Re-enable Cert Mgr

Signed-off-by: Matthias Wessendorf <[email protected]>

cmd/controller/main.go

@@ -20,6 +20,9 @@ import (
 	// Uncomment the following line to load the gcp plugin (only required to authenticate against GKE clusters).
 	// _ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 
+	v1certificate "knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/certificate"
+
+	"knative.dev/pkg/injection"
 	"knative.dev/pkg/injection/sharedmain"
 
 	filteredFactory "knative.dev/pkg/client/injection/kube/informers/factory/filtered"
@@ -64,9 +67,9 @@ func main() {
 		eventtransform.JsonataResourcesSelector,
 	)
 
-	//for _, inf := range []injection.InformerInjector{v1certificate.WithInformer} {
-	//	injection.Default.RegisterInformer(inf)
-	//}
+	for _, inf := range []injection.InformerInjector{v1certificate.WithInformer} {
+		injection.Default.RegisterInformer(inf)
+	}
 
 	sharedmain.MainWithContext(ctx, "controller",
 		// Messaging

pkg/certificates/certificate.go

@@ -20,8 +20,6 @@ import (
 	"fmt"
 	"time"
 
-	"knative.dev/eventing/pkg/reconciler/integration/sink/resources"
-
 	cmv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 	"knative.dev/pkg/kmeta"
@@ -67,8 +65,8 @@ func MakeCertificate(obj kmeta.OwnerRefableAccessor, name string) *cmv1.Certific
 				RotationPolicy: cmv1.RotationPolicyAlways,
 			},
 			DNSNames: []string{
-				fmt.Sprintf("%s.%s.svc.cluster.local", resources.DeploymentName(name), obj.GetNamespace()),
-				fmt.Sprintf("%s.%s.svc", resources.DeploymentName(name), obj.GetNamespace()),
+				fmt.Sprintf("%s.%s.svc.cluster.local", deploymentName(name), obj.GetNamespace()),
+				fmt.Sprintf("%s.%s.svc", deploymentName(name), obj.GetNamespace()),
 			},
 			IssuerRef: cmmeta.ObjectReference{
 				Name:  "knative-eventing-ca-issuer",
@@ -78,3 +76,7 @@ func MakeCertificate(obj kmeta.OwnerRefableAccessor, name string) *cmv1.Certific
 		},
 	}
 }
+
+func deploymentName(sinkName string) string {
+	return kmeta.ChildName(sinkName, "-deployment")
+}

pkg/reconciler/integration/sink/controller.go

@@ -30,8 +30,8 @@ import (
 	deploymentinformer "knative.dev/pkg/client/injection/kube/informers/apps/v1/deployment"
 	"knative.dev/pkg/client/injection/kube/informers/core/v1/service"
 
-	//	cmclient "knative.dev/eventing/pkg/client/certmanager/injection/client"
-	//	cmcertinformer "knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/certificate"
+	cmclient "knative.dev/eventing/pkg/client/certmanager/injection/client"
+	cmcertinformer "knative.dev/eventing/pkg/client/certmanager/injection/informers/certmanager/v1/certificate"
 
 	integrationsinkreconciler "knative.dev/eventing/pkg/client/injection/reconciler/sinks/v1alpha1/integrationsink"
 	kubeclient "knative.dev/pkg/client/injection/kube/client"
@@ -51,7 +51,7 @@ func NewController(
 	eventPolicyInformer := eventpolicy.Get(ctx)
 	deploymentInformer := deploymentinformer.Get(ctx)
 
-	//	cmCertificateInformer := cmcertinformer.Get(ctx)
+	cmCertificateInformer := cmcertinformer.Get(ctx)
 
 	serviceInformer := service.Get(ctx)
 
@@ -61,10 +61,10 @@ func NewController(
 		deploymentLister: deploymentInformer.Lister(),
 		serviceLister:    serviceInformer.Lister(),
 
-		secretLister:      secretInformer.Lister(),
-		eventPolicyLister: eventPolicyInformer.Lister(),
-		//cmCertificateLister: cmCertificateInformer.Lister(),
-		//certManagerClient:   cmclient.Get(ctx),
+		secretLister:        secretInformer.Lister(),
+		eventPolicyLister:   eventPolicyInformer.Lister(),
+		cmCertificateLister: cmCertificateInformer.Lister(),
+		certManagerClient:   cmclient.Get(ctx),
 	}
 
 	var globalResync func(obj interface{})

pkg/reconciler/integration/sink/integrationsink.go

@@ -87,13 +87,13 @@ func newReconciledNormal(namespace, name string) reconciler.Event {
 func (r *Reconciler) ReconcileKind(ctx context.Context, sink *sinks.IntegrationSink) reconciler.Event {
 	featureFlags := feature.FromContext(ctx)
 
-	//if featureFlags.IsPermissiveTransportEncryption() || featureFlags.IsStrictTransportEncryption() {
-	//	_, err := r.reconcileCMCertificate(ctx, sink)
-	//	if err != nil {
-	//		logging.FromContext(ctx).Errorw("Error reconciling Certificate", zap.Error(err))
-	//		return err
-	//	}
-	//}
+	if featureFlags.IsPermissiveTransportEncryption() || featureFlags.IsStrictTransportEncryption() {
+		_, err := r.reconcileCMCertificate(ctx, sink)
+		if err != nil {
+			logging.FromContext(ctx).Errorw("Error reconciling Certificate", zap.Error(err))
+			return err
+		}
+	}
 
 	_, err := r.reconcileDeployment(ctx, sink, featureFlags)
 	if err != nil {

pkg/reconciler/integration/sink/resources/container_image.go

@@ -26,12 +26,13 @@ import (
 	commonv1a1 "knative.dev/eventing/pkg/apis/common/integration/v1alpha1"
 	"knative.dev/eventing/pkg/apis/feature"
 	"knative.dev/eventing/pkg/apis/sinks/v1alpha1"
+	"knative.dev/eventing/pkg/certificates"
 	"knative.dev/eventing/pkg/reconciler/integration"
 	"knative.dev/pkg/kmeta"
 )
 
 func MakeDeploymentSpec(sink *v1alpha1.IntegrationSink, featureFlags feature.Flags) *appsv1.Deployment {
-	//t := true
+	t := true
 
 	deploy := &appsv1.Deployment{
 		TypeMeta: metav1.TypeMeta{
@@ -55,17 +56,17 @@ func MakeDeploymentSpec(sink *v1alpha1.IntegrationSink, featureFlags feature.Fla
 					Labels: integration.Labels(sink.Name),
 				},
 				Spec: corev1.PodSpec{
-					//Volumes: []corev1.Volume{
-					//	{
-					//		Name: CertificateName(sink),
-					//		VolumeSource: corev1.VolumeSource{
-					//			Secret: &corev1.SecretVolumeSource{
-					//				SecretName: CertificateName(sink),
-					//				Optional:   &t,
-					//			},
-					//		},
-					//	},
-					//},
+					Volumes: []corev1.Volume{
+						{
+							Name: certificates.CertificateName(sink.Name),
+							VolumeSource: corev1.VolumeSource{
+								Secret: &corev1.SecretVolumeSource{
+									SecretName: certificates.CertificateName(sink.Name),
+									Optional:   &t,
+								},
+							},
+						},
+					},
 					Containers: []corev1.Container{
 						{
 							Name:            "sink",
@@ -83,13 +84,13 @@ func MakeDeploymentSpec(sink *v1alpha1.IntegrationSink, featureFlags feature.Fla
 									Name:          "https",
 								}},
 							Env: makeEnv(sink, featureFlags),
-							//VolumeMounts: []corev1.VolumeMount{
-							//	{
-							//		Name:      CertificateName(sink),
-							//		MountPath: "/etc/" + CertificateName(sink),
-							//		ReadOnly:  true,
-							//	},
-							//},
+							VolumeMounts: []corev1.VolumeMount{
+								{
+									Name:      certificates.CertificateName(sink.Name),
+									MountPath: "/etc/" + certificates.CertificateName(sink.Name),
+									ReadOnly:  true,
+								},
+							},
 						},
 					},
 				},
@@ -137,19 +138,19 @@ func MakeService(sink *v1alpha1.IntegrationSink) *corev1.Service {
 func makeEnv(sink *v1alpha1.IntegrationSink, featureFlags feature.Flags) []corev1.EnvVar {
 	var envVars []corev1.EnvVar
 
-	//// Transport encryption environment variables
-	//if !featureFlags.IsDisabledTransportEncryption() {
-	//	envVars = append(envVars, []corev1.EnvVar{
-	//		{
-	//			Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
-	//			Value: "/etc/" + CertificateName(sink) + "/tls.crt",
-	//		},
-	//		{
-	//			Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_KEY-FILES",
-	//			Value: "/etc/" + CertificateName(sink) + "/tls.key",
-	//		},
-	//	}...)
-	//}
+	// Transport encryption environment variables
+	if !featureFlags.IsDisabledTransportEncryption() {
+		envVars = append(envVars, []corev1.EnvVar{
+			{
+				Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
+				Value: "/etc/" + certificates.CertificateName(sink.Name) + "/tls.crt",
+			},
+			{
+				Name:  "QUARKUS_HTTP_SSL_CERTIFICATE_KEY-FILES",
+				Value: "/etc/" + certificates.CertificateName(sink.Name) + "/tls.key",
+			},
+		}...)
+	}
 
 	// No HTTP with strict TLS
 	if featureFlags.IsStrictTransportEncryption() {

test/rekt/integration_sink_test.go

@@ -25,6 +25,7 @@ import (
 	"knative.dev/eventing/test/rekt/features/integrationsink"
 	"knative.dev/pkg/system"
 	"knative.dev/reconciler-test/pkg/environment"
+	"knative.dev/reconciler-test/pkg/eventshub"
 	"knative.dev/reconciler-test/pkg/k8s"
 	"knative.dev/reconciler-test/pkg/knative"
 )
@@ -42,3 +43,18 @@ func TestIntegrationSinkSuccess(t *testing.T) {
 
 	env.Test(ctx, t, integrationsink.Success())
 }
+
+func TestIntegrationSinkSuccessTLS(t *testing.T) {
+	t.Parallel()
+
+	ctx, env := global.Environment(
+		knative.WithKnativeNamespace(system.Namespace()),
+		knative.WithLoggingConfig,
+		knative.WithTracingConfig,
+		k8s.WithEventListener,
+		eventshub.WithTLS(t),
+		environment.Managed(t),
+	)
+
+	env.Test(ctx, t, integrationsink.SuccessTLS())
+}