Sequence and Parallel: announce correct OIDC identities in authstatus (…

…#7902)

* Update CRDs to include AuthStatus serviceAccountNames

* Revert "support auto generation of Sequence identity service account [OIDC] (#7361)"

This reverts commit e5f2814.

* Update Sequence to expose OIDC identities of underlying Subscriptions

* Revert "Add serviceaccount in parallel (#7373)"

This reverts commit dc96522.

* Update Parallel to expose OIDC identities of underlying Subscriptions

* Add e2e test for Parallel

* Add e2e test for Sequence

* Add unit tests

config/channels/in-memory-channel/resources/in-memory-channel.yaml

@@ -170,6 +170,11 @@ spec:
                         serviceAccountName:
                           description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                           type: string
+                        serviceAccountNames:
+                          description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                          type: array
+                          items:
+                            type: string
           status:
             description: Status represents the current state of the Channel. This data may be out of date.
             type: object
@@ -286,6 +291,11 @@ spec:
                         serviceAccountName:
                           description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                           type: string
+                        serviceAccountNames:
+                          description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                          type: array
+                          items:
+                            type: string
     additionalPrinterColumns:
     - name: URL
       type: string

config/core/resources/apiserversource.yaml

@@ -201,6 +201,11 @@ spec:
                   serviceAccountName:
                     description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                     type: string
+                  serviceAccountNames:
+                    description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                    type: array
+                    items:
+                      type: string
               ceAttributes:
                 description: CloudEventAttributes are the specific attributes that the Source uses as part of its CloudEvents.
                 type: array

config/core/resources/channel.yaml

@@ -189,6 +189,11 @@ spec:
                         serviceAccountName:
                           description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                           type: string
+                        serviceAccountNames:
+                          description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                          type: array
+                          items:
+                            type: string
           status:
             description: Status represents the current state of the Channel. This data may be out of date.
             type: object
@@ -321,6 +326,11 @@ spec:
                         serviceAccountName:
                           description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                           type: string
+                        serviceAccountNames:
+                          description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                          type: array
+                          items:
+                            type: string
   names:
     kind: Channel
     plural: channels

config/core/resources/containersource.yaml

@@ -94,6 +94,11 @@ spec:
                     serviceAccountName:
                       description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                       type: string
+                    serviceAccountNames:
+                      description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                      type: array
+                      items:
+                        type: string
                 ceAttributes:
                   description: CloudEventAttributes are the specific attributes that the Source uses as part of its CloudEvents.
                   type: array

config/core/resources/parallel.yaml

@@ -345,6 +345,11 @@ spec:
                   serviceAccountName:
                     description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                     type: string
+                  serviceAccountNames:
+                    description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                    type: array
+                    items:
+                      type: string
               branchStatuses:
                 description: BranchStatuses is an array of corresponding to branch
                     statuses. Matches the Spec.Branches array in the order.

config/core/resources/pingsource.yaml

@@ -135,6 +135,11 @@ spec:
                   serviceAccountName:
                     description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                     type: string
+                  serviceAccountNames:
+                    description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                    type: array
+                    items:
+                      type: string
               ceAttributes:
                 description: 'CloudEventAttributes are the specific attributes that
                           the Source uses as part of its CloudEvents.'
@@ -316,6 +321,11 @@ spec:
                   serviceAccountName:
                     description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                     type: string
+                  serviceAccountNames:
+                    description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                    type: array
+                    items:
+                      type: string
               ceAttributes:
                 description: 'CloudEventAttributes are the specific attributes that
                         the Source uses as part of its CloudEvents.'

config/core/resources/sequence.yaml

@@ -196,6 +196,11 @@ spec:
                   serviceAccountName:
                     description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                     type: string
+                  serviceAccountNames:
+                    description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                    type: array
+                    items:
+                      type: string
               channelStatuses:
                 description: ChannelStatuses is an array of corresponding Channel statuses. Matches the Spec.Steps array in the order.
                 type: array

config/core/resources/sinkbindings.yaml

@@ -136,6 +136,11 @@ spec:
                     serviceAccountName:
                       description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                       type: string
+                    serviceAccountNames:
+                      description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                      type: array
+                      items:
+                        type: string
                 ceAttributes:
                   description: CloudEventAttributes are the specific attributes that the Source uses as part of its CloudEvents.
                   type: array

config/core/resources/subscription.yaml

@@ -169,6 +169,11 @@ spec:
                   serviceAccountName:
                     description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                     type: string
+                  serviceAccountNames:
+                    description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                    type: array
+                    items:
+                      type: string
               conditions:
                 description: Conditions the latest available observations of a resource's current state.
                 type: array

config/core/resources/trigger.yaml

@@ -169,6 +169,11 @@ spec:
                   serviceAccountName:
                     description: ServiceAccountName is the name of the generated service account used for this components OIDC authentication.
                     type: string
+                  serviceAccountNames:
+                    description: ServiceAccountNames is the list of names of the generated service accounts used for this components OIDC authentication.
+                    type: array
+                    items:
+                      type: string
               conditions:
                 description: Conditions the latest available observations of a resource's current state.
                 type: array

pkg/apis/flows/v1/parallel_lifecycle.go

@@ -25,7 +25,7 @@ import (
 	pkgduckv1 "knative.dev/pkg/apis/duck/v1"
 )
 
-var pCondSet = apis.NewLivingConditionSet(ParallelConditionReady, ParallelConditionChannelsReady, ParallelConditionSubscriptionsReady, ParallelConditionAddressable, ParallelConditionOIDCIdentityCreated)
+var pCondSet = apis.NewLivingConditionSet(ParallelConditionReady, ParallelConditionChannelsReady, ParallelConditionSubscriptionsReady, ParallelConditionAddressable)
 
 const (
 	// ParallelConditionReady has status True when all subconditions below have been set to True.
@@ -41,8 +41,7 @@ const (
 
 	// ParallelConditionAddressable has status true when this Parallel meets
 	// the Addressable contract and has a non-empty hostname.
-	ParallelConditionAddressable         apis.ConditionType = "Addressable"
-	ParallelConditionOIDCIdentityCreated apis.ConditionType = "OIDCIdentityCreated"
+	ParallelConditionAddressable apis.ConditionType = "Addressable"
 )
 
 // GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
@@ -81,6 +80,7 @@ func (ps *ParallelStatus) PropagateSubscriptionStatuses(filterSubscriptions []*m
 	if ps.BranchStatuses == nil || len(subscriptions) != len(ps.BranchStatuses) {
 		ps.BranchStatuses = make([]ParallelBranchStatus, len(subscriptions))
 	}
+	ps.Auth = nil
 	allReady := true
 	// If there are no subscriptions, treat that as a False branch. Could go either way, but this seems right.
 	if len(subscriptions) == 0 {
@@ -126,6 +126,19 @@ func (ps *ParallelStatus) PropagateSubscriptionStatuses(filterSubscriptions []*m
 			allReady = false
 		}
 
+		if fs.Status.Auth != nil && fs.Status.Auth.ServiceAccountName != nil {
+			if ps.Auth == nil {
+				ps.Auth = &pkgduckv1.AuthStatus{}
+			}
+			ps.Auth.ServiceAccountNames = append(ps.Auth.ServiceAccountNames, *fs.Status.Auth.ServiceAccountName)
+		}
+
+		if s.Status.Auth != nil && s.Status.Auth.ServiceAccountName != nil {
+			if ps.Auth == nil {
+				ps.Auth = &pkgduckv1.AuthStatus{}
+			}
+			ps.Auth.ServiceAccountNames = append(ps.Auth.ServiceAccountNames, *s.Status.Auth.ServiceAccountName)
+		}
 	}
 	if allReady {
 		pCondSet.Manage(ps).MarkTrue(ParallelConditionSubscriptionsReady)
@@ -196,22 +209,6 @@ func (ps *ParallelStatus) MarkAddressableNotReady(reason, messageFormat string,
 	pCondSet.Manage(ps).MarkFalse(ParallelConditionAddressable, reason, messageFormat, messageA...)
 }
 
-func (ps *ParallelStatus) MarkOIDCIdentityCreatedSucceeded() {
-	pCondSet.Manage(ps).MarkTrue(ParallelConditionOIDCIdentityCreated)
-}
-
-func (ps *ParallelStatus) MarkOIDCIdentityCreatedSucceededWithReason(reason, messageFormat string, messageA ...interface{}) {
-	pCondSet.Manage(ps).MarkTrueWithReason(ParallelConditionOIDCIdentityCreated, reason, messageFormat, messageA...)
-}
-
-func (ps *ParallelStatus) MarkOIDCIdentityCreatedFailed(reason, messageFormat string, messageA ...interface{}) {
-	pCondSet.Manage(ps).MarkFalse(ParallelConditionOIDCIdentityCreated, reason, messageFormat, messageA...)
-}
-
-func (ps *ParallelStatus) MarkOIDCIdentityCreatedUnknown(reason, messageFormat string, messageA ...interface{}) {
-	pCondSet.Manage(ps).MarkUnknown(ParallelConditionOIDCIdentityCreated, reason, messageFormat, messageA...)
-}
-
 func (ps *ParallelStatus) setAddress(address *pkgduckv1.Addressable) {
 	ps.Address = address
 	if address == nil {