diff --git a/third_party/eventing-latest/eventing-core.yaml b/third_party/eventing-latest/eventing-core.yaml index a94065a4e..4cb519537 100644 --- a/third_party/eventing-latest/eventing-core.yaml +++ b/third_party/eventing-latest/eventing-core.yaml @@ -16,7 +16,7 @@ kind: Namespace metadata: name: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing --- @@ -40,7 +40,7 @@ metadata: name: eventing-controller namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -48,7 +48,7 @@ kind: ClusterRoleBinding metadata: name: eventing-controller labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -64,7 +64,7 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-resolver labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -80,7 +80,7 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-source-observer labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -96,7 +96,7 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-sources-controller labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount 
@@ -112,7 +112,7 @@ kind: ClusterRoleBinding metadata: name: eventing-controller-manipulator labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -144,7 +144,7 @@ metadata: name: pingsource-mt-adapter namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -152,7 +152,7 @@ kind: ClusterRoleBinding metadata: name: knative-eventing-pingsource-mt-adapter labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -184,7 +184,7 @@ metadata: name: eventing-webhook namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -192,7 +192,7 @@ kind: ClusterRoleBinding metadata: name: eventing-webhook labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -209,7 +209,7 @@ metadata: namespace: knative-eventing name: eventing-webhook labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -225,7 +225,7 @@ kind: ClusterRoleBinding metadata: name: eventing-webhook-resolver labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount 
@@ -241,7 +241,7 @@ kind: ClusterRoleBinding metadata: name: eventing-webhook-podspecable-binding labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -273,7 +273,7 @@ metadata: name: config-br-default-channel namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing data: channel-template-spec: | @@ -301,7 +301,7 @@ metadata: name: config-br-defaults namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing data: # Configures the default for any Broker that does not specify a spec.config or Broker class. @@ -338,7 +338,7 @@ metadata: name: default-ch-webhook namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing data: # Configuration for defaulting channels that do not specify CRD implementations. @@ -374,7 +374,7 @@ metadata: labels: annotations: knative.dev/example-checksum: "9185c153" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing data: _example: | @@ -420,7 +420,7 @@ metadata: labels: knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing data: # ALPHA feature: The kreference-group allows you to use the Group field in KReferences. 
@@ -518,7 +518,7 @@ metadata: name: config-leader-election namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "f7948630" @@ -581,7 +581,7 @@ metadata: labels: knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing data: # Common configuration for all Knative codebase @@ -634,7 +634,7 @@ metadata: labels: knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "f46cf09d" @@ -708,7 +708,7 @@ metadata: name: config-sugar namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "62dfac6f" @@ -767,7 +767,7 @@ metadata: labels: knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "0492ceb0" @@ -824,7 +824,7 @@ metadata: labels: knative.dev/high-availability: "true" app.kubernetes.io/component: eventing-controller - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: selector: 
@@ -835,7 +835,7 @@ spec: labels: app: eventing-controller app.kubernetes.io/component: eventing-controller - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: # To avoid node becoming SPOF, spread our replicas to different nodes. @@ -853,7 +853,7 @@ spec: containers: - name: eventing-controller terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-nightly/knative.dev/eventing/cmd/controller@sha256:6d73b70f73ec446c0ac08584260a749a5f2d303749333f1f34b1245e88446ec9 + image: gcr.io/knative-nightly/knative.dev/eventing/cmd/controller@sha256:2a96122d6d878da9ec639978656deb05ec1a45df9e387771546abcf30b8d091a resources: requests: cpu: 100m @@ -871,7 +871,7 @@ spec: value: knative.dev/eventing # APIServerSource - name: APISERVER_RA_IMAGE - value: gcr.io/knative-nightly/knative.dev/eventing/cmd/apiserver_receive_adapter@sha256:0cad965c98287aa9cff0d29333760e5902d14b60603d2fd822e0e40274bcc2e9 + value: gcr.io/knative-nightly/knative.dev/eventing/cmd/apiserver_receive_adapter@sha256:ae888c10468fea094a4eba8a2ca07c9a4a33ac446eed50e2b11ee7c8336a30c3 - name: POD_NAME valueFrom: fieldRef: @@ -941,7 +941,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: pingsource-mt-adapter - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: # when set to 0 (and only 0) will be set to 1 when the first PingSource is created. @@ -955,7 +955,7 @@ spec: labels: !!merge <<: *labels app.kubernetes.io/component: pingsource-mt-adapter - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: affinity: 
@@ -969,7 +969,7 @@ spec: enableServiceLinks: false containers: - name: dispatcher - image: gcr.io/knative-nightly/knative.dev/eventing/cmd/mtping@sha256:be13bd37e62ef0505366268669139e3d33bbc00ffb7e5ad5b9b7a494979fd7cb + image: gcr.io/knative-nightly/knative.dev/eventing/cmd/mtping@sha256:9307ca82e8e7508531e7e14f1e0813a41857175ba96b3e3d6fbc5121a20b3618 env: - name: SYSTEM_NAMESPACE value: '' @@ -1043,7 +1043,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: scaleTargetRef: @@ -1068,7 +1068,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: minAvailable: 80% @@ -1098,7 +1098,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: selector: @@ -1110,7 +1110,7 @@ spec: labels: !!merge <<: *labels app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: # To avoid node becoming SPOF, spread our replicas to different nodes. 
@@ -1130,7 +1130,7 @@ spec: terminationMessagePolicy: FallbackToLogsOnError # This is the Go import path for the binary that is containerized # and substituted here. - image: gcr.io/knative-nightly/knative.dev/eventing/cmd/webhook@sha256:0f08721a13a85c6d8fb6927a14f64c6344fb089f73f0844df988ea7822d3d225 + image: gcr.io/knative-nightly/knative.dev/eventing/cmd/webhook@sha256:8bfa14abf09e979e4b40ad73351aeb7f1e8a8d97a64933b62a263cfc14d2b531 resources: requests: # taken from serving. @@ -1203,7 +1203,7 @@ metadata: labels: role: eventing-webhook app.kubernetes.io/component: eventing-webhook - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing name: eventing-webhook namespace: knative-eventing @@ -1238,7 +1238,7 @@ metadata: eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing annotations: # TODO add schemas @@ -1516,7 +1516,7 @@ metadata: labels: knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev 
@@ -1588,7 +1588,7 @@ spec: description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string audience: - description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience. type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. @@ -1716,7 +1716,7 @@ metadata: knative.dev/crd-install: "true" messaging.knative.dev/subscribable: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: messaging.knative.dev 
@@ -1799,7 +1799,7 @@ spec: description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string audience: - description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience. type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. @@ -1875,6 +1875,13 @@ spec: uid: description: UID is used to understand the origin of the subscriber. type: string + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string status: description: Status represents the current state of the Channel. This data may be out of date. type: object @@ -2039,7 +2046,7 @@ metadata: eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing name: containersources.sources.knative.dev spec: 
@@ -2163,6 +2170,9 @@ spec: sinkCACerts: description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string + sinkAudience: + description: Audience is the OIDC audience of the sink. + type: string additionalPrinterColumns: - name: Sink type: string @@ -2206,15 +2216,15 @@ metadata: name: eventtypes.eventing.knative.dev labels: knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev versions: - &version - name: v1beta1 + name: v1beta2 served: true - storage: true + storage: false subresources: status: {} schema: @@ -2324,9 +2334,14 @@ spec: type: string jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" - !!merge <<: *version - name: v1beta2 + name: v1beta1 served: true - storage: false + storage: true + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning header in the server response. + deprecated: true + # This overrides the default warning returned to API clients making v1beta1 API requests. + deprecationWarning: "eventing.knative.dev/v1beta1 EventType is deprecated; see https://knative.dev/docs/eventing/event-registry/ for instructions to migrate to eventing.knative.dev/v1beta2 EventType" # v1beta1 schema is identical to the v1beta2 schema names: kind: EventType @@ -2367,7 +2382,7 @@ metadata: labels: knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: flows.knative.dev 
@@ -2430,7 +2445,7 @@ spec: description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string audience: - description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience. type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. @@ -2656,7 +2671,7 @@ metadata: eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing annotations: # TODO add schema @@ -2672,9 +2687,9 @@ spec: group: sources.knative.dev versions: - &version - name: v1beta2 + name: v1 served: true - storage: false + storage: true subresources: status: {} schema: 
@@ -2821,9 +2836,14 @@ spec: type: string jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - !!merge <<: *version - name: v1 + name: v1beta2 served: true - storage: true + storage: false + # This indicates the v1beta2 version of the custom resource is deprecated. + # API requests to this version receive a warning header in the server response. + deprecated: true + # This overrides the default warning returned to API clients making v1beta2 API requests. + deprecationWarning: "sources.knative.dev/v1beta2 PingSource is deprecated; see https://knative.dev/docs/eventing/sources/ping-source/ for instructions to migrate to sources.knative.dev/v1 PingSource" # v1 schema is identical to the v1beta2 schema names: categories: @@ -2864,7 +2884,7 @@ metadata: labels: knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: flows.knative.dev @@ -2963,7 +2983,7 @@ spec: description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string audience: - description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience. type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. 
@@ -3225,7 +3245,7 @@ metadata: duck.knative.dev/source: "true" duck.knative.dev/binding: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing name: sinkbindings.sources.knative.dev spec: @@ -3385,6 +3405,12 @@ spec: sinkCACerts: description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string + sinkAudience: + description: Audience is the OIDC audience of the sink. + type: string + oidcTokenSecretName: + description: Name of the secret with the OIDC token for the sink. + type: string additionalPrinterColumns: - name: Sink type: string @@ -3429,7 +3455,7 @@ metadata: name: subscriptions.messaging.knative.dev labels: knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: messaging.knative.dev @@ -3680,7 +3706,7 @@ metadata: name: triggers.eventing.knative.dev labels: knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev @@ -3858,6 +3884,9 @@ spec: subscriberCACerts: description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. type: string + subscriberAudience: + description: OIDC audience of the subscriber. + type: string names: kind: Trigger plural: triggers @@ -3889,7 +3918,7 @@ kind: ClusterRole metadata: name: addressable-resolver labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: 
@@ -3903,7 +3932,7 @@ metadata: name: service-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # Do not use this role directly. These rules will be added to the "addressable-resolver" role. rules: @@ -3922,7 +3951,7 @@ metadata: name: serving-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # Do not use this role directly. These rules will be added to the "addressable-resolver" role. rules: @@ -3944,7 +3973,7 @@ metadata: name: channel-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # Do not use this role directly. These rules will be added to the "addressable-resolver" role. rules: @@ -3970,7 +3999,7 @@ metadata: name: broker-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # Do not use this role directly. These rules will be added to the "addressable-resolver" role. rules: @@ -3990,7 +4019,7 @@ metadata: name: flows-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # Do not use this role directly. These rules will be added to the "addressable-resolver" role. rules: 
@@ -4026,7 +4055,7 @@ kind: ClusterRole metadata: name: eventing-broker-filter labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4052,7 +4081,7 @@ kind: ClusterRole metadata: name: eventing-broker-ingress labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4069,7 +4098,7 @@ kind: ClusterRole metadata: name: eventing-config-reader labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4102,7 +4131,7 @@ kind: ClusterRole metadata: name: channelable-manipulator labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: @@ -4116,7 +4145,7 @@ metadata: name: meta-channelable-manipulator labels: duck.knative.dev/channelable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # Do not use this role directly. These rules will be added to the "channelable-manipulator" role. rules: @@ -4155,7 +4184,7 @@ metadata: name: knative-eventing-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["eventing.knative.dev"] 
@@ -4168,7 +4197,7 @@ metadata: name: knative-messaging-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["messaging.knative.dev"] @@ -4181,7 +4210,7 @@ metadata: name: knative-flows-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["flows.knative.dev"] @@ -4194,7 +4223,7 @@ metadata: name: knative-sources-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["sources.knative.dev"] @@ -4207,7 +4236,7 @@ metadata: name: knative-bindings-namespaced-admin labels: rbac.authorization.k8s.io/aggregate-to-admin: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["bindings.knative.dev"] @@ -4220,7 +4249,7 @@ metadata: name: knative-eventing-namespaced-edit labels: rbac.authorization.k8s.io/aggregate-to-edit: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["eventing.knative.dev", "messaging.knative.dev", "sources.knative.dev", "flows.knative.dev", "bindings.knative.dev"] 
@@ -4233,7 +4262,7 @@ metadata: name: knative-eventing-namespaced-view labels: rbac.authorization.k8s.io/aggregate-to-view: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: ["eventing.knative.dev", "messaging.knative.dev", "sources.knative.dev", "flows.knative.dev", "bindings.knative.dev"] @@ -4260,7 +4289,7 @@ kind: ClusterRole metadata: name: knative-eventing-controller labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4395,7 +4424,7 @@ kind: ClusterRole metadata: name: knative-eventing-pingsource-mt-adapter labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4462,7 +4491,7 @@ kind: ClusterRole metadata: name: podspecable-binding labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: @@ -4476,7 +4505,7 @@ metadata: name: builtin-podspecable-binding labels: duck.knative.dev/podspecable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # Do not use this role directly. These rules will be added to the "podspecable-binding role. rules: @@ -4522,7 +4551,7 @@ kind: ClusterRole metadata: name: source-observer labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing aggregationRule: clusterRoleSelectors: 
@@ -4536,7 +4565,7 @@ metadata: name: eventing-sources-source-observer labels: duck.knative.dev/source: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # Do not use this role directly. These rules will be added to the "source-observer" role. rules: @@ -4572,7 +4601,7 @@ kind: ClusterRole metadata: name: knative-eventing-sources-controller labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -4658,7 +4687,7 @@ kind: ClusterRole metadata: name: knative-eventing-webhook labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: # For watching logging configuration and getting certs. @@ -4741,12 +4770,24 @@ rules: - "list" - "create" - "patch" - # For the SinkBinding reconciler adding the OIDC identity service accounts + # For the SinkBinding reconciler adding the OIDC identity service accounts - apiGroups: - "" resources: - "serviceaccounts" verbs: *everything + # For the SinkBinding reconciler creating the sinkbinding token secret + - apiGroups: + - "" + resources: + - "serviceaccounts/token" + verbs: + - "create" + - apiGroups: + - "" + resources: + - "secrets" + verbs: *everything # Necessary for conversion webhook. These are copied from the serving # TODO: Do we really need all these permissions? - apiGroups: ["apiextensions.k8s.io"] @@ -4774,7 +4815,7 @@ metadata: namespace: knative-eventing name: knative-eventing-webhook labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: # For manipulating certs into secrets. 
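Review bot: The last rule added in hunk `@@ -4741,12 +4770,24 @@` grants `verbs: *everything` on core `secrets` in the `knative-eventing-webhook` ClusterRole, which is much broader than its comment ("creating the sinkbinding token secret") describes. The `*everything` anchor is defined outside this hunk, but if it expands to the full verb set and the role is bound cluster-wide, the webhook's service account can read, modify and delete Secrets in every namespace, and the new `create` on `serviceaccounts/token` adds the ability to request service-account tokens. Upstream or in a local overlay I would replace the alias with only the verbs the reconciler uses, e.g. `verbs: ["get", "list", "watch", "create", "update"]` (exact set to be confirmed against the reconciler), and add a comment next to the rule saying that it is cluster-scoped. Because this manifest is vendored, at minimum record the new grant in the upgrade notes and make sure API audit logging covers Secret and TokenRequest calls made by this service account.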
@@ -4810,7 +4851,7 @@ kind: ValidatingWebhookConfiguration metadata: name: config.webhook.eventing.knative.dev labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] @@ -4845,7 +4886,7 @@ kind: MutatingWebhookConfiguration metadata: name: webhook.eventing.knative.dev labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] @@ -4878,7 +4919,7 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.webhook.eventing.knative.dev labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] @@ -4912,7 +4953,7 @@ metadata: name: eventing-webhook-certs namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # The data is populated at install time. @@ -4936,7 +4977,7 @@ kind: MutatingWebhookConfiguration metadata: name: sinkbindings.webhook.sources.knative.dev labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1", "v1beta1"] diff --git a/third_party/eventing-latest/eventing-crds.yaml b/third_party/eventing-latest/eventing-crds.yaml index 23d0ab465..30a5e7bef 100644 --- a/third_party/eventing-latest/eventing-crds.yaml +++ b/third_party/eventing-latest/eventing-crds.yaml 
@@ -20,7 +20,7 @@ metadata: eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing annotations: # TODO add schemas @@ -298,7 +298,7 @@ metadata: labels: knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev @@ -370,7 +370,7 @@ spec: description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string audience: - description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience. type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. @@ -498,7 +498,7 @@ metadata: knative.dev/crd-install: "true" messaging.knative.dev/subscribable: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: messaging.knative.dev 
@@ -581,7 +581,7 @@ spec: description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string audience: - description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience. type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. @@ -657,6 +657,13 @@ spec: uid: description: UID is used to understand the origin of the subscriber. type: string + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string status: description: Status represents the current state of the Channel. This data may be out of date. type: object @@ -821,7 +828,7 @@ metadata: eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing name: containersources.sources.knative.dev spec: 
@@ -945,6 +952,9 @@ spec: sinkCACerts: description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string + sinkAudience: + description: Audience is the OIDC audience of the sink. + type: string additionalPrinterColumns: - name: Sink type: string @@ -988,15 +998,15 @@ metadata: name: eventtypes.eventing.knative.dev labels: knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev versions: - &version - name: v1beta1 + name: v1beta2 served: true - storage: true + storage: false subresources: status: {} schema: @@ -1106,9 +1116,14 @@ spec: type: string jsonPath: ".status.conditions[?(@.type==\"Ready\")].reason" - !!merge <<: *version - name: v1beta2 + name: v1beta1 served: true - storage: false + storage: true + # This indicates the v1beta1 version of the custom resource is deprecated. + # API requests to this version receive a warning header in the server response. + deprecated: true + # This overrides the default warning returned to API clients making v1beta1 API requests. + deprecationWarning: "eventing.knative.dev/v1beta1 EventType is deprecated; see https://knative.dev/docs/eventing/event-registry/ for instructions to migrate to eventing.knative.dev/v1beta2 EventType" # v1beta1 schema is identical to the v1beta2 schema names: kind: EventType @@ -1149,7 +1164,7 @@ metadata: labels: knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: flows.knative.dev 
@@ -1212,7 +1227,7 @@ spec: description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string audience: - description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience. type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. @@ -1438,7 +1453,7 @@ metadata: eventing.knative.dev/source: "true" duck.knative.dev/source: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing annotations: # TODO add schema @@ -1454,9 +1469,9 @@ spec: group: sources.knative.dev versions: - &version - name: v1beta2 + name: v1 served: true - storage: false + storage: true subresources: status: {} schema: 
@@ -1603,9 +1618,14 @@ spec: type: string jsonPath: ".status.conditions[?(@.type=='Ready')].reason" - !!merge <<: *version - name: v1 + name: v1beta2 served: true - storage: true + storage: false + # This indicates the v1beta2 version of the custom resource is deprecated. + # API requests to this version receive a warning header in the server response. + deprecated: true + # This overrides the default warning returned to API clients making v1beta2 API requests. + deprecationWarning: "sources.knative.dev/v1beta2 PingSource is deprecated; see https://knative.dev/docs/eventing/sources/ping-source/ for instructions to migrate to sources.knative.dev/v1 PingSource" # v1 schema is identical to the v1beta2 schema names: categories: @@ -1646,7 +1666,7 @@ metadata: labels: knative.dev/crd-install: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: flows.knative.dev @@ -1745,7 +1765,7 @@ spec: description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string audience: - description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience. type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. 
@@ -2007,7 +2027,7 @@ metadata: duck.knative.dev/source: "true" duck.knative.dev/binding: "true" knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing name: sinkbindings.sources.knative.dev spec: @@ -2167,6 +2187,12 @@ spec: sinkCACerts: description: CACerts is the Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string + sinkAudience: + description: Audience is the OIDC audience of the sink. + type: string + oidcTokenSecretName: + description: Name of the secret with the OIDC token for the sink. + type: string additionalPrinterColumns: - name: Sink type: string @@ -2211,7 +2237,7 @@ metadata: name: subscriptions.messaging.knative.dev labels: knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: messaging.knative.dev @@ -2462,7 +2488,7 @@ metadata: name: triggers.eventing.knative.dev labels: knative.dev/crd-install: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: eventing.knative.dev @@ -2640,6 +2666,9 @@ spec: subscriberCACerts: description: Certification Authority (CA) certificates in PEM format according to https://www.rfc-editor.org/rfc/rfc7468. type: string + subscriberAudience: + description: OIDC audience of the subscriber. + type: string names: kind: Trigger plural: triggers diff --git a/third_party/eventing-latest/in-memory-channel.yaml b/third_party/eventing-latest/in-memory-channel.yaml index 38ab22419..5cb36766f 100644 --- a/third_party/eventing-latest/in-memory-channel.yaml +++ b/third_party/eventing-latest/in-memory-channel.yaml 
@@ -18,7 +18,7 @@ metadata: name: imc-controller namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -26,7 +26,7 @@ kind: ClusterRoleBinding metadata: name: imc-controller labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -43,7 +43,7 @@ metadata: namespace: knative-eventing name: imc-controller labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -59,7 +59,7 @@ kind: ClusterRoleBinding metadata: name: imc-controller-resolver labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -91,7 +91,7 @@ metadata: name: imc-dispatcher namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing --- apiVersion: rbac.authorization.k8s.io/v1 @@ -99,7 +99,7 @@ kind: ClusterRoleBinding metadata: name: imc-dispatcher labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -161,7 +161,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing data: MaxIdleConnections: "1000" 
@@ -190,7 +190,7 @@ metadata: labels: knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "f46cf09d" @@ -266,7 +266,7 @@ metadata: labels: knative.dev/config-propagation: original knative.dev/config-category: eventing - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing annotations: knative.dev/example-checksum: "0492ceb0" @@ -323,7 +323,7 @@ metadata: labels: knative.dev/high-availability: "true" app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: selector: @@ -335,7 +335,7 @@ spec: labels: !!merge <<: *labels app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: affinity: @@ -350,7 +350,7 @@ spec: enableServiceLinks: false containers: - name: controller - image: gcr.io/knative-nightly/knative.dev/eventing/cmd/in_memory/channel_controller@sha256:b3066dff9f59eda6db32e66c8e22fba55620fe4e42510cc43ca8ce06773c04d6 + image: gcr.io/knative-nightly/knative.dev/eventing/cmd/in_memory/channel_controller@sha256:7eecdb0b923aed139108d8575d0c01a172b5a8d48ae9708fd8e43e406cefa385 env: - name: WEBHOOK_NAME value: inmemorychannel-webhook 
@@ -367,7 +367,7 @@ spec: fieldRef: fieldPath: metadata.namespace - name: DISPATCHER_IMAGE - value: gcr.io/knative-nightly/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:71dc2298bffdebfda0630e3d1d1d0b6f1271b4449faa13408b8041c2d9edf5b6 + value: gcr.io/knative-nightly/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:142adab955fba6ca3cb5a0f9b4fd8bfec196ddf4f167eb17aaaf12153b767c71 - name: POD_NAME valueFrom: fieldRef: @@ -408,7 +408,7 @@ kind: Service metadata: labels: app.kubernetes.io/component: imc-controller - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing name: inmemorychannel-webhook namespace: knative-eventing @@ -450,7 +450,7 @@ metadata: messaging.knative.dev/channel: in-memory-channel messaging.knative.dev/role: dispatcher app.kubernetes.io/component: imc-dispatcher - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: selector: @@ -492,7 +492,7 @@ metadata: labels: knative.dev/high-availability: "true" app.kubernetes.io/component: imc-dispatcher - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: selector: @@ -504,7 +504,7 @@ spec: labels: !!merge <<: *labels app.kubernetes.io/component: imc-dispatcher - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: affinity: 
@@ -519,7 +519,7 @@ spec: enableServiceLinks: false containers: - name: dispatcher - image: gcr.io/knative-nightly/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:71dc2298bffdebfda0630e3d1d1d0b6f1271b4449faa13408b8041c2d9edf5b6 + image: gcr.io/knative-nightly/knative.dev/eventing/cmd/in_memory/channel_dispatcher@sha256:142adab955fba6ca3cb5a0f9b4fd8bfec196ddf4f167eb17aaaf12153b767c71 readinessProbe: &probe failureThreshold: 3 httpGet: @@ -594,7 +594,7 @@ metadata: knative.dev/crd-install: "true" messaging.knative.dev/subscribable: "true" duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: group: messaging.knative.dev @@ -650,7 +650,7 @@ spec: description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string audience: - description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience. type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. 
@@ -700,7 +700,7 @@ spec: description: Certification Authority (CA) certificates in PEM format that the source trusts when sending events to the sink. type: string audience: - description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the Addressable itself. If the target is an Addressable and specifies an Audience, the target's Audience takes precedence. + description: Audience is the OIDC audience. This only needs to be set if the target is not an Addressable and thus the Audience can't be received from the target itself. If specified, it takes precedence over the target's Audience. type: string retry: description: Retry is the minimum number of retries the sender should attempt when sending an event before moving it to the dead letter sink. @@ -732,6 +732,13 @@ spec: uid: description: UID is used to understand the origin of the subscriber. type: string + auth: + description: Auth provides the relevant information for OIDC authentication. + type: object + properties: + serviceAccountName: + description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication. + type: string status: description: Status represents the current state of the Channel. This data may be out of date. type: object @@ -892,7 +899,7 @@ metadata: name: imc-addressable-resolver labels: duck.knative.dev/addressable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # Do not use this role directly. These rules will be added to the "addressable-resolver" role. rules: 
@@ -927,7 +934,7 @@ metadata: name: imc-channelable-manipulator labels: duck.knative.dev/channelable: "true" - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # Do not use this role directly. These rules will be added to the "channelable-manipulator" role. rules: @@ -965,7 +972,7 @@ kind: ClusterRole metadata: name: imc-controller labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -1103,7 +1110,7 @@ kind: ClusterRole metadata: name: imc-dispatcher labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -1130,6 +1137,13 @@ rules: verbs: - create - patch + # Create OIDC tokens + - apiGroups: + - "" + resources: + - "serviceaccounts/token" + verbs: + - create # Updates the finalizer so we can remove our handlers when channel is deleted # Patches the status.subscribers to reflect when the subscription dataplane has been # configured. @@ -1183,7 +1197,7 @@ metadata: namespace: knative-eventing name: knative-inmemorychannel-webhook labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: # For manipulating certs into secrets. @@ -1219,7 +1233,7 @@ kind: MutatingWebhookConfiguration metadata: name: inmemorychannel.eventing.knative.dev labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1"] 
@@ -1252,7 +1266,7 @@ kind: ValidatingWebhookConfiguration metadata: name: validation.inmemorychannel.eventing.knative.dev labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing webhooks: - admissionReviewVersions: ["v1"] @@ -1286,7 +1300,7 @@ metadata: name: inmemorychannel-webhook-certs namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing # The data is populated at install time. diff --git a/third_party/eventing-latest/mt-channel-broker.yaml b/third_party/eventing-latest/mt-channel-broker.yaml index 37d798fe7..5bd05bfc7 100644 --- a/third_party/eventing-latest/mt-channel-broker.yaml +++ b/third_party/eventing-latest/mt-channel-broker.yaml @@ -16,7 +16,7 @@ kind: ClusterRole metadata: name: knative-eventing-mt-channel-broker-controller labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: # Configs resources and status we care about. @@ -58,7 +58,7 @@ kind: ClusterRole metadata: name: knative-eventing-mt-broker-filter labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -78,6 +78,12 @@ rules: - get - list - watch + - apiGroups: + - "" + resources: + - "serviceaccounts/token" + verbs: + - create --- # Copyright 2023 The Knative Authors @@ -129,7 +135,7 @@ metadata: name: mt-broker-filter namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing --- 
@@ -151,7 +157,7 @@ kind: ClusterRole metadata: name: knative-eventing-mt-broker-ingress labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing rules: - apiGroups: @@ -208,6 +214,37 @@ rules: - get - list - watch + - apiGroups: + - "" + resources: + - "serviceaccounts/token" + resourceNames: + - "mt-broker-ingress-oidc" + verbs: + - create + +--- +# Copyright 2023 The Knative Authors +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +apiVersion: v1 +kind: ServiceAccount +metadata: + name: mt-broker-ingress-oidc + namespace: knative-eventing + labels: + app.kubernetes.io/version: "20231204-3fcc78a3d" + app.kubernetes.io/name: knative-eventing --- # Copyright 2020 The Knative Authors @@ -229,7 +266,7 @@ metadata: name: mt-broker-ingress namespace: knative-eventing labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing --- @@ -252,7 +289,7 @@ kind: ClusterRoleBinding metadata: name: eventing-mt-channel-broker-controller labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount 
@@ -283,7 +320,7 @@ kind: ClusterRoleBinding metadata: name: knative-eventing-mt-broker-filter labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -343,7 +380,7 @@ kind: ClusterRoleBinding metadata: name: knative-eventing-mt-broker-ingress labels: - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing subjects: - kind: ServiceAccount @@ -404,7 +441,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: selector: @@ -415,7 +452,7 @@ spec: labels: eventing.knative.dev/brokerRole: filter app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: serviceAccountName: mt-broker-filter @@ -423,7 +460,7 @@ spec: containers: - name: filter terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-nightly/knative.dev/eventing/cmd/broker/filter@sha256:98cd31549153e1162f56feb6d244fb271bc69a478f4e97819807c7c0e712ed20 + image: gcr.io/knative-nightly/knative.dev/eventing/cmd/broker/filter@sha256:a3888824605b8d1f9c91003e6a0d0ce1bf7bd2a9957d055d6d98c35c0170f602 readinessProbe: &probe failureThreshold: 3 httpGet: @@ -494,7 +531,7 @@ metadata: labels: eventing.knative.dev/brokerRole: filter app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing name: broker-filter namespace: knative-eventing 
@@ -537,7 +574,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: selector: @@ -548,7 +585,7 @@ spec: labels: eventing.knative.dev/brokerRole: ingress app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: serviceAccountName: mt-broker-ingress @@ -556,7 +593,7 @@ spec: containers: - name: ingress terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-nightly/knative.dev/eventing/cmd/broker/ingress@sha256:d780fd1a34de1354c96b7f6edbc7a8a89ea4596bc2d23cc62d4964b640741af1 + image: gcr.io/knative-nightly/knative.dev/eventing/cmd/broker/ingress@sha256:812eea9136494d1c1e09f52434af6a33c9b7f79de49c7b67020e47296d6f4513 readinessProbe: &probe failureThreshold: 3 httpGet: @@ -627,7 +664,7 @@ metadata: labels: eventing.knative.dev/brokerRole: ingress app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing name: broker-ingress namespace: knative-eventing @@ -670,7 +707,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: mt-broker-controller - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: selector: @@ -681,7 +718,7 @@ spec: labels: app: mt-broker-controller app.kubernetes.io/component: broker-controller - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: # To avoid node becoming SPOF, spread our replicas to different nodes. 
@@ -699,7 +736,7 @@ spec: containers: - name: mt-broker-controller terminationMessagePolicy: FallbackToLogsOnError - image: gcr.io/knative-nightly/knative.dev/eventing/cmd/mtchannel_broker@sha256:c58557a7b202a9fb8a806d6b53c249050eb5ff9ee2f413e86c60695a59bc8a6b + image: gcr.io/knative-nightly/knative.dev/eventing/cmd/mtchannel_broker@sha256:984b51cbbcf3cd3029490bae56cb90674b28410ad4ddcfac4f123a0e7489493e resources: requests: cpu: 100m @@ -756,7 +793,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: broker-ingress - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: scaleTargetRef: @@ -780,7 +817,7 @@ metadata: namespace: knative-eventing labels: app.kubernetes.io/component: broker-filter - app.kubernetes.io/version: "20231114-7a645f87c" + app.kubernetes.io/version: "20231204-3fcc78a3d" app.kubernetes.io/name: knative-eventing spec: scaleTargetRef: