+  target:
+
+    configMap:
+      key: "knative-eventing-bundle.pem"
+    additionalFormats:
+      jks:
+        key: "knative-eventing-bundle.jks"
+      pkcs12:
+        key: "knative-eventing-bundle.p12"
+
+    namespaceSelector:
+      matchLabels:
+        kubernetes.io/metadata.name: "knative-eventing"