Create service accounts strictly after roles.

[Cynocracy]

This is necessary when the installer of the eventing
YAML does not have bind on all roles in the cluster.
I've been prototyping an RBAC restriction that would
grant escalate on all roles but not bind on all
roles in the Operator RBAC. That adds some guard-rails
that are currently missing, but requires this particular
ordering to be correct.

Proposed Changes

• Create source-observer role before a binding referencing it.

Release Note

• 🧽 Create source-observer role before a binding referencing it.

[Cynocracy]

/retest

[Cynocracy]

/retest

[yolocs]

Is there an issue we can reference for more context?

[Cynocracy]

Yes, this is in reference to

knative/eventing-operator#106

and

knative/serving-operator#282

While limiting the permissions the Operator has, I discovered that today it required the ability to bind a non-existent role due to the incorrect ordering here between
config/200-source-observer-clusterrole.yaml
and
config/200-eventing-serviceaccount.yaml

[Cynocracy]

Updated in light of the other SA creation having the same issue :)

This now creates both SAs after the roles that they need.

[Cynocracy]

You can also see knative/eventing-operator#109 for what this enables.

[n3wscott]

/lgtm
/approve

[knative-prow-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Cynocracy, n3wscott

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [n3wscott]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Cynocracy]

Thanks!