diff --git a/go.mod b/go.mod
index 66e85def5..3b218bbe1 100644
--- a/go.mod
+++ b/go.mod
@@ -1,6 +1,6 @@
 module knative.dev/eventing-github
-go 1.21
+go 1.22
 require (
 github.com/cloudevents/sdk-go/v2 v2.15.2
@@ -14,9 +14,9 @@ require (
 k8s.io/api v0.29.2
 k8s.io/apimachinery v0.29.2
 k8s.io/client-go v0.29.2
- knative.dev/eventing v0.41.1-0.20240620085917-18dfe3c0ac90
+ knative.dev/eventing v0.41.1-0.20240620173702-f84a98c60901
 knative.dev/hack v0.0.0-20240607132042-09143140a254
- knative.dev/pkg v0.0.0-20240614135239-339c22b8218c
+ knative.dev/pkg v0.0.0-20240620215714-915c00977757
 knative.dev/serving v0.41.1-0.20240620131618-6d90f5493686
 )
@@ -89,7 +89,7 @@ require (
 golang.org/x/tools v0.22.0 // indirect
 gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 google.golang.org/api v0.183.0 // indirect
- google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e // indirect
+ google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 // indirect
 google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 // indirect
 google.golang.org/grpc v1.64.0 // indirect
 google.golang.org/protobuf v1.34.1 // indirect
diff --git a/go.sum b/go.sum
index 6a4446517..19d39e6bf 100644
--- a/go.sum
+++ b/go.sum
@@ -636,8 +636,8 @@ google.golang.org/genproto v0.0.0-20200618031413-b414f8b61790/go.mod h1:jDfRM7Fc google.golang.org/genproto v0.0.0-20200729003335-053ba62fc06f/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200804131852-c06518451d9c/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= google.golang.org/genproto v0.0.0-20200825200019-8632dd797987/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no= -google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e h1:SkdGTrROJl2jRGT/Fxv5QUf9jtdKCQh4KQJXbXVLAi0= -google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e/go.mod h1:LweJcLbyVij6rCex8YunD8DYR5VDonap/jYl3ZRxcIU= +google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 h1:+rdxYoE3E5htTEWIe15GlN6IfvbURM//Jt0mmkmm6ZU= +google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117/go.mod h1:OimBR/bc1wPO9iV4NC2bpyjy3VnAwZh5EBPQdtaE5oo= google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157 h1:Zy9XzmMEflZ/MAaA7vNcoebnRAld7FsPW1EeBB7V0m8= google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157/go.mod h1:EfXuqaE1J41VCDicxHzUDm+8rk+7ZdXzHV0IhO/I6s0= google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c= 
@@ -723,14 +723,14 @@ k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/A k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ= k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -knative.dev/eventing v0.41.1-0.20240620085917-18dfe3c0ac90 h1:rieOHfbsEveC/30tfSCf3g7Ocu9mJ+w4Dv22FBMC5lY= -knative.dev/eventing v0.41.1-0.20240620085917-18dfe3c0ac90/go.mod h1:Ja5ThoaajtwMAb7pHhG3t0WRul5oSZPalfP5R/0YP80= +knative.dev/eventing v0.41.1-0.20240620173702-f84a98c60901 h1:f+8MaSnRI5U7hjTf4V8xhF4ppd3UvcJVJB7w0Z1WPMo= +knative.dev/eventing v0.41.1-0.20240620173702-f84a98c60901/go.mod h1:o6FjbuGhX9faLv57flszVIvbEw++dBpeuD/xExAEagc= knative.dev/hack v0.0.0-20240607132042-09143140a254 h1:1YFnu3U6dWZg0oxm6GU8kEdA9A+BvSWKJO7sg3N0kq8= knative.dev/hack v0.0.0-20240607132042-09143140a254/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q= knative.dev/networking v0.0.0-20240611072033-3b8764c0bb4c h1:Q+DdJYzvhwAVWMQtP6mbEr5dNxpr+K9HAF9RqJmZefY= knative.dev/networking v0.0.0-20240611072033-3b8764c0bb4c/go.mod h1:WhZLv94eOMDGHbdZiMrw6cnRfN3WEcFgpjUcV0A48pI= -knative.dev/pkg v0.0.0-20240614135239-339c22b8218c h1:OaKrY7L6rzWTvs51JlieJajL40F6CpBbvO1aZspg2EA= -knative.dev/pkg v0.0.0-20240614135239-339c22b8218c/go.mod h1:l7R8/SteYph0mZDsVgq3fVs4mWp1DaYx9BJJX68U6ik= +knative.dev/pkg v0.0.0-20240620215714-915c00977757 h1:vjPAW4ll00Yu0H/avu1vkjbHHh9n0DlukvWGl2eHrs4= +knative.dev/pkg v0.0.0-20240620215714-915c00977757/go.mod h1:uqK/Rec08I8njY3r2y8aY90Lmt/a8cUwm8H2XI9jHZk= knative.dev/serving v0.41.1-0.20240620131618-6d90f5493686 h1:vsVRBvxZrC312+j3q/fhBJfHAsx+4DcOOChWZOP3CdE= knative.dev/serving v0.41.1-0.20240620131618-6d90f5493686/go.mod h1:zvjO9iWedTW7/heF8A6rouZP47g4ZvmtDjUW2f88KQo= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= 
