Create PeerAuthentications on eventing-manager start if Istio is enab…

…led (#205)

* Handle the creation of PeerAuthentications for metrics endpoints.

* Tidy up the dependencies.

* Generate mocks.

* Reformat err string.

* Cleanup imports.

* Refactor PeerAuthentication.

* Add owner Reference.

* Move Creation to reconcilers.

* Restructure pa creation to startup.

* Remove old implementation for PA creation.

* Refactor.

* Clean up.

* Check CRD existence in a nicer way.

* Streamline CRD creation.

* Add some tests

* Add peerauth manifest.

* Fix typo in maketarget.

* Reorder test schedule.

* Fix test call.

* Remove Make target.

* Parse flags

* Get all PeerAuthentications.

* Change CRD name.

* Move logic to func.

* fixed client and revert changes for e2e tests

* revert some changes

* added tests

* fixed label

* added e2e tests

* updated action

* addressed review comments

---------

Co-authored-by: Muhammad Faizan <[email protected]>

.github/workflows/e2e.yml

@@ -82,3 +82,55 @@ jobs:
         if: failure()
         run: |
           kubectl get eventing -n kyma-system -o yaml
+
+  PeerAuthentication:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install k3d tools
+        run: |
+          make -C hack/ci/ install-k3d-tools
+
+      - name: Install Kyma CLI & setup k3d cluster using kyma CLI
+        run: |
+          make kyma
+          make -C hack/ci/ create-k3d
+          kubectl version
+          kubectl cluster-info
+
+      - name: Install PeerAuthentication CRD
+        run: |
+          make -C hack/ci/ apply-peerauthentication-crd
+
+      - name: Install eventing-manager
+        run: |
+          make install IMG=$MANAGER_IMAGE
+
+      - name: Wait for the 'pull-eventing-manager-build' job to succeed
+        uses: kyma-project/wait-for-commit-status-action@2b3ffe09af8b6f40e1213d5fb7f91a7bd41ffb20
+        with:
+          context: "pull-eventing-manager-build"
+          commit_ref: "${{ github.event.pull_request.head.sha }}" # Note: 'github.event.pull_request.head.sha' is not same as 'github.sha' on pull requests.
+          timeout: 600000 # 10 minutes in milliseconds
+          # The check interval is kept long otherwise it will exhaust the GitHub rate limit (More info: https://docs.github.com/en/rest/overview/resources-in-the-rest-api?apiVersion=2022-11-28#rate-limiting)
+          check_interval: 60000 # 1 minute in milliseconds
+        env:
+          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
+          GITHUB_OWNER: "${{ github.repository_owner }}"
+          GITHUB_REPO: "eventing-manager"
+
+      - name: Deploy the controller to the cluster
+        run: |
+          kubectl create ns kyma-system || true
+          make deploy IMG=$MANAGER_IMAGE
+
+      - name: Test if the PeerAuthentications are created correctly
+        run: |
+          make e2e-eventing-peerauthentications
+
+      - name: On error get all PeerAuthentications
+        if: failure()
+        run: |
+          kubectl get peerauthentications.security.istio.io -A -o yaml

Makefile

@@ -160,8 +160,6 @@ install: download-external-crds manifests kustomize ## Install CRDs into the K8s
 .PHONY: download-external-crds
 download-external-crds:
 	curl -s -L -o config/crd/external/subscriptions.eventing.kyma-project.io.crd.yaml https://raw.githubusercontent.com/kyma-project/kyma/main/installation/resources/crds/eventing/subscriptions.eventing.kyma-project.io.crd.yaml
-	curl -s -L -o config/crd/for-tests/applications.applicationconnector.crd.yaml https://raw.githubusercontent.com/kyma-project/kyma/main/installation/resources/crds/application-connector/applications.applicationconnector.crd.yaml
-	curl -s -L -o config/crd/for-tests/apirules.gateway.crd.yaml https://raw.githubusercontent.com/kyma-project/kyma/main/installation/resources/crds/api-gateway/apirules.gateway.crd.yaml
 
 .PHONY: uninstall
 uninstall: manifests kustomize ## Uninstall CRDs from the K8s cluster specified in ~/.kube/config. Call with ignore-not-found=true to ignore resource not found errors during deletion.
@@ -308,6 +306,11 @@ e2e-eventing:
 e2e-eventing-cleanup:
 	go test -v ./hack/e2e/eventing/cleanup/cleanup_test.go --tags=e2e
 
