Fix IntegrationSink to use actual ServiceAccount name in auth proxy RoleBindings

Kunal1522 · Kunal1522 · commit 7d5881ca3642 · 2026-01-11T21:30:54.000+05:30
Previously, MakeAuthProxyRoleBindings always used "default" as the
ServiceAccount name. Now it uses makeServiceAccountName() to get the
actual SA configured in the IntegrationSink spec, falling back to
"default" if not specified.

This resolves the TODO comment that noted the need to get the real
SA of the pod.
diff --git a/pkg/reconciler/integration/sink/resources/container_image.go b/pkg/reconciler/integration/sink/resources/container_image.go
@@ -224,9 +224,13 @@ func MakeAuthProxyRoleBindings(sink *v1alpha1.IntegrationSink, sinkLister v1alph
 
 	serviceAccounts := map[types.NamespacedName]struct{}{}
 	for _, s := range sinks {
+		saName := makeServiceAccountName(s)
+		if saName == "" {
+			saName = "default"
+		}
 		serviceAccounts[types.NamespacedName{
 			Namespace: s.Namespace,
-			Name:      "default", //TODO: get the real SA of the pod, as it could be that the integrationsink pod does not run under the default SA
+			Name:      saName,
 		}] = struct{}{}
 	}
 
