Sequence Reconciler: Create EventPolicies for Sequence #7983

Closed
creydr opened this issue Jun 10, 2024 · 1 comment · Fixed by #8106
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. triage/accepted Issues which should be fixed (post-triage)


creydr commented Jun 10, 2024

The Sequence implementation uses Channels under the hood. This means that the Sequence

```mermaid
flowchart LR
    A[Service A] --> Sequence
    Sequence --> X[Service B]

    subgraph Sequence
    S1(Step 1<br />Service S1) --> S2(Step 2<br />Service S2)
    S2 --> S3(Step 3<br />Service S3)
    end
```

breaks down to something like

```mermaid
flowchart LR
    A(Service A) ---> C1

    C1 -.-> D1(Dispatcher)
    D1 --> SVC1
    D1 -->|reply from Service 1| C2

    C2 -.-> D2(Dispatcher)
    D2 --> SVC2
    D2 -->|reply from Service 2| C3

    C3 -.-> D3(Dispatcher)
    D3 --> SVC3
    D3 -->|reply from Service 3| X(Service B)

    subgraph Sequence
        subgraph Subscription1
        C1(Channel 1)
        SVC1(Service 1)
        end

        subgraph Subscription2
        C2(Channel 2)
        SVC2(Service 2)
        end

        subgraph Subscription3
        C3(Channel 3)
        SVC3(Service 3)
        end

        D1
        D2
        D3
    end
```

Therefore, we need to make sure we have the correct EventPolicies in place to not block requests to the underlying channel. So the sequence reconciler should behave as described:

  • In case the authentication-oidc feature flag is set to enabled:
    • create EventPolicies like for the above example:
      • EventPolicy for Channel2:
        • .spec.ref: pointing to Channel2
        • .spec.from: OIDC identity of Subscription1. This means .spec.from is a ref to Subscription1
      • EventPolicy for Channel3:
        • .spec.ref: pointing to Channel3
        • .spec.from: OIDC identity of Subscription2. This means .spec.from is a ref to Subscription2
      • EventPolicy for Channel1:
        • This EventPolicy will only be created, if we have an EventPolicy for the Sequence in place (e.g. created by the user). This is because Channel1 represents the input channel of the Sequence and we would not be aware of the allowed subs. But as soon as an EventPolicy for the Sequence is in place, the Sequence reconciler would also create an EventPolicy for its input channel (Channel1 here) with the allowed subjects from the EventPolicy targeting the Sequence.
      • owner reference of the EventPolicies points to the Sequence, so that we have a lifecycle binding
  • In case the authentication-oidc feature flag is set to disabled:
    • clean up eventually existing EventPolicies which were created when authentication-oidc was enabled (e.g. by filtering on EventPolicies which have an owner reference to a Sequence)

Prerequisites:

Additional context:

Additional hints for new contributors before starting with this issue:

  1. When the issue has the Draft status, the issue is subject to change and thus should not be started to be worked on
  2. Make sure you've read and understood the CONTRIBUTING.md guidelines
  3. Make sure you're able to run Knative Eventing locally and run at least the unit tests.
  4. Feel free to raise any questions you have either directly here in the issue, in the #knative-eventing Slack channel or join the Eventing Workgroup Meeting
  5. When you feel comfortable with this issue, feel free to assign it to you (e.g. by commenting /assign). Please be aware that we might unassign you, if we don't see any progress from your side to give other contributors also a chance to work on this issue.
creydr added the help wanted and triage/accepted labels on Jun 10, 2024
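
The reconciler behaviour described in the issue above, sketched as an added Go example (not code from the issue or from Knative Eventing). The `Policy` struct, the `<seq>-channel-<i>` / `<seq>-subscription-<i>` naming and the function names are assumptions made for the illustration.

```go
package main

import "fmt"

// Policy is a simplified stand-in for an EventPolicy (assumed shape, not the Knative API struct).
type Policy struct {
	Name, To string   // To is the issue's .spec.ref: the Channel being protected
	From     []string // .spec.from: "Subscription/<name>" refs or plain OIDC subjects
	Owner    string   // owner reference (the Sequence), binding the policy's lifecycle
}

// Hypothetical naming: step i (1-based) uses <seq>-channel-<i> and <seq>-subscription-<i>.
func channel(seq string, i int) string { return fmt.Sprintf("%s-channel-%d", seq, i) }
func subRef(seq string, i int) string  { return fmt.Sprintf("Subscription/%s-subscription-%d", seq, i) }

// DesiredPolicies computes the EventPolicies the Sequence reconciler should own.
// seqFrom is the union of .spec.from of the EventPolicies that target the Sequence itself.
func DesiredPolicies(seq string, steps int, oidc bool, seqFrom []string) []Policy {
	var out []Policy
	if !oidc || steps < 1 {
		return out // flag disabled (or no steps): nothing desired, owned policies become stale
	}
	if len(seqFrom) > 0 { // input channel: only once the Sequence itself has a policy
		out = append(out, Policy{Name: channel(seq, 1), To: channel(seq, 1), From: seqFrom, Owner: seq})
	}
	for i := 2; i <= steps; i++ { // Channel i accepts only the reply sent by Subscription i-1
		c := channel(seq, i)
		out = append(out, Policy{Name: c, To: c, From: []string{subRef(seq, i-1)}, Owner: seq})
	}
	return out
}

// Stale lists policies owned by the Sequence that are no longer desired and must be deleted.
func Stale(seq string, existing, desired []Policy) (del []string) {
	keep := map[string]bool{}
	for _, d := range desired {
		keep[d.Name] = true
	}
	for _, e := range existing {
		if e.Owner == seq && !keep[e.Name] {
			del = append(del, e.Name)
		}
	}
	return del
}

func main() {
	// Constructed input: a 3-step Sequence named "seq" with no EventPolicy targeting it.
	fmt.Println(DesiredPolicies("seq", 3, true, nil))
}
```

Without a policy on the Sequence, the input channel gets no EventPolicy; with the flag disabled, `Stale` returns every policy the Sequence owns and leaves policies with other owners alone.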

Leo6Leo commented Jun 14, 2024

/assign

This issue was closed.