+# e2e-eventing-peerauthentications will check if the peerauthentications are created as intended.
+.PHONY: e2e-eventing-peerauthentications
+e2e-eventing-peerauthentications:
+	go test -v ./hack/e2e/eventing/peerauthentications/peerauthentications_test.go --tags=e2e
+
 # e2e will run the whole suite of end-to-end tests for eventing-manager.
 .PHONY: e2e
 e2e: e2e-setup e2e-eventing-setup e2e-eventing e2e-cleanup

cmd/main.go

@@ -22,46 +22,41 @@ import (
 	"log"
 	"os"
 
-	"github.com/kyma-project/eventing-manager/pkg/subscriptionmanager"
-
-	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	istiopeerauthentication "github.com/kyma-project/eventing-manager/pkg/istio/peerauthentication"
 
 	"github.com/go-logr/zapr"
-
 	subscriptionv1alpha1 "github.com/kyma-project/kyma/components/eventing-controller/api/v1alpha1"
 	subscriptionv1alpha2 "github.com/kyma-project/kyma/components/eventing-controller/api/v1alpha2"
+	apiclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	"github.com/kyma-project/eventing-manager/pkg/env"
-
-	"github.com/kyma-project/eventing-manager/pkg/subscriptionmanager/jetstream"
-
-	"github.com/kyma-project/eventing-manager/pkg/eventing"
-	"github.com/kyma-project/eventing-manager/pkg/k8s"
+	apigatewayv1beta1 "github.com/kyma-incubator/api-gateway/api/v1beta1"
 
-	apiclientset "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 
 	eventingcontroller "github.com/kyma-project/eventing-manager/internal/controller/eventing"
 	"github.com/kyma-project/eventing-manager/options"
 	backendmetrics "github.com/kyma-project/eventing-manager/pkg/backend/metrics"
+	"github.com/kyma-project/eventing-manager/pkg/env"
+	"github.com/kyma-project/eventing-manager/pkg/eventing"
+	"github.com/kyma-project/eventing-manager/pkg/k8s"
 	"github.com/kyma-project/eventing-manager/pkg/logger"
+	"github.com/kyma-project/eventing-manager/pkg/subscriptionmanager"
+	"github.com/kyma-project/eventing-manager/pkg/subscriptionmanager/jetstream"
 
 	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
 	// to ensure that exec-entrypoint and run can make use of them.
 	"k8s.io/client-go/dynamic"
-	_ "k8s.io/client-go/plugin/pkg/client/auth"
-
-	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
-	"k8s.io/apimachinery/pkg/runtime"
-	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
+	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
 	"sigs.k8s.io/controller-runtime/pkg/webhook"
 
-	apigatewayv1beta1 "github.com/kyma-incubator/api-gateway/api/v1beta1"
-
 	eventingv1alpha1 "github.com/kyma-project/eventing-manager/api/v1alpha1"
 	//+kubebuilder:scaffold:imports
 )
@@ -196,7 +191,7 @@ func main() { //nolint:funlen // main function needs to initialize many object
 	}
 	//+kubebuilder:scaffold:builder
 
-	// setup webhooks.
+	// Setup webhooks.
 	if err = (&subscriptionv1alpha1.Subscription{}).SetupWebhookWithManager(mgr); err != nil {
 		setupLog.Error(err, "Failed to create webhook")
 		os.Exit(1)
@@ -207,17 +202,24 @@ func main() { //nolint:funlen // main function needs to initialize many object
 		os.Exit(1)
 	}
 
-	if err := mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
+	// sync PeerAuthentications
+	err = istiopeerauthentication.SyncPeerAuthentications(ctx, kubeClient, ctrLogger.WithContext().Named("main"))
+	if err != nil {
+		setupLog.Error(err, "unable to sync PeerAuthentication")
+		os.Exit(1)
+	}
+
+	if err = mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up health check")
 		os.Exit(1)
 	}
-	if err := mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
+	if err = mgr.AddReadyzCheck("readyz", healthz.Ping); err != nil {
 		setupLog.Error(err, "unable to set up ready check")
 		os.Exit(1)
 	}
 
 	setupLog.Info("starting manager")
-	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
+	if err = mgr.Start(ctrl.SetupSignalHandler()); err != nil {
 		setupLog.Error(err, "problem running manager")
 		os.Exit(1)
 	}

