Update dependencies (#3412)

* Update dependencies

* Fix build issue

go.mod

@@ -35,10 +35,10 @@ require (
 	k8s.io/apiserver v0.27.6
 	k8s.io/client-go v0.27.6
 	k8s.io/utils v0.0.0-20230209194617-a36077c30491
-	knative.dev/eventing v0.38.1-0.20231017050713-f9314d883fc0
+	knative.dev/eventing v0.38.1-0.20231019094926-16d75a980703
 	knative.dev/hack v0.0.0-20231016131700-2c938d4918da
 	knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5
-	knative.dev/reconciler-test v0.0.0-20231017131250-999d077826b7
+	knative.dev/reconciler-test v0.0.0-20231019092754-317033b0f02e
 	sigs.k8s.io/controller-runtime v0.12.3
 	sigs.k8s.io/yaml v1.3.0
 )

go.sum

@@ -1251,14 +1251,14 @@ k8s.io/utils v0.0.0-20200912215256-4140de9c8800/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491 h1:r0BAOLElQnnFhE/ApUsg3iHdVYYPBjNSSOMowRZxxsY=
 k8s.io/utils v0.0.0-20230209194617-a36077c30491/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.38.1-0.20231017050713-f9314d883fc0 h1:CKeg+12rcm3FhN/MYcbe/EDVScgXjhWObnGxrjeOOVw=
-knative.dev/eventing v0.38.1-0.20231017050713-f9314d883fc0/go.mod h1:Ug/SwaXMZVkP17peh2SvKA6I3FSjd8RrXdJuJNyBS2Y=
+knative.dev/eventing v0.38.1-0.20231019094926-16d75a980703 h1:JvAE5DCPfOD8Wa8IhrNNOQ0eaSWfQb5Rv+UZ6G8+MLg=
+knative.dev/eventing v0.38.1-0.20231019094926-16d75a980703/go.mod h1:swWS48qpCQbBkj+2iS0rVa7PbQBWLD9YAy3CSHfevaU=
 knative.dev/hack v0.0.0-20231016131700-2c938d4918da h1:xy+fvuz2LDOMsZ5UwXRaMF70NYUs9fsG+EF5/ierYBg=
 knative.dev/hack v0.0.0-20231016131700-2c938d4918da/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
 knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5 h1:9AvFZdEtuwKWDcTV1VSwmrgrRR9f38wbIAm+sNwLivQ=
 knative.dev/pkg v0.0.0-20231017113806-d6ab72900ea5/go.mod h1:HHRXEd7ZlFpthgE+rwAZ6MUVnuJOAeolnaFSthXloUQ=
-knative.dev/reconciler-test v0.0.0-20231017131250-999d077826b7 h1:zcFdS5167SauAvKmmPPUmXJtUxlBdKUWmO/a+F67+IM=
-knative.dev/reconciler-test v0.0.0-20231017131250-999d077826b7/go.mod h1:0jsKqMXLCIQNdceLuL2SL1LaAZSFtqUY7cLyHt0V2xY=
+knative.dev/reconciler-test v0.0.0-20231019092754-317033b0f02e h1:lNnU34Bh3xXekvIcpt7fb2GM9XZI1ihoxVHMv4YTuag=
+knative.dev/reconciler-test v0.0.0-20231019092754-317033b0f02e/go.mod h1:0jsKqMXLCIQNdceLuL2SL1LaAZSFtqUY7cLyHt0V2xY=
 pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=

test/rekt/resources/kafkasink/kafkasink.go

@@ -103,7 +103,7 @@ func Address(ctx context.Context, name string, timings ...time.Duration) (*duckv
 }
 
 // ValidateAddress validates the address retured by Address
-func ValidateAddress(name string, validate addressable.ValidateAddress, timings ...time.Duration) feature.StepFn {
+func ValidateAddress(name string, validate addressable.ValidateAddressFn, timings ...time.Duration) feature.StepFn {
 	return func(ctx context.Context, t feature.T) {
 		addr, err := Address(ctx, name, timings...)
 		if err != nil {

vendor/knative.dev/eventing/pkg/auth/token_provider.go

@@ -32,7 +32,7 @@ import (
 )
 
 const (
-	expirationBufferTime = time.Second * 30
+	expirationBufferTime = 5 * time.Minute
 )
 
 type OIDCTokenProvider struct {
@@ -73,7 +73,7 @@ func (c *OIDCTokenProvider) GetJWT(serviceAccount types.NamespacedName, audience
 		return "", fmt.Errorf("could not request a token for %s: %w", serviceAccount, err)
 	}
 
