The Sequence implementation uses Channels under the hood. This means that the Sequence breaks down to something like the following:
flowchart LR
A(Service A) ---> C1
C1 -.-> D1(Dispatcher)
D1 --> SVC1
D1 -->|reply from Service 1| C2
C2 -.-> D2(Dispatcher)
D2 --> SVC2
D2 -->|reply from Service 2| C3
C3 -.-> D3(Dispatcher)
D3 --> SVC3
D3 -->|reply from Service 3| X(Service B)
subgraph Sequence
subgraph Subscription1
C1(Channel 1)
SVC1(Service 1)
end
subgraph Subscription2
C2(Channel 2)
SVC2(Service 2)
end
subgraph Subscription3
C3(Channel 3)
SVC3(Service 3)
end
D1
D2
D3
end
Therefore we need to make sure the correct EventPolicies are in place so that requests to the underlying channels are not blocked. So the Sequence reconciler should behave as follows:
In case the authentication-oidc feature flag is set to enabled:
create EventPolicies as in the above example:
EventPolicy for Channel2:
.spec.ref: pointing to Channel2
.spec.from: OIDC identity of Subscription1. This means .spec.from is a ref to Subscription1
EventPolicy for Channel3:
.spec.ref: pointing to Channel3
.spec.from: OIDC identity of Subscription2. This means .spec.from is a ref to Subscription2
EventPolicy for Channel1:
This EventPolicy will only be created if we have an EventPolicy for the Sequence in place (e.g. created by the user). This is because Channel1 represents the input channel of the Sequence, and without such a policy we would not be aware of the allowed subjects. But as soon as an EventPolicy for the Sequence is in place, the Sequence reconciler would also create an EventPolicy for its input channel (Channel1 here) with the allowed subjects from the EventPolicy targeting the Sequence.
the owner reference of the EventPolicies points to the Sequence, so that their lifecycle is bound to it
In case the authentication-oidc feature flag is set to disabled:
clean up any existing EventPolicies which were created while authentication-oidc was enabled (e.g. by filtering on EventPolicies which have an owner reference to a Sequence)
When you feel comfortable with this issue, feel free to assign it to yourself (e.g. by commenting /assign). Please be aware that we might unassign you if we don't see any progress from your side, to give other contributors also a chance to work on this issue.
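As an added example (not the Knative project's code), the following Go sketch models the rules above with simplified, hypothetical types: it computes the EventPolicies the reconciler should own for a Sequence with a given number of steps, adds the Channel1 policy only when a policy already targets the Sequence, and returns the owned policies to clean up once the flag is disabled. Names such as channel-2 and subscription-1 are assumptions.

```go
package main

import "fmt"

// Hypothetical, simplified model of the objects in the issue (not Knative's API types).
type Ref struct{ Kind, Name string }
type EventPolicy struct {
	Name  string
	Ref   Ref    // .spec.ref: the object this policy protects
	From  []Ref  // .spec.from: allowed OIDC identities, e.g. refs to Subscriptions
	Owner string // owner reference: the Sequence, for lifecycle binding
}

// DesiredEventPolicies computes what the Sequence reconciler should create for a Sequence with
// the given number of steps (channel-i / subscription-i are assumed names); sequencePolicies are
// the EventPolicies already in the cluster, e.g. created by the user.
func DesiredEventPolicies(seq string, steps int, oidcEnabled bool, sequencePolicies []EventPolicy) []EventPolicy {
	if !oidcEnabled {
		return nil // flag disabled: nothing is desired, so previously created policies become stale
	}
	var out []EventPolicy
	for i := 2; i <= steps; i++ { // Channel i is only written by the reply of Subscription i-1
		out = append(out, EventPolicy{
			Name:  fmt.Sprintf("%s-channel-%d", seq, i),
			Ref:   Ref{"Channel", fmt.Sprintf("channel-%d", i)},
			From:  []Ref{{"Subscription", fmt.Sprintf("subscription-%d", i-1)}},
			Owner: seq,
		})
	}
	// Channel 1 is the input channel: its allowed subjects are only known when an EventPolicy
	// targets the Sequence itself, whose .spec.from entries are then copied over.
	var from []Ref
	for _, p := range sequencePolicies {
		if p.Ref == (Ref{"Sequence", seq}) {
			from = append(from, p.From...)
		}
	}
	if len(from) > 0 {
		out = append(out, EventPolicy{Name: seq + "-channel-1", Ref: Ref{"Channel", "channel-1"}, From: from, Owner: seq})
	}
	return out
}

// Stale returns the EventPolicies owned by the Sequence that are no longer desired: the cleanup path.
func Stale(seq string, existing, desired []EventPolicy) (stale []EventPolicy) {
	want := map[string]bool{}
	for _, d := range desired {
		want[d.Name] = true
	}
	for _, e := range existing {
		if e.Owner == seq && !want[e.Name] { // never touch policies the Sequence does not own
			stale = append(stale, e)
		}
	}
	return stale
}
```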
Prerequisites:
7971
7978
Additional context:
Additional hints for new contributors before starting with this issue:
As long as the issue is in Draft status, it is subject to change and thus should not be started to be worked on.