diff --git a/vendor/knative.dev/eventing/pkg/apis/messaging/v1/in_memory_channel_lifecycle.go b/vendor/knative.dev/eventing/pkg/apis/messaging/v1/in_memory_channel_lifecycle.go
index 6be9e29f3..3b6441a30 100644
--- a/vendor/knative.dev/eventing/pkg/apis/messaging/v1/in_memory_channel_lifecycle.go
+++ b/vendor/knative.dev/eventing/pkg/apis/messaging/v1/in_memory_channel_lifecycle.go
@@ -33,6 +33,7 @@ var imcCondSet = apis.NewLivingConditionSet(
 InMemoryChannelConditionAddressable,
 InMemoryChannelConditionChannelServiceReady,
 InMemoryChannelConditionDeadLetterSinkResolved,
+ InMemoryChannelConditionEventPoliciesReady,
 )
 const (
@@ -64,6 +65,10 @@ const (
 // InMemoryChannelConditionDeadLetterSinkResolved has status True when there is a Dead Letter Sink ref or URI
 // defined in the Spec.Delivery, is a valid destination and its correctly resolved into a valid URI
 InMemoryChannelConditionDeadLetterSinkResolved apis.ConditionType = "DeadLetterSinkResolved"
+
+ // InMemoryChannelConditionEventPoliciesReady has status True when all the applying EventPolicies for this
+ // InMemoryChannel are ready.
+ InMemoryChannelConditionEventPoliciesReady apis.ConditionType = "EventPoliciesReady"
 )
 // GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
@@ -182,3 +187,19 @@ func (imcs *InMemoryChannelStatus) MarkDeadLetterSinkResolvedFailed(reason, mess
 imcs.DeliveryStatus = eventingduck.DeliveryStatus{}
 imcCondSet.Manage(imcs).MarkFalse(InMemoryChannelConditionDeadLetterSinkResolved, reason, messageFormat, messageA...)
 }
+
+func (imcs *InMemoryChannelStatus) MarkEventPoliciesFailed(reason, messageFormat string, messageA ...interface{}) {
+ imcCondSet.Manage(imcs).MarkFalse(InMemoryChannelConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
+
+func (imcs *InMemoryChannelStatus) MarkEventPoliciesUnknown(reason, messageFormat string, messageA ...interface{}) {
+ imcCondSet.Manage(imcs).MarkUnknown(InMemoryChannelConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
+
+func (imcs *InMemoryChannelStatus) MarkEventPoliciesTrue() {
+ imcCondSet.Manage(imcs).MarkTrue(InMemoryChannelConditionEventPoliciesReady)
+}
+
+func (imcs *InMemoryChannelStatus) MarkEventPoliciesTrueWithReason(reason, messageFormat string, messageA ...interface{}) {
+ imcCondSet.Manage(imcs).MarkTrueWithReason(InMemoryChannelConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
diff --git a/vendor/knative.dev/eventing/pkg/auth/event_policy.go b/vendor/knative.dev/eventing/pkg/auth/event_policy.go
index 26efd1634..e049772f1 100644
--- a/vendor/knative.dev/eventing/pkg/auth/event_policy.go
+++ b/vendor/knative.dev/eventing/pkg/auth/event_policy.go
@@ -20,6 +20,9 @@ import (
 "fmt"
 "strings"
+ "k8s.io/apimachinery/pkg/types"
+ "k8s.io/client-go/tools/cache"
+
 corev1 "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
@@ -86,6 +89,71 @@ func GetEventPoliciesForResource(lister listerseventingv1alpha1.EventPolicyListe
 return relevantPolicies, nil
 }
+// GetApplyingResourcesOfEventPolicyForGK returns all applying resource names of GK of the given event policy.
