Provision contract with OIDC information

knative-extensions · Jan 29, 2024 · 6ad3468 · 6ad3468
1 parent 210ac15
commit 6ad3468
Show file tree

Hide file tree

Showing 7 changed files with 41 additions and 0 deletions.
diff --git a/control-plane/pkg/core/config/utils.go b/control-plane/pkg/core/config/utils.go
@@ -77,6 +77,9 @@ func EgressConfigFromDelivery(
 		if deadLetterSinkAddr.CACerts != nil {
 			egressConfig.DeadLetterCACerts = *deadLetterSinkAddr.CACerts
 		}
+		if deadLetterSinkAddr.Audience != nil {
+			egressConfig.DeadLetterAudience = *deadLetterSinkAddr.Audience
+		}
 	}
 
 	if delivery.Retry != nil {

diff --git a/control-plane/pkg/reconciler/broker/broker.go b/control-plane/pkg/reconciler/broker/broker.go
@@ -641,6 +641,10 @@ func (r *Reconciler) reconcilerBrokerResource(ctx context.Context, topic string,
 		}
 	}
 
+	if broker.Status.Address != nil && broker.Status.Address.Audience != nil {
+		resource.Ingress.Audience = *broker.Status.Address.Audience
+	}
+
 	egressConfig, err := coreconfig.EgressConfigFromDelivery(ctx, r.Resolver, broker, broker.Spec.Delivery, r.DefaultBackoffDelayMs)
 	if err != nil {
 		return nil, err

diff --git a/control-plane/pkg/reconciler/channel/channel.go b/control-plane/pkg/reconciler/channel/channel.go
@@ -606,6 +606,12 @@ func (r *Reconciler) getSubscriberConfig(ctx context.Context, channel *messaging
 	if subscriber.SubscriberCACerts != nil && *subscriber.SubscriberCACerts != "" {
 		egress.DestinationCACerts = *subscriber.SubscriberCACerts
 	}
+	if subscriber.SubscriberAudience != nil && *subscriber.SubscriberAudience != "" {
+		egress.DestinationAudience = *subscriber.SubscriberAudience
+	}
+	if subscriber.Auth != nil && subscriber.Auth.ServiceAccountName != nil {
+		egress.OidcServiceAccountName = *subscriber.Auth.ServiceAccountName
+	}
 
 	if subscriptionName != "" {
 		egress.Reference = &contract.Reference{
@@ -622,6 +628,9 @@ func (r *Reconciler) getSubscriberConfig(ctx context.Context, channel *messaging
 		if subscriber.ReplyCACerts != nil && *subscriber.ReplyCACerts != "" {
 			egress.ReplyUrlCACerts = *subscriber.ReplyCACerts
 		}
+		if subscriber.ReplyAudience != nil && *subscriber.ReplyAudience != "" {
+			egress.ReplyUrlAudience = *subscriber.ReplyAudience
+		}
 	}
 
 	subscriptionEgressConfig, err := coreconfig.EgressConfigFromDelivery(ctx, r.Resolver, channel, subscriber.Delivery, r.DefaultBackoffDelayMs)
@@ -701,6 +710,10 @@ func (r *Reconciler) getChannelContractResource(ctx context.Context, topic strin
 		}
 	}
 
+	if channel.Status.Address != nil && channel.Status.Address.Audience != nil {
+		resource.Ingress.Audience = *channel.Status.Address.Audience
+	}
+
 	egressConfig, err := coreconfig.EgressConfigFromDelivery(ctx, r.Resolver, channel, channel.Spec.Delivery, r.DefaultBackoffDelayMs)
 	if err != nil {
 		return nil, err

diff --git a/control-plane/pkg/reconciler/channel/v2/channelv2.go b/control-plane/pkg/reconciler/channel/v2/channelv2.go
@@ -691,6 +691,10 @@ func (r *Reconciler) getChannelContractResource(ctx context.Context, topic strin
 		}
 	}
 
+	if channel.Status.Address != nil && channel.Status.Address.Audience != nil {
+		resource.Ingress.Audience = *channel.Status.Address.Audience
+	}
+
 	egressConfig, err := coreconfig.EgressConfigFromDelivery(ctx, r.Resolver, channel, channel.Spec.Delivery, r.DefaultBackoffDelayMs)
 	if err != nil {
 		return nil, err

diff --git a/control-plane/pkg/reconciler/consumer/consumer.go b/control-plane/pkg/reconciler/consumer/consumer.go
@@ -180,6 +180,9 @@ func (r *Reconciler) reconcileContractEgress(ctx context.Context, c *kafkaintern
 	if destinationAddr.CACerts != nil {
 		egress.DestinationCACerts = *destinationAddr.CACerts
 	}
+	if destinationAddr.Audience != nil {
+		egress.DestinationAudience = *destinationAddr.Audience
+	}
 
 	if c.Spec.Configs.KeyType != nil {
 		egress.KeyType = coreconfig.KeyTypeFromString(*c.Spec.Configs.KeyType)
@@ -294,6 +297,9 @@ func (r *Reconciler) reconcileReplyStrategy(ctx context.Context, c *kafkainterna
 		if destination.CACerts != nil {
 			egress.ReplyUrlCACerts = *destination.CACerts
 		}
+		if destination.Audience != nil {
+			egress.ReplyUrlAudience = *destination.Audience
+		}
 		return nil
 	}
 	if c.Spec.Reply.TopicReply != nil && c.Spec.Reply.TopicReply.Enabled {

diff --git a/control-plane/pkg/reconciler/sink/kafka_sink.go b/control-plane/pkg/reconciler/sink/kafka_sink.go
@@ -211,6 +211,11 @@ func (r *Reconciler) reconcileKind(ctx context.Context, ks *eventing.KafkaSink)
 			},
 		}
 	}
+
+	if ks.Status.Address != nil && ks.Status.Address.Audience != nil {
+		sinkConfig.Ingress.Audience = *ks.Status.Address.Audience
+	}
+
 	statusConditionManager.ConfigResolved()
 
 	sinkIndex := coreconfig.FindResource(ct, ks.UID)

diff --git a/control-plane/pkg/reconciler/trigger/trigger.go b/control-plane/pkg/reconciler/trigger/trigger.go
@@ -331,6 +331,12 @@ func (r *Reconciler) reconcileTriggerEgress(ctx context.Context, broker *eventin
 	if destination.CACerts != nil {
 		egress.DestinationCACerts = *destination.CACerts
 	}
+	if destination.Audience != nil {
+		egress.DestinationAudience = *destination.Audience
+	}
+	if trigger.Status.Auth != nil && trigger.Status.Auth.ServiceAccountName != nil {
+		egress.OidcServiceAccountName = *trigger.Status.Auth.ServiceAccountName
+	}
 
 	newFiltersEnabled := func() bool {
 		r.FlagsLock.RLock()