Sequence and Parallel: announce correct OIDC identities in authstatus

[creydr]

Currently the Sequence and Parallel use a dedicated OIDC service account in their .status.auth.serviceAccountName. Anyhow the underlying channel dispatchers use the SAs from the Subscription(s), so that the announced OIDC identity of the Sequence/Parallel is not correct.
In knative/pkg#3032 the AuthStatus was adjusted to support to announce multiple serviceAccountNames.
This PR addresses the above issue and populates the Sequences and Parallels .status.auth.serviceAccountNames (plural) with the OIDC identities from the underlying subscriptions.

Hint:

• 865edbc reverts the changes in the Sequence to create the OIDC SA (e5f2814)
• a32d1da reverts the changes in the Parallel to create the OIDC SA (dc96522)

Release Note

fix: Expose OIDC identities of underlying Subscriptions in Sequence and Parallel

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 69.42%. Comparing base (7e1c082) to head (c7953fc).
Report is 43 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7902      +/-   ##
==========================================
+ Coverage   69.22%   69.42%   +0.20%     
==========================================
  Files         339      344       +5     
  Lines       19494    15897    -3597     
==========================================
- Hits        13494    11037    -2457     
+ Misses       5337     4184    -1153     
- Partials      663      676      +13     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[creydr]

wait.go:200: test-mbcwiubs/sinkbinding-qcvlukqo condition is {"type":"Ready","status":"False","lastTransitionTime":"2024-05-08T07:37:57Z","reason":"TrustBundlePropagation","message":"failed to create ConfigMap test-mbcwiubs/knative-eventing-bundlekne-bundle: configmaps \"knative-eventing-bundlekne-bundle\" already exists"}

/retest-required

/cc @pierDipi

[creydr]

wait.go:200: test-xyfdvrfi/sinkbinding-fcpikzdn condition is {"type":"Ready","status":"False","lastTransitionTime":"2024-05-08T11:08:51Z","reason":"TrustBundlePropagation","message":"failed to create ConfigMap test-xyfdvrfi/knative-eventing-bundlekne-bundle: configmaps \"knative-eventing-bundlekne-bundle\" already exists"}

/retest-required

[creydr]

@pierDipi, we could also migrate the existing usages of serviceAccountName to serviceAccountNames for the other components too and then deprecate serviceAccountName. But we should do that in a separate PR.

[creydr]

@pierDipi, @Cali0707 could you PTAL?

[Cali0707]

@creydr do we want to backport this to 1.14? If we do, maybe it would make sense to only have the CRD changes for the parallel and sequence in this PR, and then change the others in a separate PR?

[creydr]

@creydr do we want to backport this to 1.14? If we do, maybe it would make sense to only have the CRD changes for the parallel and sequence in this PR, and then change the others in a separate PR?

We would need to backport the knative/pkg changes too (to have the additional field). Therefor I tend to not backport it, as this is also mostly relevant for the upcoming authZ work (and in alpha state too) 🤷

[Cali0707]

Just have a small question about unit testing this (which we could also do as a follow up or maybe isn't needed)

Otherwise lgtm!

[Cali0707]

In this unit test (or another one?) could we add a test that verifies that the parallel correctly sets the audiences from the subscriptions?

[creydr]

Good point. For the audience, we have

eventing/pkg/apis/flows/v1/parallel_lifecycle_test.go

Lines 491 to 496 in 4951b74

	}, {
	name: "Audience",
	address: &duckv1.Addressable{Audience: audience},
	want: &duckv1.Addressable{Audience: audience},
	wantStatus: corev1.ConditionTrue,
	}}

. So I guess you mean the OIDC service account names (but we have this kind of in the e2e tests: 32f59d4). But I can add a unit test tomorrow, which might help on debugging

[Cali0707]

In this unit tests (or another one?) could we add a test that verifies that the sequence correctly sets its audiences based off of the subscription audiences?

[creydr]

Similar to #7902 (comment)

[Cali0707]

/lgtm

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Cali0707, creydr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [Cali0707,creydr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment