Conversation

@creydr creydr commented Sep 9, 2025

Most/all of the IntegrationSink components are not written in Golang and thus cannot use our libs for AuthN and AuthZ checks. Therefore the IntegrationSink does not support AuthN and AuthZ currently.
This PR adds an auth-proxy, which can be used as a sidecar container and does the Auth checks. Therefore we can get AuthN/AuthZ support on the IntegrationSink.

This PR contains the following main parts:

  • Adds the auth-proxy (788cc90)
  • Updates the integration sink controller to include the auth-proxy as a sidecar to the integrationsink deployments and takes care of the needed RBAC (auth-proxy needs permissions to read the features & logging CM from eventing namespace) (c5f6679)
  • Adding AuthN & AuthZ e2e tests for the IntegrationSink (9f0ff40)

Hint:
The auth-proxy requires permissions to read the features and logging configmaps from the knative-eventing namespace. Therefore each pod running an IntegrationSink needs to have a RoleBinding for the knative-eventing-auth-proxy role in the knative-eventing namespace. Instead of adding a RoleBinding for each IntegrationSink, we aggregate it together in the eventing-auth-proxy RoleBinding to not have x similar RoleBindings.

@creydr creydr requested review from Cali0707 and matzew September 9, 2025 13:20
@knative-prow knative-prow bot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. area/test-and-release Test infrastructure, tests or release labels Sep 9, 2025
@knative-prow knative-prow bot requested review from mgencur and pierDipi September 9, 2025 13:20
codecov bot commented Sep 9, 2025

Codecov Report

❌ Patch coverage is 6.08229% with 525 lines in your changes missing coverage. Please review.
✅ Project coverage is 50.73%. Comparing base (941dafa) to head (4409cbc).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
cmd/auth_proxy/main.go 0.00% 195 Missing ⚠️
...iler/integration/sink/resources/container_image.go 0.00% 167 Missing ⚠️
pkg/reconciler/integration/sink/integrationsink.go 35.22% 51 Missing and 6 partials ⚠️
pkg/reconciler/integration/sink/controller.go 0.00% 42 Missing ⚠️
pkg/auth/verifier.go 0.00% 39 Missing ⚠️
.../apis/sinks/v1alpha1/integration_sink_lifecycle.go 0.00% 12 Missing ⚠️
pkg/eventingtls/eventingtls.go 0.00% 6 Missing ⚠️
pkg/reconciler/testing/v1alpha1/integrationsink.go 0.00% 6 Missing ⚠️
pkg/reconciler/integration/sink/resources/names.go 0.00% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8708      +/-   ##
==========================================
- Coverage   51.62%   50.73%   -0.90%     
==========================================
  Files         401      402       +1     
  Lines       25459    25962     +503     
==========================================
+ Hits        13144    13172      +28     
- Misses      11509    11979     +470     
- Partials      806      811       +5     


}

logger.Info("Starting auth proxy servers...")
if err = serverManager.StartServers(ctx); err != nil {

maybe we add otel instrumentation to these servers for a better observability picture into this sidecar?

IMO, this should be a follow up PR on top of this


yes, let's do OTel in a separate one


@Cali0707 Cali0707 left a comment


@creydr could you TAL at the linter errors?

Error: cmd/auth_proxy/main.go:155:2: ineffectual assignment to ctx (ineffassign)
	ctx = logging.WithLogger(ctx, logger)
	^
Error: pkg/auth/verifier.go:400:2: Consider pre-allocating `subjectsWithFiltersFromApplyingPolicies` (prealloc)
	var subjectsWithFiltersFromApplyingPolicies []SubjectsWithFilters

creydr commented Sep 9, 2025

@creydr could you TAL at the linter errors?

Error: cmd/auth_proxy/main.go:155:2: ineffectual assignment to ctx (ineffassign)
	ctx = logging.WithLogger(ctx, logger)
	^
Error: pkg/auth/verifier.go:400:2: Consider pre-allocating `subjectsWithFiltersFromApplyingPolicies` (prealloc)
	var subjectsWithFiltersFromApplyingPolicies []SubjectsWithFilters

fixed

@creydr creydr requested a review from Cali0707 September 9, 2025 20:05

@Cali0707 Cali0707 left a comment


/lgtm
/hold in case @creydr wants to wait for other reviews

@knative-prow knative-prow bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm Indicates that a PR is ready to be merged. labels Sep 9, 2025

logger.Debugf("Handling request to %s", r.RequestURI)

err := h.authVerifier.VerifyRequestFromSubjectsWithFilters(ctx, features, h.config.SinkAudience, h.authSubjects, h.config.SinkNamespace, r, w)
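Review bot: the verifier is handed `w` as well as `r`, so this call site alone does not say whether `VerifyRequestFromSubjectsWithFilters` writes the 401/403 response itself or only returns `err`; a short comment stating that contract, and a check that the handler does not write a second response after a non-nil `err`, would prevent a double write on the rejection path.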

@creydr I may be missing something but since we aren't copying the request here would this have the same problem for structured events that #8710 is trying to avoid?


The authVerifier.Verify...() method internally copies the request to avoid the problem.
In #8710 we had the issue that the request was accessed before it was passed to the authVerifier already. (At least I think so)

But I'll rebase this PR after #8710 is in, to get the authz tests updated, which check for this issue now
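
The sidecar pattern from the PR description and the request-copy concern discussed in the exchange above, as an added example that is not the project's code: a minimal Go auth-proxy handler that buffers the request body once, gives the verifier and the sink container independent readers, and maps authentication errors to 401 and policy rejections to 403. The `verifyFunc` signature, `demoVerifier`, `echoUpstream`, the token value and the body cap are assumptions made for this example; the project's real verifier is `VerifyRequestFromSubjectsWithFilters`, whose internals are not shown here.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// verifyFunc is a hypothetical stand-in for the project's request verifier
// (not the signature from the PR). It may consume the request body, e.g. to
// evaluate filters on the event, so the proxy must hand it its own copy.
type verifyFunc func(r *http.Request) (authorized bool, err error)

// maxBodyBytes bounds how much of a request the sidecar buffers in memory (assumed value).
const maxBodyBytes = 1 << 20

// newAuthProxyHandler wraps the upstream (the sink container) with an auth
// check. The body is read once and given to the verifier and the upstream as
// independent readers, so verification cannot drain what the sink receives.
func newAuthProxyHandler(verify verifyFunc, upstream http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBodyBytes))
		if err != nil {
			http.Error(w, "unreadable or oversized request body", http.StatusBadRequest)
			return
		}

		// A fresh copy for the verifier: same headers and context, own body reader.
		verifyReq := r.Clone(r.Context())
		verifyReq.Body = io.NopCloser(bytes.NewReader(body))

		ok, err := verify(verifyReq)
		if err != nil {
			// No usable identity: authentication failure.
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		if !ok {
			// Identity known but not allowed by policy: authorization failure.
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}

		// Restore the body for the upstream and forward the original request.
		r.Body = io.NopCloser(bytes.NewReader(body))
		r.ContentLength = int64(len(body))
		upstream.ServeHTTP(w, r)
	})
}

// demoVerifier is a constructed verifier for this example: a missing bearer
// token is an authentication error, a token other than expectedToken is a
// policy rejection. It drains the body on purpose, to show that doing so does
// not affect what the upstream receives.
func demoVerifier(expectedToken string) verifyFunc {
	return func(r *http.Request) (bool, error) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			return false, fmt.Errorf("missing bearer token")
		}
		token := strings.TrimPrefix(auth, "Bearer ")
		if _, err := io.Copy(io.Discard, r.Body); err != nil {
			return false, err
		}
		return token == expectedToken, nil
	}
}

// echoUpstream stands in for the sink container: it echoes the body it got.
func echoUpstream() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		b, err := io.ReadAll(r.Body)
		if err != nil {
			http.Error(w, "bad body", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusOK)
		_, _ = w.Write(b)
	})
}

// sendThroughProxy drives one request through the sidecar in-process and
// returns the status code and response body. The expected token is a constructed value.
func sendThroughProxy(token, payload string) (int, string) {
	h := newAuthProxyHandler(demoVerifier("constructed-demo-token"), echoUpstream())
	req := httptest.NewRequest(http.MethodPost, "http://127.0.0.1:8080/", strings.NewReader(payload))
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	payload := `{"specversion":"1.0","type":"demo.event"}` // constructed CloudEvent-like body
	for _, token := range []string{"constructed-demo-token", "wrong-token", ""} {
		code, body := sendThroughProxy(token, payload)
		fmt.Printf("token=%q -> %d %s\n", token, code, strings.TrimSpace(body))
	}
}
```

Run with `go run`. The point of the `Clone` plus `bytes.NewReader` pair is exactly the failure mode the thread refers to: if the verifier read `r.Body` directly, a structured-mode event would arrive at the sink with an empty body even though the auth check passed. The body cap matters for the same reason a proxy should never buffer unbounded input from unauthenticated callers; in the real deployment the upstream is the sink container reached over localhost rather than an in-process handler.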

@knative-prow knative-prow bot removed the lgtm Indicates that a PR is ready to be merged. label Sep 10, 2025

creydr commented Sep 10, 2025

Needed to resolve some merge conflicts

trustBundleConfigMapLister: trustBundleConfigMapInformer.Lister(),
integrationSinkLister: integrationSinkInformer.Lister(),
rolebindingLister: rolebindingInformer.Lister(),
authProxyImage: env.AuthProxyImage,
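Review bot: `authProxyImage: env.AuthProxyImage` takes the sidecar image straight from the environment, so an unset variable becomes an empty string here and only fails later when the reconciler builds a deployment with an empty image. A fail-fast check in the controller constructor (or a required marker on the env struct, if the project's env parsing supports one) would make a misconfigured controller obvious at startup.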

I think we need something like this for event transformer as well

but let's do it in a separate PR


Yes. I'd do this as a separate PR. Added #8715 to have an issue for it


@matzew matzew left a comment


/lgtm
/approve

@knative-prow knative-prow bot added the lgtm Indicates that a PR is ready to be merged. label Sep 10, 2025

knative-prow bot commented Sep 10, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: creydr, matzew

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


creydr commented Sep 10, 2025

Pod scheduling timeout.
/retest-required
/unhold

@knative-prow knative-prow bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 10, 2025
@knative-prow knative-prow bot merged commit e8e8035 into knative:main Sep 10, 2025
34 of 36 checks passed
@Cali0707

@creydr @matzew should we backport this one at all?

@creydr creydr mentioned this pull request Sep 12, 2025

creydr commented Sep 16, 2025

@creydr @matzew should we backport this one at all?

I wouldn't at this point and would give it a bit of time to settle (and also integrate it into EventTransform). But when users ask for it, we can do it of course.
