From 5661eb5455572784e6bb8ba4aa20d77aa7179b9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christoph=20St=C3=A4bler?= Date: Wed, 10 Apr 2024 15:43:15 +0200 Subject: [PATCH 1/2] Add limitations for having OIDC and Istio enabled --- .../experimental-features/sender-identity.md | 25 +++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/docs/eventing/experimental-features/sender-identity.md b/docs/eventing/experimental-features/sender-identity.md index 070cc6950b5..75f241443a9 100644 --- a/docs/eventing/experimental-features/sender-identity.md +++ b/docs/eventing/experimental-features/sender-identity.md @@ -234,3 +234,28 @@ Send events to the Broker using OIDC authentication: "name": "authenticated" } ``` + +## Limitations with Istio + +You might experience issues with the [eventing integration with Istio](https://github.com/knative-extensions/eventing-istio) and having the `authentication-oidc` feature flag enabeled, when the JWKS URI is represented via an IP. E.g. like in the following case: + +``` +$ kubectl get --raw /.well-known/openid-configuration | jq +{ + "issuer": "https://kubernetes.default.svc", + "jwks_uri": "https://172.18.0.3:6443/openid/v1/jwks", + ... +} +``` + +In this case you need to add the [`traffic.sidecar.istio.io/excludeOutboundIPRanges: /32`](https://istio.io/latest/docs/reference/config/annotations/#SidecarTrafficExcludeOutboundIPRanges) annotation to the pod templates of the following deployments: +* `imc-dispatcher` +* `mt-broker-ingress` +* `mt-broker-filter` + +For example: + +``` +$ kubectl -n knative-eventing patch deploy imc-dispatcher --patch '{"spec":{"template":{"metadata":{"annotations":{"traffic.sidecar.istio.io/excludeOutboundIPRanges":"172.18.0.3/32"}}}}}' +deployment.apps/imc-dispatcher patched +``` From e4c1f00517d7c943c224afb485299fc669c412d7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Christoph=20St=C3=A4bler?= Date: Thu, 11 Apr 2024 16:53:38 +0200 Subject: [PATCH 2/2] Fix list --- docs/eventing/experimental-features/sender-identity.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/eventing/experimental-features/sender-identity.md b/docs/eventing/experimental-features/sender-identity.md index 75f241443a9..677473cd578 100644 --- a/docs/eventing/experimental-features/sender-identity.md +++ b/docs/eventing/experimental-features/sender-identity.md @@ -249,9 +249,10 @@ $ kubectl get --raw /.well-known/openid-configuration | jq ``` In this case you need to add the [`traffic.sidecar.istio.io/excludeOutboundIPRanges: /32`](https://istio.io/latest/docs/reference/config/annotations/#SidecarTrafficExcludeOutboundIPRanges) annotation to the pod templates of the following deployments: -* `imc-dispatcher` -* `mt-broker-ingress` -* `mt-broker-filter` + +- `imc-dispatcher` +- `mt-broker-ingress` +- `mt-broker-filter` For example:
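Review bot: in the first hunk (docs/eventing/experimental-features/sender-identity.md, the new "Limitations with Istio" section) the link text names the annotation as `traffic.sidecar.istio.io/excludeOutboundIPRanges: /32`, which reads as if the value were literally `/32`; write it as `traffic.sidecar.istio.io/excludeOutboundIPRanges: <jwks-ip>/32` and say explicitly that the IP is the host taken from the `jwks_uri` shown by `kubectl get --raw /.well-known/openid-configuration`, since the later `kubectl patch` example hardcodes `172.18.0.3/32` and a reader copying it will otherwise exclude the wrong address. The sentence "having the `authentication-oidc` feature flag enabeled, when the JWKS URI is represented via an IP. E.g. like in the following case:" has a typo (`enabled`) and would be clearer as "when the `authentication-oidc` feature flag is enabled and the JWKS URI points to an IP address, as in the following case:". Worth one sentence of caveat in the doc as well: traffic to an excluded range bypasses the sidecar entirely, so no mesh mTLS or egress policy applies to it; keep the range to the single /32 of the JWKS host rather than a broader CIDR, and rely on the HTTPS scheme of the `jwks_uri` for transport protection of that fetch. Finally, the patch example only patches `imc-dispatcher`; add a line saying the same patch must be applied to `mt-broker-ingress` and `mt-broker-filter`, and tag the two fenced blocks (`shell` for the command transcripts) so they render consistently with the rest of the page.

Review bot: in the second hunk, the blank line inserted before the list is what makes the Markdown renderer treat the three items as a list rather than as a continuation of the preceding paragraph, so the commit message "Fix list" would be more useful as "Add blank line before list so it renders". Switching the marker from `*` to `-` is fine as long as the rest of sender-identity.md uses `-`; if the file mixes both, the linter will flag it again. The annotation link text in this hunk's context still shows `excludeOutboundIPRanges: /32` without an IP, so the fix suggested for the first hunk applies here too.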