switch trigger sa based auth to impersonate; change secret ref to string and by extension same namespace as EventListener

[gabemontero]

Changes

As the efforts to progress support for multi-tenant event listeners has evolved, most notably around the notion of breaking out EventListenerTrigger into a Trigger CRD, or an analogous resource like a PipelineRecipe defined in the pipelines project, some evolution of the finer grained auth originally introduced in #454 seemed appropriate.

This PR currently has 2 commits with that goal in mind:

• switch the secret reference originally introduced in introduce authentication/authorization at the EventListenerTrigger le… #454 from a ObjectReference to a LocalObjectReference, hence scoping the SA's available for use to the SA's present in the namespace of the trigger object itself; we originally scoped it as ObjectReference because the interceptors had a a multi-namespace scope for secrets per https://github.com/tektoncd/triggers/blob/master/pkg/apis/triggers/v1alpha1/event_listener_types.go#L97-L104 however as the various TEPs/proposals have evolved that no longer seems like a valid motivator for having this SA reference be multi namespace
• as a result, the implementation for creating tekton objects under the permission of the referenced SA has been switched to use impersonation vs. construction of an actual client; this allowed for some positive changes in the roles required, but also should fit in well with how the upcoming TEPs / proposals will get implemented

And as a result this

Fixes #679

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• [/ ] Includes tests (if functionality changed/added)
• [ /] Includes docs (if user facing)
• [ /] Commit messages follow commit message best practices

See the contribution guide for more details.

Release Notes

• BREAKING CHANGE: the optional EventListenerTrigger based level of authentication for creating Tekton object has had its ServiceAccount reference changed from an ObjectReference to a string ServiceAccountName, effectively enforcing that the ServiceAccount be in the same namespace as the EventListenerTrigger

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	36.2%	-6.9
pkg/sink/sink.go	75.2%	76.3%	1.0

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	36.2%	-6.9
pkg/sink/sink.go	75.2%	76.3%	1.0

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	38.2%	-4.9
pkg/sink/sink.go	75.2%	76.3%	1.0

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	38.2%	-4.9
pkg/sink/sink.go	75.2%	76.3%	1.0

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	38.2%	-4.9
pkg/sink/sink.go	75.2%	76.3%	1.0

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	38.2%	-4.9
pkg/sink/sink.go	75.2%	76.3%	1.0

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	38.2%	-4.9
pkg/sink/sink.go	75.2%	76.3%	1.0

[gabemontero]

/assign @dibyom
/assign @khrm

details in the description gentlemen

similar in spirit to #704 but a more comprehensive change as it evolves the support I added back in Feb / Mar of this year.

[dibyom]

Thanks @gabemontero I think this should address #679 too?

[gabemontero]

Thanks @gabemontero I think this should address #679 too?

yes it does @dibyom

[gabemontero]

forgot to

/hold cancel

[khrm]

/lgtm

I think we should move to ServiceAccountName string instead of taking it as ServiceAccount LocalObjectReference. Maybe a pr later on which deprecate ServiceAccount in favour of ServiceAccountName.

Then, this will have the same format as we do in other Tekton resources which requires ServiceAccount.

[gabemontero]

/lgtm

I think we should move to ServiceAccountName string instead of taking it as ServiceAccount LocalObjectReference. Maybe a pr later on which deprecate ServiceAccount in favour of ServiceAccountName.

Then, this will have the same format as we do in other Tekton resources which requires ServiceAccount.

I'm fine with switching to ServiceAccountName with this PR. I'll do that momentarily, and then between the two of you @khrm @dibyom unless anything else comes to mind, feel free to both approve and lgtm. Of course if @dibyom has issue with the move off of LocalObjectReference we can discuss further.

thanks

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	0.0%	-43.1
pkg/sink/sink.go	75.2%	76.3%	1.0

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	0.0%	-43.1
pkg/sink/sink.go	75.2%	76.3%	1.0

[gabemontero]

switch from LocalObjectReference to string pushed

adjusted PR title

Also added Fixes #679 note in description

@dibyom @khrm PTAL

[gabemontero]

oh and I removed more unneeded code from auth_override.go, hence the delta change

we are now down to one method which we have to use the "fake" version of in the unit tests to bypass actual client access to a cluster

the function is covered by the e2e that validates trigger level SA

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	0.0%	-43.1
pkg/sink/sink.go	75.2%	76.3%	1.0

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	0.0%	-43.1
pkg/sink/sink.go	75.2%	76.3%	1.0

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	0.0%	-43.1
pkg/sink/sink.go	75.2%	76.3%	1.0

[tekton-robot]

The following is the coverage report on the affected files.
Say /test pull-tekton-triggers-go-coverage to re-run this coverage report

File	Old Coverage	New Coverage	Delta
pkg/sink/auth_override.go	43.1%	0.0%	-43.1
pkg/sink/sink.go	75.2%	76.3%	1.0

[gabemontero]

tests back to green after the switch to serviceAccountName string

PTAL @khrm @dibyom

[dibyom]

/approve

[dibyom]

oh and I removed more unneeded code from auth_override.go, hence the delta change

we are now down to one method which we have to use the "fake" version of in the unit tests to bypass actual client access to a cluster

the function is covered by the e2e that validates trigger level SA

Thanks for the clarification!

[khrm]

/lgtm

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dibyom, khrm

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [dibyom,khrm]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment