upgrade to latest dependencies

bumping knative.dev/hack 0914314...b979959:
  > b979959 Update community files (# 387)
bumping knative.dev/reconciler-test de3a013...3a59c9d:
  > 3a59c9d Update community files (# 741)
bumping knative.dev/pkg 3f6a546...7ecd548:
  > 7ecd548 Update community files (# 3071)
bumping knative.dev/eventing 96c30bd...5f6713a:
  > 5f6713a fix(test): creating the knsubscribe clusterrolebinding does not cause install script to fail (# 8068)
  > 8e039dd Watch only our own OIDC-related secrets (# 8070)
  > 5a96619 Add Kubernetes Version Check to Installation Script (# 8025)
  > 332d974 Update TokenVerifier to verify AuthZ too (# 8063)
  > 3264b21 List applying EventPolicies in Brokers status (# 8060)
  > 657c3cd List applying policies in job sink (# 8064)
  > 98ed09c [main] Update community files (# 8069)
  > e2d782f # 7879: Changes to add filters field (# 7930)
  > d18595f 🐛 Codecov reject any coverage drop (# 8065)
  > 399bb86 Reconcile EventPolicies when features configmap changes (# 8059)
  > 4f2b53f Set APIVersion and Kind of EventPolicy manually in OwnerReference of backing channels policy (# 8031)

Signed-off-by: Knative Automation <automation@knative.team>

go.mod

@@ -35,10 +35,10 @@ require (
 	k8s.io/apiserver v0.29.2
 	k8s.io/client-go v0.29.2
 	k8s.io/utils v0.0.0-20240102154912-e7106e64919e
-	knative.dev/eventing v0.41.1-0.20240701131713-96c30bd21612
-	knative.dev/hack v0.0.0-20240607132042-09143140a254
-	knative.dev/pkg v0.0.0-20240626134149-3f6a546ac3a4
-	knative.dev/reconciler-test v0.0.0-20240702140541-de3a0139e854
+	knative.dev/eventing v0.41.1-0.20240704190613-5f6713a5dcb5
+	knative.dev/hack v0.0.0-20240704013904-b9799599afcf
+	knative.dev/pkg v0.0.0-20240704013837-7ecd5485cbc6
+	knative.dev/reconciler-test v0.0.0-20240704013940-3a59c9dfb680
 	sigs.k8s.io/controller-runtime v0.12.3
 	sigs.k8s.io/yaml v1.4.0
 )

go.sum

@@ -1213,14 +1213,14 @@ k8s.io/utils v0.0.0-20200912215256-4140de9c8800/go.mod h1:jPW/WVKK9YHAvNhRxK0md/
 k8s.io/utils v0.0.0-20210819203725-bdf08cb9a70a/go.mod h1:jPW/WVKK9YHAvNhRxK0md/EJ228hCsBRufyofKtW8HA=
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e h1:eQ/4ljkx21sObifjzXwlPKpdGLrCfRziVtos3ofG/sQ=
 k8s.io/utils v0.0.0-20240102154912-e7106e64919e/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
-knative.dev/eventing v0.41.1-0.20240701131713-96c30bd21612 h1:Bs2fXBPUv+Df4YqIDNJRRRYGKrduST/AA4Foa9S23LA=
-knative.dev/eventing v0.41.1-0.20240701131713-96c30bd21612/go.mod h1:3h0QrfHELs61mrTI4GDPEQh4rwsap0YYA5XgRrNgnlc=
-knative.dev/hack v0.0.0-20240607132042-09143140a254 h1:1YFnu3U6dWZg0oxm6GU8kEdA9A+BvSWKJO7sg3N0kq8=
-knative.dev/hack v0.0.0-20240607132042-09143140a254/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
-knative.dev/pkg v0.0.0-20240626134149-3f6a546ac3a4 h1:slPKf3UKdBFZlz+hFy+KXzTgY9yOePLzRuEhKzgc5a4=
-knative.dev/pkg v0.0.0-20240626134149-3f6a546ac3a4/go.mod h1:Wikg4u73T6vk9TctrxZt60VXzqmGEQIx0iKfk1+9o4c=
-knative.dev/reconciler-test v0.0.0-20240702140541-de3a0139e854 h1:eyXZBmB8YfOzAzou00DNyS0p1g4dzISRsjGmKoDroJQ=
-knative.dev/reconciler-test v0.0.0-20240702140541-de3a0139e854/go.mod h1:g+5v4Zdqt/e+172sJ1pKOqu4bS58RxxWyef7g/7nV4A=
+knative.dev/eventing v0.41.1-0.20240704190613-5f6713a5dcb5 h1:RfCStuPWB5Ny2tjB8pRP5lEgyV3wiDC4SCJMS2Adrs8=
+knative.dev/eventing v0.41.1-0.20240704190613-5f6713a5dcb5/go.mod h1:3h0QrfHELs61mrTI4GDPEQh4rwsap0YYA5XgRrNgnlc=
+knative.dev/hack v0.0.0-20240704013904-b9799599afcf h1:n92FmZRywgtHso7pFAku7CW0qvRAs1hXtMQqO0R6eiE=
+knative.dev/hack v0.0.0-20240704013904-b9799599afcf/go.mod h1:yk2OjGDsbEnQjfxdm0/HJKS2WqTLEFg/N6nUs6Rqx3Q=
+knative.dev/pkg v0.0.0-20240704013837-7ecd5485cbc6 h1:/oGRGm/csTc0sUHo00MQ3NQrJaRP7iMTGC9bXpeEuuU=
+knative.dev/pkg v0.0.0-20240704013837-7ecd5485cbc6/go.mod h1:Wikg4u73T6vk9TctrxZt60VXzqmGEQIx0iKfk1+9o4c=
+knative.dev/reconciler-test v0.0.0-20240704013940-3a59c9dfb680 h1:hsEXUWnfaK/PwqaRCSMFQoHYusibOMit4rDwbjTxHNM=
+knative.dev/reconciler-test v0.0.0-20240704013940-3a59c9dfb680/go.mod h1:g+5v4Zdqt/e+172sJ1pKOqu4bS58RxxWyef7g/7nV4A=
 rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8=
 rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0=
 rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA=

vendor/knative.dev/eventing/hack/install.sh

@@ -21,6 +21,12 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
+go run "$(dirname "$0")/../test/version_check/check_k8s_version.go"
+if [[ $? -ne 0 ]]; then
+    echo "Kubernetes version check failed. Exiting."
+    exit 1
+fi
+
 export SCALE_CHAOSDUCK_TO_ZERO=1
 export REPLICAS=1
 

vendor/knative.dev/eventing/pkg/apis/eventing/v1/broker_lifecycle.go

@@ -32,6 +32,7 @@ const (
 	BrokerConditionFilter                 apis.ConditionType = "FilterReady"
 	BrokerConditionAddressable            apis.ConditionType = "Addressable"
 	BrokerConditionDeadLetterSinkResolved apis.ConditionType = "DeadLetterSinkResolved"
+	BrokerConditionEventPoliciesReady     apis.ConditionType = "EventPoliciesReady"
 )
 
 var brokerCondSet = apis.NewLivingConditionSet(
@@ -40,6 +41,7 @@ var brokerCondSet = apis.NewLivingConditionSet(
 	BrokerConditionFilter,
 	BrokerConditionAddressable,
 	BrokerConditionDeadLetterSinkResolved,
+	BrokerConditionEventPoliciesReady,
 )
 var brokerCondSetLock = sync.RWMutex{}
 
@@ -118,3 +120,19 @@ func (bs *BrokerStatus) MarkDeadLetterSinkResolvedFailed(reason, messageFormat s
 	bs.DeliveryStatus = eventingduck.DeliveryStatus{}
 	bs.GetConditionSet().Manage(bs).MarkFalse(BrokerConditionDeadLetterSinkResolved, reason, messageFormat, messageA...)
 }
+
+func (bs *BrokerStatus) MarkEventPoliciesTrue() {
+	bs.GetConditionSet().Manage(bs).MarkTrue(BrokerConditionEventPoliciesReady)
+}
+
+func (bs *BrokerStatus) MarkEventPoliciesTrueWithReason(reason, messageFormat string, messageA ...interface{}) {
+	bs.GetConditionSet().Manage(bs).MarkTrueWithReason(BrokerConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
+
+func (bs *BrokerStatus) MarkEventPoliciesFailed(reason, messageFormat string, messageA ...interface{}) {
+	bs.GetConditionSet().Manage(bs).MarkFalse(BrokerConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
+
+func (bs *BrokerStatus) MarkEventPoliciesUnknown(reason, messageFormat string, messageA ...interface{}) {
+	bs.GetConditionSet().Manage(bs).MarkUnknown(BrokerConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}

vendor/knative.dev/eventing/pkg/apis/eventing/v1/test_helper.go

@@ -66,6 +66,7 @@ func (t testHelper) ReadyBrokerStatus() *BrokerStatus {
 		URL: apis.HTTP("example.com"),
 	})
 	bs.MarkDeadLetterSinkResolvedSucceeded(eventingduckv1.DeliveryStatus{})
+	bs.MarkEventPoliciesTrue()
 	return bs
 }
 
