diff --git a/api/v1/receiver_types.go b/api/v1/receiver_types.go
index a869c6921..bafc7e30e 100644
--- a/api/v1/receiver_types.go
+++ b/api/v1/receiver_types.go
@@ -81,8 +81,7 @@ type ReceiverSpec struct {
// to validate the payload authenticity. The Secret must contain a 'token'
// key. For GCR receivers, the Secret must also contain an 'email' key
// with the IAM service account email configured on the Pub/Sub push
- // subscription, and may optionally contain an 'audience' key with the
- // expected OIDC token audience.
+ // subscription, and an 'audience' key with the expected OIDC token audience.
// +required
SecretRef meta.LocalObjectReference `json:"secretRef"`
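Review bot: The rewritten comment presents 'audience' as a required key on a par with 'email', while the handler change in internal/server/receiver_handlers.go still accepts a Secret without it (the enforcement is commented out behind a TODO for Flux 2.9), so the API doc overstates what the controller enforces. A reader also will not learn from this that the previous behaviour of deriving the audience from the request URL is gone, which matters for Secrets created before this change. Suggest wording that matches the code, e.g. `// subscription, and an 'audience' key with the expected OIDC token audience (currently optional; it will become required in a future release)`. The CRD and docs/api hunks mirror this text and would need regenerating from the corrected comment.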
diff --git a/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml b/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml
index 713ef5855..2114e2d89 100644
--- a/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml
+++ b/config/crd/bases/notification.toolkit.fluxcd.io_receivers.yaml
@@ -130,8 +130,7 @@ spec:
to validate the payload authenticity. The Secret must contain a 'token'
key. For GCR receivers, the Secret must also contain an 'email' key
with the IAM service account email configured on the Pub/Sub push
- subscription, and may optionally contain an 'audience' key with the
- expected OIDC token audience.
+ subscription, and an 'audience' key with the expected OIDC token audience.
properties:
name:
description: Name of the referent.
diff --git a/docs/api/v1/notification.md b/docs/api/v1/notification.md
index 1c156d176..35f9c5263 100644
--- a/docs/api/v1/notification.md
+++ b/docs/api/v1/notification.md
@@ -152,8 +152,7 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
to validate the payload authenticity. The Secret must contain a ‘token’
key. For GCR receivers, the Secret must also contain an ‘email’ key
with the IAM service account email configured on the Pub/Sub push
-subscription, and may optionally contain an ‘audience’ key with the
-expected OIDC token audience.
+subscription, and an ‘audience’ key with the expected OIDC token audience.
@@ -373,8 +372,7 @@ github.com/fluxcd/pkg/apis/meta.LocalObjectReference
to validate the payload authenticity. The Secret must contain a ‘token’
key. For GCR receivers, the Secret must also contain an ‘email’ key
with the IAM service account email configured on the Pub/Sub push
-subscription, and may optionally contain an ‘audience’ key with the
-expected OIDC token audience.
+subscription, and an ‘audience’ key with the expected OIDC token audience.
diff --git a/docs/spec/v1/receivers.md b/docs/spec/v1/receivers.md
index 471e0a0ed..336fd5618 100644
--- a/docs/spec/v1/receivers.md
+++ b/docs/spec/v1/receivers.md
@@ -576,7 +576,7 @@ The Secret referenced by `.spec.secretRef.name` must contain the following keys:
|--------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| `token` | Yes | Random string used to salt the generated [webhook path](#webhook-path). |
| `email` | Yes | The email of the IAM service account configured on the Pub/Sub push subscription for OIDC authentication. |
-| `audience` | No | The expected `aud` claim in the OIDC token. If omitted, the controller reconstructs it from the incoming request URL, which matches the Pub/Sub default behavior of using the push endpoint URL as the audience. Set this if you configured a custom audience on the Pub/Sub subscription. |
+| `audience` | Yes | The expected `aud` claim in the OIDC token. |
Example:
@@ -591,6 +591,10 @@ type: Opaque
stringData:
token:
email: @.iam.gserviceaccount.com
+ # The default audience set by GCP is the full push endpoint URL, but
+ # you can also choose a custom audience and configure it on the Pub/Sub
+ # subscription.
+ audience: https:///hook/
```
When the verification succeeds, the request payload is unmarshalled to the
diff --git a/internal/server/receiver_handlers.go b/internal/server/receiver_handlers.go
index 120397d46..117756e26 100644
--- a/internal/server/receiver_handlers.go
+++ b/internal/server/receiver_handlers.go
@@ -426,34 +426,23 @@ func (s *ReceiverServer) validate(ctx context.Context, receiver apiv1.Receiver,
} `json:"message"`
}
- expectedEmail, ok := secret.Data["email"]
- _ = ok
+ expectedEmail := string(secret.Data["email"])
// TODO: in Flux 2.9, require the email. this will be a breaking change.
- // if !ok {
+ // if expectedEmail == "" {
// return fmt.Errorf("invalid secret data: required field 'email' for GCR receiver")
// }
- // Determine the expected audience. If explicitly set in the secret, use
- // that. Otherwise, reconstruct the webhook URL from the request, which is
- // the default audience used by GCR when it sends the webhook.
- audience := string(secret.Data["audience"])
- if audience == "" {
- scheme := "https"
- if r.TLS == nil {
- if proto := r.Header.Get("X-Forwarded-Proto"); proto != "" {
- scheme = proto
- } else {
- scheme = "http"
- }
- }
- audience = scheme + "://" + r.Host + r.URL.Path
- }
+ expectedAudience := string(secret.Data["audience"])
+ // TODO: in Flux 2.9, require the audience. this will be a breaking change.
+ // if expectedAudience == "" {
+ // return fmt.Errorf("invalid secret data: required field 'audience' for GCR receiver")
+ // }
authenticate := authenticateGCRRequest
if s.gcrTokenValidator != nil {
authenticate = s.gcrTokenValidator
}
- if err := authenticate(ctx, r.Header.Get("Authorization"), string(expectedEmail), audience); err != nil {
+ if err := authenticate(ctx, r.Header.Get("Authorization"), expectedEmail, expectedAudience); err != nil {
return fmt.Errorf("cannot authenticate GCR request: %w", err)
}
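Review bot: `expectedAudience` is handed to the validator unchanged when the Secret has no 'audience' key, so the removed URL-derived default (which matched the Pub/Sub behaviour of using the push endpoint as the audience) is replaced by an empty string with no check in this hunk; how authenticateGCRRequest or s.gcrTokenValidator treats an empty expected audience is outside the hunk, so this either skips audience validation (a token minted for a different push endpoint but the same service account would then pass for this receiver) or rejects every request from users who relied on the default. Either outcome is a behaviour change for existing Secrets that the TODO says is being deferred to Flux 2.9, and the docs hunk already labels the key as required. Suggest failing closed here rather than relying on the validator, i.e. enable the guard now: `if expectedAudience == "" { return fmt.Errorf("invalid secret data: required field 'audience' for GCR receiver") }`, or, if the key must stay optional until 2.9, keep the request-URL default for the empty case. validate() begins before this hunk and continues past it.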