From 3e0485f77372d727f6b3fa37392c86fa14398133 Mon Sep 17 00:00:00 2001 From: pingjiang Date: Sun, 29 Oct 2023 20:28:55 +0800 Subject: [PATCH 01/11] Refactor the AuthStatus Logic in Eventing OIDC Feature Track Signed-off-by: pingjiang --- pkg/auth/serviceaccount.go | 28 +++++++++++++++++++ .../apiserversource/apiserversource.go | 18 ++---------- pkg/reconciler/broker/trigger/trigger.go | 17 ++--------- pkg/reconciler/pingsource/pingsource.go | 20 ++----------- pkg/reconciler/sinkbinding/controller.go | 20 ++----------- pkg/reconciler/subscription/subscription.go | 17 ++--------- 6 files changed, 39 insertions(+), 81 deletions(-) diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index c73064bb9b1..0648daa343e 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go @@ -28,8 +28,11 @@ import ( "k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/client-go/kubernetes" corev1listers "k8s.io/client-go/listers/core/v1" + "knative.dev/eventing/pkg/apis/feature" + duckv1 "knative.dev/pkg/apis/duck/v1" "knative.dev/pkg/logging" "knative.dev/pkg/ptr" + pkgreconciler "knative.dev/pkg/reconciler" ) // GetOIDCServiceAccountNameForResource returns the service account name to use 
@@ -94,3 +97,28 @@ func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccou return nil } + +type OIDCStatusMarker interface { + MarkOIDCIdentityCreatedSucceeded() + MarkOIDCIdentityCreatedSucceededWithReason(reason, messageFormat string, messageA ...interface{}) + MarkOIDCIdentityCreatedFailed(reason, messageFormat string, messageA ...interface{}) +} + +func OIDCAuthStatusUtility(ctx context.Context, authStatus *duckv1.AuthStatus, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCStatusMarker) pkgreconciler.Event { + featureFlags := feature.FromContext(ctx) + if featureFlags.IsOIDCAuthentication() { + saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta) + authStatus = &duckv1.AuthStatus{ + ServiceAccountName: &saName, + } + if err := EnsureOIDCServiceAccountExistsForResource(ctx, serviceAccountLister, kubeclient, gvk, objectMeta); err != nil { + marker.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err) + return err + } + marker.MarkOIDCIdentityCreatedSucceeded() + } else { + authStatus = nil + marker.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") + } + return nil +} diff --git a/pkg/reconciler/apiserversource/apiserversource.go b/pkg/reconciler/apiserversource/apiserversource.go index a9c34523232..97d06211f91 100644 --- a/pkg/reconciler/apiserversource/apiserversource.go +++ b/pkg/reconciler/apiserversource/apiserversource.go @@ -40,7 +40,6 @@ import ( pkgreconciler "knative.dev/pkg/reconciler" "knative.dev/pkg/resolver" - "knative.dev/eventing/pkg/apis/feature" apisources "knative.dev/eventing/pkg/apis/sources" v1 "knative.dev/eventing/pkg/apis/sources/v1" "knative.dev/eventing/pkg/auth" 
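Review bot: The assignments `authStatus = &duckv1.AuthStatus{...}` and `authStatus = nil` in `OIDCAuthStatusUtility` only rebind the function's own copy of the pointer. In this commit taken alone, no caller's `Status.Auth` is set or cleared, yet the OIDCIdentityCreated condition is still marked succeeded. PATCH 02/11 on this page replaces both with `marker.MarkStatus(...)`. Squashing the two commits would avoid a point in history where the condition reports success while `Status.Auth` is stale or missing, which matters for bisecting and for any backport of the first commit alone.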
@@ -99,21 +98,8 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *v1.ApiServerSour } // OIDC authentication - featureFlags := feature.FromContext(ctx) - if featureFlags.IsOIDCAuthentication() { - saName := auth.GetOIDCServiceAccountNameForResource(v1.SchemeGroupVersion.WithKind("ApiServerSource"), source.ObjectMeta) - source.Status.Auth = &duckv1.AuthStatus{ - ServiceAccountName: &saName, - } - - if err := auth.EnsureOIDCServiceAccountExistsForResource(ctx, r.serviceAccountLister, r.kubeClientSet, v1.SchemeGroupVersion.WithKind("ApiServerSource"), source.ObjectMeta); err != nil { - source.Status.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err) - return err - } - source.Status.MarkOIDCIdentityCreatedSucceeded() - } else { - source.Status.Auth = nil - source.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") + if err := auth.OIDCAuthStatusUtility(ctx, source.Status.Auth, r.serviceAccountLister, r.kubeClientSet, v1.SchemeGroupVersion.WithKind("ApiServerSource"), source.ObjectMeta, &source.Status); err != nil { + return err } sinkAddr, err := r.sinkResolver.AddressableFromDestinationV1(ctx, *dest, source) diff --git a/pkg/reconciler/broker/trigger/trigger.go b/pkg/reconciler/broker/trigger/trigger.go index b336f8f914a..368d7aee581 100644 --- a/pkg/reconciler/broker/trigger/trigger.go +++ b/pkg/reconciler/broker/trigger/trigger.go 
@@ -143,21 +143,8 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, t *eventingv1.Trigger) p return err } - featureFlags := feature.FromContext(ctx) - if featureFlags.IsOIDCAuthentication() { - saName := auth.GetOIDCServiceAccountNameForResource(eventingv1.SchemeGroupVersion.WithKind("Trigger"), t.ObjectMeta) - t.Status.Auth = &duckv1.AuthStatus{ - ServiceAccountName: &saName, - } - - if err := auth.EnsureOIDCServiceAccountExistsForResource(ctx, r.serviceAccountLister, r.kubeclient, eventingv1.SchemeGroupVersion.WithKind("Trigger"), t.ObjectMeta); err != nil { - t.Status.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err) - return err - } - t.Status.MarkOIDCIdentityCreatedSucceeded() - } else { - t.Status.Auth = nil - t.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") + if err = auth.OIDCAuthStatusUtility(ctx, t.Status.Auth, r.serviceAccountLister, r.kubeclient, eventingv1.SchemeGroupVersion.WithKind("Trigger"), t.ObjectMeta, &t.Status); err != nil { + return err } sub, err := r.subscribeToBrokerChannel(ctx, b, t, brokerTrigger) diff --git a/pkg/reconciler/pingsource/pingsource.go b/pkg/reconciler/pingsource/pingsource.go index 1bad1df76f5..076207d91d3 100644 --- a/pkg/reconciler/pingsource/pingsource.go +++ b/pkg/reconciler/pingsource/pingsource.go @@ -22,8 +22,6 @@ import ( "fmt" v1 "k8s.io/client-go/listers/core/v1" - "knative.dev/eventing/pkg/apis/feature" - "knative.dev/eventing/pkg/auth" "go.uber.org/zap" @@ -46,6 +44,7 @@ import ( "knative.dev/eventing/pkg/adapter/mtping" "knative.dev/eventing/pkg/adapter/v2" sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1" + "knative.dev/eventing/pkg/auth" pingsourcereconciler "knative.dev/eventing/pkg/client/injection/reconciler/sources/v1/pingsource" "knative.dev/eventing/pkg/reconciler/pingsource/resources" reconcilersource "knative.dev/eventing/pkg/reconciler/source" 
@@ -106,21 +105,8 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *sourcesv1.PingSo } // OIDC authentication - featureFlags := feature.FromContext(ctx) - if featureFlags.IsOIDCAuthentication() { - saName := auth.GetOIDCServiceAccountNameForResource(sourcesv1.SchemeGroupVersion.WithKind("PingSource"), source.ObjectMeta) - source.Status.Auth = &duckv1.AuthStatus{ - ServiceAccountName: &saName, - } - - if err := auth.EnsureOIDCServiceAccountExistsForResource(ctx, r.serviceAccountLister, r.kubeClientSet, sourcesv1.SchemeGroupVersion.WithKind("PingSource"), source.ObjectMeta); err != nil { - source.Status.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err) - return err - } - source.Status.MarkOIDCIdentityCreatedSucceeded() - } else { - source.Status.Auth = nil - source.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") + if err := auth.OIDCAuthStatusUtility(ctx, source.Status.Auth, r.serviceAccountLister, r.kubeClientSet, sourcesv1.SchemeGroupVersion.WithKind("PingSource"), source.ObjectMeta, &source.Status); err != nil { + return err } sinkAddr, err := r.sinkResolver.AddressableFromDestinationV1(ctx, *dest, source) diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go index dab1680c477..0a54b8cb642 100644 --- a/pkg/reconciler/sinkbinding/controller.go +++ b/pkg/reconciler/sinkbinding/controller.go @@ -19,7 +19,6 @@ package sinkbinding import ( "context" "errors" - "fmt" "knative.dev/eventing/pkg/auth" sbinformer "knative.dev/eventing/pkg/client/injection/informers/sources/v1/sinkbinding" 
@@ -41,7 +40,6 @@ import ( "knative.dev/eventing/pkg/apis/feature" v1 "knative.dev/eventing/pkg/apis/sources/v1" "knative.dev/pkg/apis/duck" - duckv1 "knative.dev/pkg/apis/duck/v1" kubeclient "knative.dev/pkg/client/injection/kube/client" serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" "knative.dev/pkg/configmap" @@ -188,22 +186,8 @@ func (s *SinkBindingSubResourcesReconciler) Reconcile(ctx context.Context, b psb Name: sb.Spec.Sink.Ref.Name, }, b) } - - featureFlags := s.featureStore.Load() - if featureFlags.IsOIDCAuthentication() { - saName := auth.GetOIDCServiceAccountNameForResource(v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta) - sb.Status.Auth = &duckv1.AuthStatus{ - ServiceAccountName: &saName, - } - - if err := auth.EnsureOIDCServiceAccountExistsForResource(ctx, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta); err != nil { - sb.Status.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err) - return err - } - sb.Status.MarkOIDCIdentityCreatedSucceeded() - } else { - sb.Status.Auth = nil - sb.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") + if err := auth.OIDCAuthStatusUtility(ctx, sb.Status.Auth, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta, &sb.Status); err != nil { + return err } addr, err := s.res.AddressableFromDestinationV1(ctx, sb.Spec.Sink, sb) diff --git a/pkg/reconciler/subscription/subscription.go b/pkg/reconciler/subscription/subscription.go index 05e4d12d0ab..f9026b14f48 100644 --- a/pkg/reconciler/subscription/subscription.go +++ b/pkg/reconciler/subscription/subscription.go 
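Review bot: In `SinkBindingSubResourcesReconciler.Reconcile` the OIDC flag used to come from `s.featureStore.Load()`, but the shared helper reads `feature.FromContext(ctx)`, and nothing in this hunk puts the store's flags into `ctx`. If this reconciler's context does not already carry them (the old code reading the store directly suggests it may not), the helper would take the disabled branch: `sb.Status.Auth` is cleared, no service account is ensured, and the condition is still marked succeeded. Either confirm the context is populated by the caller, or make it explicit with `ctx = feature.ToContext(ctx, s.featureStore.Load())` before the call. The function body starts and continues outside the hunk, so the surrounding setup is not visible here.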
@@ -92,21 +92,8 @@ var _ subscriptionreconciler.Finalizer = (*Reconciler)(nil) // ReconcileKind implements Interface.ReconcileKind. func (r *Reconciler) ReconcileKind(ctx context.Context, subscription *v1.Subscription) pkgreconciler.Event { // OIDC authentication - featureFlags := feature.FromContext(ctx) - if featureFlags.IsOIDCAuthentication() { - saName := auth.GetOIDCServiceAccountNameForResource(v1.SchemeGroupVersion.WithKind("Subscription"), subscription.ObjectMeta) - subscription.Status.Auth = &duckv1.AuthStatus{ - ServiceAccountName: &saName, - } - - if err := auth.EnsureOIDCServiceAccountExistsForResource(ctx, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Subscription"), subscription.ObjectMeta); err != nil { - subscription.Status.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err) - return err - } - subscription.Status.MarkOIDCIdentityCreatedSucceeded() - } else { - subscription.Status.Auth = nil - subscription.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") + if err := auth.OIDCAuthStatusUtility(ctx, subscription.Status.Auth, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Subscription"), subscription.ObjectMeta, &subscription.Status); err != nil { + return err } // Find the channel for this subscription. From 15f886c2e7325f07f082bab6f6e69d66af244b96 Mon Sep 17 00:00:00 2001 From: pingjiang Date: Tue, 31 Oct 2023 10:21:27 +0800 Subject: [PATCH 02/11] fix ineffectual assignment to authStatus 
Signed-off-by: pingjiang --- pkg/apis/eventing/v1/trigger_lifecycle.go | 4 + .../messaging/v1/subscription_lifecycle.go | 5 + pkg/apis/sources/v1/apiserver_lifecycle.go | 4 + pkg/apis/sources/v1/ping_lifecycle.go | 4 + pkg/apis/sources/v1/sinkbinding_lifecycle.go | 4 + pkg/auth/serviceaccount.go | 10 +- .../apiserversource/apiserversource.go | 2 +- .../apiserversource/apiserversource_test.go | 1615 +++++++++-------- pkg/reconciler/broker/trigger/trigger.go | 2 +- pkg/reconciler/pingsource/pingsource.go | 2 +- pkg/reconciler/sinkbinding/controller.go | 2 +- pkg/reconciler/subscription/subscription.go | 2 +- 12 files changed, 871 insertions(+), 785 deletions(-) diff --git a/pkg/apis/eventing/v1/trigger_lifecycle.go b/pkg/apis/eventing/v1/trigger_lifecycle.go index 110d05b18d7..3ac1949b74f 100644 --- a/pkg/apis/eventing/v1/trigger_lifecycle.go +++ b/pkg/apis/eventing/v1/trigger_lifecycle.go @@ -226,3 +226,7 @@ func (ts *TriggerStatus) MarkOIDCIdentityCreatedNotSupported() { // in case the OIDC feature is not supported, we mark the condition as true, to not mark the Trigger unready. triggerCondSet.Manage(ts).MarkTrueWithReason(TriggerConditionOIDCIdentityCreated, fmt.Sprintf("%s feature not yet supported for this Broker class", feature.OIDCAuthentication), "") } + +func (ts *TriggerStatus) MarkStatus(authStatus *duckv1.AuthStatus) { + ts.Auth = authStatus +} diff --git a/pkg/apis/messaging/v1/subscription_lifecycle.go b/pkg/apis/messaging/v1/subscription_lifecycle.go index b6be048fe9c..3476057c156 100644 --- a/pkg/apis/messaging/v1/subscription_lifecycle.go +++ b/pkg/apis/messaging/v1/subscription_lifecycle.go @@ -18,6 +18,7 @@ package v1 import ( "knative.dev/pkg/apis" + duckv1 "knative.dev/pkg/apis/duck/v1" ) // SubCondSet is a condition set with Ready as the happy condition and 
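Review bot: `MarkStatus` on `TriggerStatus` is exported without a doc comment, and its name follows the `Mark*` condition-setter pattern although it sets no condition and only overwrites `ts.Auth`. The same method is added to `SubscriptionStatus`, `ApiServerSourceStatus`, `PingSourceStatus` and `SinkBindingStatus` in the following hunks, so the point applies to all five. A name such as `SetAuth` would say what is written; if the name stays, add `// MarkStatus replaces Status.Auth with authStatus; passing nil clears it.` so readers do not expect a readiness change.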
@@ -131,3 +132,7 @@ func (ss *SubscriptionStatus) MarkOIDCIdentityCreatedFailed(reason, messageForma func (ss *SubscriptionStatus) MarkOIDCIdentityCreatedUnknown(reason, messageFormat string, messageA ...interface{}) { SubCondSet.Manage(ss).MarkUnknown(SubscriptionConditionOIDCIdentityCreated, reason, messageFormat, messageA...) } + +func (ss *SubscriptionStatus) MarkStatus(authStatus *duckv1.AuthStatus) { + ss.Auth = authStatus +} diff --git a/pkg/apis/sources/v1/apiserver_lifecycle.go b/pkg/apis/sources/v1/apiserver_lifecycle.go index 70d0f767493..c7807b2d357 100644 --- a/pkg/apis/sources/v1/apiserver_lifecycle.go +++ b/pkg/apis/sources/v1/apiserver_lifecycle.go @@ -146,3 +146,7 @@ func (s *ApiServerSourceStatus) MarkOIDCIdentityCreatedFailed(reason, messageFor func (s *ApiServerSourceStatus) MarkOIDCIdentityCreatedUnknown(reason, messageFormat string, messageA ...interface{}) { apiserverCondSet.Manage(s).MarkUnknown(ApiServerConditionOIDCIdentityCreated, reason, messageFormat, messageA...) } + +func (s *ApiServerSourceStatus) MarkStatus(authStatus *duckv1.AuthStatus) { + s.Auth = authStatus +} diff --git a/pkg/apis/sources/v1/ping_lifecycle.go b/pkg/apis/sources/v1/ping_lifecycle.go index 8fa7cea6fae..34f001fa00a 100644 --- a/pkg/apis/sources/v1/ping_lifecycle.go +++ b/pkg/apis/sources/v1/ping_lifecycle.go @@ -142,3 +142,7 @@ func (s *PingSourceStatus) MarkOIDCIdentityCreatedFailed(reason, messageFormat s func (s *PingSourceStatus) MarkOIDCIdentityCreatedUnknown(reason, messageFormat string, messageA ...interface{}) { PingSourceCondSet.Manage(s).MarkUnknown(PingSourceConditionOIDCIdentityCreated, reason, messageFormat, messageA...) } + +func (s *PingSourceStatus) MarkStatus(authStatus *duckv1.AuthStatus) { + s.Auth = authStatus +} diff --git a/pkg/apis/sources/v1/sinkbinding_lifecycle.go b/pkg/apis/sources/v1/sinkbinding_lifecycle.go index 5a8d1003554..bff10c0162e 100644 --- a/pkg/apis/sources/v1/sinkbinding_lifecycle.go 
+++ b/pkg/apis/sources/v1/sinkbinding_lifecycle.go @@ -112,6 +112,10 @@ func (sbs *SinkBindingStatus) MarkOIDCIdentityCreatedUnknown(reason, messageForm sbCondSet.Manage(sbs).MarkUnknown(SinkBindingConditionOIDCIdentityCreated, reason, messageFormat, messageA...) } +func (sbs *SinkBindingStatus) MarkStatus(authStatus *duckv1.AuthStatus) { + sbs.Auth = authStatus +} + // Do implements psbinding.Bindable func (sb *SinkBinding) Do(ctx context.Context, ps *duckv1.WithPod) { // First undo so that we can just unconditionally append below. diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index 0648daa343e..8825e43aeb2 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go 
@@ -102,22 +102,24 @@ type OIDCStatusMarker interface { MarkOIDCIdentityCreatedSucceeded() MarkOIDCIdentityCreatedSucceededWithReason(reason, messageFormat string, messageA ...interface{}) MarkOIDCIdentityCreatedFailed(reason, messageFormat string, messageA ...interface{}) + MarkStatus(authStatus *duckv1.AuthStatus) } -func OIDCAuthStatusUtility(ctx context.Context, authStatus *duckv1.AuthStatus, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCStatusMarker) pkgreconciler.Event { +func OIDCAuthStatusUtility(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCStatusMarker) pkgreconciler.Event { featureFlags := feature.FromContext(ctx) if featureFlags.IsOIDCAuthentication() { saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta) - authStatus = &duckv1.AuthStatus{ + + marker.MarkStatus(&duckv1.AuthStatus{ ServiceAccountName: &saName, - } + }) if err := EnsureOIDCServiceAccountExistsForResource(ctx, serviceAccountLister, kubeclient, gvk, objectMeta); err != nil { marker.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err) return err } marker.MarkOIDCIdentityCreatedSucceeded() } else { - authStatus = nil + marker.MarkStatus(nil) marker.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") } return nil diff --git a/pkg/reconciler/apiserversource/apiserversource.go b/pkg/reconciler/apiserversource/apiserversource.go index 97d06211f91..29685caeb0f 100644 --- a/pkg/reconciler/apiserversource/apiserversource.go +++ b/pkg/reconciler/apiserversource/apiserversource.go 
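Review bot: `OIDCStatusMarker` and `OIDCAuthStatusUtility` are exported without doc comments, and the one ordering detail callers need is undocumented. `marker.MarkStatus(&duckv1.AuthStatus{...})` runs before `EnsureOIDCServiceAccountExistsForResource`, so on the error path the status already names a service account while the condition is marked failed. That matches the inline code the helper replaced, but it should be stated so that readers of `Status.Auth` check the OIDCIdentityCreated condition before trusting the name. Suggested comment: `// OIDCAuthStatusUtility sets the resource's AuthStatus and OIDCIdentityCreated condition from the OIDC feature flag; Auth is published before the service account is ensured, so consumers must gate on the condition.`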
@@ -98,7 +98,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *v1.ApiServerSour } // OIDC authentication - if err := auth.OIDCAuthStatusUtility(ctx, source.Status.Auth, r.serviceAccountLister, r.kubeClientSet, v1.SchemeGroupVersion.WithKind("ApiServerSource"), source.ObjectMeta, &source.Status); err != nil { + if err := auth.OIDCAuthStatusUtility(ctx, r.serviceAccountLister, r.kubeClientSet, v1.SchemeGroupVersion.WithKind("ApiServerSource"), source.ObjectMeta, &source.Status); err != nil { return err } diff --git a/pkg/reconciler/apiserversource/apiserversource_test.go b/pkg/reconciler/apiserversource/apiserversource_test.go index f2101a1321e..132d639d9d8 100644 --- a/pkg/reconciler/apiserversource/apiserversource_test.go +++ b/pkg/reconciler/apiserversource/apiserversource_test.go 
@@ -98,787 +98,850 @@ const ( ) func TestReconcile(t *testing.T) { - table := TableTest{{ - Name: "not enough permissions", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeAvailableReceiveAdapter(t), - }, - Key: testNS + "/" + sourceName, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceNoSufficientPermissions, - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "default"), - makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), - }, - WantErr: true, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - 
Eventf(corev1.EventTypeWarning, "InternalError", `insufficient permissions: User system:serviceaccount:testnamespace:default cannot get, list, watch resource "namespaces" in API group "" in Namespace "testnamespace"`), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(false)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, { - Name: "valid", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeAvailableReceiveAdapter(t), - }, - Key: testNS + "/" + sourceName, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeployed, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - 
rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "default"), - makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), - }, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, { - Name: "valid with namespace selector", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"target": "yes"}}), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeAvailableReceiveAdapter(t), - rttesting.NewNamespace("test-a", rttesting.WithNamespaceLabeled(map[string]string{"target": "yes"})), - rttesting.NewNamespace("test-b", rttesting.WithNamespaceLabeled(map[string]string{"target": "yes"})), - rttesting.NewNamespace("test-c", rttesting.WithNamespaceLabeled(map[string]string{"target": "no"})), - }, - Key: testNS + "/" + sourceName, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: 
rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeployed, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"target": "yes"}}), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{"test-a", "test-b"}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantCreates: []runtime.Object{ - makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-a"), - makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-a"), - makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-a"), - makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-b"), - makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-b"), - makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-b"), - }, - WantUpdates: []clientgotesting.UpdateActionImpl{{ - Object: makeAvailableReceiveAdapterWithNamespaces(t, []string{"test-a", "test-b"}, false), - }}, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), - }, - WantPatches: 
[]clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, { - Name: "valid with an empty namespace selector", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{}), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeAvailableReceiveAdapter(t), - rttesting.NewNamespace("test-a"), - rttesting.NewNamespace("test-b"), - rttesting.NewNamespace("test-c"), - }, - Key: testNS + "/" + sourceName, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeployed, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - 
rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{}), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{"test-a", "test-b", "test-c"}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantCreates: []runtime.Object{ - makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-a"), - makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-a"), - makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-a"), - makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-b"), - makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-b"), - makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-b"), - makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-c"), - makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-c"), - makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-c"), - }, - WantUpdates: []clientgotesting.UpdateActionImpl{{ - Object: makeAvailableReceiveAdapterWithNamespaces(t, []string{"test-a", "test-b", "test-c"}, true), - }}, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. 
- }, { - Name: "valid with eventmode of resourcemode", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - EventMode: sourcesv1.ResourceMode, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeAvailableReceiveAdapterWithEventMode(t, sourcesv1.ResourceMode), - }, - Key: testNS + "/" + sourceName, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - EventMode: sourcesv1.ResourceMode, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeployed, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceResourceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "default"), - makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), - }, 
- WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, { - Name: "valid with sink URI", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeAvailableReceiveAdapter(t), - }, - Key: testNS + "/" + sourceName, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeployed, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - 
rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "default"), - makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), - }, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, { - Name: "missing sink", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - }, - Key: testNS + "/" + sourceName, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - Eventf(corev1.EventTypeWarning, "SinkNotFound", - `Sink not found: {"ref":{"kind":"Channel","namespace":"testnamespace","name":"testsink","apiVersion":"messaging.knative.dev/v1"}}`), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - 
rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceSinkNotFound, - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, { - Name: "receive adapter does not exist, fails to create", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - }, - Key: testNS + "/" + sourceName, - WantErr: true, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - Eventf(corev1.EventTypeNormal, apiserversourceDeploymentCreated, - "Deployment created, error:inducing failure for create deployments"), - Eventf(corev1.EventTypeWarning, "InternalError", - "inducing failure for create deployments"), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - 
}), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "default"), - makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), - makeReceiveAdapter(t), - }, - WithReactors: []clientgotesting.ReactionFunc{ - subjectAccessReviewCreateReactor(true), - InduceFailure("create", "Deployments"), + table := TableTest{ + { + Name: "OIDC: creates OIDC service account", + Ctx: feature.ToContext(context.Background(), feature.Flags{ + feature.OIDCAuthentication: feature.Enabled, + }), + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeAvailableReceiveAdapter(t), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: 
"Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeployed, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceeded(), + rttestingv1.WithApiServerSourceOIDCServiceAccountName(makeApiServerSourceOIDCServiceAccount().Name), + ), + }}, + WantCreates: []runtime.Object{ + makeApiServerSourceOIDCServiceAccount(), + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. }, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. 
+ { + Name: "not enough permissions", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeAvailableReceiveAdapter(t), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceNoSufficientPermissions, + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WantErr: true, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeWarning, "InternalError", `insufficient permissions: User 
system:serviceaccount:testnamespace:default cannot get, list, watch resource "namespaces" in API group "" in Namespace "testnamespace"`), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(false)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "valid", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeAvailableReceiveAdapter(t), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeployed, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + 
rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "valid with namespace selector", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"target": "yes"}}), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeAvailableReceiveAdapter(t), + rttesting.NewNamespace("test-a", rttesting.WithNamespaceLabeled(map[string]string{"target": "yes"})), + rttesting.NewNamespace("test-b", rttesting.WithNamespaceLabeled(map[string]string{"target": "yes"})), + rttesting.NewNamespace("test-c", rttesting.WithNamespaceLabeled(map[string]string{"target": "no"})), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + 
rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeployed, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"target": "yes"}}), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{"test-a", "test-b"}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantCreates: []runtime.Object{ + makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-a"), + makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-a"), + makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-a"), + makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-b"), + makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-b"), + makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-b"), + }, + WantUpdates: []clientgotesting.UpdateActionImpl{{ + Object: makeAvailableReceiveAdapterWithNamespaces(t, []string{"test-a", "test-b"}, false), + }}, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, 
testNS), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "valid with an empty namespace selector", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{}), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeAvailableReceiveAdapter(t), + rttesting.NewNamespace("test-a"), + rttesting.NewNamespace("test-b"), + rttesting.NewNamespace("test-c"), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeployed, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{}), + 
rttestingv1.WithApiServerSourceStatusNamespaces([]string{"test-a", "test-b", "test-c"}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantCreates: []runtime.Object{ + makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-a"), + makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-a"), + makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-a"), + makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-b"), + makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-b"), + makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-b"), + makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-c"), + makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-c"), + makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-c"), + }, + WantUpdates: []clientgotesting.UpdateActionImpl{{ + Object: makeAvailableReceiveAdapterWithNamespaces(t, []string{"test-a", "test-b", "test-c"}, true), + }}, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. 
+ }, { + Name: "valid with eventmode of resourcemode", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + EventMode: sourcesv1.ResourceMode, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeAvailableReceiveAdapterWithEventMode(t, sourcesv1.ResourceMode), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + EventMode: sourcesv1.ResourceMode, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeployed, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceResourceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, 
+ WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "valid with sink URI", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeAvailableReceiveAdapter(t), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeployed, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + 
rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "missing sink", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + }, + Key: testNS + "/" + sourceName, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeWarning, "SinkNotFound", + `Sink not found: {"ref":{"kind":"Channel","namespace":"testnamespace","name":"testsink","apiVersion":"messaging.knative.dev/v1"}}`), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + 
rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceSinkNotFound, + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "receive adapter does not exist, fails to create", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + }, + Key: testNS + "/" + sourceName, + WantErr: true, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeNormal, apiserversourceDeploymentCreated, + "Deployment created, error:inducing failure for create deployments"), + Eventf(corev1.EventTypeWarning, "InternalError", + "inducing failure for create deployments"), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + 
}), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + makeReceiveAdapter(t), + }, + WithReactors: []clientgotesting.ReactionFunc{ + subjectAccessReviewCreateReactor(true), + InduceFailure("create", "Deployments"), + }, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, { - Name: "valid with relative uri reference", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{ - Sink: duckv1.Destination{ - Ref: sinkDest.Ref, - URI: &apis.URL{Path: sinkURIReference}, + }, { + Name: "valid with relative uri reference", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{ + Sink: duckv1.Destination{ + Ref: sinkDest.Ref, + URI: &apis.URL{Path: sinkURIReference}, + }, + }, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + 
rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeAvailableReceiveAdapterWithTargetURI(t), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{ + Sink: duckv1.Destination{ + Ref: sinkDest.Ref, + URI: &apis.URL{Path: sinkURIReference}, + }, }, - }, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeAvailableReceiveAdapterWithTargetURI(t), - }, - Key: testNS + "/" + sourceName, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{ - Sink: duckv1.Destination{ - Ref: sinkDest.Ref, - URI: &apis.URL{Path: sinkURIReference}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeployed, + rttestingv1.WithApiServerSourceSink(sinkTargetURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + 
rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "deployment update due to env", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeReceiveAdapterWithDifferentEnv(t), + }, + Key: testNS + "/" + sourceName, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: 
"v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceDeploymentUnavailable, + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantUpdates: []clientgotesting.UpdateActionImpl{{ + Object: makeReceiveAdapter(t), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. 
+ }, { + Name: "deployment update due to service account", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{ + Sink: sinkDest, }, - }, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeployed, - rttestingv1.WithApiServerSourceSink(sinkTargetURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "default"), - makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), - }, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. 
- }, { - Name: "deployment update due to env", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeReceiveAdapterWithDifferentEnv(t), - }, - Key: testNS + "/" + sourceName, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceDeploymentUnavailable, - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - 
rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantUpdates: []clientgotesting.UpdateActionImpl{{ - Object: makeReceiveAdapter(t), - }}, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "default"), - makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, { - Name: "deployment update due to service account", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{ - Sink: sinkDest, - }, - ServiceAccountName: "malin", - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeReceiveAdapterWithDifferentServiceAccount(t, "morgan"), - }, - Key: testNS + "/" + sourceName, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: 
duckv1.SourceSpec{ - Sink: sinkDest, - }, - ServiceAccountName: "malin", - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeploymentUnavailable, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantUpdates: []clientgotesting.UpdateActionImpl{{ - Object: makeReceiveAdapterWithDifferentServiceAccount(t, "malin"), - }}, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "malin"), - makeSubjectAccessReview("namespaces", "list", "malin"), - makeSubjectAccessReview("namespaces", "watch", "malin"), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. 
- }, { - Name: "deployment update due to container count", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeReceiveAdapterWithDifferentContainerCount(t), - }, - Key: testNS + "/" + sourceName, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeploymentUnavailable, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - 
rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantUpdates: []clientgotesting.UpdateActionImpl{{ - Object: makeReceiveAdapter(t), - }}, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "default"), - makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, { - Name: "valid with broker sink", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: brokerDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewBroker(sinkName, testNS, - rttestingv1.WithInitBrokerConditions, - rttestingv1.WithBrokerAddressURI(apis.HTTP(sinkDNS)), - ), - makeAvailableReceiveAdapter(t), - }, - Key: testNS + "/" + sourceName, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: brokerDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeployed, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - 
rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "default"), - makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), + ServiceAccountName: "malin", + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeReceiveAdapterWithDifferentServiceAccount(t, "morgan"), + }, + Key: testNS + "/" + sourceName, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{ + Sink: sinkDest, + }, + ServiceAccountName: "malin", + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + 
rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeploymentUnavailable, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantUpdates: []clientgotesting.UpdateActionImpl{{ + Object: makeReceiveAdapterWithDifferentServiceAccount(t, "malin"), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "malin"), + makeSubjectAccessReview("namespaces", "list", "malin"), + makeSubjectAccessReview("namespaces", "watch", "malin"), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. 
+ }, { + Name: "deployment update due to container count", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeReceiveAdapterWithDifferentContainerCount(t), + }, + Key: testNS + "/" + sourceName, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeploymentUnavailable, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + 
rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantUpdates: []clientgotesting.UpdateActionImpl{{ + Object: makeReceiveAdapter(t), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "valid with broker sink", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: brokerDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewBroker(sinkName, testNS, + rttestingv1.WithInitBrokerConditions, + rttestingv1.WithBrokerAddressURI(apis.HTTP(sinkDNS)), + ), + makeAvailableReceiveAdapter(t), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: brokerDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeployed, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + 
rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, { Name: "OIDC: creates OIDC service account", Ctx: feature.ToContext(context.Background(), feature.Flags{ diff --git a/pkg/reconciler/broker/trigger/trigger.go b/pkg/reconciler/broker/trigger/trigger.go index 368d7aee581..db1ebd33c98 100644 --- a/pkg/reconciler/broker/trigger/trigger.go +++ b/pkg/reconciler/broker/trigger/trigger.go @@ -143,7 +143,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, t *eventingv1.Trigger) p return err } - if err = auth.OIDCAuthStatusUtility(ctx, t.Status.Auth, r.serviceAccountLister, r.kubeclient, eventingv1.SchemeGroupVersion.WithKind("Trigger"), t.ObjectMeta, &t.Status); err != nil { + if err = auth.OIDCAuthStatusUtility(ctx, r.serviceAccountLister, r.kubeclient, eventingv1.SchemeGroupVersion.WithKind("Trigger"), t.ObjectMeta, &t.Status); err != nil { return err } 
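Review bot: With `t.Status.Auth` dropped from the `auth.OIDCAuthStatusUtility` call in the trigger `ReconcileKind`, nothing visible in this hunk writes the Trigger's `Status.Auth` any more. The helper as introduced in patch 01 only reassigned its own copy of the pointer (`authStatus = &duckv1.AuthStatus{...}` and `authStatus = nil`), so the caller's status was never updated. The helper's new body is outside this hunk, so please confirm it now sets the service account name through the `&t.Status` marker and clears it when the feature is disabled. Otherwise a resource can be marked as having its OIDC identity created while its status carries no identity, or keeps a stale one after OIDC is switched off. A table test with `feature.OIDCAuthentication` enabled that asserts the service account name in status, plus one with the flag off, would pin this down. The same applies to the identical call changes in `pingsource.go`, `sinkbinding/controller.go` and `subscription.go`; each enclosing reconcile function starts and ends outside its hunk.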
diff --git a/pkg/reconciler/pingsource/pingsource.go b/pkg/reconciler/pingsource/pingsource.go
index 076207d91d3..aed0b908c66 100644
--- a/pkg/reconciler/pingsource/pingsource.go
+++ b/pkg/reconciler/pingsource/pingsource.go
@@ -105,7 +105,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *sourcesv1.PingSo
 }
 // OIDC authentication
- if err := auth.OIDCAuthStatusUtility(ctx, source.Status.Auth, r.serviceAccountLister, r.kubeClientSet, sourcesv1.SchemeGroupVersion.WithKind("PingSource"), source.ObjectMeta, &source.Status); err != nil {
+ if err := auth.OIDCAuthStatusUtility(ctx, r.serviceAccountLister, r.kubeClientSet, sourcesv1.SchemeGroupVersion.WithKind("PingSource"), source.ObjectMeta, &source.Status); err != nil {
 return err
 }
diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go
index 0a54b8cb642..0790dce984d 100644
--- a/pkg/reconciler/sinkbinding/controller.go
+++ b/pkg/reconciler/sinkbinding/controller.go
@@ -186,7 +186,7 @@ func (s *SinkBindingSubResourcesReconciler) Reconcile(ctx context.Context, b psb
 Name: sb.Spec.Sink.Ref.Name,
 }, b)
 }
- if err := auth.OIDCAuthStatusUtility(ctx, sb.Status.Auth, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta, &sb.Status); err != nil {
+ if err := auth.OIDCAuthStatusUtility(ctx, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta, &sb.Status); err != nil {
 return err
 }
diff --git a/pkg/reconciler/subscription/subscription.go b/pkg/reconciler/subscription/subscription.go
index f9026b14f48..85fe9f22937 100644
--- a/pkg/reconciler/subscription/subscription.go
+++ b/pkg/reconciler/subscription/subscription.go
@@ -92,7 +92,7 @@ var _ subscriptionreconciler.Finalizer = (*Reconciler)(nil)
 // ReconcileKind implements Interface.ReconcileKind.
 func (r *Reconciler) ReconcileKind(ctx context.Context, subscription *v1.Subscription) pkgreconciler.Event {
 // OIDC authentication
- if err := auth.OIDCAuthStatusUtility(ctx, subscription.Status.Auth, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Subscription"), subscription.ObjectMeta, &subscription.Status); err != nil {
+ if err := auth.OIDCAuthStatusUtility(ctx, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Subscription"), subscription.ObjectMeta, &subscription.Status); err != nil {
 return err
 }
From a7628df22e207ab4de5ad7f7daccb95530042263 Mon Sep 17 00:00:00 2001
From: pingjiang
Date: Tue, 31 Oct 2023 10:25:54 +0800
Subject: [PATCH 03/11] revert apiserversource_test file
Signed-off-by: pingjiang
---
 .../apiserversource/apiserversource_test.go | 1619 ++++++++---------
 1 file changed, 778 insertions(+), 841 deletions(-)
diff --git a/pkg/reconciler/apiserversource/apiserversource_test.go b/pkg/reconciler/apiserversource/apiserversource_test.go
index 132d639d9d8..f2101a1321e 100644
--- a/pkg/reconciler/apiserversource/apiserversource_test.go
+++ b/pkg/reconciler/apiserversource/apiserversource_test.go
@@ -98,850 +98,787 @@ const ( ) func TestReconcile(t *testing.T) { - table := TableTest{ - { - Name: "OIDC: creates OIDC service account", - Ctx: feature.ToContext(context.Background(), feature.Flags{ - feature.OIDCAuthentication: feature.Enabled, - }), - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeAvailableReceiveAdapter(t), - }, - Key: testNS + "/" + sourceName, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeployed, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceeded(), - rttestingv1.WithApiServerSourceOIDCServiceAccountName(makeApiServerSourceOIDCServiceAccount().Name), - ), - }}, - WantCreates: []runtime.Object{ - 
makeApiServerSourceOIDCServiceAccount(), - makeSubjectAccessReview("namespaces", "get", "default"), - makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), - }, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, - { - Name: "not enough permissions", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeAvailableReceiveAdapter(t), - }, - Key: testNS + "/" + sourceName, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceNoSufficientPermissions, - 
rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}),
- rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
- ),
- }},
- WantCreates: []runtime.Object{
- makeSubjectAccessReview("namespaces", "get", "default"),
- makeSubjectAccessReview("namespaces", "list", "default"),
- makeSubjectAccessReview("namespaces", "watch", "default"),
- },
- WantErr: true,
- WantEvents: []string{
- Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
- Eventf(corev1.EventTypeWarning, "InternalError", `insufficient permissions: User system:serviceaccount:testnamespace:default cannot get, list, watch resource "namespaces" in API group "" in Namespace "testnamespace"`),
- },
- WantPatches: []clientgotesting.PatchActionImpl{
- patchFinalizers(sourceName, testNS),
- },
- WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(false)},
- SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
- }, {
- Name: "valid",
- Objects: []runtime.Object{
- rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- ),
- rttestingv1.NewChannel(sinkName, testNS,
- rttestingv1.WithInitChannelConditions,
- rttestingv1.WithChannelAddress(sinkAddressable),
- ),
- makeAvailableReceiveAdapter(t),
- },
- Key: testNS + "/" + sourceName,
- WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
- Object: rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- // Status Update:
- rttestingv1.WithInitApiServerSourceConditions,
- rttestingv1.WithApiServerSourceDeployed,
- rttestingv1.WithApiServerSourceSink(sinkURI),
- rttestingv1.WithApiServerSourceSufficientPermissions,
- rttestingv1.WithApiServerSourceReferenceModeEventTypes(source),
- rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
- rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}),
- rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
- ),
- }},
- WantCreates: []runtime.Object{
- makeSubjectAccessReview("namespaces", "get", "default"),
- makeSubjectAccessReview("namespaces", "list", "default"),
- makeSubjectAccessReview("namespaces", "watch", "default"),
- },
- WantEvents: []string{
- Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
- },
- WantPatches: []clientgotesting.PatchActionImpl{
- patchFinalizers(sourceName, testNS),
- },
- WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)},
- SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
- }, {
- Name: "valid with namespace selector",
- Objects: []runtime.Object{
- rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"target": "yes"}}),
- ),
- rttestingv1.NewChannel(sinkName, testNS,
- rttestingv1.WithInitChannelConditions,
- rttestingv1.WithChannelAddress(sinkAddressable),
- ),
- makeAvailableReceiveAdapter(t),
- rttesting.NewNamespace("test-a", rttesting.WithNamespaceLabeled(map[string]string{"target": "yes"})),
- rttesting.NewNamespace("test-b", rttesting.WithNamespaceLabeled(map[string]string{"target": "yes"})),
- rttesting.NewNamespace("test-c", rttesting.WithNamespaceLabeled(map[string]string{"target": "no"})),
- },
- Key: testNS + "/" + sourceName,
- WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
- Object: rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- // Status Update:
- rttestingv1.WithInitApiServerSourceConditions,
- rttestingv1.WithApiServerSourceDeployed,
- rttestingv1.WithApiServerSourceSink(sinkURI),
- rttestingv1.WithApiServerSourceSufficientPermissions,
- rttestingv1.WithApiServerSourceReferenceModeEventTypes(source),
- rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
- rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"target": "yes"}}),
- rttestingv1.WithApiServerSourceStatusNamespaces([]string{"test-a", "test-b"}),
- rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
- ),
- }},
- WantCreates: []runtime.Object{
- makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-a"),
- makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-a"),
- makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-a"),
- makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-b"),
- makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-b"),
- makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-b"),
- },
- WantUpdates: []clientgotesting.UpdateActionImpl{{
- Object: makeAvailableReceiveAdapterWithNamespaces(t, []string{"test-a", "test-b"}, false),
- }},
- WantEvents: []string{
- Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
- Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`),
- },
- WantPatches: []clientgotesting.PatchActionImpl{
- patchFinalizers(sourceName, testNS),
- },
- WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)},
- SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
- }, {
- Name: "valid with an empty namespace selector",
- Objects: []runtime.Object{
- rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{}),
- ),
- rttestingv1.NewChannel(sinkName, testNS,
- rttestingv1.WithInitChannelConditions,
- rttestingv1.WithChannelAddress(sinkAddressable),
- ),
- makeAvailableReceiveAdapter(t),
- rttesting.NewNamespace("test-a"),
- rttesting.NewNamespace("test-b"),
- rttesting.NewNamespace("test-c"),
- },
- Key: testNS + "/" + sourceName,
- WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
- Object: rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- // Status Update:
- rttestingv1.WithInitApiServerSourceConditions,
- rttestingv1.WithApiServerSourceDeployed,
- rttestingv1.WithApiServerSourceSink(sinkURI),
- rttestingv1.WithApiServerSourceSufficientPermissions,
- rttestingv1.WithApiServerSourceReferenceModeEventTypes(source),
- rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
- rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{}),
- rttestingv1.WithApiServerSourceStatusNamespaces([]string{"test-a", "test-b", "test-c"}),
- rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
- ),
- }},
- WantCreates: []runtime.Object{
- makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-a"),
- makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-a"),
- makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-a"),
- makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-b"),
- makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-b"),
- makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-b"),
- makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-c"),
- makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-c"),
- makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-c"),
- },
- WantUpdates: []clientgotesting.UpdateActionImpl{{
- Object: makeAvailableReceiveAdapterWithNamespaces(t, []string{"test-a", "test-b", "test-c"}, true),
- }},
- WantEvents: []string{
- Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
- Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`),
- },
- WantPatches: []clientgotesting.PatchActionImpl{
- patchFinalizers(sourceName, testNS),
- },
- WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)},
- SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
- }, {
- Name: "valid with eventmode of resourcemode",
- Objects: []runtime.Object{
- rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- EventMode: sourcesv1.ResourceMode,
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- ),
- rttestingv1.NewChannel(sinkName, testNS,
- rttestingv1.WithInitChannelConditions,
- rttestingv1.WithChannelAddress(sinkAddressable),
- ),
- makeAvailableReceiveAdapterWithEventMode(t, sourcesv1.ResourceMode),
- },
- Key: testNS + "/" + sourceName,
- WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
- Object: rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- EventMode: sourcesv1.ResourceMode,
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- // Status Update:
- rttestingv1.WithInitApiServerSourceConditions,
- rttestingv1.WithApiServerSourceDeployed,
- rttestingv1.WithApiServerSourceSink(sinkURI),
- rttestingv1.WithApiServerSourceSufficientPermissions,
- rttestingv1.WithApiServerSourceResourceModeEventTypes(source),
- rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
- rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}),
- rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
- ),
- }},
- WantCreates: []runtime.Object{
- makeSubjectAccessReview("namespaces", "get", "default"),
- makeSubjectAccessReview("namespaces", "list", "default"),
- makeSubjectAccessReview("namespaces", "watch", "default"),
- },
- WantEvents: []string{
- Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
- },
- WantPatches: []clientgotesting.PatchActionImpl{
- patchFinalizers(sourceName, testNS),
- },
- WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)},
- SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
- }, {
- Name: "valid with sink URI",
- Objects: []runtime.Object{
- rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- ),
- rttestingv1.NewChannel(sinkName, testNS,
- rttestingv1.WithInitChannelConditions,
- rttestingv1.WithChannelAddress(sinkAddressable),
- ),
- makeAvailableReceiveAdapter(t),
- },
- Key: testNS + "/" + sourceName,
- WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
- Object: rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- // Status Update:
- rttestingv1.WithInitApiServerSourceConditions,
- rttestingv1.WithApiServerSourceDeployed,
- rttestingv1.WithApiServerSourceSink(sinkURI),
- rttestingv1.WithApiServerSourceSufficientPermissions,
- rttestingv1.WithApiServerSourceReferenceModeEventTypes(source),
- rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
- rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}),
- rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
- ),
- }},
- WantCreates: []runtime.Object{
- makeSubjectAccessReview("namespaces", "get", "default"),
- makeSubjectAccessReview("namespaces", "list", "default"),
- makeSubjectAccessReview("namespaces", "watch", "default"),
- },
- WantEvents: []string{
- Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
- },
- WantPatches: []clientgotesting.PatchActionImpl{
- patchFinalizers(sourceName, testNS),
- },
- WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)},
- SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
- }, {
- Name: "missing sink",
- Objects: []runtime.Object{
- rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- ),
- },
- Key: testNS + "/" + sourceName,
- WantEvents: []string{
- Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
- Eventf(corev1.EventTypeWarning, "SinkNotFound",
- `Sink not found: {"ref":{"kind":"Channel","namespace":"testnamespace","name":"testsink","apiVersion":"messaging.knative.dev/v1"}}`),
- },
- WantPatches: []clientgotesting.PatchActionImpl{
- patchFinalizers(sourceName, testNS),
- },
- WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
- Object: rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- // Status Update:
- rttestingv1.WithInitApiServerSourceConditions,
- rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
- rttestingv1.WithApiServerSourceSinkNotFound,
- rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
- ),
- }},
- WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)},
- SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
- }, {
- Name: "receive adapter does not exist, fails to create",
- Objects: []runtime.Object{
- rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- ),
- rttestingv1.NewChannel(sinkName, testNS,
- rttestingv1.WithInitChannelConditions,
- rttestingv1.WithChannelAddress(sinkAddressable),
- ),
- },
- Key: testNS + "/" + sourceName,
- WantErr: true,
- WantEvents: []string{
- Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
- Eventf(corev1.EventTypeNormal, apiserversourceDeploymentCreated,
- "Deployment created, error:inducing failure for create deployments"),
- Eventf(corev1.EventTypeWarning, "InternalError",
- "inducing failure for create deployments"),
- },
- WantPatches: []clientgotesting.PatchActionImpl{
- patchFinalizers(sourceName, testNS),
- },
- WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
- Object: rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- // Status Update:
- rttestingv1.WithInitApiServerSourceConditions,
- rttestingv1.WithApiServerSourceSink(sinkURI),
- rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
- rttestingv1.WithApiServerSourceSufficientPermissions,
- rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}),
- rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
- ),
- }},
- WantCreates: []runtime.Object{
- makeSubjectAccessReview("namespaces", "get", "default"),
- makeSubjectAccessReview("namespaces", "list", "default"),
- makeSubjectAccessReview("namespaces", "watch", "default"),
- makeReceiveAdapter(t),
- },
- WithReactors: []clientgotesting.ReactionFunc{
- subjectAccessReviewCreateReactor(true),
- InduceFailure("create", "Deployments"),
- },
- SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
-
- }, {
- Name: "valid with relative uri reference",
- Objects: []runtime.Object{
- rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{
- Sink: duckv1.Destination{
- Ref: sinkDest.Ref,
- URI: &apis.URL{Path: sinkURIReference},
- },
- },
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- ),
- rttestingv1.NewChannel(sinkName, testNS,
- rttestingv1.WithInitChannelConditions,
- rttestingv1.WithChannelAddress(sinkAddressable),
- ),
- makeAvailableReceiveAdapterWithTargetURI(t),
- },
- Key: testNS + "/" + sourceName,
- WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
- Object: rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{
- Sink: duckv1.Destination{
- Ref: sinkDest.Ref,
- URI: &apis.URL{Path: sinkURIReference},
- },
- },
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- // Status Update:
- rttestingv1.WithInitApiServerSourceConditions,
- rttestingv1.WithApiServerSourceDeployed,
- rttestingv1.WithApiServerSourceSink(sinkTargetURI),
- rttestingv1.WithApiServerSourceSufficientPermissions,
- rttestingv1.WithApiServerSourceReferenceModeEventTypes(source),
- rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
- rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}),
- rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
- ),
- }},
- WantCreates: []runtime.Object{
- makeSubjectAccessReview("namespaces", "get", "default"),
- makeSubjectAccessReview("namespaces", "list", "default"),
- makeSubjectAccessReview("namespaces", "watch", "default"),
- },
- WantEvents: []string{
- Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
- },
- WantPatches: []clientgotesting.PatchActionImpl{
- patchFinalizers(sourceName, testNS),
- },
- WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)},
- SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
- }, {
- Name: "deployment update due to env",
- Objects: []runtime.Object{
- rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- ),
- rttestingv1.NewChannel(sinkName, testNS,
- rttestingv1.WithInitChannelConditions,
- rttestingv1.WithChannelAddress(sinkAddressable),
- ),
- makeReceiveAdapterWithDifferentEnv(t),
- },
- Key: testNS + "/" + sourceName,
- WantEvents: []string{
- Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
- Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`),
- },
- WantPatches: []clientgotesting.PatchActionImpl{
- patchFinalizers(sourceName, testNS),
- },
- WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
- Object: rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
- }),
- rttestingv1.WithApiServerSourceUID(sourceUID),
- rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
- // Status Update:
- rttestingv1.WithInitApiServerSourceConditions,
- rttestingv1.WithApiServerSourceSink(sinkURI),
- rttestingv1.WithApiServerSourceSufficientPermissions,
- rttestingv1.WithApiServerSourceReferenceModeEventTypes(source),
- rttestingv1.WithApiServerSourceDeploymentUnavailable,
- rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
- rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}),
- rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
- ),
- }},
- WantUpdates: []clientgotesting.UpdateActionImpl{{
- Object: makeReceiveAdapter(t),
- }},
- WantCreates: []runtime.Object{
- makeSubjectAccessReview("namespaces", "get", "default"),
- makeSubjectAccessReview("namespaces", "list", "default"),
- makeSubjectAccessReview("namespaces", "watch", "default"),
- },
- WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)},
- SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
- }, {
- Name: "deployment update due to service account",
- Objects: []runtime.Object{
- rttestingv1.NewApiServerSource(sourceName, testNS,
- rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
- Resources: []sourcesv1.APIVersionKindSelector{{
- APIVersion: "v1",
- Kind: "Namespace",
- }},
- SourceSpec: duckv1.SourceSpec{
- Sink: sinkDest,
+ table := TableTest{{
+ Name: "not enough permissions",
+ Objects: []runtime.Object{
+ rttestingv1.NewApiServerSource(sourceName, testNS,
+ rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
+ Resources: []sourcesv1.APIVersionKindSelector{{
+ APIVersion: "v1",
+ Kind: "Namespace",
+ }},
+ SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
+ }),
+ rttestingv1.WithApiServerSourceUID(sourceUID),
+ rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
+ ),
+ rttestingv1.NewChannel(sinkName, testNS,
+ rttestingv1.WithInitChannelConditions,
+ rttestingv1.WithChannelAddress(sinkAddressable),
+ ),
+ makeAvailableReceiveAdapter(t),
+ },
+ Key: testNS + "/" + sourceName,
+ WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
+ Object: rttestingv1.NewApiServerSource(sourceName, testNS,
+ rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
+ Resources: []sourcesv1.APIVersionKindSelector{{
+ APIVersion: "v1",
+ Kind: "Namespace",
+ }},
+ SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
+ }),
+ rttestingv1.WithApiServerSourceUID(sourceUID),
+ rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
+ // Status Update:
+ rttestingv1.WithInitApiServerSourceConditions,
+ rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
+ rttestingv1.WithApiServerSourceSink(sinkURI),
+ rttestingv1.WithApiServerSourceNoSufficientPermissions,
+ rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}),
+ rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
+ ),
+ }},
+ WantCreates: []runtime.Object{
+ makeSubjectAccessReview("namespaces", "get", "default"),
+ makeSubjectAccessReview("namespaces", "list", "default"),
+ makeSubjectAccessReview("namespaces", "watch", "default"),
+ },
+ WantErr: true,
+ WantEvents: []string{
+ Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
+ Eventf(corev1.EventTypeWarning, "InternalError", `insufficient permissions: User system:serviceaccount:testnamespace:default cannot get, list, watch resource "namespaces" in API group "" in Namespace "testnamespace"`),
+ },
+ WantPatches: []clientgotesting.PatchActionImpl{
+ patchFinalizers(sourceName, testNS),
+ },
+ WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(false)},
+ SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
+ }, {
+ Name: "valid",
+ Objects: []runtime.Object{
+ rttestingv1.NewApiServerSource(sourceName, testNS,
+ rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
+ Resources: []sourcesv1.APIVersionKindSelector{{
+ APIVersion: "v1",
+ Kind: "Namespace",
+ }},
+ SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
+ }),
+ rttestingv1.WithApiServerSourceUID(sourceUID),
+ rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
+ ),
+ rttestingv1.NewChannel(sinkName, testNS,
+ rttestingv1.WithInitChannelConditions,
+ rttestingv1.WithChannelAddress(sinkAddressable),
+ ),
+ makeAvailableReceiveAdapter(t),
+ },
+ Key: testNS + "/" + sourceName,
+ WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
+ Object: rttestingv1.NewApiServerSource(sourceName, testNS,
+ rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
+ Resources: []sourcesv1.APIVersionKindSelector{{
+ APIVersion: "v1",
+ Kind: "Namespace",
+ }},
+ SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
+ }),
+ rttestingv1.WithApiServerSourceUID(sourceUID),
+ rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
+ // Status Update:
+ rttestingv1.WithInitApiServerSourceConditions,
+ rttestingv1.WithApiServerSourceDeployed,
+ rttestingv1.WithApiServerSourceSink(sinkURI),
+ rttestingv1.WithApiServerSourceSufficientPermissions,
+ rttestingv1.WithApiServerSourceReferenceModeEventTypes(source),
+ rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
+ rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}),
+ rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
+ ),
+ }},
+ WantCreates: []runtime.Object{
+ makeSubjectAccessReview("namespaces", "get", "default"),
+ makeSubjectAccessReview("namespaces", "list", "default"),
+ makeSubjectAccessReview("namespaces", "watch", "default"),
+ },
+ WantEvents: []string{
+ Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
+ },
+ WantPatches: []clientgotesting.PatchActionImpl{
+ patchFinalizers(sourceName, testNS),
+ },
+ WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)},
+ SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
+ }, {
+ Name: "valid with namespace selector",
+ Objects: []runtime.Object{
+ rttestingv1.NewApiServerSource(sourceName, testNS,
+ rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
+ Resources: []sourcesv1.APIVersionKindSelector{{
+ APIVersion: "v1",
+ Kind: "Namespace",
+ }},
+ SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
+ }),
+ rttestingv1.WithApiServerSourceUID(sourceUID),
+ rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
+ rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"target": "yes"}}),
+ ),
+ rttestingv1.NewChannel(sinkName, testNS,
+ rttestingv1.WithInitChannelConditions,
+ rttestingv1.WithChannelAddress(sinkAddressable),
+ ),
+ makeAvailableReceiveAdapter(t),
+ rttesting.NewNamespace("test-a", rttesting.WithNamespaceLabeled(map[string]string{"target": "yes"})),
+ rttesting.NewNamespace("test-b", rttesting.WithNamespaceLabeled(map[string]string{"target": "yes"})),
+ rttesting.NewNamespace("test-c", rttesting.WithNamespaceLabeled(map[string]string{"target": "no"})),
+ },
+ Key: testNS + "/" + sourceName,
+ WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
+ Object: rttestingv1.NewApiServerSource(sourceName, testNS,
+ rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
+ Resources: []sourcesv1.APIVersionKindSelector{{
+ APIVersion: "v1",
+ Kind: "Namespace",
+ }},
+ SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
+ }),
+ rttestingv1.WithApiServerSourceUID(sourceUID),
+ rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
+ // Status Update:
+ rttestingv1.WithInitApiServerSourceConditions,
+ rttestingv1.WithApiServerSourceDeployed,
+ rttestingv1.WithApiServerSourceSink(sinkURI),
+ rttestingv1.WithApiServerSourceSufficientPermissions,
+ rttestingv1.WithApiServerSourceReferenceModeEventTypes(source),
+ rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
+ rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{MatchLabels: map[string]string{"target": "yes"}}),
+ rttestingv1.WithApiServerSourceStatusNamespaces([]string{"test-a", "test-b"}),
+ rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
+ ),
+ }},
+ WantCreates: []runtime.Object{
+ makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-a"),
+ makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-a"),
+ makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-a"),
+ makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-b"),
+ makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-b"),
+ makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-b"),
+ },
+ WantUpdates: []clientgotesting.UpdateActionImpl{{
+ Object: makeAvailableReceiveAdapterWithNamespaces(t, []string{"test-a", "test-b"}, false),
+ }},
+ WantEvents: []string{
+ Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
+ Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`),
+ },
+ WantPatches: []clientgotesting.PatchActionImpl{
+ patchFinalizers(sourceName, testNS),
+ },
+ WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)},
+ SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
+ }, {
+ Name: "valid with an empty namespace selector",
+ Objects: []runtime.Object{
+ rttestingv1.NewApiServerSource(sourceName, testNS,
+ rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
+ Resources: []sourcesv1.APIVersionKindSelector{{
+ APIVersion: "v1",
+ Kind: "Namespace",
+ }},
+ SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
+ }),
+ rttestingv1.WithApiServerSourceUID(sourceUID),
+ rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
+ rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{}),
+ ),
+ rttestingv1.NewChannel(sinkName, testNS,
+ rttestingv1.WithInitChannelConditions,
+ rttestingv1.WithChannelAddress(sinkAddressable),
+ ),
+ makeAvailableReceiveAdapter(t),
+ rttesting.NewNamespace("test-a"),
+ rttesting.NewNamespace("test-b"),
+ rttesting.NewNamespace("test-c"),
+ },
+ Key: testNS + "/" + sourceName,
+ WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
+ Object: rttestingv1.NewApiServerSource(sourceName, testNS,
+ rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
+ Resources: []sourcesv1.APIVersionKindSelector{{
+ APIVersion: "v1",
+ Kind: "Namespace",
+ }},
+ SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
+ }),
+ rttestingv1.WithApiServerSourceUID(sourceUID),
+ rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
+ // Status Update:
+ rttestingv1.WithInitApiServerSourceConditions,
+ rttestingv1.WithApiServerSourceDeployed,
+ rttestingv1.WithApiServerSourceSink(sinkURI),
+ rttestingv1.WithApiServerSourceSufficientPermissions,
+ rttestingv1.WithApiServerSourceReferenceModeEventTypes(source),
+ rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
+ rttestingv1.WithApiServerSourceNamespaceSelector(metav1.LabelSelector{}),
+ rttestingv1.WithApiServerSourceStatusNamespaces([]string{"test-a", "test-b", "test-c"}),
+ rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
+ ),
+ }},
+ WantCreates: []runtime.Object{
+ makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-a"),
+ makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-a"),
+ makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-a"),
+ makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-b"),
+ makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-b"),
+ makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-b"),
+ makeNamespacedSubjectAccessReview("namespaces", "get", "default", "test-c"),
+ makeNamespacedSubjectAccessReview("namespaces", "list", "default", "test-c"),
+ makeNamespacedSubjectAccessReview("namespaces", "watch", "default", "test-c"),
+ },
+ WantUpdates: []clientgotesting.UpdateActionImpl{{
+ Object: makeAvailableReceiveAdapterWithNamespaces(t, []string{"test-a", "test-b", "test-c"}, true),
+ }},
+ WantEvents: []string{
+ Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName),
+ Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`),
+ },
+ WantPatches: []clientgotesting.PatchActionImpl{
+ patchFinalizers(sourceName, testNS),
+ },
+ WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)},
+ SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped.
+ }, {
+ Name: "valid with eventmode of resourcemode",
+ Objects: []runtime.Object{
+ rttestingv1.NewApiServerSource(sourceName, testNS,
+ rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
+ Resources: []sourcesv1.APIVersionKindSelector{{
+ APIVersion: "v1",
+ Kind: "Namespace",
+ }},
+ EventMode: sourcesv1.ResourceMode,
+ SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
+ }),
+ rttestingv1.WithApiServerSourceUID(sourceUID),
+ rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
+ ),
+ rttestingv1.NewChannel(sinkName, testNS,
+ rttestingv1.WithInitChannelConditions,
+ rttestingv1.WithChannelAddress(sinkAddressable),
+ ),
+ makeAvailableReceiveAdapterWithEventMode(t, sourcesv1.ResourceMode),
+ },
+ Key: testNS + "/" + sourceName,
+ WantStatusUpdates: []clientgotesting.UpdateActionImpl{{
+ Object: rttestingv1.NewApiServerSource(sourceName, testNS,
+ rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{
+ Resources: []sourcesv1.APIVersionKindSelector{{
+ APIVersion: "v1",
+ Kind: "Namespace",
+ }},
+ EventMode: sourcesv1.ResourceMode,
+ SourceSpec: duckv1.SourceSpec{Sink: sinkDest},
+ }),
+ rttestingv1.WithApiServerSourceUID(sourceUID),
+ rttestingv1.WithApiServerSourceObjectMetaGeneration(generation),
+ // Status Update:
+ rttestingv1.WithInitApiServerSourceConditions,
+ rttestingv1.WithApiServerSourceDeployed,
+ rttestingv1.WithApiServerSourceSink(sinkURI),
+ rttestingv1.WithApiServerSourceSufficientPermissions,
+ rttestingv1.WithApiServerSourceResourceModeEventTypes(source),
+ rttestingv1.WithApiServerSourceStatusObservedGeneration(generation),
+ rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}),
+ rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(),
+ ),
+ }},
+ WantCreates: []runtime.Object{
+ makeSubjectAccessReview("namespaces", "get", "default"),
+ makeSubjectAccessReview("namespaces", "list", "default"),
+ makeSubjectAccessReview("namespaces", "watch", "default"),
+ },
+ WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "valid with sink URI", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeAvailableReceiveAdapter(t), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeployed, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + 
rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "missing sink", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + }, + Key: testNS + "/" + sourceName, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeWarning, "SinkNotFound", + `Sink not found: {"ref":{"kind":"Channel","namespace":"testnamespace","name":"testsink","apiVersion":"messaging.knative.dev/v1"}}`), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + 
rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceSinkNotFound, + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "receive adapter does not exist, fails to create", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + }, + Key: testNS + "/" + sourceName, + WantErr: true, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeNormal, apiserversourceDeploymentCreated, + "Deployment created, error:inducing failure for create deployments"), + Eventf(corev1.EventTypeWarning, "InternalError", + "inducing failure for create deployments"), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + 
}), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + makeReceiveAdapter(t), + }, + WithReactors: []clientgotesting.ReactionFunc{ + subjectAccessReviewCreateReactor(true), + InduceFailure("create", "Deployments"), + }, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + + }, { + Name: "valid with relative uri reference", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{ + Sink: duckv1.Destination{ + Ref: sinkDest.Ref, + URI: &apis.URL{Path: sinkURIReference}, }, - ServiceAccountName: "malin", - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeReceiveAdapterWithDifferentServiceAccount(t, "morgan"), - }, - Key: testNS + "/" + sourceName, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - Eventf(corev1.EventTypeNormal, 
"ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{ - Sink: sinkDest, + }, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeAvailableReceiveAdapterWithTargetURI(t), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{ + Sink: duckv1.Destination{ + Ref: sinkDest.Ref, + URI: &apis.URL{Path: sinkURIReference}, }, - ServiceAccountName: "malin", - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeploymentUnavailable, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, 
- WantUpdates: []clientgotesting.UpdateActionImpl{{ - Object: makeReceiveAdapterWithDifferentServiceAccount(t, "malin"), - }}, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "malin"), - makeSubjectAccessReview("namespaces", "list", "malin"), - makeSubjectAccessReview("namespaces", "watch", "malin"), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. - }, { - Name: "deployment update due to container count", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewChannel(sinkName, testNS, - rttestingv1.WithInitChannelConditions, - rttestingv1.WithChannelAddress(sinkAddressable), - ), - makeReceiveAdapterWithDifferentContainerCount(t), - }, - Key: testNS + "/" + sourceName, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - 
rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeploymentUnavailable, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantUpdates: []clientgotesting.UpdateActionImpl{{ - Object: makeReceiveAdapter(t), - }}, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "default"), - makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. 
- }, { - Name: "valid with broker sink", - Objects: []runtime.Object{ - rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: brokerDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - ), - rttestingv1.NewBroker(sinkName, testNS, - rttestingv1.WithInitBrokerConditions, - rttestingv1.WithBrokerAddressURI(apis.HTTP(sinkDNS)), - ), - makeAvailableReceiveAdapter(t), - }, - Key: testNS + "/" + sourceName, - WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ - Object: rttestingv1.NewApiServerSource(sourceName, testNS, - rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ - Resources: []sourcesv1.APIVersionKindSelector{{ - APIVersion: "v1", - Kind: "Namespace", - }}, - SourceSpec: duckv1.SourceSpec{Sink: brokerDest}, - }), - rttestingv1.WithApiServerSourceUID(sourceUID), - rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), - // Status Update: - rttestingv1.WithInitApiServerSourceConditions, - rttestingv1.WithApiServerSourceDeployed, - rttestingv1.WithApiServerSourceSink(sinkURI), - rttestingv1.WithApiServerSourceSufficientPermissions, - rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), - rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), - rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), - rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), - ), - }}, - WantEvents: []string{ - Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), - }, - WantPatches: []clientgotesting.PatchActionImpl{ - patchFinalizers(sourceName, testNS), - }, - WantCreates: []runtime.Object{ - makeSubjectAccessReview("namespaces", "get", "default"), - 
makeSubjectAccessReview("namespaces", "list", "default"), - makeSubjectAccessReview("namespaces", "watch", "default"), - }, - WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, - SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeployed, + rttestingv1.WithApiServerSourceSink(sinkTargetURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. 
+ }, { + Name: "deployment update due to env", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeReceiveAdapterWithDifferentEnv(t), }, + Key: testNS + "/" + sourceName, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceDeploymentUnavailable, + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + 
rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantUpdates: []clientgotesting.UpdateActionImpl{{ + Object: makeReceiveAdapter(t), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "deployment update due to service account", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{ + Sink: sinkDest, + }, + ServiceAccountName: "malin", + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeReceiveAdapterWithDifferentServiceAccount(t, "morgan"), + }, + Key: testNS + "/" + sourceName, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: 
duckv1.SourceSpec{ + Sink: sinkDest, + }, + ServiceAccountName: "malin", + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeploymentUnavailable, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantUpdates: []clientgotesting.UpdateActionImpl{{ + Object: makeReceiveAdapterWithDifferentServiceAccount(t, "malin"), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "malin"), + makeSubjectAccessReview("namespaces", "list", "malin"), + makeSubjectAccessReview("namespaces", "watch", "malin"), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. 
+ }, { + Name: "deployment update due to container count", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewChannel(sinkName, testNS, + rttestingv1.WithInitChannelConditions, + rttestingv1.WithChannelAddress(sinkAddressable), + ), + makeReceiveAdapterWithDifferentContainerCount(t), + }, + Key: testNS + "/" + sourceName, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + Eventf(corev1.EventTypeNormal, "ApiServerSourceDeploymentUpdated", `Deployment "apiserversource-test-apiserver-source-1234" updated`), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: sinkDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeploymentUnavailable, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + 
rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantUpdates: []clientgotesting.UpdateActionImpl{{ + Object: makeReceiveAdapter(t), + }}, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { + Name: "valid with broker sink", + Objects: []runtime.Object{ + rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: brokerDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + ), + rttestingv1.NewBroker(sinkName, testNS, + rttestingv1.WithInitBrokerConditions, + rttestingv1.WithBrokerAddressURI(apis.HTTP(sinkDNS)), + ), + makeAvailableReceiveAdapter(t), + }, + Key: testNS + "/" + sourceName, + WantStatusUpdates: []clientgotesting.UpdateActionImpl{{ + Object: rttestingv1.NewApiServerSource(sourceName, testNS, + rttestingv1.WithApiServerSourceSpec(sourcesv1.ApiServerSourceSpec{ + Resources: []sourcesv1.APIVersionKindSelector{{ + APIVersion: "v1", + Kind: "Namespace", + }}, + SourceSpec: duckv1.SourceSpec{Sink: brokerDest}, + }), + rttestingv1.WithApiServerSourceUID(sourceUID), + rttestingv1.WithApiServerSourceObjectMetaGeneration(generation), + // Status Update: + rttestingv1.WithInitApiServerSourceConditions, + rttestingv1.WithApiServerSourceDeployed, + rttestingv1.WithApiServerSourceSink(sinkURI), + rttestingv1.WithApiServerSourceSufficientPermissions, + 
rttestingv1.WithApiServerSourceReferenceModeEventTypes(source), + rttestingv1.WithApiServerSourceStatusObservedGeneration(generation), + rttestingv1.WithApiServerSourceStatusNamespaces([]string{testNS}), + rttestingv1.WithApiServerSourceOIDCIdentityCreatedSucceededBecauseOIDCFeatureDisabled(), + ), + }}, + WantEvents: []string{ + Eventf(corev1.EventTypeNormal, "FinalizerUpdate", "Updated %q finalizers", sourceName), + }, + WantPatches: []clientgotesting.PatchActionImpl{ + patchFinalizers(sourceName, testNS), + }, + WantCreates: []runtime.Object{ + makeSubjectAccessReview("namespaces", "get", "default"), + makeSubjectAccessReview("namespaces", "list", "default"), + makeSubjectAccessReview("namespaces", "watch", "default"), + }, + WithReactors: []clientgotesting.ReactionFunc{subjectAccessReviewCreateReactor(true)}, + SkipNamespaceValidation: true, // SubjectAccessReview objects are cluster-scoped. + }, { Name: "OIDC: creates OIDC service account", Ctx: feature.ToContext(context.Background(), feature.Flags{ From 504bca7a934b65ff2a70eaa527fedbb6deeef499 Mon Sep 17 00:00:00 2001 From: pingjiang Date: Thu, 16 Nov 2023 17:58:55 +0800 Subject: [PATCH 04/11] fix after rewiews Signed-off-by: pingjiang --- pkg/apis/eventing/v1/trigger_lifecycle.go | 4 ---- pkg/apis/messaging/v1/subscription_lifecycle.go | 5 ----- pkg/apis/sources/v1/apiserver_lifecycle.go | 4 ---- pkg/apis/sources/v1/ping_lifecycle.go | 4 ---- pkg/apis/sources/v1/sinkbinding_lifecycle.go | 4 ---- pkg/auth/serviceaccount.go | 15 +++++++-------- pkg/reconciler/apiserversource/apiserversource.go | 6 +++++- pkg/reconciler/broker/trigger/trigger.go | 5 ++++- pkg/reconciler/pingsource/pingsource.go | 6 +++++- pkg/reconciler/sinkbinding/controller.go | 7 ++++++- pkg/reconciler/subscription/subscription.go | 5 ++++- 11 files changed, 31 insertions(+), 34 deletions(-) diff --git a/pkg/apis/eventing/v1/trigger_lifecycle.go b/pkg/apis/eventing/v1/trigger_lifecycle.go index 3ac1949b74f..110d05b18d7 100644 
--- a/pkg/apis/eventing/v1/trigger_lifecycle.go +++ b/pkg/apis/eventing/v1/trigger_lifecycle.go @@ -226,7 +226,3 @@ func (ts *TriggerStatus) MarkOIDCIdentityCreatedNotSupported() { // in case the OIDC feature is not supported, we mark the condition as true, to not mark the Trigger unready. triggerCondSet.Manage(ts).MarkTrueWithReason(TriggerConditionOIDCIdentityCreated, fmt.Sprintf("%s feature not yet supported for this Broker class", feature.OIDCAuthentication), "") } - -func (ts *TriggerStatus) MarkStatus(authStatus *duckv1.AuthStatus) { - ts.Auth = authStatus -} diff --git a/pkg/apis/messaging/v1/subscription_lifecycle.go b/pkg/apis/messaging/v1/subscription_lifecycle.go index 3476057c156..b6be048fe9c 100644 --- a/pkg/apis/messaging/v1/subscription_lifecycle.go +++ b/pkg/apis/messaging/v1/subscription_lifecycle.go @@ -18,7 +18,6 @@ package v1 import ( "knative.dev/pkg/apis" - duckv1 "knative.dev/pkg/apis/duck/v1" ) // SubCondSet is a condition set with Ready as the happy condition and @@ -132,7 +131,3 @@ func (ss *SubscriptionStatus) MarkOIDCIdentityCreatedFailed(reason, messageForma func (ss *SubscriptionStatus) MarkOIDCIdentityCreatedUnknown(reason, messageFormat string, messageA ...interface{}) { SubCondSet.Manage(ss).MarkUnknown(SubscriptionConditionOIDCIdentityCreated, reason, messageFormat, messageA...) } - -func (ss *SubscriptionStatus) MarkStatus(authStatus *duckv1.AuthStatus) { - ss.Auth = authStatus -} diff --git a/pkg/apis/sources/v1/apiserver_lifecycle.go b/pkg/apis/sources/v1/apiserver_lifecycle.go index c7807b2d357..70d0f767493 100644 --- a/pkg/apis/sources/v1/apiserver_lifecycle.go +++ b/pkg/apis/sources/v1/apiserver_lifecycle.go 
@@ -146,7 +146,3 @@ func (s *ApiServerSourceStatus) MarkOIDCIdentityCreatedFailed(reason, messageFor func (s *ApiServerSourceStatus) MarkOIDCIdentityCreatedUnknown(reason, messageFormat string, messageA ...interface{}) { apiserverCondSet.Manage(s).MarkUnknown(ApiServerConditionOIDCIdentityCreated, reason, messageFormat, messageA...) } - -func (s *ApiServerSourceStatus) MarkStatus(authStatus *duckv1.AuthStatus) { - s.Auth = authStatus -} diff --git a/pkg/apis/sources/v1/ping_lifecycle.go b/pkg/apis/sources/v1/ping_lifecycle.go index 34f001fa00a..8fa7cea6fae 100644 --- a/pkg/apis/sources/v1/ping_lifecycle.go +++ b/pkg/apis/sources/v1/ping_lifecycle.go @@ -142,7 +142,3 @@ func (s *PingSourceStatus) MarkOIDCIdentityCreatedFailed(reason, messageFormat s func (s *PingSourceStatus) MarkOIDCIdentityCreatedUnknown(reason, messageFormat string, messageA ...interface{}) { PingSourceCondSet.Manage(s).MarkUnknown(PingSourceConditionOIDCIdentityCreated, reason, messageFormat, messageA...) } - -func (s *PingSourceStatus) MarkStatus(authStatus *duckv1.AuthStatus) { - s.Auth = authStatus -} diff --git a/pkg/apis/sources/v1/sinkbinding_lifecycle.go b/pkg/apis/sources/v1/sinkbinding_lifecycle.go index bff10c0162e..5a8d1003554 100644 --- a/pkg/apis/sources/v1/sinkbinding_lifecycle.go +++ b/pkg/apis/sources/v1/sinkbinding_lifecycle.go @@ -112,10 +112,6 @@ func (sbs *SinkBindingStatus) MarkOIDCIdentityCreatedUnknown(reason, messageForm sbCondSet.Manage(sbs).MarkUnknown(SinkBindingConditionOIDCIdentityCreated, reason, messageFormat, messageA...) } -func (sbs *SinkBindingStatus) MarkStatus(authStatus *duckv1.AuthStatus) { - sbs.Auth = authStatus -} - // Do implements psbinding.Bindable func (sb *SinkBinding) Do(ctx context.Context, ps *duckv1.WithPod) { // First undo so that we can just unconditionally append below. diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index 8825e43aeb2..d5b46763107 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go 
@@ -98,19 +98,16 @@ func EnsureOIDCServiceAccountExistsForResource(ctx context.Context, serviceAccou return nil } -type OIDCStatusMarker interface { +type OIDCIdentityStatusMarker interface { MarkOIDCIdentityCreatedSucceeded() MarkOIDCIdentityCreatedSucceededWithReason(reason, messageFormat string, messageA ...interface{}) MarkOIDCIdentityCreatedFailed(reason, messageFormat string, messageA ...interface{}) - MarkStatus(authStatus *duckv1.AuthStatus) } -func OIDCAuthStatusUtility(ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCStatusMarker) pkgreconciler.Event { - featureFlags := feature.FromContext(ctx) - if featureFlags.IsOIDCAuthentication() { +func OIDCAuthStatusUtility(flags feature.Flags, ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCIdentityStatusMarker, setAuthStatus func(a *duckv1.AuthStatus)) pkgreconciler.Event { + if flags.IsOIDCAuthentication() { saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta) - - marker.MarkStatus(&duckv1.AuthStatus{ + setAuthStatus(&duckv1.AuthStatus{ ServiceAccountName: &saName, }) if err := EnsureOIDCServiceAccountExistsForResource(ctx, serviceAccountLister, kubeclient, gvk, objectMeta); err != nil { @@ -119,7 +116,9 @@ func OIDCAuthStatusUtility(ctx context.Context, serviceAccountLister corev1liste } marker.MarkOIDCIdentityCreatedSucceeded() } else { - marker.MarkStatus(nil) + setAuthStatus(&duckv1.AuthStatus{ + ServiceAccountName: nil, + }) marker.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") } return nil diff --git a/pkg/reconciler/apiserversource/apiserversource.go b/pkg/reconciler/apiserversource/apiserversource.go index 29685caeb0f..22a8ec78d38 100644 
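Review bot: In `OIDCAuthStatusUtility`, `setAuthStatus` writes the service account name into the resource status before `EnsureOIDCServiceAccountExistsForResource` has succeeded. On the error path the status therefore still names an identity that may not exist, or one the resource does not control if the helper rejects a pre-existing account (its body is outside these hunks). Consider moving the `setAuthStatus(&duckv1.AuthStatus{ServiceAccountName: &saName})` call after the ensure step, or calling `setAuthStatus(nil)` before the error is returned. The exported function and `OIDCIdentityStatusMarker` have no doc comments; I would add `// OIDCAuthStatusUtility ensures the OIDC service account for the resource exists when the feature is enabled and reports the outcome through marker and setAuthStatus.` and state there that `setAuthStatus` must be non-nil, since both branches call it unconditionally.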
--- a/pkg/reconciler/apiserversource/apiserversource.go +++ b/pkg/reconciler/apiserversource/apiserversource.go @@ -40,6 +40,7 @@ import ( pkgreconciler "knative.dev/pkg/reconciler" "knative.dev/pkg/resolver" + "knative.dev/eventing/pkg/apis/feature" apisources "knative.dev/eventing/pkg/apis/sources" v1 "knative.dev/eventing/pkg/apis/sources/v1" "knative.dev/eventing/pkg/auth" @@ -98,7 +99,10 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *v1.ApiServerSour } // OIDC authentication - if err := auth.OIDCAuthStatusUtility(ctx, r.serviceAccountLister, r.kubeClientSet, v1.SchemeGroupVersion.WithKind("ApiServerSource"), source.ObjectMeta, &source.Status); err != nil { + featureFlags := feature.FromContext(ctx) + if err := auth.OIDCAuthStatusUtility(featureFlags, ctx, r.serviceAccountLister, r.kubeClientSet, v1.SchemeGroupVersion.WithKind("ApiServerSource"), source.ObjectMeta, &source.Status, func(as *duckv1.AuthStatus) { + source.Status.Auth = as + }); err != nil { return err } diff --git a/pkg/reconciler/broker/trigger/trigger.go b/pkg/reconciler/broker/trigger/trigger.go index db1ebd33c98..9c7ef78ae06 100644 --- a/pkg/reconciler/broker/trigger/trigger.go +++ b/pkg/reconciler/broker/trigger/trigger.go @@ -143,7 +143,10 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, t *eventingv1.Trigger) p return err } - if err = auth.OIDCAuthStatusUtility(ctx, r.serviceAccountLister, r.kubeclient, eventingv1.SchemeGroupVersion.WithKind("Trigger"), t.ObjectMeta, &t.Status); err != nil { + featureFlags := feature.FromContext(ctx) + if err = auth.OIDCAuthStatusUtility(featureFlags, ctx, r.serviceAccountLister, r.kubeclient, eventingv1.SchemeGroupVersion.WithKind("Trigger"), t.ObjectMeta, &t.Status, func(as *duckv1.AuthStatus) { + t.Status.Auth = as + }); err != nil { return err } diff --git a/pkg/reconciler/pingsource/pingsource.go b/pkg/reconciler/pingsource/pingsource.go index aed0b908c66..4a4b8d33de7 100644 --- a/pkg/reconciler/pingsource/pingsource.go 
+++ b/pkg/reconciler/pingsource/pingsource.go @@ -43,6 +43,7 @@ import ( "knative.dev/eventing/pkg/adapter/mtping" "knative.dev/eventing/pkg/adapter/v2" + "knative.dev/eventing/pkg/apis/feature" sourcesv1 "knative.dev/eventing/pkg/apis/sources/v1" "knative.dev/eventing/pkg/auth" pingsourcereconciler "knative.dev/eventing/pkg/client/injection/reconciler/sources/v1/pingsource" @@ -105,7 +106,10 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *sourcesv1.PingSo } // OIDC authentication - if err := auth.OIDCAuthStatusUtility(ctx, r.serviceAccountLister, r.kubeClientSet, sourcesv1.SchemeGroupVersion.WithKind("PingSource"), source.ObjectMeta, &source.Status); err != nil { + featureFlags := feature.FromContext(ctx) + if err := auth.OIDCAuthStatusUtility(featureFlags, ctx, r.serviceAccountLister, r.kubeClientSet, sourcesv1.SchemeGroupVersion.WithKind("PingSource"), source.ObjectMeta, &source.Status, func(as *duckv1.AuthStatus) { + source.Status.Auth = as + }); err != nil { return err } diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go index 0790dce984d..2de8be90bc4 100644 --- a/pkg/reconciler/sinkbinding/controller.go +++ b/pkg/reconciler/sinkbinding/controller.go @@ -40,6 +40,7 @@ import ( "knative.dev/eventing/pkg/apis/feature" v1 "knative.dev/eventing/pkg/apis/sources/v1" "knative.dev/pkg/apis/duck" + duckv1 "knative.dev/pkg/apis/duck/v1" kubeclient "knative.dev/pkg/client/injection/kube/client" serviceaccountinformer "knative.dev/pkg/client/injection/kube/informers/core/v1/serviceaccount" "knative.dev/pkg/configmap" 
@@ -186,7 +187,11 @@ func (s *SinkBindingSubResourcesReconciler) Reconcile(ctx context.Context, b psb Name: sb.Spec.Sink.Ref.Name, }, b) } - if err := auth.OIDCAuthStatusUtility(ctx, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta, &sb.Status); err != nil { + + featureFlags := s.featureStore.Load() + if err := auth.OIDCAuthStatusUtility(featureFlags, ctx, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta, &sb.Status, func(as *duckv1.AuthStatus) { + sb.Status.Auth = as + }); err != nil { return err } diff --git a/pkg/reconciler/subscription/subscription.go b/pkg/reconciler/subscription/subscription.go index 85fe9f22937..5a245658ad5 100644 --- a/pkg/reconciler/subscription/subscription.go +++ b/pkg/reconciler/subscription/subscription.go @@ -92,7 +92,10 @@ var _ subscriptionreconciler.Finalizer = (*Reconciler)(nil) // ReconcileKind implements Interface.ReconcileKind. func (r *Reconciler) ReconcileKind(ctx context.Context, subscription *v1.Subscription) pkgreconciler.Event { // OIDC authentication - if err := auth.OIDCAuthStatusUtility(ctx, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Subscription"), subscription.ObjectMeta, &subscription.Status); err != nil { + featureFlags := feature.FromContext(ctx) + if err := auth.OIDCAuthStatusUtility(featureFlags, ctx, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Subscription"), subscription.ObjectMeta, &subscription.Status, func(as *duckv1.AuthStatus) { + subscription.Status.Auth = as + }); err != nil { return err } From f24b0dfef8f590e671a64af6d0943aaa3eb240e9 Mon Sep 17 00:00:00 2001 From: pingjiang Date: Thu, 16 Nov 2023 18:04:19 +0800 Subject: [PATCH 05/11] OIDCAuthStatusUtility to SetupOIDCServiceAccount 
Signed-off-by: pingjiang --- pkg/auth/serviceaccount.go | 2 +- pkg/reconciler/apiserversource/apiserversource.go | 2 +- pkg/reconciler/broker/trigger/trigger.go | 2 +- pkg/reconciler/pingsource/pingsource.go | 2 +- pkg/reconciler/sinkbinding/controller.go | 2 +- pkg/reconciler/subscription/subscription.go | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index d5b46763107..057233a1413 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go @@ -104,7 +104,7 @@ type OIDCIdentityStatusMarker interface { MarkOIDCIdentityCreatedFailed(reason, messageFormat string, messageA ...interface{}) } -func OIDCAuthStatusUtility(flags feature.Flags, ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCIdentityStatusMarker, setAuthStatus func(a *duckv1.AuthStatus)) pkgreconciler.Event { +func SetupOIDCServiceAccount(flags feature.Flags, ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCIdentityStatusMarker, setAuthStatus func(a *duckv1.AuthStatus)) pkgreconciler.Event { if flags.IsOIDCAuthentication() { saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta) setAuthStatus(&duckv1.AuthStatus{ diff --git a/pkg/reconciler/apiserversource/apiserversource.go b/pkg/reconciler/apiserversource/apiserversource.go index 22a8ec78d38..dda72669d61 100644 --- a/pkg/reconciler/apiserversource/apiserversource.go +++ b/pkg/reconciler/apiserversource/apiserversource.go 
@@ -100,7 +100,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *v1.ApiServerSour // OIDC authentication featureFlags := feature.FromContext(ctx) - if err := auth.OIDCAuthStatusUtility(featureFlags, ctx, r.serviceAccountLister, r.kubeClientSet, v1.SchemeGroupVersion.WithKind("ApiServerSource"), source.ObjectMeta, &source.Status, func(as *duckv1.AuthStatus) { + if err := auth.SetupOIDCServiceAccount(featureFlags, ctx, r.serviceAccountLister, r.kubeClientSet, v1.SchemeGroupVersion.WithKind("ApiServerSource"), source.ObjectMeta, &source.Status, func(as *duckv1.AuthStatus) { source.Status.Auth = as }); err != nil { return err diff --git a/pkg/reconciler/broker/trigger/trigger.go b/pkg/reconciler/broker/trigger/trigger.go index 9c7ef78ae06..51dc87d995a 100644 --- a/pkg/reconciler/broker/trigger/trigger.go +++ b/pkg/reconciler/broker/trigger/trigger.go @@ -144,7 +144,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, t *eventingv1.Trigger) p } featureFlags := feature.FromContext(ctx) - if err = auth.OIDCAuthStatusUtility(featureFlags, ctx, r.serviceAccountLister, r.kubeclient, eventingv1.SchemeGroupVersion.WithKind("Trigger"), t.ObjectMeta, &t.Status, func(as *duckv1.AuthStatus) { + if err = auth.SetupOIDCServiceAccount(featureFlags, ctx, r.serviceAccountLister, r.kubeclient, eventingv1.SchemeGroupVersion.WithKind("Trigger"), t.ObjectMeta, &t.Status, func(as *duckv1.AuthStatus) { t.Status.Auth = as }); err != nil { return err diff --git a/pkg/reconciler/pingsource/pingsource.go b/pkg/reconciler/pingsource/pingsource.go index 4a4b8d33de7..802a1a40b47 100644 --- a/pkg/reconciler/pingsource/pingsource.go +++ b/pkg/reconciler/pingsource/pingsource.go 
@@ -107,7 +107,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *sourcesv1.PingSo // OIDC authentication featureFlags := feature.FromContext(ctx) - if err := auth.OIDCAuthStatusUtility(featureFlags, ctx, r.serviceAccountLister, r.kubeClientSet, sourcesv1.SchemeGroupVersion.WithKind("PingSource"), source.ObjectMeta, &source.Status, func(as *duckv1.AuthStatus) { + if err := auth.SetupOIDCServiceAccount(featureFlags, ctx, r.serviceAccountLister, r.kubeClientSet, sourcesv1.SchemeGroupVersion.WithKind("PingSource"), source.ObjectMeta, &source.Status, func(as *duckv1.AuthStatus) { source.Status.Auth = as }); err != nil { return err diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go index 2de8be90bc4..908ac44196d 100644 --- a/pkg/reconciler/sinkbinding/controller.go +++ b/pkg/reconciler/sinkbinding/controller.go @@ -189,7 +189,7 @@ func (s *SinkBindingSubResourcesReconciler) Reconcile(ctx context.Context, b psb } featureFlags := s.featureStore.Load() - if err := auth.OIDCAuthStatusUtility(featureFlags, ctx, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta, &sb.Status, func(as *duckv1.AuthStatus) { + if err := auth.SetupOIDCServiceAccount(featureFlags, ctx, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta, &sb.Status, func(as *duckv1.AuthStatus) { sb.Status.Auth = as }); err != nil { return err diff --git a/pkg/reconciler/subscription/subscription.go b/pkg/reconciler/subscription/subscription.go index 5a245658ad5..7894417ad78 100644 --- a/pkg/reconciler/subscription/subscription.go +++ b/pkg/reconciler/subscription/subscription.go 
@@ -93,7 +93,7 @@ var _ subscriptionreconciler.Finalizer = (*Reconciler)(nil) func (r *Reconciler) ReconcileKind(ctx context.Context, subscription *v1.Subscription) pkgreconciler.Event { // OIDC authentication featureFlags := feature.FromContext(ctx) - if err := auth.OIDCAuthStatusUtility(featureFlags, ctx, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Subscription"), subscription.ObjectMeta, &subscription.Status, func(as *duckv1.AuthStatus) { + if err := auth.SetupOIDCServiceAccount(featureFlags, ctx, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Subscription"), subscription.ObjectMeta, &subscription.Status, func(as *duckv1.AuthStatus) { subscription.Status.Auth = as }); err != nil { return err From 96e975c00e1869525cd9ddfced91068858c57219 Mon Sep 17 00:00:00 2001 From: pingjiang Date: Thu, 16 Nov 2023 19:10:59 +0800 Subject: [PATCH 06/11] fix unit test Signed-off-by: pingjiang --- pkg/auth/serviceaccount.go | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index 057233a1413..acbf2c2887a 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go @@ -116,9 +116,7 @@ func SetupOIDCServiceAccount(flags feature.Flags, ctx context.Context, serviceAc } marker.MarkOIDCIdentityCreatedSucceeded() } else { - setAuthStatus(&duckv1.AuthStatus{ - ServiceAccountName: nil, - }) + setAuthStatus(nil) marker.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") } return nil From df6e18a5edb4d29e5aea32e3f4727afc2096f113 Mon Sep 17 00:00:00 2001 From: pingjiang Date: Tue, 21 Nov 2023 23:48:55 +0800 Subject: [PATCH 07/11] revert pkg/reconciler/sinkbinding/controller.go Signed-off-by: pingjiang --- pkg/reconciler/sinkbinding/controller.go | 42 ------------------------ 1 file changed, 42 deletions(-) 
diff --git a/pkg/reconciler/sinkbinding/controller.go b/pkg/reconciler/sinkbinding/controller.go index cec40773dff..2113fb2a07e 100644 --- a/pkg/reconciler/sinkbinding/controller.go +++ b/pkg/reconciler/sinkbinding/controller.go @@ -18,7 +18,6 @@ package sinkbinding import ( "context" - "errors" "time" "knative.dev/eventing/pkg/auth" @@ -200,47 +199,6 @@ func WithContextFactory(ctx context.Context, handler func(types.NamespacedName)) } } - -func (s *SinkBindingSubResourcesReconciler) Reconcile(ctx context.Context, b psbinding.Bindable) error { - sb := b.(*v1.SinkBinding) - if s.res == nil { - err := errors.New("Resolver is nil") - logging.FromContext(ctx).Errorf("%w", err) - sb.Status.MarkBindingUnavailable("NoResolver", "No Resolver associated with context for sink") - return err - } - if sb.Spec.Sink.Ref != nil { - s.tracker.TrackReference(tracker.Reference{ - APIVersion: sb.Spec.Sink.Ref.APIVersion, - Kind: sb.Spec.Sink.Ref.Kind, - Namespace: sb.Spec.Sink.Ref.Namespace, - Name: sb.Spec.Sink.Ref.Name, - }, b) - } - - featureFlags := s.featureStore.Load() - if err := auth.SetupOIDCServiceAccount(featureFlags, ctx, s.serviceAccountLister, s.kubeclient, v1.SchemeGroupVersion.WithKind("SinkBinding"), sb.ObjectMeta, &sb.Status, func(as *duckv1.AuthStatus) { - sb.Status.Auth = as - }); err != nil { - return err - } - - addr, err := s.res.AddressableFromDestinationV1(ctx, sb.Spec.Sink, sb) - if err != nil { - logging.FromContext(ctx).Errorf("Failed to get Addressable from Destination: %w", err) - sb.Status.MarkBindingUnavailable("NoAddressable", "Addressable could not be extracted from destination") - return err - } - sb.Status.MarkSink(addr) - return nil -} - -// I'm just here so I won't get fined -func (*SinkBindingSubResourcesReconciler) ReconcileDeletion(ctx context.Context, b psbinding.Bindable) error { - return nil -} - - func createRecorder(ctx context.Context, agentName string) record.EventRecorder { logger := logging.FromContext(ctx) 
From d29077c16bea93d7d581afcb7f9ad656407a2312 Mon Sep 17 00:00:00 2001 From: pingjiang Date: Tue, 21 Nov 2023 23:51:47 +0800 Subject: [PATCH 08/11] make context is the first argument to a function by convention https://developer20.com/go-context/ Signed-off-by: pingjiang --- pkg/auth/serviceaccount.go | 2 +- pkg/reconciler/apiserversource/apiserversource.go | 2 +- pkg/reconciler/broker/trigger/trigger.go | 2 +- pkg/reconciler/pingsource/pingsource.go | 2 +- pkg/reconciler/subscription/subscription.go | 2 +- 5 files changed, 5 insertions(+), 5 deletions(-) diff --git a/pkg/auth/serviceaccount.go b/pkg/auth/serviceaccount.go index acbf2c2887a..01e31f4b642 100644 --- a/pkg/auth/serviceaccount.go +++ b/pkg/auth/serviceaccount.go @@ -104,7 +104,7 @@ type OIDCIdentityStatusMarker interface { MarkOIDCIdentityCreatedFailed(reason, messageFormat string, messageA ...interface{}) } -func SetupOIDCServiceAccount(flags feature.Flags, ctx context.Context, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCIdentityStatusMarker, setAuthStatus func(a *duckv1.AuthStatus)) pkgreconciler.Event { +func SetupOIDCServiceAccount(ctx context.Context, flags feature.Flags, serviceAccountLister corev1listers.ServiceAccountLister, kubeclient kubernetes.Interface, gvk schema.GroupVersionKind, objectMeta metav1.ObjectMeta, marker OIDCIdentityStatusMarker, setAuthStatus func(a *duckv1.AuthStatus)) pkgreconciler.Event { if flags.IsOIDCAuthentication() { saName := GetOIDCServiceAccountNameForResource(gvk, objectMeta) setAuthStatus(&duckv1.AuthStatus{ diff --git a/pkg/reconciler/apiserversource/apiserversource.go b/pkg/reconciler/apiserversource/apiserversource.go index dda72669d61..f96a8e4c9f8 100644 --- a/pkg/reconciler/apiserversource/apiserversource.go +++ b/pkg/reconciler/apiserversource/apiserversource.go 
@@ -100,7 +100,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *v1.ApiServerSour // OIDC authentication featureFlags := feature.FromContext(ctx) - if err := auth.SetupOIDCServiceAccount(featureFlags, ctx, r.serviceAccountLister, r.kubeClientSet, v1.SchemeGroupVersion.WithKind("ApiServerSource"), source.ObjectMeta, &source.Status, func(as *duckv1.AuthStatus) { + if err := auth.SetupOIDCServiceAccount(ctx, featureFlags, r.serviceAccountLister, r.kubeClientSet, v1.SchemeGroupVersion.WithKind("ApiServerSource"), source.ObjectMeta, &source.Status, func(as *duckv1.AuthStatus) { source.Status.Auth = as }); err != nil { return err diff --git a/pkg/reconciler/broker/trigger/trigger.go b/pkg/reconciler/broker/trigger/trigger.go index 51dc87d995a..b8cb2469c58 100644 --- a/pkg/reconciler/broker/trigger/trigger.go +++ b/pkg/reconciler/broker/trigger/trigger.go @@ -144,7 +144,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, t *eventingv1.Trigger) p } featureFlags := feature.FromContext(ctx) - if err = auth.SetupOIDCServiceAccount(featureFlags, ctx, r.serviceAccountLister, r.kubeclient, eventingv1.SchemeGroupVersion.WithKind("Trigger"), t.ObjectMeta, &t.Status, func(as *duckv1.AuthStatus) { + if err = auth.SetupOIDCServiceAccount(ctx, featureFlags, r.serviceAccountLister, r.kubeclient, eventingv1.SchemeGroupVersion.WithKind("Trigger"), t.ObjectMeta, &t.Status, func(as *duckv1.AuthStatus) { t.Status.Auth = as }); err != nil { return err diff --git a/pkg/reconciler/pingsource/pingsource.go b/pkg/reconciler/pingsource/pingsource.go index 802a1a40b47..cd88c938646 100644 --- a/pkg/reconciler/pingsource/pingsource.go +++ b/pkg/reconciler/pingsource/pingsource.go 
@@ -107,7 +107,7 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, source *sourcesv1.PingSo // OIDC authentication featureFlags := feature.FromContext(ctx) - if err := auth.SetupOIDCServiceAccount(featureFlags, ctx, r.serviceAccountLister, r.kubeClientSet, sourcesv1.SchemeGroupVersion.WithKind("PingSource"), source.ObjectMeta, &source.Status, func(as *duckv1.AuthStatus) { + if err := auth.SetupOIDCServiceAccount(ctx, featureFlags, r.serviceAccountLister, r.kubeClientSet, sourcesv1.SchemeGroupVersion.WithKind("PingSource"), source.ObjectMeta, &source.Status, func(as *duckv1.AuthStatus) { source.Status.Auth = as }); err != nil { return err diff --git a/pkg/reconciler/subscription/subscription.go b/pkg/reconciler/subscription/subscription.go index 7894417ad78..5b3e9dc9767 100644 --- a/pkg/reconciler/subscription/subscription.go +++ b/pkg/reconciler/subscription/subscription.go @@ -93,7 +93,7 @@ var _ subscriptionreconciler.Finalizer = (*Reconciler)(nil) func (r *Reconciler) ReconcileKind(ctx context.Context, subscription *v1.Subscription) pkgreconciler.Event { // OIDC authentication featureFlags := feature.FromContext(ctx) - if err := auth.SetupOIDCServiceAccount(featureFlags, ctx, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Subscription"), subscription.ObjectMeta, &subscription.Status, func(as *duckv1.AuthStatus) { + if err := auth.SetupOIDCServiceAccount(ctx, featureFlags, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Subscription"), subscription.ObjectMeta, &subscription.Status, func(as *duckv1.AuthStatus) { subscription.Status.Auth = as }); err != nil { return err From 20df018ba4d004f7d065c981f362bd4796c20ca7 Mon Sep 17 00:00:00 2001 From: pingjiang Date: Tue, 28 Nov 2023 17:51:30 +0800 Subject: [PATCH 09/11] add TestEnsureOIDCServiceAccountExistsForResource Signed-off-by: pingjiang --- pkg/auth/serviceaccount_test.go | 37 +++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) 
diff --git a/pkg/auth/serviceaccount_test.go b/pkg/auth/serviceaccount_test.go index c938b203ec7..97d4e184060 100644 --- a/pkg/auth/serviceaccount_test.go +++ b/pkg/auth/serviceaccount_test.go @@ -17,14 +17,20 @@ limitations under the License. package auth import ( + "context" "testing" + kubeclient "knative.dev/pkg/client/injection/kube/client/fake" + "github.com/google/go-cmp/cmp" v1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" eventingv1 "knative.dev/eventing/pkg/apis/eventing/v1" + rttestingv1 "knative.dev/eventing/pkg/reconciler/testing/v1" "knative.dev/pkg/ptr" + rectesting "knative.dev/pkg/reconciler/testing" ) func TestGetOIDCServiceAccountNameForResource(t *testing.T) { 
@@ -100,3 +106,34 @@ func TestGetOIDCServiceAccountForResource(t *testing.T) { t.Errorf("GetServiceAccount() = %+v, want %+v - diff %s", got, want, diff) } } + +func TestEnsureOIDCServiceAccountExistsForResource(t *testing.T) { + ctx, _ := rectesting.SetupFakeContext(t) + gvk := eventingv1.SchemeGroupVersion.WithKind("Broker") + objectMeta := metav1.ObjectMeta{ + Name: "my-broker", + Namespace: "my-namespace", + UID: "my-uuid", + } + + eventtypes := make([]runtime.Object, 0, 10) + listers := rttestingv1.NewListers(eventtypes) + + err := EnsureOIDCServiceAccountExistsForResource(ctx, listers.GetServiceAccountLister(), kubeclient.Get(ctx), gvk, objectMeta) + if err != nil { + t.Errorf("EnsureOIDCServiceAccountExistsForResource failed: %s", err) + + } + expected := GetOIDCServiceAccountForResource(gvk, objectMeta) + sa, err := kubeclient.Get(ctx).CoreV1().ServiceAccounts(objectMeta.Namespace).Get(context.TODO(), expected.Name, metav1.GetOptions{}) + if err != nil { + t.Errorf("get ServiceAccounts failed: %s", err) + } + if sa == nil || sa.Name != expected.Name { + t.Errorf("EnsureOIDCServiceAccountExistsForResource create ServiceAccounts failed: %s", err) + } +} + +func TestSetupOIDCServiceAccount(t *testing.T) { + +} From b3f67477f60ed1d3b0731eac2a09be92fdbb7884 Mon Sep 17 00:00:00 2001 From: pingjiang Date: Tue, 28 Nov 2023 19:44:11 +0800 Subject: [PATCH 10/11] add TestSetupOIDCServiceAccount Signed-off-by: pingjiang --- pkg/auth/serviceaccount_test.go | 65 +++++++++++++++++++++++++++++++++ 1 file changed, 65 insertions(+) diff --git a/pkg/auth/serviceaccount_test.go b/pkg/auth/serviceaccount_test.go index 97d4e184060..551733e0d2b 100644 --- a/pkg/auth/serviceaccount_test.go +++ b/pkg/auth/serviceaccount_test.go @@ -20,6 +20,7 @@ import ( "context" "testing" + duckv1 "knative.dev/pkg/apis/duck/v1" kubeclient "knative.dev/pkg/client/injection/kube/client/fake" "github.com/google/go-cmp/cmp" 
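Review bot: `TestEnsureOIDCServiceAccountExistsForResource` reports failures with `t.Errorf` and keeps going, and its last message formats `err`, which is nil whenever the name comparison is the check that failed. Use `t.Fatalf` for the first two checks and print the names in the third, e.g. `t.Errorf("service account name = %q, want %q", sa.Name, expected.Name)`. The lookup should pass `ctx` rather than `context.TODO()`. The test covers only the create path: it does not compare the created account's owner references with `expected`, and there is no case where an account of the same name already exists without being owned by the resource. That is the situation an identity helper most needs pinned down, though what the helper does there is not visible in this hunk.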
@@ -28,6 +29,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime/schema" eventingv1 "knative.dev/eventing/pkg/apis/eventing/v1" + "knative.dev/eventing/pkg/apis/feature" rttestingv1 "knative.dev/eventing/pkg/reconciler/testing/v1" "knative.dev/pkg/ptr" rectesting "knative.dev/pkg/reconciler/testing" 
@@ -135,5 +137,68 @@ func TestEnsureOIDCServiceAccountExistsForResource(t *testing.T) { } func TestSetupOIDCServiceAccount(t *testing.T) { + ctx, _ := rectesting.SetupFakeContext(t) + gvk := eventingv1.SchemeGroupVersion.WithKind("Trigger") + objectMeta := metav1.ObjectMeta{ + Name: "my-trigger", + Namespace: "my-namespace", + UID: "my-uuid", + } + eventtypes := make([]runtime.Object, 0, 10) + listers := rttestingv1.NewListers(eventtypes) + trigger := rttestingv1.NewTrigger("my-trigger", "my-namespace", "my-broker") + expected := GetOIDCServiceAccountForResource(gvk, objectMeta) + err := SetupOIDCServiceAccount(ctx, feature.Flags{ + feature.OIDCAuthentication: feature.Enabled, + }, listers.GetServiceAccountLister(), kubeclient.Get(ctx), gvk, objectMeta, &trigger.Status, func(as *duckv1.AuthStatus) { + trigger.Status.Auth = as + }) + + if err != nil { + t.Errorf("SetupOIDCServiceAccount failed: %s", err) + } + if trigger.Status.Auth == nil || *trigger.Status.Auth.ServiceAccountName != expected.Name { + t.Errorf("SetupOIDCServiceAccount setAuthStatus failed") + } + + // match OIDCIdentityCreated condition + matched := false + for _, condition := range trigger.Status.Conditions { + if condition.Type == eventingv1.TriggerConditionOIDCIdentityCreated { + if condition.Reason == "" { + matched = true + } + } + } + if !matched { + t.Errorf("SetupOIDCServiceAccount didn't set TriggerConditionOIDCIdentityCreated Status") + } + + err = SetupOIDCServiceAccount(ctx, feature.Flags{ + feature.OIDCAuthentication: feature.Disabled, + }, listers.GetServiceAccountLister(), kubeclient.Get(ctx), gvk, objectMeta, &trigger.Status, func(as *duckv1.AuthStatus) { + trigger.Status.Auth = as + }) + + if err != nil { + t.Errorf("SetupOIDCServiceAccount failed: %s", err) + } + if trigger.Status.Auth != nil { + t.Errorf("SetupOIDCServiceAccount setAuthStatus failed") + } + + // match OIDCIdentityCreated condition + matched = false + for _, condition := range trigger.Status.Conditions { + if 
condition.Type == eventingv1.TriggerConditionOIDCIdentityCreated { + if condition.Reason == "authentication-oidc feature disabled" { + matched = true + } + } + } + + if !matched { + t.Errorf("SetupOIDCServiceAccount didn't set TriggerConditionOIDCIdentityCreated Status") + } } From e9a9767dc9945fea240dd9461cf9af6d99ae0ea9 Mon Sep 17 00:00:00 2001 From: pingjiang Date: Tue, 28 Nov 2023 19:54:16 +0800 Subject: [PATCH 11/11] apply to parallel and sequence Signed-off-by: pingjiang --- pkg/reconciler/parallel/parallel.go | 17 ++++------------- pkg/reconciler/sequence/sequence.go | 18 ++++-------------- 2 files changed, 8 insertions(+), 27 deletions(-) diff --git a/pkg/reconciler/parallel/parallel.go b/pkg/reconciler/parallel/parallel.go index fda2313dd70..12a593dc51e 100644 --- a/pkg/reconciler/parallel/parallel.go +++ b/pkg/reconciler/parallel/parallel.go 
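Review bot: Both condition loops in `TestSetupOIDCServiceAccount` match on `Reason` only, so they never assert that `OIDCIdentityCreated` is actually true. The enabled case accepts any condition of that type with an empty reason, which could also describe a condition that was never marked (this depends on how the trigger is initialised, which is not visible here). Add the status to the match, e.g. `if condition.Status == v1.ConditionTrue && condition.Reason == "" {`, and likewise in the disabled case. `*trigger.Status.Auth.ServiceAccountName` is dereferenced without a nil check on the pointer, and the enabled case does not confirm through `kubeclient.Get(ctx)` that the service account was created. The failure path that calls `MarkOIDCIdentityCreatedFailed` has no test.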
@@ -80,19 +80,10 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, p *v1.Parallel) pkgrecon // 3. Rinse and repeat step #2 above for each branch in the list // OIDC authentication featureFlags := feature.FromContext(ctx) - if featureFlags.IsOIDCAuthentication() { - saName := auth.GetOIDCServiceAccountNameForResource(v1.SchemeGroupVersion.WithKind("Parallel"), p.ObjectMeta) - p.Status.Auth = &duckv1knative.AuthStatus{ - ServiceAccountName: &saName, - } - if err := auth.EnsureOIDCServiceAccountExistsForResource(ctx, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Parallel"), p.ObjectMeta); err != nil { - p.Status.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err) - return err - } - p.Status.MarkOIDCIdentityCreatedSucceeded() - } else { - p.Status.Auth = nil - p.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") + if err := auth.SetupOIDCServiceAccount(ctx, featureFlags, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Parallel"), p.ObjectMeta, &p.Status, func(as *duckv1knative.AuthStatus) { + p.Status.Auth = as + }); err != nil { + return err } if p.Status.BranchStatuses == nil { diff --git a/pkg/reconciler/sequence/sequence.go b/pkg/reconciler/sequence/sequence.go index 8cc1ad8e8e9..7a7d5fdbf7a 100644 --- a/pkg/reconciler/sequence/sequence.go +++ b/pkg/reconciler/sequence/sequence.go 
@@ -130,20 +130,10 @@ func (r *Reconciler) ReconcileKind(ctx context.Context, s *v1.Sequence) pkgrecon } featureFlags := feature.FromContext(ctx) - if featureFlags.IsOIDCAuthentication() { - saName := auth.GetOIDCServiceAccountNameForResource(v1.SchemeGroupVersion.WithKind("Sequence"), s.ObjectMeta) - s.Status.Auth = &duckv1.AuthStatus{ - ServiceAccountName: &saName, - } - - if err := auth.EnsureOIDCServiceAccountExistsForResource(ctx, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Sequence"), s.ObjectMeta); err != nil { - s.Status.MarkOIDCIdentityCreatedFailed("Unable to resolve service account for OIDC authentication", "%v", err) - return err - } - s.Status.MarkOIDCIdentityCreatedSucceeded() - } else { - s.Status.Auth = nil - s.Status.MarkOIDCIdentityCreatedSucceededWithReason(fmt.Sprintf("%s feature disabled", feature.OIDCAuthentication), "") + if err := auth.SetupOIDCServiceAccount(ctx, featureFlags, r.serviceAccountLister, r.kubeclient, v1.SchemeGroupVersion.WithKind("Sequence"), s.ObjectMeta, &s.Status, func(as *duckv1.AuthStatus) { + s.Status.Auth = as + }); err != nil { + return err } return r.removeUnwantedSubscriptions(ctx, s, subs)