Add triggers OIDC identity to Reply & DLS requests (#7481)

Fix boilerplate header

Add metrics to reply & DLS requests and refactor

Add e2e test

Fix broker to setup its own delivery status

Fix trigger reconciler to not update broker spec

Add reply test

Address review comments

cmd/broker/filter/main.go

@@ -40,6 +40,7 @@ import (
 	"knative.dev/eventing/pkg/apis/feature"
 	"knative.dev/eventing/pkg/auth"
 	"knative.dev/eventing/pkg/broker/filter"
+	brokerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/broker"
 	triggerinformer "knative.dev/eventing/pkg/client/injection/informers/eventing/v1/trigger"
 	"knative.dev/eventing/pkg/reconciler/names"
 )
@@ -125,7 +126,7 @@ func main() {
 	// We are running both the receiver (takes messages in from the Broker) and the dispatcher (send
 	// the messages to the triggers' subscribers) in this binary.
 	oidcTokenVerifier := auth.NewOIDCTokenVerifier(ctx)
-	handler, err := filter.NewHandler(logger, oidcTokenVerifier, oidcTokenProvider, triggerinformer.Get(ctx), reporter, ctxFunc)
+	handler, err := filter.NewHandler(logger, oidcTokenVerifier, oidcTokenProvider, triggerinformer.Get(ctx), brokerinformer.Get(ctx), reporter, ctxFunc)
 	if err != nil {
 		logger.Fatal("Error creating Handler", zap.Error(err))
 	}

config/brokers/mt-channel-broker/roles/filter-clusterrole.yaml

@@ -22,6 +22,8 @@ rules:
   - apiGroups:
       - eventing.knative.dev
     resources:
+      - brokers
+      - brokers/status
       - triggers
       - triggers/status
     verbs:

config/channels/in-memory-channel/resources/in-memory-channel.yaml

@@ -247,6 +247,9 @@ spec:
               deadLetterSinkCACerts:
                 description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468.
                 type: string
+              deadLetterSinkAudience:
+                description: OIDC audience of the dead letter sink.
+                type: string
               observedGeneration:
                 description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
                 type: integer

config/core/resources/broker.yaml

@@ -165,6 +165,9 @@ spec:
               deadLetterSinkCACerts:
                 description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468.
                 type: string
+              deadLetterSinkAudience:
+                description: OIDC audience of the dead letter sink.
+                type: string
               observedGeneration:
                 description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
                 type: integer

config/core/resources/channel.yaml

@@ -285,6 +285,9 @@ spec:
               deadLetterSinkCACerts:
                 description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468.
                 type: string
+              deadLetterSinkAudience:
+                description: OIDC audience of the dead letter sink.
+                type: string
               observedGeneration:
                 description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
                 type: integer

config/core/resources/subscription.yaml

@@ -207,6 +207,9 @@ spec:
                   deadLetterSinkCACerts:
                     description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468.
                     type: string
+                  deadLetterSinkAudience:
+                    description: OIDC audience of the dead letter sink.
+                    type: string
                   replyUri:
                     description: ReplyURI is the fully resolved URI for the spec.reply.
                     type: string

config/core/resources/trigger.yaml

@@ -186,6 +186,9 @@ spec:
               deadLetterSinkCACerts:
                 description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468.
                 type: string
+              deadLetterSinkAudience:
+                description: OIDC audience of the dead letter sink.
+                type: string
               observedGeneration:
                 description: ObservedGeneration is the 'Generation' of the Service that was last processed by the controller.
                 type: integer

docs/eventing-api.md

@@ -453,6 +453,18 @@ string
 according to <a href="https://www.rfc-editor.org/rfc/rfc7468">https://www.rfc-editor.org/rfc/rfc7468</a>.</p>
 </td>
 </tr>
+<tr>
+<td>
+<code>deadLetterSinkAudience</code><br/>
+<em>
+string
+</em>
+</td>
+<td>
+<em>(Optional)</em>
+<p>DeadLetterSinkAudience is the OIDC audience of the DeadLetterSink</p>
+</td>
+</tr>
 </tbody>
 </table>
 <h3 id="duck.knative.dev/v1.Subscribable">Subscribable

pkg/apis/duck/v1/delivery_types.go

@@ -158,6 +158,9 @@ type DeliveryStatus struct {
 	// according to https://www.rfc-editor.org/rfc/rfc7468.
 	// +optional
 	DeadLetterSinkCACerts *string `json:"deadLetterSinkCACerts,omitempty"`
+	// DeadLetterSinkAudience is the OIDC audience of the DeadLetterSink
+	// +optional
+	DeadLetterSinkAudience *string `json:"deadLetterSinkAudience,omitempty"`
 }
 
 func (ds *DeliveryStatus) IsSet() bool {
@@ -166,14 +169,16 @@ func (ds *DeliveryStatus) IsSet() bool {
 
 func NewDeliveryStatusFromAddressable(addr *duckv1.Addressable) DeliveryStatus {
 	return DeliveryStatus{
-		DeadLetterSinkURI:     addr.URL,
-		DeadLetterSinkCACerts: addr.CACerts,
+		DeadLetterSinkURI:      addr.URL,
+		DeadLetterSinkCACerts:  addr.CACerts,
+		DeadLetterSinkAudience: addr.Audience,
 	}
 }
 
 func NewDestinationFromDeliveryStatus(status DeliveryStatus) duckv1.Destination {
 	return duckv1.Destination{
-		URI:     status.DeadLetterSinkURI,
-		CACerts: status.DeadLetterSinkCACerts,
+		URI:      status.DeadLetterSinkURI,
+		CACerts:  status.DeadLetterSinkCACerts,
+		Audience: status.DeadLetterSinkAudience,
 	}
 }