config/crd/for-tests/applications.applicationconnector.crd.yaml

@@ -20,14 +20,14 @@ spec:
                 compassMetadata:
                   type: object
                   required:
-                  - "authentication"
+                    - "authentication"
                   properties:
                     applicationId:
                       type: string
                     authentication:
                       type: object
                       required:
-                      - "clientIds"
+                        - "clientIds"
                       properties:
                         clientIds:
                           type: array
@@ -72,12 +72,12 @@ spec:
                   items:
                     type: object
                     required:
-                    - "id"
-                    - "name"
-                    - "displayName"
-                    - "providerDisplayName"
-                    - "description"
-                    - "entries"
+                      - "id"
+                      - "name"
+                      - "displayName"
+                      - "providerDisplayName"
+                      - "description"
+                      - "entries"
                     properties:
                       id:
                         type: string
@@ -107,15 +107,15 @@ spec:
                         items:
                           type: object
                           required:
-                          - "type"
+                            - "type"
                           properties:
                             apiType:
                               type: string
                             type:
                               type: string
                               enum:
-                              - "API"
-                              - "Events"
+                                - "API"
+                                - "Events"
                             gatewayUrl:
                               type: string
                             centralGatewayUrl:
@@ -138,8 +138,8 @@ spec:
                             credentials:
                               type: object
                               required:
-                              - "type"
-                              - "secretName"
+                                - "type"
+                                - "secretName"
                               properties:
                                 type:
                                   type: string
@@ -150,7 +150,7 @@ spec:
                                 csrfInfo:
                                   type: object
                                   required:
-                                  - "tokenEndpointURL"
+                                    - "tokenEndpointURL"
                                   properties:
                                     tokenEndpointURL:
                                       type: string
@@ -169,15 +169,15 @@ spec:
                     status:
                       type: string
                   required:
-                  - status
+                    - status
                   type: object
               required:
-              - installationStatus
+                - installationStatus
               type: object
   scope: Cluster
   names:
     plural: applications
     singular: application
     kind: Application
     shortNames:
-    - app
+      - app

config/crd/for-tests/security.istio.io_peerauthentication.yaml

@@ -0,0 +1,93 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    "helm.sh/resource-policy": keep
+  labels:
+    app: istio-pilot
+    chart: istio
+    heritage: Tiller
+    istio: security
+    release: istio
+  name: peerauthentications.security.istio.io
+spec:
+  group: security.istio.io
+  names:
+    categories:
+      - istio-io
+      - security-istio-io
+    kind: PeerAuthentication
+    listKind: PeerAuthenticationList
+    plural: peerauthentications
+    shortNames:
+      - pa
+    singular: peerauthentication
+  scope: Namespaced
+  versions:
+    - additionalPrinterColumns:
+        - description: Defines the mTLS mode used for peer authentication.
+          jsonPath: .spec.mtls.mode
+          name: Mode
+          type: string
+        - description: 'CreationTimestamp is a timestamp representing the server time
+        when this object was created. It is not guaranteed to be set in happens-before
+        order across separate operations. Clients may not set this value. It is represented
+        in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for
+        lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata'
+          jsonPath: .metadata.creationTimestamp
+          name: Age
+          type: date
+      name: v1beta1
+      schema:
+        openAPIV3Schema:
+          properties:
+            spec:
+              description: 'Peer authentication configuration for workloads. See more
+              details at: https://istio.io/docs/reference/config/security/peer_authentication.html'
+              properties:
+                mtls:
+                  description: Mutual TLS settings for workload.
+                  properties:
+                    mode:
+                      description: Defines the mTLS mode used for peer authentication.
+                      enum:
+                        - UNSET
+                        - DISABLE
+                        - PERMISSIVE
+                        - STRICT
+                      type: string
+                  type: object
+                portLevelMtls:
+                  additionalProperties:
+                    properties:
+                      mode:
+                        description: Defines the mTLS mode used for peer authentication.
+                        enum:
+                          - UNSET
+                          - DISABLE
+                          - PERMISSIVE
+                          - STRICT
+                        type: string
+                    type: object
+                  description: Port specific mutual TLS settings.
+                  type: object
+                selector:
+                  description: The selector determines the workloads to apply the ChannelAuthentication
+                    on.
+                  properties:
+                    matchLabels:
+                      additionalProperties:
+                        type: string
+                      description: One or more labels that indicate a specific set of
+                        pods/VMs on which a policy should be applied.
+                      type: object
+                  type: object
+              type: object
+            status:
+              type: object
+              x-kubernetes-preserve-unknown-fields: true
+          type: object
+      served: true
+      storage: true
+      subresources:
+        status: {}

config/rbac/role.yaml

@@ -246,3 +246,15 @@ rules:
   - get
   - list
   - watch
+- apiGroups:
+  - security.istio.io
+  resources:
+  - peerauthentications
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch