support auto generation of SinkBindings identity service account

[rahulii]

Fixes #7324

Proposed Changes

• 🎁 Expose the name of the OIDC service account in the SinkBinding .status.auth.serviceAccountName
• 🎁 Create the OIDC service account of the SinkBinding

Pre-review Checklist

• At least 80% unit test coverage
• E2E tests for any new behavior
• Docs PR for any user-facing impact
• Spec PR for any new API feature
• Conformance test for any change to the spec

Release Note

Expose the SinkBinding OIDC service account name in the SinkBinding .status.auth.serviceAccountName

[knative-prow]

Welcome @rahulii! It looks like this is your first PR to knative/eventing 🎉

[knative-prow]

Hi @rahulii. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[rahulii]

@creydr please review.
Thanks!

[creydr]

Hi @rahulii,
Thanks a lot for your PR. I left 2 comments so far.
Besides of them, I am getting a crashloop backoff when running your PR locally. Seems like some insufficient permissions. Can you check on them?

[creydr]

/ok-to-test

[rahulii]

status:
    auth:
      serviceAccountName: oidc-sources.knative.dev-sinkbinding-heartbeat
    conditions:
    - lastTransitionTime: "2023-10-04T12:04:51Z"
      status: "True"
      type: OIDCIdentityCreated
    - lastTransitionTime: "2023-10-04T12:04:52Z"
      message: Addressable could not be extracted from destination
      reason: NoAddressable
      status: "False"
      type: Ready
    - lastTransitionTime: "2023-10-04T12:04:51Z"
      status: Unknown
      type: SinkProvided

here is the o/p - @creydr

[creydr]

Can you also fix the goformat/style issues?

[creydr]

@rahulii Thanks for the update. Can you fix the unit tests?
Can we also add some reconciler tests, to check if the service account was created and the AuthStatus field set correctly? Something like we did in 0eaf9e8:

eventing/pkg/reconciler/broker/trigger/trigger_test.go

Lines 1489 to 1558 in 402f6ac

	{
	Name: "OIDC: creates OIDC service account",
	Key: testKey,
	Ctx: feature.ToContext(context.Background(), feature.Flags{
	feature.OIDCAuthentication: feature.Enabled,
	}),
	Objects: allBrokerObjectsReadyPlus([]runtime.Object{
	makeReadySubscriptionWithAudience(testNS),
	NewTrigger(triggerName, testNS, brokerName,
	WithTriggerUID(triggerUID),
	WithTriggerSubscriberURI(subscriberURI),
	WithInitTriggerConditions,
	)}...),
	WantErr: false,
	WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
	Object: NewTrigger(triggerName, testNS, brokerName,
	WithTriggerUID(triggerUID),
	WithTriggerSubscriberURI(subscriberURI),
	WithTriggerBrokerReady(),
	// The first reconciliation will initialize the status conditions.
	WithInitTriggerConditions,
	WithTriggerDependencyReady(),
	WithTriggerSubscribed(),
	WithTriggerStatusSubscriberURI(subscriberURI),
	WithTriggerSubscriberResolvedSucceeded(),
	WithTriggerDeadLetterSinkNotConfigured(),
	WithTriggerOIDCIdentityCreatedSucceeded(),
	WithTriggerOIDCServiceAccountName(makeTriggerOIDCServiceAccount().Name),
	),
	}},
	WantCreates: []runtime.Object{
	makeTriggerOIDCServiceAccount(),
	},
	},
	{
	Name: "OIDC: Trigger not ready on invalid OIDC service account",
	Key: testKey,
	Ctx: feature.ToContext(context.Background(), feature.Flags{
	feature.OIDCAuthentication: feature.Enabled,
	}),
	Objects: allBrokerObjectsReadyPlus([]runtime.Object{
	makeReadySubscriptionWithAudience(testNS),
	makeTriggerOIDCServiceAccountWithoutOwnerRef(),
	NewTrigger(triggerName, testNS, brokerName,
	WithTriggerUID(triggerUID),
	WithTriggerSubscriberURI(subscriberURI),
	WithInitTriggerConditions,
	)}...),
	WantErr: true,
	WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
	Object: NewTrigger(triggerName, testNS, brokerName,
	WithTriggerUID(triggerUID),
	WithTriggerSubscriberURI(subscriberURI),
	WithTriggerBrokerReady(),
	// The first reconciliation will initialize the status conditions.
	WithInitTriggerConditions,
	WithTriggerDependencyUnknown("", ""),
	WithTriggerSubscribed(),
	WithTriggerStatusSubscriberURI(subscriberURI),
	WithTriggerSubscriberResolvedSucceeded(),
	WithTriggerDeadLetterSinkNotConfigured(),
	WithTriggerOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", fmt.Sprintf("service account %s not owned by Trigger %s", makeTriggerOIDCServiceAccountWithoutOwnerRef().Name, triggerName)),
	WithTriggerOIDCServiceAccountName(makeTriggerOIDCServiceAccountWithoutOwnerRef().Name),
	WithTriggerSubscribedUnknown("", ""),
	),
	}},
	WantEvents: []string{
	Eventf(corev1.EventTypeWarning, "InternalError", fmt.Sprintf("service account %s not owned by Trigger %s", makeTriggerOIDCServiceAccountWithoutOwnerRef().Name, triggerName)),
	},
	},

[rahulii]

Can we also add some reconciler tests, to check if the service account was created and the AuthStatus field set correctly?

@creydr there are no tests implemented currently for SB reconciler, should I go ahead and create it (a new _test.go file) ?

[codecov]

Codecov Report

Attention: 2 lines in your changes are missing coverage. Please review.

Comparison is base (ba02f4a) 76.90% compared to head (fdda99e) 76.92%.
Report is 2 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7327      +/-   ##
==========================================
+ Coverage   76.90%   76.92%   +0.02%     
==========================================
  Files         252      252              
  Lines       13693    13701       +8     
==========================================
+ Hits        10530    10539       +9     
  Misses       2637     2637              
+ Partials      526      525       -1     

Files	Coverage Δ
pkg/apis/sources/v1/sinkbinding_types.go	100.00% <ø> (ø)
pkg/apis/sources/v1/sinkbinding_lifecycle.go	89.28% <75.00%> (-1.10%)	⬇️

... and 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[pierDipi]

Do we have a constant string we can use across the board for this reason? /cc @creydr

[creydr]

Not yet. But makes sense to introduce one, as we have this at multiple places 👍

[rahulii]

I think that can be a part of seperate PR!

[pierDipi]

@creydr it's a general common not specific to this PR, but we should evaluate if it makes sense to label all of our service accounts and use a "filtered informer" so that we're not watching all service accounts into a cluster which could be quite large but only "ours"

[rahulii]

I think it makes sense to label the service account 👍🏼

[creydr]

That's a good point @pierDipi. I think we can do this in a separate PR

[creydr]

created #7341

[pierDipi]

Instead of using a cluster-wide configmap informer, we can configure a callback function when calling NewStore, that saves quite a bit of memory since that watcher is watching only configmaps in the system namespace as opposed to watching every configmap in the cluster /cc @creydr

[pierDipi]

see example in pkg/reconciler/broker/controller.go

[rahulii]

like featureStore.WatchConfigs(cmw) , right ?

[creydr]

yes. featureStore.WatchConfigs(cmw) takes additional callback functions which get called on configmap updates. E.g.:

var globalResync func(obj interface{})
featureStore := feature.NewStore(logging.FromContext(ctx).Named("feature-config-store"), func(name string, value interface{}) {
	if globalResync != nil {
		globalResync(nil)
	}
})

with globalResync being something like:

globalResync = func(obj interface{}) {
	impl.GlobalResync(sbInformer.Informer())
}

[rahulii]

thanks @creydr

[rahulii]

/ok-to-test

[creydr]

@rahulii maybe #7285 (comment) helps you too on your e2e test 🤷

[rahulii]

@rahulii maybe #7285 (comment) helps you too on your e2e test 🤷

hmm @creydr do you want to do e2e as part of this PR or create a bug and track it ?
quoting @pierDipi from slack :

For E2E tests, we need reconciler-test support for OIDC testing and we're not there yet, so we can track the remaining test part into a different issue and merge this PR ones ready

wdyt?

[creydr]

@rahulii maybe #7285 (comment) helps you too on your e2e test 🤷

hmm @creydr do you want to do e2e as part of this PR or create a bug and track it ? quoting @pierDipi from slack :

For E2E tests, we need reconciler-test support for OIDC testing and we're not there yet, so we can track the remaining test part into a different issue and merge this PR ones ready

wdyt?

I see. Works for me.

[rahulii]

@rahulii maybe #7285 (comment) helps you too on your e2e test 🤷

hmm @creydr do you want to do e2e as part of this PR or create a bug and track it ? quoting @pierDipi from slack :

For E2E tests, we need reconciler-test support for OIDC testing and we're not there yet, so we can track the remaining test part into a different issue and merge this PR ones ready

wdyt?

I see. Works for me.

thanks @creydr , LMK if you need any more changes on this PR! Thanks!

[creydr]

@rahulii the verify job failed. Probably because some relevant changes got merged into main in the meantime. Can you rerun ./hack/update-codegen.sh.?

[rahulii]

@creydr is the e2e test failure because of this PR changes ? 🤔
doen't looks like ! If no, is this PR good to go ?

[creydr]

Thanks a lot @rahulii for your work in this PR and your patience!

/lgtm

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr, rahulii

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [creydr]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment