Collaborator

@creydr creydr commented Feb 5, 2026

Adding probes to IntegrationSink & -Source (backporting 4ee1519 and 4ee1519)

* Make auth-proxy query EventPolicies dynamically

IntegrationSink was baking EventPolicies into the AUTH_POLICIES env var,
requiring deployment rollouts whenever policies changed. This caused test
failures because old pods with stale policies continued serving traffic
during RollingUpdate.

Change auth-proxy to query EventPolicies dynamically using a namespace-scoped
informer, similar to how Broker and Channel work. This eliminates deployment
rollouts when EventPolicies change.

- Add knative-eventing-eventpolicy-reader ClusterRole
- Create namespace-scoped EventPolicy informer in auth-proxy
- Add parent resource env vars to identify which resource to query policies for
- Create RoleBinding in sink's namespace for EventPolicy access
- Remove AUTH_POLICIES env var from deployment spec
- Add test coverage for OIDC-enabled deployments with RoleBindings

* Get resync period from context

* Use rolebindingLister instead of kubeclient directly

* Delete EventPolicy RBAC when OIDC gets disabled

* Recreate subjectsWithFilters only on eventPolicy changes

* Add probes to IntegrationSource deployments

* Fix auth-proxy SINK_URI missing value error

The auth-proxy container was crashing with "required key SINK_URI
missing value" due to a circular dependency in the reconciliation
order. The deployment (with auth-proxy) was being created before
the IntegrationSink status.Address was set, causing the auth-proxy
to fail during startup.

This commit fixes the issue by deriving the SINK_URI directly from
the sink name and namespace (using network.GetServiceHostname())
instead of reading it from status.Address. This matches how the
reconcileAddress() function constructs the URL, but without
requiring the status to be set first.

The same approach is now used for the SINK_AUDIENCE when OIDC
authentication is enabled.

This eliminates the circular dependency and ensures the auth-proxy
always has a valid SINK_URI, regardless of reconciliation timing.

* Add readiness check to auth-proxy

* Fix unit tests

* Use same timings for auth-proxy probes
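
The stale-policy failure mode that the description above attributes to baking policies into `AUTH_POLICIES`, shown as an added example that is not part of this PR or the project's code. `Policy`, `store` and `afterRevocation` are hypothetical stand-ins for an EventPolicy, the informer cache and a running auth-proxy pod, and the JSON shape of the env value is assumed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Policy is a hypothetical, simplified stand-in for an EventPolicy.
type Policy struct{ Subjects []string `json:"subjects"` }

func allows(ps []Policy, subject string) bool {
	for _, p := range ps {
		for _, s := range p.Subjects {
			if s == subject {
				return true
			}
		}
	}
	return false
}

// store stands in for an informer cache that is updated as policies change.
// A real cache is concurrency-safe; this single-goroutine stand-in is not.
type store struct{ ps []Policy }

func (s *store) Set(ps []Policy)             { s.ps = ps }
func (s *store) Allowed(subject string) bool { return allows(s.ps, subject) }

// afterRevocation starts from one policy set, deletes it, and reports what a
// pod with a startup snapshot and a pod with a live store each still decide.
func afterRevocation(envValue, subject string) (baked, dynamic bool, err error) {
	var snapshot []Policy // parsed once at startup, like an env var value
	if err = json.Unmarshal([]byte(envValue), &snapshot); err != nil {
		return false, false, err
	}
	live := &store{ps: snapshot}
	live.Set(nil) // policy deleted; only the live store observes the change
	return allows(snapshot, subject), live.Allowed(subject), nil
}

func main() {
	const sub = "system:serviceaccount:demo:sender" // constructed sample subject
	b, d, err := afterRevocation(`[{"subjects":["`+sub+`"]}]`, sub)
	fmt.Println("baked allows:", b, "dynamic allows:", d, "err:", err)
}
```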
@creydr creydr requested a review from simkam February 5, 2026 12:40
@openshift-ci-robot

@creydr: This pull request references SRVKE-1834 which is a valid jira issue.

@openshift-ci openshift-ci bot requested review from aliok and matzew February 5, 2026 12:40
@openshift-ci openshift-ci bot added the approved label Feb 5, 2026
simkam commented Feb 5, 2026

/lgtm

openshift-ci bot commented Feb 5, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr, simkam


@openshift-merge-bot openshift-merge-bot bot merged commit 8878324 into openshift-knative:release-v1.21 Feb 5, 2026
2 checks passed