Authenticate requests from PingSources

[Zazzscoot]

Fixes #7320

Proposed Changes

(Prerequisites: OIDC mode is enabled, and sink has a defined audience)

• Binds the source's service account to allow the source to create a JWT token
• Edited existing tests to add sinkAudience

Pre-review Checklist

• At least 80% unit test coverage
• E2E tests for any new behavior
• Docs PR for any user-facing impact
• Spec PR for any new API feature
• Conformance test for any change to the spec

Release Note

Docs

[linux-foundation-easycla]

The committers listed above are authorized under a signed CLA.

• ✅ login: Zazzscoot / name: Scott Hirano (17c775a, acdba24, 36c0f81, 1518b67, 709f368, 16e5faa, 4f3c536, c28078e, cdbb2b5, 6531a80, 6b1c2f8, 0a5396b, 3e3cf30, 396bf6c, f1d4428, c5e26e7, 292ecb6, de55635, 5e92caa, c687fd6, 4ac3395, 1eb1883, aa3569e, 99ed180, 5bfe16f, 9352fa8)
• ✅ login: yijie-04 / name: Yijie Wang (7bef2bc, 23e898c, f9185dd, 00c2a92)

[knative-prow]

Welcome @Zazzscoot! It looks like this is your first PR to knative/eventing 🎉

[knative-prow]

Hi @Zazzscoot. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[creydr]

Hello @Zazzscoot,
Thanks for your work on this so far. I just got roughly over your PR and saw you want to create some roles & rolebindings dynamically. This is not needed in case of the pingsource, as we have only one pingsource managing pod running (in the knative-eventing namespace) which handles all pingsource resources (not like in case of the apiserversource, which creates a deployment for each apiserversource resource). So you need only to adjust the permissions of the pingsource deployment/pod (pingsource-mt-adapter-clusterrole.yaml)

[Leo6Leo]

@Zazzscoot Thanks for the PR! Here are some review comments I have:

1. As this is your very first PR in the LFX(linux fundation) community, please make sure you complete the EasyCLA so that you are authorized to contribute to Knative.

Here is the link on what is EasyCLA and how to complete it.

2. And for the description of the PR, make sure you put the issue number and the keyword "fixes" on the same line, as GitHub will automatically detect it and link the issue and your PR together.

3. For the PRs that you are still working on, you can add a keyword "[WIP]" at the beginning of the title of your PR.
   For example, your PR's title is Authenticate requests from PingSources, you can edit it and make it become [WIP] Authenticate requests from PingSources ", and the bot will automatically add a label to it and indicate that this PR is work in progress. And you can also open this PR as a draft PR.

[Leo6Leo]

@Zazzscoot I made some graphics and hope to assist your understanding of the whole workflow!

On how to approach solving this issue, as suggested in my graphic:

1. Granting the access
   According to @creydr 's comment, we need to grant permission to PingSource's adaptor, so it can create the JWT token (OIDC Token)! Take a look at my PR here and it will help!

2. Testing it is actually working
   Take a look at here and ApiserversourceSendEventWithJWT() function on how to make a e2e test on this and how to make reconciler test here

Tips:

1. You might be encountering the trouble when you are copying the lines similar to these
   https://github.com/knative/eventing/pull/7452/files#diff-d2cf61e462d4d61f80a631d9fc5f72ffd47999876b91b472e7d3af5ea700f7e5R63-R64
   And your IDE will complain about it by saying "file not found" or something similar. Don't worry, you may just need to update the dependency! Simply runing hack/update-deps.sh will simply solve the problem by adding a few new files in the vendor folder.

Please let me know if you have any other questions or need further explainations!

[creydr]

Hi @Zazzscoot,
the 1.13 release is in ~ 2 weeks (Jan 24th). Do you think we can complete this by that date (including the reviews) as we would like to see this in? How can I help you?

[Zazzscoot]

/cc @Leo6Leo @creydr

[Leo6Leo]

/ok-to-test

[Zazzscoot]

/ok-to-test

[creydr]

/ok-to-test

Hi @Zazzscoot,
to run the Github workflows, an org member has to approve them manually (on PRs from non-org members). The /ok-to-test label can only be applied once and tells Prow to run these tests

[Zazzscoot]

Please see my review comments. After that, your errors should be fixed. Please let me know if you have any other questions! @Zazzscoot

Hey @Leo6Leo, I have made your changes and the TestPingSourceSendsEventsWithOIDC is now passing! Thank you so much for the comment!

[Zazzscoot]

/ok-to-test

Hi @Zazzscoot, to run the Github workflows, an org member has to approve them manually (on PRs from non-org members). The /ok-to-test label can only be applied once and tells Prow to run these tests

Noted, thanks for the clarification!

[creydr]

Only one tiny comment. Otherwise looking good!
Thanks for your work so far @Zazzscoot and @yijie-04 👍

[creydr]

And it seems to have a couple of style issues too. Could you PTAL at them?

[creydr]

/retest

[creydr]

/retest

[creydr]

/retest

[creydr]

Only one unneeded/leftover comment to be removed

[creydr]

Thanks a lot @Zazzscoot and @yijie-04 for you work and patience for finishing it!
🎉 🎉 🎉

/lgtm

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr, Zazzscoot

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [creydr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Leo6Leo]

@Zazzscoot @yijie-04 Great work guys! You guys did it! Hope to see more contributions from you in the knative community :)

[yijie-04]

Thank you so much for the help and support! @Leo6Leo @creydr