diff --git a/go.mod b/go.mod
index 01782805bd2..8ee191a5e2b 100644
--- a/go.mod
+++ b/go.mod
@@ -55,10 +55,10 @@ require (
 k8s.io/client-go v0.34.3
 k8s.io/code-generator v0.34.3
 k8s.io/utils v0.0.0-20250604170112-4c0f3b243397
- knative.dev/hack v0.0.0-20260120115810-bf6758cba446
- knative.dev/hack/schema v0.0.0-20260120115810-bf6758cba446
- knative.dev/pkg v0.0.0-20260120122510-4a022ed9999a
- knative.dev/reconciler-test v0.0.0-20260120140419-4301404c03ce
+ knative.dev/hack v0.0.0-20260420222011-c985ed3cefe8
+ knative.dev/hack/schema v0.0.0-20260420222011-c985ed3cefe8
+ knative.dev/pkg v0.0.0-20260319144603-18c5d580ae64
+ knative.dev/reconciler-test v0.0.0-20260225102520-330ffb2184a7
 sigs.k8s.io/randfill v1.0.0
 sigs.k8s.io/yaml v1.6.0
 )
diff --git a/go.sum b/go.sum
index cfee0e2028a..4aa0f4dd736 100644
--- a/go.sum
+++ b/go.sum
@@ -1134,14 +1134,14 @@ k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b h1:MloQ9/bdJyIu9lb1PzujOP k8s.io/kube-openapi v0.0.0-20250710124328-f3f2b991d03b/go.mod h1:UZ2yyWbFTpuhSbFhv24aGNOdoRdJZgsIObGBUaYVsts= k8s.io/utils v0.0.0-20250604170112-4c0f3b243397 h1:hwvWFiBzdWw1FhfY1FooPn3kzWuJ8tmbZBHi4zVsl1Y= k8s.io/utils v0.0.0-20250604170112-4c0f3b243397/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -knative.dev/hack v0.0.0-20260120115810-bf6758cba446 h1:Y8raYHIuAL9/gUKGYD9/dD+EqUTmrpqVDowzfUVSlGs= -knative.dev/hack v0.0.0-20260120115810-bf6758cba446/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0= -knative.dev/hack/schema v0.0.0-20260120115810-bf6758cba446 h1:V7TW1ZOZObhVcDuN04tYvCfCjvvikv1qZR/6lcp6g4Q= -knative.dev/hack/schema v0.0.0-20260120115810-bf6758cba446/go.mod h1:KkibP1IazICP5ClxwN5D26LDSygsqbYnVGuGFTsHNOQ= -knative.dev/pkg v0.0.0-20260120122510-4a022ed9999a h1:9f29OTA7w/iVIX6PS6yveVVzNbcUS74eQfchVe8o2/4= -knative.dev/pkg v0.0.0-20260120122510-4a022ed9999a/go.mod h1:Tz3GoxcNC5vH3Zo//cW3mnHL474u+Y1wbsUIZ11p8No= -knative.dev/reconciler-test v0.0.0-20260120140419-4301404c03ce h1:pIQCFDsDTRkzrJZDTs2laryYOI6VpcnGF5zezL0NXOw= -knative.dev/reconciler-test v0.0.0-20260120140419-4301404c03ce/go.mod h1:FUaadFiniAaqqBp/D2g2cO/FUABVR8W4yZd2azDzp7I= +knative.dev/hack v0.0.0-20260420222011-c985ed3cefe8 h1:IrUBuFRxzqUm+f//hY6XGPzXozcoXD/dSsqcid84/Eg= +knative.dev/hack v0.0.0-20260420222011-c985ed3cefe8/go.mod h1:L5RzHgbvam0u8QFHfzCX6MKxu/a/gIGEdaRBqNiVbl0= +knative.dev/hack/schema v0.0.0-20260420222011-c985ed3cefe8 h1:E/dKOJvgjHiL5OtiPuX8Z9K3myWUHntMH9NWzR8SIzw= +knative.dev/hack/schema v0.0.0-20260420222011-c985ed3cefe8/go.mod h1:KkibP1IazICP5ClxwN5D26LDSygsqbYnVGuGFTsHNOQ= +knative.dev/pkg v0.0.0-20260319144603-18c5d580ae64 h1:TiwrcgUKNePfdAbaJT9W4P57lsKjiZnjJ0wVC6XrL0U= +knative.dev/pkg v0.0.0-20260319144603-18c5d580ae64/go.mod h1:Tz3GoxcNC5vH3Zo//cW3mnHL474u+Y1wbsUIZ11p8No= +knative.dev/reconciler-test v0.0.0-20260225102520-330ffb2184a7 
h1:wISrHmH0qvRXM7CO7tneq+eIavS8fxtnlZv66ss2G/4= +knative.dev/reconciler-test v0.0.0-20260225102520-330ffb2184a7/go.mod h1:FUaadFiniAaqqBp/D2g2cO/FUABVR8W4yZd2azDzp7I= rsc.io/binaryregexp v0.2.0/go.mod h1:qTv7/COck+e2FymRvadv62gMdZztPaShugOCi3I+8D8= rsc.io/quote/v3 v3.1.0/go.mod h1:yEA65RcK8LyAZtP9Kv3t0HmxON59tX3rD+tICJqUlj0= rsc.io/sampler v1.3.0/go.mod h1:T1hPZKmBbMNahiBKFy5HrXp6adAjACjK9JXDnKaTXpA= diff --git a/rpms.lock.yaml b/rpms.lock.yaml index 10194758d5d..611c46ee264 100644 --- a/rpms.lock.yaml +++ b/rpms.lock.yaml @@ -11,13 +11,13 @@ arches: name: socat evr: 1.7.4.1-8.el9 sourcerpm: socat-1.7.4.1-8.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/r/rsync-3.2.5-3.el9.aarch64.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/r/rsync-3.2.5-3.el9_7.2.aarch64.rpm repoid: ubi-9-for-aarch64-baseos-rpms - size: 416293 - checksum: sha256:99235a7555f6454898ebbcdcf927ebed68e3a60599c9226b9d1d60578d292878 + size: 418979 + checksum: sha256:25f8e769ed6e442259025b1c33d11aa1be0746b0a6fc9e68b942fbd04c01f31a name: rsync - evr: 3.2.5-3.el9 - sourcerpm: rsync-3.2.5-3.el9.src.rpm + evr: 3.2.5-3.el9_7.2 + sourcerpm: rsync-3.2.5-3.el9_7.2.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/os/Packages/t/tar-1.34-9.el9_7.aarch64.rpm repoid: ubi-9-for-aarch64-baseos-rpms size: 898317 
