Skip to content

feat: Add auth-proxy sidecar and EventPolicy support to EventTransformer#8883

Open
Arpit529Srivastava wants to merge 3 commits intoknative:mainfrom
Arpit529Srivastava:eventtransform-auth-proxy
Open

feat: Add auth-proxy sidecar and EventPolicy support to EventTransformer#8883
Arpit529Srivastava wants to merge 3 commits intoknative:mainfrom
Arpit529Srivastava:eventtransform-auth-proxy

Conversation

@Arpit529Srivastava
Copy link
Contributor

@Arpit529Srivastava Arpit529Srivastava commented Feb 21, 2026

Fixes #8715

Proposed Changes

This pr adds an auth-proxy sidecar to EventTransform deployments when oidc authentication is enabled, following the same pattern used by IntegrationSink. #8708
reconciles a namespace-scoped RoleBinding so the auth-proxy can read EventPolicies in the transform’s namespace, and also reconciles an aggregated RoleBinding in the knative-eventing namespace to allow access to config-features and config-logging configmaps.

sets status.Address.Audience when oidc is enabled and propagates AppliedEventPoliciesStatus to reflect which EventPolicies apply to the EventTransform.

updates service routing to go through the auth-proxy ports (3128/3129) when oidc is enabled.

Pre-review Checklist

  • At least 80% unit test coverage
  • E2E tests for any new behavior
  • Docs PR for any user-facing impact
  • Spec PR for any new API feature
  • Conformance test for any change to the spec

Release Note

EventTransformer now enforces OIDC authentication and EventPolicy-based authorization via an auth-proxy sidecar when the oidc-authentication feature flag is enabled.

Docs

@knative-prow knative-prow bot requested review from Cali0707 and Leo6Leo February 21, 2026 18:43
@knative-prow
Copy link

knative-prow bot commented Feb 21, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: Arpit529Srivastava
Once this PR has been reviewed and has the lgtm label, please assign creydr for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@knative-prow knative-prow bot added size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 21, 2026
@knative-prow
Copy link

knative-prow bot commented Feb 21, 2026

Hi @Arpit529Srivastava. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@codecov
Copy link

codecov bot commented Feb 21, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 69.47791% with 76 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.83%. Comparing base (d3feb16) to head (f797fa0).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
pkg/reconciler/eventtransform/eventtransform.go 53.03% 26 Missing and 5 partials ⚠️
pkg/reconciler/eventtransform/controller.go 0.00% 15 Missing ⚠️
pkg/reconciler/eventtransform/resources_jsonata.go 90.06% 11 Missing and 4 partials ⚠️
pkg/reconciler/testing/v1alpha1/eventtransform.go 0.00% 9 Missing ⚠️
...apis/eventing/v1alpha1/eventtransform_lifecycle.go 25.00% 6 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #8883      +/-   ##
==========================================
+ Coverage   50.63%   50.83%   +0.20%     
==========================================
  Files         409      409              
  Lines       21658    21901     +243     
==========================================
+ Hits        10966    11133     +167     
- Misses       9835     9902      +67     
- Partials      857      866       +9

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@Arpit529Srivastava
Copy link
Contributor Author

Arpit529Srivastava commented Feb 21, 2026

/cc @creydr @Cali0707 PTAL, thanks :)

creydr
creydr reviewed Feb 27, 2026
View reviewed changes
Copy link
Member

@creydr creydr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/ok-to-test
Thanks a lot @Arpit529Srivastava for working on this. This looks very promising already. I left a few comments.
Could you also enable the e2e tests for it? We have for example the authz.AddressableAuthZConformance and oidc.AddressableOIDCConformance tests, which should help a lot on those.

pkg/reconciler/eventtransform/eventtransform.go
Comment on lines +488 to +494
_, err := r.rolebindingLister.RoleBindings(rb.Namespace).Get(rb.Name)
if apierrors.IsNotFound(err) {
return nil
}
if err != nil {
return fmt.Errorf("failed to get rolebinding %s/%s: %w", rb.Namespace, rb.Name, err)
}
Copy link
Member

@creydr creydr Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wondering, if we need this and if we could directly delete it instead 🤔

pkg/reconciler/eventtransform/eventtransform.go
Copy link
Member

@creydr creydr Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add comments on your new methods, what they are for?

pkg/reconciler/eventtransform/eventtransform_test.go

const testAuthProxyImage = "quay.io/fake-auth-proxy"

func TestReconcileOIDC(t *testing.T) {
Copy link
Member

@creydr creydr Feb 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

can we integrate this in the above test suite?

@knative-prow knative-prow bot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Feb 27, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@creydr creydr creydr left review comments

@Cali0707 Cali0707 Awaiting requested review from Cali0707

@Leo6Leo Leo6Leo Awaiting requested review from Leo6Leo

Assignees

No one assigned

Labels

ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add auth checks to EventTransformer

2 participants

@Arpit529Srivastava @creydr