@@ -77,6 +78,7 @@ func (t testHelper) ReadyBrokerStatusWithoutDLS() *BrokerStatus {
 	bs.SetAddress(&duckv1.Addressable{
 		URL: apis.HTTP("example.com"),
 	})
+	bs.MarkEventPoliciesTrue()
 	bs.MarkDeadLetterSinkNotConfigured()
 	return bs
 }

vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/job_sink_lifecycle.go

@@ -23,17 +23,23 @@ import (
 	"knative.dev/pkg/apis"
 
 	"knative.dev/eventing/pkg/apis/sinks"
+	duckv1 "knative.dev/pkg/apis/duck/v1"
 )
 
 const (
 	// JobSinkConditionReady has status True when the JobSink is ready to send events.
 	JobSinkConditionReady = apis.ConditionReady
 
 	JobSinkConditionAddressable apis.ConditionType = "Addressable"
+
+	// JobSinkConditionEventPoliciesReady has status True when all the applying EventPolicies for this
+	// JobSink are ready.
+	JobSinkConditionEventPoliciesReady apis.ConditionType = "EventPoliciesReady"
 )
 
 var JobSinkCondSet = apis.NewLivingConditionSet(
 	JobSinkConditionAddressable,
+	JobSinkConditionEventPoliciesReady,
 )
 
 // GetConditionSet retrieves the condition set for this resource. Implements the KRShaped interface.
@@ -71,8 +77,43 @@ func (s *JobSinkStatus) InitializeConditions() {
 	JobSinkCondSet.Manage(s).InitializeConditions()
 }
 
+// MarkAddressableReady marks the Addressable condition to True.
+func (s *JobSinkStatus) MarkAddressableReady() {
+	JobSinkCondSet.Manage(s).MarkTrue(JobSinkConditionAddressable)
+}
+
+// MarkEventPoliciesFailed marks the EventPoliciesReady condition to False with the given reason and message.
+func (s *JobSinkStatus) MarkEventPoliciesFailed(reason, messageFormat string, messageA ...interface{}) {
+	JobSinkCondSet.Manage(s).MarkFalse(JobSinkConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
+
+// MarkEventPoliciesUnknown marks the EventPoliciesReady condition to Unknown with the given reason and message.
+func (s *JobSinkStatus) MarkEventPoliciesUnknown(reason, messageFormat string, messageA ...interface{}) {
+	JobSinkCondSet.Manage(s).MarkUnknown(JobSinkConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
+
+// MarkEventPoliciesTrue marks the EventPoliciesReady condition to True.
+func (s *JobSinkStatus) MarkEventPoliciesTrue() {
+	JobSinkCondSet.Manage(s).MarkTrue(JobSinkConditionEventPoliciesReady)
+}
+
+// MarkEventPoliciesTrueWithReason marks the EventPoliciesReady condition to True with the given reason and message.
+func (s *JobSinkStatus) MarkEventPoliciesTrueWithReason(reason, messageFormat string, messageA ...interface{}) {
+	JobSinkCondSet.Manage(s).MarkTrueWithReason(JobSinkConditionEventPoliciesReady, reason, messageFormat, messageA...)
+}
+
 func (e *JobSink) SetJobStatusSelector() {
 	if e.Spec.Job != nil {
 		e.Status.JobStatus.Selector = fmt.Sprintf("%s=%s", sinks.JobSinkNameLabel, e.GetName())
 	}
 }
+
+func (s *JobSinkStatus) SetAddress(address *duckv1.Addressable) {
+	s.Address = address
+	if address == nil || address.URL.IsEmpty() {
+		JobSinkCondSet.Manage(s).MarkFalse(JobSinkConditionAddressable, "EmptyHostname", "hostname is the empty string")
+	} else {
+		JobSinkCondSet.Manage(s).MarkTrue(JobSinkConditionAddressable)
+
+	}
+}

vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/job_sink_types.go

@@ -22,6 +22,7 @@ import (
 
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
+	eventingduckv1 "knative.dev/eventing/pkg/apis/duck/v1"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/kmeta"
 )
@@ -68,6 +69,10 @@ type JobSinkStatus struct {
 
 	// +optional
 	JobStatus JobStatus `json:"job,omitempty"`
+
+	// AppliedEventPoliciesStatus contains the list of EventPolicies which apply to this JobSink
+	// +optional
+	eventingduckv1.AppliedEventPoliciesStatus `json:",inline"`
 }
 
 type JobStatus struct {

vendor/knative.dev/eventing/pkg/apis/sinks/v1alpha1/test_helpers.go

@@ -0,0 +1,28 @@
+/*
+Copyright 2024 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+	http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"github.com/google/go-cmp/cmp/cmpopts"
+	"knative.dev/pkg/apis"
+)
+
+var (
+	ignoreAllButTypeAndStatus = cmpopts.IgnoreFields(
+		apis.Condition{},
+		"LastTransitionTime", "Message", "Reason", "Severity")
+)

vendor/knative.dev/eventing/pkg/auth/event_policy.go

@@ -35,6 +35,10 @@ import (
 	"knative.dev/pkg/resolver"
 )
 
+const (
+	kubernetesServiceAccountPrefix = "system:serviceaccount"
+)
+
 // GetEventPoliciesForResource returns the applying EventPolicies for a given resource
 func GetEventPoliciesForResource(lister listerseventingv1alpha1.EventPolicyLister, resourceGVK schema.GroupVersionKind, resourceObjectMeta metav1.ObjectMeta) ([]*v1alpha1.EventPolicy, error) {
 	policies, err := lister.EventPolicies(resourceObjectMeta.GetNamespace()).List(labels.Everything())
@@ -194,7 +198,7 @@ func resolveSubjectsFromReference(resolver *resolver.AuthenticatableResolver, re
 
 	objFullSANames := make([]string, 0, len(objSAs))
 	for _, sa := range objSAs {
-		objFullSANames = append(objFullSANames, fmt.Sprintf("system:serviceaccount:%s:%s", reference.Namespace, sa))
+		objFullSANames = append(objFullSANames, fmt.Sprintf("%s:%s:%s", kubernetesServiceAccountPrefix, reference.Namespace, sa))
 	}
 
 	return objFullSANames, nil

vendor/knative.dev/eventing/pkg/auth/serviceaccount.go

@@ -21,11 +21,13 @@ import (
 	"fmt"
 	"strings"
 
-	"knative.dev/eventing/pkg/apis/feature"
+	"k8s.io/apimachinery/pkg/api/equality"
 	duckv1 "knative.dev/pkg/apis/duck/v1"
 	"knative.dev/pkg/kmeta"
 	pkgreconciler "knative.dev/pkg/reconciler"
 
+	"knative.dev/eventing/pkg/apis/feature"
+
 	"go.uber.org/zap"
 	v1 "k8s.io/api/core/v1"
 	apierrs "k8s.io/apimachinery/pkg/api/errors"
@@ -38,10 +40,10 @@ import (
 )
 
 const (
-	//OIDCLabelKey is used to filter out all the informers that related to OIDC work
-	OIDCLabelKey = "oidc"
+	// OIDCLabelKey is used to filter out all the informers that related to OIDC work
+	OIDCLabelKey = "eventing.knative.dev/oidc"
 
-	// OIDCTokenRoleLabelSelector is the label selector for the OIDC token creator role and rolebinding informers
+	// OIDCLabelSelector is the label selector for the OIDC resources
 	OIDCLabelSelector = OIDCLabelKey
 )
 
@@ -87,28 +89,38 @@ func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccou
 	saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta)
 	sa, err := serviceAccountLister.ServiceAccounts(objectMeta.Namespace).Get(saName)
 
+	expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
+
 	// If the resource doesn't exist, we'll create it.
 	if apierrs.IsNotFound(err) {
 		logging.FromContext(ctx).Debugw("Creating OIDC service account", zap.Error(err))
 
-		expected := GetOIDCServiceAccountForResource(gvk, objectMeta)
-
 		_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Create(ctx, expected, metav1.CreateOptions{})
 		if err != nil {
-			return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+			return fmt.Errorf("could not create OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 		}
 
 		return nil
 	}
-
 	if err != nil {
-		return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Name, objectMeta.Namespace, gvk.Kind, err)
+		return fmt.Errorf("could not get OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
 	}
-
 	if !metav1.IsControlledBy(&sa.ObjectMeta, &objectMeta) {
 		return fmt.Errorf("service account %s not owned by %s %s", sa.Name, gvk.Kind, objectMeta.Name)
 	}
 
+	if !equality.Semantic.DeepDerivative(expected, sa) {
+		expected.ResourceVersion = sa.ResourceVersion
+
+		_, err = kubeclient.CoreV1().ServiceAccounts(objectMeta.Namespace).Update(ctx, expected, metav1.UpdateOptions{})
+		if err != nil {
+			return fmt.Errorf("could not update OIDC service account %s/%s for %s: %w", objectMeta.Namespace, objectMeta.Name, gvk.Kind, err)
+		}
+
+		return nil
+
+	}
+
 	return nil
 }