@@ -53,12 +53,12 @@ arches: checksum: sha256:4d83732bbf754e00d15133e15673230f41fbdae4a1cc27fba1cfb84744d0bf83 name: socat evr: 1.7.4.1-8.el9 - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/source/SRPMS/Packages/r/rsync-3.2.5-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/source/SRPMS/Packages/r/rsync-3.2.5-3.el9_7.2.src.rpm repoid: ubi-9-for-aarch64-baseos-source-rpms - size: 1306931 - checksum: sha256:a1fd44e58d1fb5b52b72586c5ef2e12c040428f771cde1d1350b36d3b9155db0 + size: 1311295 + checksum: sha256:a0b3038cb71a7ab8450ef8141f32e8d05b47e1f6d703a0b0e4b927ca4729d662 name: rsync - evr: 3.2.5-3.el9 + evr: 3.2.5-3.el9_7.2 - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/aarch64/baseos/source/SRPMS/Packages/t/tar-1.34-9.el9_7.src.rpm repoid: ubi-9-for-aarch64-baseos-source-rpms size: 2282680 @@ -93,13 +93,13 @@ arches: name: socat evr: 1.7.4.1-8.el9 sourcerpm: socat-1.7.4.1-8.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/baseos/os/Packages/r/rsync-3.2.5-3.el9.ppc64le.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/baseos/os/Packages/r/rsync-3.2.5-3.el9_7.2.ppc64le.rpm repoid: ubi-9-for-ppc64le-baseos-rpms - size: 449938 - checksum: sha256:1fd8762ad73a60556c9808a5bf2a9d964965adec91c026ef27058266dc75e1f0 + size: 452530 + checksum: sha256:146da2c7f92cea7c0642d1d584a0e2435d4ef288bbe10db55dbdb9cdd2919ed6 name: rsync - evr: 3.2.5-3.el9 - sourcerpm: rsync-3.2.5-3.el9.src.rpm + evr: 3.2.5-3.el9_7.2 + sourcerpm: rsync-3.2.5-3.el9_7.2.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/baseos/os/Packages/t/tar-1.34-9.el9_7.ppc64le.rpm repoid: ubi-9-for-ppc64le-baseos-rpms size: 938310 
@@ -135,12 +135,12 @@ arches: checksum: sha256:4d83732bbf754e00d15133e15673230f41fbdae4a1cc27fba1cfb84744d0bf83 name: socat evr: 1.7.4.1-8.el9 - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/baseos/source/SRPMS/Packages/r/rsync-3.2.5-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/baseos/source/SRPMS/Packages/r/rsync-3.2.5-3.el9_7.2.src.rpm repoid: ubi-9-for-ppc64le-baseos-source-rpms - size: 1306931 - checksum: sha256:a1fd44e58d1fb5b52b72586c5ef2e12c040428f771cde1d1350b36d3b9155db0 + size: 1311295 + checksum: sha256:a0b3038cb71a7ab8450ef8141f32e8d05b47e1f6d703a0b0e4b927ca4729d662 name: rsync - evr: 3.2.5-3.el9 + evr: 3.2.5-3.el9_7.2 - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/ppc64le/baseos/source/SRPMS/Packages/t/tar-1.34-9.el9_7.src.rpm repoid: ubi-9-for-ppc64le-baseos-source-rpms size: 2282680 @@ -175,13 +175,13 @@ arches: name: socat evr: 1.7.4.1-8.el9 sourcerpm: socat-1.7.4.1-8.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/r/rsync-3.2.5-3.el9.s390x.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/r/rsync-3.2.5-3.el9_7.2.s390x.rpm repoid: ubi-9-for-s390x-baseos-rpms - size: 418877 - checksum: sha256:2d1a87e86fb23bc665b7c7ce8775c73d500ef6e152f15c78493b95638dfb7925 + size: 421587 + checksum: sha256:0de316c64f8546c2809d3d7ac732ba96bbeaad9b285a92c994c576adab21bab9 name: rsync - evr: 3.2.5-3.el9 - sourcerpm: rsync-3.2.5-3.el9.src.rpm + evr: 3.2.5-3.el9_7.2 + sourcerpm: rsync-3.2.5-3.el9_7.2.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/os/Packages/t/tar-1.34-9.el9_7.s390x.rpm repoid: ubi-9-for-s390x-baseos-rpms size: 900131 
