feat: Supporting using pod default credentials for Integration Source and Sink

[qswinson]

Fixes #8437

Proposed Changes

This PR adds support for using the pod AWS default credentials for IntegrationSource and IntegrationSink resources. It adds an optional property .spec.aws.auth.serviceAccountName to specify the ServiceAccount the pod should run as. The ServiceAccount applies the desired role to the pod as the default credentials.

This change requires the latest images from aws-*-source in order for the Camel useDefaultCredentialsProvider property to be loaded from the environment variable.

Pre-review Checklist

• At least 80% unit test coverage
• E2E tests for any new behavior
• Docs PR for any user-facing impact
• Spec PR for any new API feature
• Conformance test for any change to the spec

Release Note

Add support for using Pod default credentials in AWS IntegrationSource and IntegrationSink resources by specifying a ServiceAccount.

Docs
knative/docs#6394

[knative-prow]

Welcome @qswinson! It looks like this is your first PR to knative/eventing 🎉

[knative-prow]

Hi @qswinson. Thanks for your PR.

I'm waiting for a knative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[dprotaso]

/ok-to-test

[codecov]

Codecov Report

❌ Patch coverage is 43.18182% with 25 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.60%. Comparing base (bfd6957) to head (f282427).
⚠️ Report is 5 commits behind head on main.

Files with missing lines	Patch %	Lines
...iler/integration/sink/resources/container_image.go	42.85%	11 Missing and 1 partial ⚠️
...er/integration/source/resources/containersource.go	47.61%	10 Missing and 1 partial ⚠️
pkg/apis/common/integration/v1alpha1/auth.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #8731      +/-   ##
==========================================
+ Coverage   50.23%   50.60%   +0.36%     
==========================================
  Files         409      409              
  Lines       26665    26707      +42     
==========================================
+ Hits        13396    13515     +119     
+ Misses      12427    12341      -86     
- Partials      842      851       +9     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[dprotaso]

/retest

[dprotaso]

LGTM

Added a question for the maintainers.

[dprotaso]

@matzew @creydr how come I don't see this and accessKey field in the Integration* CRDs. Is stuff read from the secret and then these fields populated?

[matzew]

yes, that is via secret and there populated

[qswinson]

/retest

[dprotaso]

@qswinson I don't think it's a flake but a side-effect of something in your PR.

Looking at the testgrid here the test is stable - https://testgrid.k8s.io/r/knative-own-testgrid/eventing#continuous&include-filter-by-regex=TestIntegrationSourceWithTLS

[dprotaso]

cc @matzew @creydr for a review in the meantime

[matzew]

I think we should use the new version of supported ENV_VARs, seE: https://github.com/knative-extensions/eventing-integrations/blob/main/aws-s3-sink/properties.adoc

/cc @christophd

[christophd]

yes +1 for more readability

[knative-prow]

@matzew: GitHub didn't allow me to request PR reviews from the following users: christophd.

Note that only knative members and repo collaborators can review this PR, and authors cannot review their own PRs.

In response to this:

I think we should use the new version of supported ENV_VARs, seE: https://github.com/knative-extensions/eventing-integrations/blob/main/aws-s3-sink/properties.adoc

/cc @christophd

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[dprotaso]

/test reconciler-tests_eventing_main

[dprotaso]

/lgtm

[dprotaso]

Leaving approval for @matzew & @creydr

[matzew]

/lgtm
/approve

[knative-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: matzew, qswinson

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [matzew]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dprotaso]

/retest

[dprotaso]

I pushed a change increase the timeout. The reconciler failures were from cert manager certs not being deleted fast enough.

[creydr]

/lgtm

[dprotaso]

thanks @qswinson 🎉