-	// we need a duration until this token expires, use the expiry time - (now + 30s)
+	// we need a duration until this token expires, use the expiry time - (now + 5min)
 	// this gives us a buffer so that it doesn't expire between when we retrieve it and when we use it
 	expiryTtl := tokenRequestResponse.Status.ExpirationTimestamp.Time.Sub(time.Now().Add(expirationBufferTime))
 

vendor/knative.dev/eventing/pkg/auth/utils.go

@@ -0,0 +1,42 @@
+/*
+Copyright 2023 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package auth
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+)
+
+const (
+	AuthHeaderKey = "Authorization"
+)
+
+// GetJWTFromHeader Returns the JWT from the Authorization header
+func GetJWTFromHeader(header http.Header) string {
+	authHeader := header.Get(AuthHeaderKey)
+	if authHeader == "" {
+		return ""
+	}
+
+	return strings.TrimPrefix(authHeader, "Bearer ")
+}
+
+// SetAuthHeader sets Authorization header with the given JWT
+func SetAuthHeader(jwt string, header http.Header) {
+	header.Set(AuthHeaderKey, fmt.Sprintf("Bearer %s", jwt))
+}

vendor/knative.dev/eventing/test/rekt/resources/addressable/addressable.go

@@ -25,10 +25,11 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/wait"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
+	"knative.dev/reconciler-test/pkg/feature"
 	"knative.dev/reconciler-test/pkg/k8s"
 )
 
-type ValidateAddress func(addressable *duckv1.Addressable) error
+type ValidateAddressFn func(addressable *duckv1.Addressable) error
 
 // Address returns a broker's address.
 func Address(ctx context.Context, gvr schema.GroupVersionResource, name string, timings ...time.Duration) (*duckv1.Addressable, error) {
@@ -55,6 +56,20 @@ func Address(ctx context.Context, gvr schema.GroupVersionResource, name string,
 	return addr, err
 }
 
+func ValidateAddress(gvr schema.GroupVersionResource, name string, validate ValidateAddressFn, timings ...time.Duration) feature.StepFn {
+	return func(ctx context.Context, t feature.T) {
+		addr, err := Address(ctx, gvr, name, timings...)
+		if err != nil {
+			t.Error(err)
+			return
+		}
+		if err := validate(addr); err != nil {
+			t.Error(err)
+			return
+		}
+	}
+}
+
 func AssertHTTPSAddress(addr *duckv1.Addressable) error {
 	if addr.URL.Scheme != "https" {
 		return fmt.Errorf("address is not HTTPS: %#v", addr)

vendor/knative.dev/eventing/test/rekt/resources/broker/broker.go

@@ -160,18 +160,8 @@ func IsAddressable(name string, timings ...time.Duration) feature.StepFn {
 }
 
 // ValidateAddress validates the address retured by Address
-func ValidateAddress(name string, validate addressable.ValidateAddress, timings ...time.Duration) feature.StepFn {
-	return func(ctx context.Context, t feature.T) {
-		addr, err := Address(ctx, name, timings...)
-		if err != nil {
-			t.Error(err)
-			return
-		}
-		if err := validate(addr); err != nil {
-			t.Error(err)
-			return
-		}
-	}
+func ValidateAddress(name string, validate addressable.ValidateAddressFn, timings ...time.Duration) feature.StepFn {
+	return addressable.ValidateAddress(GVR(), name, validate, timings...)
 }
 
 // Address returns a broker's address.

vendor/knative.dev/eventing/test/rekt/resources/channel_impl/channel_impl.go

@@ -174,16 +174,6 @@ func AsDestinationRef(name string) *duckv1.Destination {
 var WithDeadLetterSink = delivery.WithDeadLetterSink
 
 // ValidateAddress validates the address retured by Address
-func ValidateAddress(name string, validate addressable.ValidateAddress, timings ...time.Duration) feature.StepFn {
-	return func(ctx context.Context, t feature.T) {
-		addr, err := Address(ctx, name, timings...)
-		if err != nil {
-			t.Error(err)
-			return
-		}
-		if err := validate(addr); err != nil {
-			t.Error(err)
-			return
-		}
-	}
+func ValidateAddress(name string, validate addressable.ValidateAddressFn, timings ...time.Duration) feature.StepFn {
+	return addressable.ValidateAddress(GVR(), name, validate, timings...)
 }

vendor/knative.dev/reconciler-test/pkg/environment/namespace.go

@@ -122,12 +122,26 @@ func (mr *MagicEnvironment) CreateNamespaceIfNeeded() error {
 			return fmt.Errorf("error copying the image pull Secret: %s", err)
 		}
 