@@ -217,12 +217,12 @@ arches: checksum: sha256:4d83732bbf754e00d15133e15673230f41fbdae4a1cc27fba1cfb84744d0bf83 name: socat evr: 1.7.4.1-8.el9 - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/source/SRPMS/Packages/r/rsync-3.2.5-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/source/SRPMS/Packages/r/rsync-3.2.5-3.el9_7.2.src.rpm repoid: ubi-9-for-s390x-baseos-source-rpms - size: 1306931 - checksum: sha256:a1fd44e58d1fb5b52b72586c5ef2e12c040428f771cde1d1350b36d3b9155db0 + size: 1311295 + checksum: sha256:a0b3038cb71a7ab8450ef8141f32e8d05b47e1f6d703a0b0e4b927ca4729d662 name: rsync - evr: 3.2.5-3.el9 + evr: 3.2.5-3.el9_7.2 - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/s390x/baseos/source/SRPMS/Packages/t/tar-1.34-9.el9_7.src.rpm repoid: ubi-9-for-s390x-baseos-source-rpms size: 2282680 @@ -257,13 +257,13 @@ arches: name: socat evr: 1.7.4.1-8.el9 sourcerpm: socat-1.7.4.1-8.el9.src.rpm - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/r/rsync-3.2.5-3.el9.x86_64.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/r/rsync-3.2.5-3.el9_7.2.x86_64.rpm repoid: ubi-9-for-x86_64-baseos-rpms - size: 421930 - checksum: sha256:b1d90c38b613f2d66dfe0c7c3d067a3ce429f7b2ec5224e560f326fc2fd8d1e5 + size: 424416 + checksum: sha256:8ee9ecceb953b6083284a9fb595fb1b98be7382e269ec9cfc7ecb1c9d27fbe5c name: rsync - evr: 3.2.5-3.el9 - sourcerpm: rsync-3.2.5-3.el9.src.rpm + evr: 3.2.5-3.el9_7.2 + sourcerpm: rsync-3.2.5-3.el9_7.2.src.rpm - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/os/Packages/t/tar-1.34-9.el9_7.x86_64.rpm repoid: ubi-9-for-x86_64-baseos-rpms size: 906521 
@@ -299,12 +299,12 @@ arches: checksum: sha256:4d83732bbf754e00d15133e15673230f41fbdae4a1cc27fba1cfb84744d0bf83 name: socat evr: 1.7.4.1-8.el9 - - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/source/SRPMS/Packages/r/rsync-3.2.5-3.el9.src.rpm + - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/source/SRPMS/Packages/r/rsync-3.2.5-3.el9_7.2.src.rpm repoid: ubi-9-for-x86_64-baseos-source-rpms - size: 1306931 - checksum: sha256:a1fd44e58d1fb5b52b72586c5ef2e12c040428f771cde1d1350b36d3b9155db0 + size: 1311295 + checksum: sha256:a0b3038cb71a7ab8450ef8141f32e8d05b47e1f6d703a0b0e4b927ca4729d662 name: rsync - evr: 3.2.5-3.el9 + evr: 3.2.5-3.el9_7.2 - url: https://cdn-ubi.redhat.com/content/public/ubi/dist/ubi9/9/x86_64/baseos/source/SRPMS/Packages/t/tar-1.34-9.el9_7.src.rpm repoid: ubi-9-for-x86_64-baseos-source-rpms size: 2282680 diff --git a/third_party/cert-manager/02-trust-manager.yaml b/third_party/cert-manager/02-trust-manager.yaml index 8cce328328c..a264c97cc27 100644 --- a/third_party/cert-manager/02-trust-manager.yaml +++ b/third_party/cert-manager/02-trust-manager.yaml 
@@ -698,44 +698,6 @@ spec:
 defaultMode: 420
 secretName: trust-manager-tls
 ---
-# Source: trust-manager/templates/certificate.yaml
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: trust-manager
- namespace: cert-manager
- labels:
- app.kubernetes.io/name: trust-manager
- helm.sh/chart: trust-manager-v0.12.0
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/version: "v0.12.0"
- app.kubernetes.io/managed-by: Helm
-spec:
- commonName: "trust-manager.cert-manager.svc"
- dnsNames:
- - "trust-manager.cert-manager.svc"
- secretName: trust-manager-tls
- revisionHistoryLimit: 1
- issuerRef:
- name: trust-manager
- kind: Issuer
- group: cert-manager.io
----
-# Source: trust-manager/templates/certificate.yaml
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: trust-manager
- namespace: cert-manager
- labels:
- app.kubernetes.io/name: trust-manager
- helm.sh/chart: trust-manager-v0.12.0
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/version: "v0.12.0"
- app.kubernetes.io/managed-by: Helm
-spec:
- selfSigned: {}
----
 # Source: trust-manager/templates/webhook.yaml
 apiVersion: admissionregistration.k8s.io/v1
 kind: ValidatingWebhookConfiguration
@@ -775,3 +737,41 @@ webhooks:
 name: trust-manager
 namespace: cert-manager
 path: /validate-trust-cert-manager-io-v1alpha1-bundle
+---
+# Source: trust-manager/templates/certificate.yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: trust-manager
+ namespace: cert-manager
+ labels:
+ app.kubernetes.io/name: trust-manager
+ helm.sh/chart: trust-manager-v0.12.0
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/version: "v0.12.0"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ commonName: "trust-manager.cert-manager.svc"
+ dnsNames:
+ - "trust-manager.cert-manager.svc"
+ secretName: trust-manager-tls
+ revisionHistoryLimit: 1
+ issuerRef:
+ name: trust-manager
+ kind: Issuer
+ group: cert-manager.io
+---
+# Source: trust-manager/templates/certificate.yaml
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: trust-manager
+ namespace: cert-manager
+ labels:
+ app.kubernetes.io/name: trust-manager
+ helm.sh/chart: trust-manager-v0.12.0
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/version: "v0.12.0"
+ app.kubernetes.io/managed-by: Helm
+spec:
+ selfSigned: {}
diff --git a/vendor/knative.dev/hack/library.sh b/vendor/knative.dev/hack/library.sh
index 447484b6de3..c0a536f8a78 100644
--- a/vendor/knative.dev/hack/library.sh
+++ b/vendor/knative.dev/hack/library.sh
@@ -35,6 +35,13 @@ if [[ ! -v GOPATH ]]; then
 fi
 fi
+# Pinned tool versions
+readonly GUM_VERSION="v0.14.1"
+readonly GOTESTSUM_VERSION="v1.13.0"
+readonly GOTESTFMT_VERSION="v2.5.0"
+readonly TERMINAL_TO_HTML_VERSION="v3.10.0"
+readonly GO_LICENSES_VERSION="v2.0.1"
+
 # Useful environment variables
 [[ -v PROW_JOB_ID ]] && IS_PROW=1 || IS_PROW=0
 readonly IS_PROW
@@ -265,7 +272,7 @@ function gum_banner() {
 # Simple info banner for logging purposes.
 function gum_style() {
- go_run github.com/charmbracelet/gum@v0.14.1 style "$@"
+ go_run "github.com/charmbracelet/gum@${GUM_VERSION}" style "$@"
 }
 # Checks whether the given function exists.
@@ -588,7 +595,7 @@ function report_go_test() {
 logfile="${logfile/.xml/.jsonl}"
 echo "Running go test with args: ${go_test_args[*]}"
 local gotest_retcode=0
- go_run gotest.tools/gotestsum@v1.13.0 \
+ go_run "gotest.tools/gotestsum@${GOTESTSUM_VERSION}" \
 --format "${GO_TEST_VERBOSITY:-testname}" \
 --junitfile "${xml}" \
 --junitfile-testsuite-name relative \
@@ -601,14 +608,14 @@ function report_go_test() {
 echo "Test log (JSONL) written to ${logfile}"
 ansilog="${logfile/.jsonl/-ansi.log}"
- go_run github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@v2.5.0 \
+ go_run "github.com/gotesttools/gotestfmt/v2/cmd/gotestfmt@${GOTESTFMT_VERSION}" \
 -input "${logfile}" \
 -showteststatus \
 -nofail > "$ansilog"
 echo "Test log (ANSI) written to ${ansilog}"
 htmllog="${logfile/.jsonl/.html}"
- go_run github.com/buildkite/terminal-to-html/v3/cmd/terminal-to-html@v3.10.0 \
+ go_run "github.com/buildkite/terminal-to-html/v3/cmd/terminal-to-html@${TERMINAL_TO_HTML_VERSION}" \
 --preview < "$ansilog" > "$htmllog"
 echo "Test log (HTML) written to ${htmllog}"
@@ -921,10 +928,10 @@ function run_kntest() {
 }
 # Run go-licenses to check for forbidden licenses.
+# Extra flags can be passed via the GO_LICENSES_FLAGS environment variable.
 function check_licenses() {
- # Check that we don't have any forbidden licenses.