+// It returns only the names, as the resources are part of the same namespace as the event policy.
+//
+// This function is kind of the "inverse" of GetEventPoliciesForResource.
+func GetApplyingResourcesOfEventPolicyForGK(eventPolicy *v1alpha1.EventPolicy, gk schema.GroupKind, gkIndexer cache.Indexer) ([]string, error) {
+ applyingResources := map[string]struct{}{}
+
+ if eventPolicy.Spec.To == nil {
+ // empty .spec.to matches everything in namespace
+
+ err := cache.ListAllByNamespace(gkIndexer, eventPolicy.Namespace, labels.Everything(), func(i interface{}) {
+ name := i.(metav1.Object).GetName()
+ applyingResources[name] = struct{}{}
+ })
+ if err != nil {
+ return nil, fmt.Errorf("failed to list all %s %s resources in %s: %w", gk.Group, gk.Kind, eventPolicy.Namespace, err)
+ }
+ } else {
+ for _, to := range eventPolicy.Spec.To {
+ if to.Ref != nil {
+ toGV, err := schema.ParseGroupVersion(to.Ref.APIVersion)
+ if err != nil {
+ return nil, fmt.Errorf("could not parse group version of %q: %w", to.Ref.APIVersion, err)
+ }
+
+ if strings.EqualFold(toGV.Group, gk.Group) &&
+ strings.EqualFold(to.Ref.Kind, gk.Kind) {
+
+ applyingResources[to.Ref.Name] = struct{}{}
+ }
+ }
+
+ if to.Selector != nil {
+ selectorGV, err := schema.ParseGroupVersion(to.Selector.APIVersion)
+ if err != nil {
+ return nil, fmt.Errorf("could not parse group version of %q: %w", to.Selector.APIVersion, err)
+ }
+
+ if strings.EqualFold(selectorGV.Group, gk.Group) &&
+ strings.EqualFold(to.Selector.Kind, gk.Kind) {
+
+ selector, err := metav1.LabelSelectorAsSelector(to.Selector.LabelSelector)
+ if err != nil {
+ return nil, fmt.Errorf("could not parse label selector %v: %w", to.Selector.LabelSelector, err)
+ }
+
+ err = cache.ListAllByNamespace(gkIndexer, eventPolicy.Namespace, selector, func(i interface{}) {
+ name := i.(metav1.Object).GetName()
+ applyingResources[name] = struct{}{}
+ })
+ if err != nil {
+ return nil, fmt.Errorf("could not list resources of GK in %q namespace for selector %v: %w", eventPolicy.Namespace, selector, err)
+ }
+ }
+ }
+ }
+ }
+
+ res := []string{}
+ for name := range applyingResources {
+ res = append(res, name)
+ }
+ return res, nil
+}
+
 // ResolveSubjects returns the OIDC service accounts names for the objects referenced in the EventPolicySpecFrom.
 func ResolveSubjects(resolver *resolver.AuthenticatableResolver, eventPolicy *v1alpha1.EventPolicy) ([]string, error) {
 allSAs := []string{}
@@ -145,3 +213,77 @@ func SubjectContained(sub string, allowedSubs []string) bool {
 return false
 }
+
+func handleApplyingResourcesOfEventPolicy(eventPolicy *v1alpha1.EventPolicy, gk schema.GroupKind, indexer cache.Indexer, handlerFn func(key types.NamespacedName) error) error {
+ applyingResources, err := GetApplyingResourcesOfEventPolicyForGK(eventPolicy, gk, indexer)
+ if err != nil {
+ return fmt.Errorf("could not get applying resources of eventpolicy: %w", err)
+ }
+
+ for _, resourceName := range applyingResources {
+ err := handlerFn(types.NamespacedName{
+ Namespace: eventPolicy.Namespace,
+ Name: resourceName,
+ })
+
+ if err != nil {
+ return fmt.Errorf("could not handle resource %q: %w", resourceName, err)
+ }
+ }
+
+ return nil
+}
+
+// EventPolicyEventHandler returns an ResourceEventHandler, which passes the referencing resources of the EventPolicy
+// to the enqueueFn if the EventPolicy was referencing or got updated and now is referencing the resource of the given GVK.
