flowchart LR
A[Service A] --> C0
D2 -->|reply from Service 1| X[Service B]
D4 -->|reply from Service 2| X
subgraph Parallel
C0(Channel 0)
C0 -.-> D1(Dispatcher)
D1 --> F1
D1 -->|reply from Filter 1| C1
subgraph "Subscription 1 with Subscriber: Filter 1, Reply: Channel 1, Channel: Channel 0"
F1(Filter 1)
end
C1 -.-> D2
D2(Dispatcher) --> S1
subgraph "Subscription 2 with Subscriber: Service 1, Reply: Service B, Channel: Channel 1"
C1(Channel 1)
S1(Service 1)
end
C0 -.-> D3
D3(Dispatcher) --> F2
subgraph "Subscription 3 with Subscriber: Filter 2, Reply: Channel 2, Channel: Channel 0"
F2(Filter 2)
end
D3 -->|reply from Filter 2| C2
D4(Dispatcher) --> S2
C2 -.-> D4
subgraph "Subscription 4 with Subscriber: Service 2, Reply: Service B, Channel: Channel 2"
C2(Channel 2)
S2(Service 2)
end
end
Therefor we need to make sure we have the correct EventPolicies in place to not block requests to the underlying channel. So the Parallel reconciler should behave as described:
In case the authentication-oidc feature flag is set to enabled:
create EventPolicies like for the above example:
EventPolicy for Channel1:
.spec.ref: pointing to Channel1
.spec.from: OIDC identity of Subscription1. This means .spec.from is a ref to Subscription1
EventPolicy for Channel2:
.spec.ref: pointing to Channel2
.spec.from: OIDC identity of Subscription3. This means .spec.from is a ref to Subscription3
EventPolicy for Channel0:
This EventPolicy will only be created, if we have an EventPolicy for the Parallel in place (e.g. created by the user). This is because Channel0 represents the input channel of the Parallel and we would not be aware of the allowed subs. But as soon as an EventPolicy for the Parallel is in place, the Parallel reconciler would also create an EventPolicy for its input channel (Channel0 here) with the allowed subjects from the EventPolicy targeting the Parallel.
owner reference of the EventPolicies points to the Sequence, so that we have a lifecycle binding
In case the authentication-oidc feature flag is set to disabled:
clean up eventually existing EventPolicies which were created when authentication-oidc was enabled (e.g. by filtering on EventPolicies which have an owner reference to a Parallel)
When you feel comfortable with this issue, feel free to assign it to you (e.g. by commenting /assign). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.
Similar to a Sequence, the Parallel implementation uses Channels under the hood. This means that the Parallel
breaks down to something like
Therefor we need to make sure we have the correct EventPolicies in place to not block requests to the underlying channel. So the Parallel reconciler should behave as described:
authentication-oidc
feature flag is set toenabled
:Channel1
:.spec.ref
: pointing toChannel1
.spec.from
: OIDC identity ofSubscription1
. This means.spec.from
is aref
toSubscription1
Channel2
:.spec.ref
: pointing toChannel2
.spec.from
: OIDC identity ofSubscription3
. This means.spec.from
is aref
toSubscription3
Channel0
:Channel0
represents the input channel of the Parallel and we would not be aware of the allowed subs. But as soon as an EventPolicy for the Parallel is in place, the Parallel reconciler would also create an EventPolicy for its input channel (Channel0
here) with the allowed subjects from the EventPolicy targeting the Parallel.authentication-oidc
feature flag is set todisabled
:authentication-oidc
wasenabled
(e.g. by filtering on EventPolicies which have an owner reference to a Parallel)Prerequisites:
7971
7979
Additional context:
Additional hints for new contributors before starting with this issue:
Draft
status, the issue is subject to change and thus should not be started to be worked on/assign
). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.