- go_run github.com/google/go-licenses@v1.6.0 \
- check "${REPO_ROOT_DIR}/..." || \
+ go_run "github.com/google/go-licenses/v2@${GO_LICENSES_VERSION}" \
+ check ${GO_LICENSES_FLAGS:-} "${REPO_ROOT_DIR}/..." || \
 { echo "--- FAIL: go-licenses failed the license check"; return 1; }
 }
diff --git a/vendor/knative.dev/pkg/network/tls/config.go b/vendor/knative.dev/pkg/network/tls/config.go
new file mode 100644
index 00000000000..6cd205baeb2
--- /dev/null
+++ b/vendor/knative.dev/pkg/network/tls/config.go
@@ -0,0 +1,156 @@
+/*
+Copyright 2026 The Knative Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package tls
+
+import (
+ cryptotls "crypto/tls"
+ "fmt"
+ "os"
+ "strings"
+)
+
+// Environment variable name suffixes for TLS configuration.
+// Use with a prefix to namespace them, e.g. "WEBHOOK_" + MinVersionEnvKey
+// reads the WEBHOOK_TLS_MIN_VERSION variable.
+const (
+ MinVersionEnvKey = "TLS_MIN_VERSION"
+ MaxVersionEnvKey = "TLS_MAX_VERSION"
+ CipherSuitesEnvKey = "TLS_CIPHER_SUITES"
+ CurvePreferencesEnvKey = "TLS_CURVE_PREFERENCES"
+)
+
+// DefaultConfigFromEnv returns a tls.Config with secure defaults.
+// The prefix is prepended to each standard env-var suffix;
+// for example with prefix "WEBHOOK_" the function reads
+// WEBHOOK_TLS_MIN_VERSION, WEBHOOK_TLS_MAX_VERSION, etc.
+func DefaultConfigFromEnv(prefix string) (*cryptotls.Config, error) {
+ cfg := &cryptotls.Config{
+ MinVersion: cryptotls.VersionTLS13,
+ }
+
+ if v := os.Getenv(prefix + MinVersionEnvKey); v != "" {
+ ver, err := parseVersion(v)
+ if err != nil {
+ return nil, fmt.Errorf("invalid %s%s %q: %w", prefix, MinVersionEnvKey, v, err)
+ }
+ cfg.MinVersion = ver
+ }
+
+ if v := os.Getenv(prefix + MaxVersionEnvKey); v != "" {
+ ver, err := parseVersion(v)
+ if err != nil {
+ return nil, fmt.Errorf("invalid %s%s %q: %w", prefix, MaxVersionEnvKey, v, err)
+ }
+ cfg.MaxVersion = ver
+ }
+
+ if v := os.Getenv(prefix + CipherSuitesEnvKey); v != "" {
+ suites, err := parseCipherSuites(v)
+ if err != nil {
+ return nil, fmt.Errorf("invalid %s%s: %w", prefix, CipherSuitesEnvKey, err)
+ }
+ cfg.CipherSuites = suites
+ }
+
+ if v := os.Getenv(prefix + CurvePreferencesEnvKey); v != "" {
+ curves, err := parseCurvePreferences(v)
+ if err != nil {
+ return nil, fmt.Errorf("invalid %s%s: %w", prefix, CurvePreferencesEnvKey, err)
+ }
+ cfg.CurvePreferences = curves
+ }
+
+ return cfg, nil
+}
+
+// parseVersion converts a TLS version string to the corresponding
+// crypto/tls constant. Accepted values are "1.2" and "1.3".
+func parseVersion(v string) (uint16, error) {
+ switch v {
+ case "1.2":
+ return cryptotls.VersionTLS12, nil
+ case "1.3":
+ return cryptotls.VersionTLS13, nil
+ default:
+ return 0, fmt.Errorf("unsupported TLS version %q: must be %q or %q", v, "1.2", "1.3")
+ }
+}
+
+// parseCipherSuites parses a comma-separated list of TLS cipher-suite names
+// (e.g. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384")
+// into a slice of cipher-suite IDs. Names must match those returned by
+// crypto/tls.CipherSuiteName.
+func parseCipherSuites(s string) ([]uint16, error) {
+ lookup := cipherSuiteLookup()
+ parts := strings.Split(s, ",")
+ suites := make([]uint16, 0, len(parts))
+
+ for _, name := range parts {
+ name = strings.TrimSpace(name)
+ if name == "" {
+ continue
+ }
+ id, ok := lookup[name]
+ if !ok {
+ return nil, fmt.Errorf("unknown cipher suite %q", name)
+ }
+ suites = append(suites, id)
+ }
+
+ return suites, nil
+}
+
+// parseCurvePreferences parses a comma-separated list of elliptic-curve names
+// (e.g. "X25519,CurveP256") into a slice of crypto/tls.CurveID values.