+func EventPolicyEventHandler(indexer cache.Indexer, gk schema.GroupKind, enqueueFn func(key types.NamespacedName)) cache.ResourceEventHandler {
+ return cache.ResourceEventHandlerFuncs{
+ AddFunc: func(obj interface{}) {
+ eventPolicy, ok := obj.(*v1alpha1.EventPolicy)
+ if !ok {
+ return
+ }
+
+ handleApplyingResourcesOfEventPolicy(eventPolicy, gk, indexer, func(key types.NamespacedName) error {
+ enqueueFn(key)
+ return nil
+ })
+ },
+ UpdateFunc: func(oldObj, newObj interface{}) {
+ // Here we need to check if the old or the new EventPolicy was referencing the given GVK
+ oldEventPolicy, ok := oldObj.(*v1alpha1.EventPolicy)
+ if !ok {
+ return
+ }
+ newEventPolicy, ok := newObj.(*v1alpha1.EventPolicy)
+ if !ok {
+ return
+ }
+
+ // make sure, we handle the keys only once
+ toHandle := map[types.NamespacedName]struct{}{}
+ addToHandleList := func(key types.NamespacedName) error {
+ toHandle[key] = struct{}{}
+ return nil
+ }
+
+ handleApplyingResourcesOfEventPolicy(oldEventPolicy, gk, indexer, addToHandleList)
+ handleApplyingResourcesOfEventPolicy(newEventPolicy, gk, indexer, addToHandleList)
+
+ for k := range toHandle {
+ enqueueFn(k)
+ }
+ },
+ DeleteFunc: func(obj interface{}) {
+ eventPolicy, ok := obj.(*v1alpha1.EventPolicy)
+ if !ok {
+ return
+ }
+
+ handleApplyingResourcesOfEventPolicy(eventPolicy, gk, indexer, func(key types.NamespacedName) error {
+ enqueueFn(key)
+ return nil
+ })
+ },
+ }
+}
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 5984db905..296518b01 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -350,7 +350,7 @@ gomodules.xyz/jsonpatch/v2 # google.golang.org/api v0.183.0 ## explicit; go 1.20 google.golang.org/api/support/bundler -# google.golang.org/genproto/googleapis/api v0.0.0-20240521202816-d264139d666e +# google.golang.org/genproto/googleapis/api v0.0.0-20240604185151-ef581f913117 ## explicit; go 1.20 google.golang.org/genproto/googleapis/api/httpbody # google.golang.org/genproto/googleapis/rpc v0.0.0-20240528184218-531527333157
@@ -970,7 +970,7 @@ k8s.io/utils/pointer k8s.io/utils/ptr k8s.io/utils/strings/slices k8s.io/utils/trace -# knative.dev/eventing v0.41.1-0.20240620085917-18dfe3c0ac90 +# knative.dev/eventing v0.41.1-0.20240620173702-f84a98c60901 ## explicit; go 1.21 knative.dev/eventing/pkg/adapter/v2 knative.dev/eventing/pkg/adapter/v2/test
@@ -1038,8 +1038,8 @@ knative.dev/hack knative.dev/networking/pkg/apis/networking knative.dev/networking/pkg/apis/networking/v1alpha1 knative.dev/networking/pkg/config -# knative.dev/pkg v0.0.0-20240614135239-339c22b8218c -## explicit; go 1.21 +# knative.dev/pkg v0.0.0-20240620215714-915c00977757 +## explicit; go 1.22 knative.dev/pkg/apis knative.dev/pkg/apis/duck knative.dev/pkg/apis/duck/ducktypes