-		_, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.StrategicMergePatchType,
-			[]byte(`{"imagePullSecrets":[{"name":"`+mr.imagePullSecretName+`"}]}`), metav1.PatchOptions{})
+		for _, secret := range sa.ImagePullSecrets {
+			if secret.Name == mr.imagePullSecretName {
+				return nil
+			}
+		}
+
+		// Prevent overwriting existing imagePullSecrets
+		patch := `[{"op":"add","path":"/imagePullSecrets/-","value":{"name":"` + mr.imagePullSecretName + `"}}]`
+		if len(sa.ImagePullSecrets) == 0 {
+			patch = `[{"op":"add","path":"/imagePullSecrets","value":[{"name":"` + mr.imagePullSecretName + `"}]}]`
+		}
+
+		_, err = c.CoreV1().ServiceAccounts(mr.namespace).Patch(context.Background(), sa.Name, types.JSONPatchType,
+			[]byte(patch), metav1.PatchOptions{})
 		if err != nil {
-			return fmt.Errorf("patch failed on NS/SA (%s/%s): %s", mr.namespace, sa.Name, err)
+			return fmt.Errorf("patch failed on NS/SA (%s/%s): %w",
+				mr.namespace, sa.Name, err)
 		}
 	}
+
 	return nil
 }
 

vendor/knative.dev/reconciler-test/pkg/eventshub/options.go

@@ -202,6 +202,11 @@ func DropEventsResponseHeaders(headers map[string]string) EventsHubOption {
 	)
 }
 
+// OIDCReceiverAudience sets the expected audience for received OIDC tokens on the receiver side
+func OIDCReceiverAudience(aud string) EventsHubOption {
+	return compose(envOption(OIDCReceiverAudienceEnv, aud), envOIDCEnabled())
+}
+
 // --- Sender options
 
 // InitialSenderDelay defines how much the sender has to wait (in millisecond), when started, before start sending events.
@@ -283,6 +288,11 @@ func OIDCInvalidAudience() EventsHubOption {
 	return compose(envOption(OIDCGenerateInvalidAudienceTokenEnv, "true"), envOIDCEnabled())
 }
 
+// OIDCSinkAudience sets the Audience of the Sink
+func OIDCSinkAudience(aud string) EventsHubOption {
+	return oidcSinkAudience(&aud)
+}
+
 func oidcSinkAudience(aud *string) EventsHubOption {
 	if aud != nil && *aud != "" {
 		// if the sink has an audience set, we enable OIDC to get a token added

vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/100-sa.yaml

@@ -17,3 +17,9 @@ kind: ServiceAccount
 metadata:
   name: {{ .name }}
   namespace: {{ .namespace }}
+{{ if .withPullSecrets }}
+imagePullSecrets:
+  {{ range $_, $value := .withPullSecrets.secrets }}
+  - name: {{ $value }}
+  {{ end }}
+{{ end }}

vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/101-rbac.yaml

@@ -45,3 +45,20 @@ subjects:
   - kind: ServiceAccount
     name: {{ .name }}
     namespace: {{ .namespace }}
+
+{{ if and .withOIDCAuth .isReceiver }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ .name }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator # e.g. to do a token review
+subjects:
+  - kind: ServiceAccount
+    name: {{ .name }}
+    namespace: {{ .namespace }}
+{{ end }}

vendor/knative.dev/reconciler-test/pkg/eventshub/rbac/rbac.go

@@ -21,6 +21,9 @@ import (
 	"embed"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	kubeclient "knative.dev/pkg/client/injection/kube/client"
+	"knative.dev/reconciler-test/pkg/environment"
 
 	"knative.dev/reconciler-test/pkg/feature"
 	"knative.dev/reconciler-test/pkg/manifest"
@@ -30,11 +33,33 @@ import (
 var templates embed.FS
 
 // Install creates the necessary ServiceAccount, Role, RoleBinding for the eventshub.
-// The resources are named according to the current namespace defined in the environment.
 func Install(cfg map[string]interface{}) feature.StepFn {
 	return func(ctx context.Context, t feature.T) {
+		WithPullSecrets(ctx, t)(cfg)
 		if _, err := manifest.InstallYamlFS(ctx, templates, cfg); err != nil && !apierrors.IsAlreadyExists(err) {
 			t.Fatal(err)
 		}
 	}
 }
+
+func WithPullSecrets(ctx context.Context, t feature.T) manifest.CfgFn {
+	namespace := environment.FromContext(ctx).Namespace()
+	serviceAccount, err := kubeclient.Get(ctx).CoreV1().ServiceAccounts(namespace).Get(ctx, "default", metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("Failed to read default SA in %s namespace: %v", namespace, err)
+	}
+
+	return func(cfg map[string]interface{}) {
+		if len(serviceAccount.ImagePullSecrets) == 0 {
+			return
+		}
+		if _, set := cfg["withPullSecrets"]; !set {
+			cfg["withPullSecrets"] = map[string]interface{}{}
+		}
+		withPullSecrets := cfg["withPullSecrets"].(map[string]interface{})
+		withPullSecrets["secrets"] = []string{}
+		for _, secret := range serviceAccount.ImagePullSecrets {
+			withPullSecrets["secrets"] = append(withPullSecrets["secrets"].([]string), secret.Name)
+		}
+	}
+}