+// Both Go constant names (CurveP256) and standard names (P-256) are accepted.
+func parseCurvePreferences(s string) ([]cryptotls.CurveID, error) {
+ parts := strings.Split(s, ",")
+ curves := make([]cryptotls.CurveID, 0, len(parts))
+
+ for _, name := range parts {
+ name = strings.TrimSpace(name)
+ if name == "" {
+ continue
+ }
+ id, ok := curvesByName[name]
+ if !ok {
+ return nil, fmt.Errorf("unknown curve %q", name)
+ }
+ curves = append(curves, id)
+ }
+
+ return curves, nil
+}
+
+func cipherSuiteLookup() map[string]uint16 {
+ m := make(map[string]uint16)
+ for _, cs := range cryptotls.CipherSuites() {
+ m[cs.Name] = cs.ID
+ }
+ return m
+}
+
+var curvesByName = map[string]cryptotls.CurveID{
+ "CurveP256": cryptotls.CurveP256,
+ "CurveP384": cryptotls.CurveP384,
+ "CurveP521": cryptotls.CurveP521,
+ "X25519": cryptotls.X25519,
+ "X25519MLKEM768": cryptotls.X25519MLKEM768,
+ "P-256": cryptotls.CurveP256,
+ "P-384": cryptotls.CurveP384,
+ "P-521": cryptotls.CurveP521,
+}
diff --git a/vendor/knative.dev/pkg/webhook/env.go b/vendor/knative.dev/pkg/webhook/env.go
index e622f5f97b5..6d3d32203f4 100644
--- a/vendor/knative.dev/pkg/webhook/env.go
+++ b/vendor/knative.dev/pkg/webhook/env.go
@@ -72,6 +72,8 @@ func SecretNameFromEnv(defaultSecretName string) string {
 return secret
 }
+// Deprecated: Use knative.dev/pkg/network/tls.DefaultConfigFromEnv instead.
+// TLS configuration is now read automatically inside webhook.New via the shared tls package.
 func TLSMinVersionFromEnv(defaultTLSMinVersion uint16) uint16 {
 switch tlsMinVersion := os.Getenv(tlsMinVersionEnvKey); tlsMinVersion {
 case "1.2":
diff --git a/vendor/knative.dev/pkg/webhook/webhook.go b/vendor/knative.dev/pkg/webhook/webhook.go
index badc7fef834..e8895db75e5 100644
--- a/vendor/knative.dev/pkg/webhook/webhook.go
+++ b/vendor/knative.dev/pkg/webhook/webhook.go
@@ -33,6 +33,7 @@ import (
 kubeinformerfactory "knative.dev/pkg/injection/clients/namespacedkube/informers/factory"
 "knative.dev/pkg/network"
 "knative.dev/pkg/network/handlers"
+ knativetls "knative.dev/pkg/network/tls"
 "go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
 "go.opentelemetry.io/otel/metric"
@@ -46,7 +47,15 @@ import (
 "knative.dev/pkg/system"
 )
-// Options contains the configuration for the webhook
+// Options contains the configuration for the webhook.
+//
+// TLS fields (TLSMinVersion, TLSMaxVersion, TLSCipherSuites, TLSCurvePreferences)
+// are resolved with the following precedence:
+// 1. Values set explicitly in Options (programmatic).
+// 2. WEBHOOK_TLS_* environment variables (WEBHOOK_TLS_MIN_VERSION,
+// WEBHOOK_TLS_MAX_VERSION, WEBHOOK_TLS_CIPHER_SUITES, WEBHOOK_TLS_CURVE_PREFERENCES).
+// 3. Defaults (TLS 1.3 minimum version; zero values for the rest, meaning the
+// Go standard library picks its defaults).
 type Options struct {
 // TLSMinVersion contains the minimum TLS version that is acceptable to communicate with the API server.
 // TLS 1.3 is the minimum version if not specified otherwise.
@@ -180,11 +189,29 @@ func New(
 logger := logging.FromContext(ctx)
- defaultTLSMinVersion := uint16(tls.VersionTLS13)
- if opts.TLSMinVersion == 0 {
- opts.TLSMinVersion = TLSMinVersionFromEnv(defaultTLSMinVersion)
- } else if opts.TLSMinVersion != tls.VersionTLS12 && opts.TLSMinVersion != tls.VersionTLS13 {
- return nil, fmt.Errorf("unsupported TLS version: %d", opts.TLSMinVersion)
+ tlsCfg, err := knativetls.DefaultConfigFromEnv("WEBHOOK_")
+ if err != nil {
+ return nil, fmt.Errorf("reading TLS configuration from environment: %w", err)
+ }
+
+ if opts.TLSMinVersion != 0 {
+ tlsCfg.MinVersion = opts.TLSMinVersion
+ }
+ if opts.TLSMaxVersion != 0 {
+ tlsCfg.MaxVersion = opts.TLSMaxVersion
+ }
+ if opts.TLSCipherSuites != nil {
+ tlsCfg.CipherSuites = opts.TLSCipherSuites
+ }
+ if opts.TLSCurvePreferences != nil {
+ tlsCfg.CurvePreferences = opts.TLSCurvePreferences
+ }
+
+ if tlsCfg.MinVersion != tls.VersionTLS12 && tlsCfg.MinVersion != tls.VersionTLS13 {
+ return nil, fmt.Errorf("unsupported TLS minimum version %d: must be TLS 1.2 or TLS 1.3", tlsCfg.MinVersion)
+ }
+ if tlsCfg.MaxVersion != 0 && tlsCfg.MinVersion > tlsCfg.MaxVersion {
+ return nil, fmt.Errorf("TLS minimum version (%#x) is greater than maximum version (%#x)", tlsCfg.MinVersion, tlsCfg.MaxVersion)
 }
 syncCtx, cancel := context.WithCancel(context.Background())
@@ -204,42 +231,35 @@ func New(
 // a new secret informer from it.
 secretInformer := kubeinformerfactory.Get(ctx).Core().V1().Secrets()
- //nolint:gosec // operator configures TLS min version (default is 1.3)
- webhook.tlsConfig = &tls.Config{
- MinVersion: opts.TLSMinVersion,
- MaxVersion: opts.TLSMaxVersion,
- CipherSuites: opts.TLSCipherSuites,
- CurvePreferences: opts.TLSCurvePreferences,
-
- // If we return (nil, error) the client sees - 'tls: internal error"
- // If we return (nil, nil) the client sees - 'tls: no certificates configured'
- //
- // We'll return (nil, nil) when we don't find a certificate
- GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
- secret, err := secretInformer.Lister().Secrets(system.Namespace()).Get(opts.SecretName)
- if err != nil {
- logger.Errorw("failed to fetch secret", zap.Error(err))
- return nil, nil
- }
- webOpts := GetOptions(ctx)
- sKey, sCert := getSecretDataKeyNamesOrDefault(webOpts.ServerPrivateKeyName, webOpts.ServerCertificateName)
- serverKey, ok := secret.Data[sKey]
- if !ok {
- logger.Warn("server key missing")
- return nil, nil
- }
- serverCert, ok := secret.Data[sCert]
- if !ok {
- logger.Warn("server cert missing")
- return nil, nil
- }
- cert, err := tls.X509KeyPair(serverCert, serverKey)
- if err != nil {
- return nil, err
- }
- return &cert, nil
- },
+ // If we return (nil, error) the client sees - 'tls: internal error'
+ // If we return (nil, nil) the client sees - 'tls: no certificates configured'
+ //
+ // We'll return (nil, nil) when we don't find a certificate
+ tlsCfg.GetCertificate = func(*tls.ClientHelloInfo) (*tls.Certificate, error) {
+ secret, err := secretInformer.Lister().Secrets(system.Namespace()).Get(opts.SecretName)
+ if err != nil {
+ logger.Errorw("failed to fetch secret", zap.Error(err))
+ return nil, nil
+ }
+ webOpts := GetOptions(ctx)
+ sKey, sCert := getSecretDataKeyNamesOrDefault(webOpts.ServerPrivateKeyName, webOpts.ServerCertificateName)
+ serverKey, ok := secret.Data[sKey]
+ if !ok {
+ logger.Warn("server key missing")
+ return nil, nil
+ }
+ serverCert, ok := secret.Data[sCert]
+ if !ok {
+ logger.Warn("server cert missing")
+ return nil, nil
+ }
+ cert, err := tls.X509KeyPair(serverCert, serverKey)
+ if err != nil {
+ return nil, err
+ }
+ return &cert, nil
 }
+ webhook.tlsConfig = tlsCfg
 }
 webhook.mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
diff --git a/vendor/knative.dev/reconciler-test/pkg/eventshub/resources.go b/vendor/knative.dev/reconciler-test/pkg/eventshub/resources.go
index 6f299dfa0c1..79b42c0c591 100644
--- a/vendor/knative.dev/reconciler-test/pkg/eventshub/resources.go
+++ b/vendor/knative.dev/reconciler-test/pkg/eventshub/resources.go
@@ -20,6 +20,7 @@ import (
 "context"
 "embed"
 "encoding/base64"
+ "encoding/json"
 "fmt"
 "strings"
@@ -31,6 +32,7 @@ import (
 kubeclient "knative.dev/pkg/client/injection/kube/client"
 "knative.dev/pkg/logging"
 "knative.dev/pkg/network"
+ "knative.dev/pkg/observability"
 "knative.dev/reconciler-test/pkg/environment"
 eventshubrbac "knative.dev/reconciler-test/pkg/eventshub/rbac"
@@ -205,6 +207,17 @@ func Install(name string, options ...EventsHubOption) feature.StepFn {
 envs[EventGeneratorsEnv] = "forwarder"
 // No event recording desired, just logging.
 envs[EventLogsEnv] = "logger"
+ // Disable Prometheus metrics server to avoid port conflict with queue-proxy.
+ // The forwarder runs as a Knative Service which injects a queue-proxy sidecar
+ // that provides metrics on port 9090. Starting eventshub's own metrics server
+ // would cause a "bind: address already in use" error.
+ if obsCfg, err := ParseObservabilityConfig(envs[ConfigObservabilityEnv]); err == nil && obsCfg != nil {
+ // Clear metrics configuration to disable the metrics server
+ obsCfg.Metrics = observability.MetricsConfig{}
+ if obsCfgStr, err := json.Marshal(obsCfg); err == nil {
+ envs[ConfigObservabilityEnv] = string(obsCfgStr)
+ }
+ }
 cfg["envs"] = envs
 cfg["sink"] = sinkURL.URL.String()
@@ -212,7 +225,7 @@ func Install(name string, options ...EventsHubOption) feature.StepFn {
 if _, err := manifest.InstallYamlFS(ctx, forwarderTemplates, cfg); err != nil {
 log.Fatal(err)
 }
- knativeservice.IsReady(name)
+ knativeservice.IsReady(name)(ctx, t)
 }
 }
 }
diff --git a/vendor/knative.dev/reconciler-test/pkg/eventshub/utils.go b/vendor/knative.dev/reconciler-test/pkg/eventshub/utils.go
index 954e3fe35a8..ec49f4870b0 100644
--- a/vendor/knative.dev/reconciler-test/pkg/eventshub/utils.go
+++ b/vendor/knative.dev/reconciler-test/pkg/eventshub/utils.go
@@ -19,6 +19,7 @@ package eventshub
 import (
 "context"
 "encoding/json"
+ "errors"
 "net/http"
 "os"
 "strconv"
@@ -156,16 +157,21 @@ func defaultResource(serviceName string) (*resource.Resource, error) {
 attrs = append(attrs, semconv.K8SPodName(pn))
 }
- // Ignore the error because it complains about semconv
- // schema version differences
- resource, err := resource.Merge(
+ res, err := resource.Merge(
 resource.Default(),
 resource.NewWithAttributes(
 semconv.SchemaURL,
 attrs...,
 ),
 )
- return resource, err
+
+ if errors.Is(err, resource.ErrSchemaURLConflict) {
+ // Ignore the error because it complains about semconv
+ // schema version differences
+ return res, nil
+ }
+
+ return res, err
 }
 func ParseObservabilityConfig(configStr string) (*observability.Config, error) {
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 43525ab8658..2a4371c6c01 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1369,16 +1369,16 @@ k8s.io/utils/pointer
 k8s.io/utils/ptr
 k8s.io/utils/strings/slices
 k8s.io/utils/trace
-# knative.dev/hack v0.0.0-20260120115810-bf6758cba446
+# knative.dev/hack v0.0.0-20260420222011-c985ed3cefe8
 ## explicit; go 1.24
 knative.dev/hack
-# knative.dev/hack/schema v0.0.0-20260120115810-bf6758cba446
+# knative.dev/hack/schema v0.0.0-20260420222011-c985ed3cefe8
 ## explicit; go 1.21
 knative.dev/hack/schema/commands
 knative.dev/hack/schema/docs
 knative.dev/hack/schema/registry
 knative.dev/hack/schema/schema
-# knative.dev/pkg v0.0.0-20260120122510-4a022ed9999a
+# knative.dev/pkg v0.0.0-20260319144603-18c5d580ae64
 ## explicit; go 1.24.0
 knative.dev/pkg/apiextensions/storageversion
 knative.dev/pkg/apiextensions/storageversion/cmd/migrate
@@ -1489,6 +1489,7 @@ knative.dev/pkg/logging/logkey
 knative.dev/pkg/logging/testing
 knative.dev/pkg/network
 knative.dev/pkg/network/handlers
+knative.dev/pkg/network/tls
 knative.dev/pkg/observability
 knative.dev/pkg/observability/attributekey
 knative.dev/pkg/observability/configmap
@@ -1534,7 +1535,7 @@ knative.dev/pkg/webhook/resourcesemantics knative.dev/pkg/webhook/resourcesemantics/conversion knative.dev/pkg/webhook/resourcesemantics/defaulting knative.dev/pkg/webhook/resourcesemantics/validation -# knative.dev/reconciler-test v0.0.0-20260120140419-4301404c03ce +# knative.dev/reconciler-test v0.0.0-20260225102520-330ffb2184a7 ## explicit; go 1.24.0 knative.dev/reconciler-test/cmd/eventshub knative.dev/reconciler-test/pkg/environment